OASIS Mailing List Archives

 




Subject: Re: [cti] TAXII Query Endpoint


Bret - I want to be clear on my concerns and your summary somewhat misrepresents those concerns.

 

Intelligence data pivoting (analyst workflows) and doing queries on intelligence data to understand related intelligence is a clear use case for many products in the industry. Without those basic capabilities most TIPs would not exist.

 

No one is questioning the "need for doing" such a thing. I'm questioning the how and where pivoting takes place when combined with TAXII 2.0 servers.

 

So, I questioned how the solution was being proposed and whether that actually solved the real-use cases.

 

I asked for details on specific products and workflow to understand more fully what is being proposed actually solves the need.

 

Many people spoke up and said they needed this capability but few, if any, shared a realistic concrete/flow-by-flow example.

 

Having spent the better part of 2 years developing the interop test documents it has become really obvious how easy it is to define features in STIX/TAXII but when you consider the realistic product interactions across vendors you realize that the designs were not based on a fully understood use case.

 

The fact that Jason is arguing for an alternative API completely helps reinforce my point.

 

So I suggest before we add it to the specification that we prove out this capability works for the products that need it (not just one-sided) by doing and showing it meets the need with the same process we are doing for STIX features.

 

Allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Tuesday, November 27, 2018 at 3:07 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] TAXII Query Endpoint

 

All,

 

On the working call today, where we had 19 people, we talked about the TAXII query proposal that I sent out a week ago on the TAXII list (proposal 1). We also talked about the proposal from Jason and Terry (proposal 2). 

 

On the call the near unanimous view was that proposal 1 is probably the way we need to go. Allan expressed concern about the need for doing it at all but seemed to be okay with the design, if it was actually needed.

 

Previous discussions on the TAXII list only resulted in one person being against this.

 

If anyone else has comments or opinions about this, please speak up. If not, the editors will move forward with adding a suggestion to the document based on the broad consensus we seem to have.

 

 

Bret


