OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti-comment] STIX/TAXII Data Life Cycling

Hello Jane,


So here’s what I’ve got. Our SIEM platform has a built-in TAXII client. I set up a feed from a TAXII server where the SIEM platform basically just creates a list of IPv4 addresses. Our SIEM vendor has told us that we must apply a time to live so the list does not grow to larger over time. They state that the only way an indicator can be removed from the list is by way of a TTL enforced on the list where this TTL is pulled from thin air having nothing to do with any dates provided by the TXF. My response to them is that the only way something should be removed from the downstream copy of the Threat Feed is if the Threat Feed says so.


A simple analogy. If an Airline maintains a copy of the DHS no-Fly list for their own use, they should not remove a bad guys name off the list just because it’s been there for more than X number of days. It should only be removed when DHS says it should be removed.


So what are the mechanisms for a TAXII Client to stay in sync with its authoritative feed? Similar to how Active Directory replicates objects (including deletions) I would imagine.


I’ve searched high and low and can’t find any clues as to how this works. To my sad surprise our SIEM vendor, a household name in IT, clearly hasn’t a clue as demonstrated by their urging to just arbitrarily drop indicators based on a random TTL.


Any insights would be greatly appreciated. Enjoy you weekend wherever you are.






From: cti-comment@lists.oasis-open.org <cti-comment@lists.oasis-open.org> On Behalf Of JG
Sent: Friday, February 21, 2020 11:40 AM
To: cti-comment@lists.oasis-open.org
Subject: Re: [cti-comment] STIX/TAXII Data Life Cycling


CAUTION: This email originated outside of our organization.  Before clicking any links or attachments, please confirm that you recognize the sender and know that the content is safe.


Thanks for reaching out to the community. 

Can you tell us a little more about your specific Use Case?  For specific indicators or STIX Domain Objects (SDOs) we have a revoke property that can be invoked by the original producer of that SDO.  We also have a Modified property if a producer finds out additional information and wants to update. 

From the consumer side, it would help to know a little more. Is your Use Case related to duplicates?  Or is it related to an indicator or set of indicators that you no longer need for your analysis?  Please describe the problem you are trying to solve.

Jane Ginn


On 2/20/2020 9:55 AM, Jeff LoSpinoso wrote:



How are indicators removed from a collection, more specifically how does a consumer of a TAXII Feed know when to remove an indicator from its synchronized copy of the collection?


Your insights would be most appreciated.




Jeff LoSpinoso, CISSP

TCP Cybersecurity Team



Jane Ginn, MSIA, MRP
Secretary, OASIS CTI TC
Sponsor, TAC TC
Sponsor, BP TC
001 (928) 399-0509

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]