[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-comment] STIX/TAXII Data Life Cycling
|
Hello There, Just wondering if you had any insights to share. Regards, Jeff From: Jeff LoSpinoso Hello Jane, So here’s what I’ve got. Our SIEM platform has a built-in TAXII client. I set up a feed from a TAXII server where the SIEM platform basically just creates a list of IPv4 addresses. Our SIEM vendor has told us
that we must apply a time to live so the list does not grow to larger over time. They state that the only way an indicator can be removed from the list is by way of a TTL enforced on the list where this TTL is pulled from thin air having nothing to do with
any dates provided by the TXF. My response to them is that the only way something should be removed from the downstream copy of the Threat Feed is if the Threat Feed says so. A simple analogy. If an Airline maintains a copy of the DHS no-Fly list for their own use, they should not remove a bad guys name off the list just because it’s been there for more than X number of days. It should
only be removed when DHS says it should be removed. So what are the mechanisms for a TAXII Client to stay in sync with its authoritative feed? Similar to how Active Directory replicates objects (including deletions) I would imagine. I’ve searched high and low and can’t find any clues as to how this works. To my sad surprise our SIEM vendor, a household name in IT, clearly hasn’t a clue as demonstrated by their urging to just arbitrarily
drop indicators based on a random TTL. Any insights would be greatly appreciated. Enjoy you weekend wherever you are. Regards, Jeff From:
cti-comment@lists.oasis-open.org <cti-comment@lists.oasis-open.org>
On Behalf Of JG
CAUTION: This email originated outside of our organization. Before clicking any links or attachments, please confirm
that you recognize the sender and know that the content is safe. Jeff: Thanks for reaching out to the community. Can you tell us a little more about your specific Use Case? For specific indicators or STIX Domain Objects (SDOs) we have a revoke property that can be invoked by the original producer of that SDO. We also have a Modified property if a producer finds out
additional information and wants to update. From the consumer side, it would help to know a little more. Is your Use Case related to duplicates? Or is it related to an indicator or set of indicators that you no longer need for your analysis? Please describe the problem you are trying to solve. Jane Ginn On 2/20/2020 9:55 AM, Jeff LoSpinoso wrote:
-- ***************************** Jane Ginn, MSIA, MRP Secretary, OASIS CTI TC Sponsor, TAC TC Sponsor, BP TC jg@ctin.us 001 (928) 399-0509 ***************************** |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]