Subject: Re: [cti-stix] RE: STIX Sightings
On 29.10.2015 21:45:21, Terry MacDonald wrote:

> PROBLEM:
>
> There is no real mechanism within STIX for a consumer of STIX data
> to ask a question from the rest of the threat sharing community that
> they are part of. This functionality is required if we are going to
> get good multi-directional threat intelligence sharing happening.

Wow, this is good stuff, Terry! I hadn't fully thought through the notion of a broadcast query. Good on ya, man!

> This is different from the normal 'broadcast' style STIX message,
> where the message is just sent to all parties and no replies are
> expected. With STIX request/response there is a direct
> question/answer relationship required.
>
> Please note this request/response is also different to TAXII Query,
> as the question is being asked to all members of the channel, rather
> than just the single TAXII server you are locally connecting to
> (which is IMHO more where TAXII Query fits in).

I'm biased, since I've been working on the notional query spec for TAXII 2.0, but I think we can solve this via TAXII REST query instead of creating two new top-level STIX objects. I've written up my proposal for query scoping here [0].

The tl;dr is to add an optional 'broadcast' parameter to TAXII query. If not specified, assume that a query is targeting just the local CTI repository. If the flag is specified, the CTI repository receiving the query acts as a proxy, forwarding the incoming query to all the hosts implied by the specified trustgroup(s), collecting the query results, and passing them back to the client.

[0]: https://taxiiproject.github.io/taxii2/notional-query-api/#query-scoping

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"There are only two hard things in Computer Science: cache invalidation and naming things." --Phil Karlton
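A toy model of the 'broadcast' query scoping Trey describes above, added here as an illustration and not code from the thread or from the TAXII 2.0 notional query spec: a repository answers from its own store unless a broadcast is requested, in which case it fans the query out to the members of the named trust groups and merges their answers. Repository names, trust groups, and the stored objects are constructed sample data; the proxy forwards without the broadcast flag so that a peer cannot re-broadcast and cause a query storm.

```python
# Hypothetical model of the proposed TAXII 'broadcast' query parameter.
# Not the TAXII 2.0 API: repositories and trust groups are in-memory stand-ins.
from typing import Dict, List, Optional

# Constructed sample data: each repository holds STIX-like objects keyed by id.
REPOS: Dict[str, Dict[str, dict]] = {
    "local":  {"indicator--1": {"id": "indicator--1", "value": "a"}},
    "peer-a": {"indicator--2": {"id": "indicator--2", "value": "b"},
               "indicator--1": {"id": "indicator--1", "value": "a"}},
    "peer-b": {"indicator--3": {"id": "indicator--3", "value": "c"}},
    "other":  {"indicator--9": {"id": "indicator--9", "value": "z"}},
}

# Constructed trust groups: the hosts a broadcast to that group reaches.
TRUSTGROUPS: Dict[str, List[str]] = {
    "isac": ["local", "peer-a", "peer-b"],
    "vendors": ["other"],
}


def local_query(repo: str, value: Optional[str] = None) -> List[dict]:
    """Answer a query against a single repository's own store."""
    objs = REPOS[repo].values()
    return [o for o in objs if value is None or o["value"] == value]


def query(repo: str, value: Optional[str] = None,
          broadcast: Optional[List[str]] = None) -> List[dict]:
    """Without 'broadcast', answer locally. With it, act as a proxy: forward
    the query to every member of the named trust groups, collect the results,
    and return them de-duplicated by object id."""
    if not broadcast:
        return local_query(repo, value)
    peers: List[str] = []
    for group in broadcast:
        for host in TRUSTGROUPS.get(group, []):
            if host != repo and host not in peers:
                peers.append(host)
    # Local answer first, then peers; setdefault keeps the first copy seen.
    merged: Dict[str, dict] = {o["id"]: o for o in local_query(repo, value)}
    for host in peers:
        # Forward WITHOUT the broadcast flag so peers answer from their own
        # store instead of re-broadcasting (avoids fan-out loops / storms).
        for obj in query(host, value, broadcast=None):
            merged.setdefault(obj["id"], obj)
    return list(merged.values())
```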