[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] RE: How should this look
IMO this really gets at the messaging concept…how will people be sharing STIX? In STIX 1.2 it’s been “here’s a package of STIX content”, but moving forward we’ve talked about things like more focused messages and request/response.
So I would think we need to build out a “message base” like we’re doing with the CTI core object fields. Things like message IDs, types, and timestamps but also things that need to go alongside all STIX content: information sources, data markings, etc.
Then if we define a “package”, it’s probably just a big list of objects (including relationships).
(fwiw we mocked this up in twigs, though haven’t had a lot of time to work through it so consider it very rough: https://github.com/johnwunder/twigs/tree/master/data-model/messages)
From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com>
Date: Thursday, January 28, 2016 at 7:49 PM To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Subject: [cti-stix] RE: How should this look Yep Bret, I like that. I think it would work well with STIX requests and responses as well so I like that: { "type": "stix-request", "id": "stix-request--3ba2c668-6aa3-4f3d-abd4-82f884e8f99d", "request": { … } } And { "type": "stix-response", "id": "stix-response--656ff5b4-3c2b-441c-b570-9f6ec549582f", "request_id": "stix-request--3ba2c668-6aa3-4f3d-abd4-82f884e8f99d", "response": { … } } I have a couple of questions about the stix-package use though… 1.
Will multiple stix packages be able to be sent in the same TAXII exchange?
2.
Will STIX packages be able to be sent along with STIX requests and STIX responses in the same TAXII exchange? I think
they should so that we open up the possibility of long polling/streaming of data 3.
Does the stix package need an ID if we are only concerned about the id’s of the objects within the stix-package? i.e.
its only an envelope at present, does that need an ID. 4.
Or.. should we keep the stix-package ID to keep in line with the stix-requests and stix-responses that will need an ID
to keep track of them and the relationships between them That’s off the top of my head so please excuse any mistakes
J. Cheers Terry MacDonald Senior STIX Subject Matter Expert SOLTRA | An FS-ISAC and DTCC Company +61 (407) 203 206 |
terry@soltra.com From:
cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jordan, Bret I want to start writing some APIs for STIX 2.0.. But I am not yet sure how things should look at the top level... I am thinking something like???? This is meant to get people talking so we can start fleshing this out as cleanly and rapidly
as possible. { "type": "stix-package", "id": "stix-package--ad3d029f-6fe7-4923-aafc-3b69aed32365", "indicators": [ { "type": "indicator", "id": "indicator--3d5338a0-9305-4373-b59c-616ac2e9b18f", "timestamp": "2016-01-28T15:44:53Z", "title": "Some really neat indicator that we found" } ] } Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]