Re: [cti-stix] How should this look

On Jan 28, 2016, at 20:04, Wunder, John A. <jwunder@mitre.org> wrote:

IMO this really gets at the messaging concept…how will people be sharing STIX? In STIX 1.2 it’s been “here’s a package of STIX content”, but moving forward we’ve talked about things like more focused messages and request/response.

So I would think we need to build out a “message base” like we’re doing with the CTI core object fields. Things like message IDs, types, and timestamps but also things that need to go alongside all STIX content: information sources, data markings, etc. Then if we define a “package”, it’s probably just a big list of objects (including relationships).

(fwiw we mocked this up in twigs, though haven’t had a lot of time to work through it so consider it very rough: https://github.com/johnwunder/twigs/tree/master/data-model/messages)

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com>
Date: Thursday, January 28, 2016 at 7:49 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] RE: How should this look

Yep Bret,

I like that. I think it would work well with STIX requests and responses as well so I like that:

{
"type": "stix-request",
"id": "stix-request--3ba2c668-6aa3-4f3d-abd4-82f884e8f99d",
"request": {
     …
}
}

And

{
"type": "stix-response",
"id": "stix-response--656ff5b4-3c2b-441c-b570-9f6ec549582f",
"request_id": "stix-request--3ba2c668-6aa3-4f3d-abd4-82f884e8f99d",
"response": {
     …
}
}

I have a couple of questions about the stix-package use though…

1.       Will multiple stix packages be able to be sent in the same TAXII exchange?
2.       Will STIX packages be able to be sent along with STIX requests and STIX responses in the same TAXII exchange? I think they should so that we open up the possibility of long polling/streaming of data
3.       Does the stix package need an ID if we are only concerned about the id’s of the objects within the stix-package? i.e. its only an envelope at present, does that need an ID.
4.       Or.. should we keep the stix-package ID to keep in line with the stix-requests and stix-responses that will need an ID to keep track of them and the relationships between them

That’s off the top of my head so please excuse any mistakes J.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Friday, 29 January 2016 10:13 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] How should this look

I want to start writing some APIs for STIX 2.0.. But I am not yet sure how things should look at the top level... I am thinking something like???? This is meant to get people talking so we can start fleshing this out as cleanly and rapidly as possible.

{
"type": "stix-package",
"id": "stix-package--ad3d029f-6fe7-4923-aafc-3b69aed32365",
"indicators": [
{
"type": "indicator",
"id": "indicator--3d5338a0-9305-4373-b59c-616ac2e9b18f",
"timestamp": "2016-01-28T15:44:53Z",
"title": "Some really neat indicator that we found"
}
]
}

Thanks,

Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

cti-stix message