
cti-taxii message



Subject: Re: [cti-taxii] Query Use Cases Needed!


So here are a few I’ve needed personally (the project only partially uses STIX/TAXII now, but the concepts translate):
  • Return all courses of action related to a given set of TTPs (granted this relationship does not exist in STIX now)
  • Return all TTPs for a given set of indicators
  • Return all incidents for a given set of indicators
  • Query by construct type + title (i.e. give me all campaigns where the name matches Deep Panda)
  • The most advanced one I can think of: return incidents with specific affected asset (identified by IP or ID)
John

From: <cti-taxii@lists.oasis-open.org> on behalf of Jason Keirstead
Date: Wednesday, August 12, 2015 at 3:36 PM
To: Mark Davidson
Cc: "cti-taxii@lists.oasis-open.org"
Subject: Re: [cti-taxii] Query Use Cases Needed!

Query by threat actor (with expected string search options) I would think to be important.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Davidson II, Mark S" <mdavidson@mitre.org>
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/08/12 03:22 PM
Subject: [cti-taxii] Query Use Cases Needed!
Sent by: <cti-taxii@lists.oasis-open.org>





All,

Since query was called out yesterday as a potential challenge for the Channel model that’s been proposed for TAXII, I’d like for us to try and validate the Channel model against query use cases. I’d like for us to start by identifying query use cases that we think we care about. For now, a one-liner of the use case is probably the right level of abstraction (we can add more detail later).

To get the conversation started, here are some things I’ve heard on the list:
      · Query by ID
      · Query by “observable” (e.g., IP / Hash)

Once we’ve collected the use cases, we can analyze their impact on the channel model. Please offer up your one-liner query use cases!

Thank you.
-Mark

P.S. We have not forgotten the query discussions of old; this is partly to generate discussion and partly to see what’s still on the forefront.
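To make the use cases in this thread concrete (Mark's "query by ID" and "query by observable", and John's relationship and title queries above), here is an added example that is not part of the thread and not code from any STIX or TAXII implementation. It builds a toy in-memory query layer over constructed STIX-like objects; the object type names follow the STIX 1.x names used in the thread, while the flat dict layout, the separate relationship list, and every id, title, IP and hash are assumptions made up for the example.

```python
"""Toy in-memory query layer over constructed STIX-like objects.

Added example, not from the cti-taxii thread or from any STIX/TAXII
implementation. Object types follow the STIX 1.x names used in the thread;
the flat dict layout and the explicit relationship list are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample data: every id, title, IP and hash below is made up.
OBJECTS = [
    {"id": "indicator-1", "type": "Indicator", "title": "C2 beacon",
     "observables": ["203.0.113.7"]},
    {"id": "indicator-2", "type": "Indicator", "title": "Dropper hash",
     "observables": ["d41d8cd98f00b204e9800998ecf8427e"]},
    {"id": "ttp-1", "type": "TTP", "title": "Spearphishing attachment"},
    {"id": "ttp-2", "type": "TTP", "title": "HTTP beaconing"},
    {"id": "coa-1", "type": "CourseOfAction", "title": "Block outbound to C2"},
    {"id": "incident-1", "type": "Incident", "title": "Workstation compromise",
     "affected_assets": ["198.51.100.23", "asset-0042"]},
    {"id": "campaign-1", "type": "Campaign", "title": "Deep Panda activity"},
    {"id": "campaign-2", "type": "Campaign", "title": "Unrelated campaign"},
]

# (source id, target id) pairs. STIX 1.x embeds most of these links inside
# the objects themselves; a separate edge list is an assumption made here to
# keep the traversal generic (it also lets us model the COA-to-TTP link that
# John notes does not exist in STIX yet).
RELATIONSHIPS = [
    ("indicator-1", "ttp-2"),
    ("indicator-2", "ttp-1"),
    ("indicator-1", "incident-1"),
    ("ttp-2", "coa-1"),
    ("campaign-1", "ttp-1"),
]

BY_ID = {o["id"]: o for o in OBJECTS}
EDGES = defaultdict(set)
for _src, _dst in RELATIONSHIPS:
    EDGES[_src].add(_dst)
    EDGES[_dst].add(_src)  # treat links as undirected for "related to" queries


def query_by_id(object_id):
    """Use case: query by ID. Plain key lookup."""
    return BY_ID.get(object_id)


def query_by_observable(value):
    """Use case: query by observable (IP / hash). Returns matching indicator ids."""
    return sorted(o["id"] for o in OBJECTS if value in o.get("observables", []))


def related_of_type(source_ids, target_type):
    """Generic one-hop traversal: all objects of target_type linked to any of
    source_ids. Covers 'TTPs for a set of indicators', 'incidents for a set of
    indicators' and 'courses of action for a set of TTPs'."""
    found = set()
    for sid in source_ids:
        for nid in EDGES.get(sid, ()):
            if BY_ID[nid]["type"] == target_type:
                found.add(nid)
    return sorted(found)


def query_by_type_and_title(object_type, pattern):
    """Use case: construct type + title match (case-insensitive regex/substring)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(o["id"] for o in OBJECTS
                  if o["type"] == object_type and rx.search(o["title"]))


def incidents_for_asset(asset):
    """Use case: incidents with a specific affected asset (IP or asset id)."""
    return sorted(o["id"] for o in OBJECTS
                  if o["type"] == "Incident" and asset in o.get("affected_assets", []))


if __name__ == "__main__":
    print(query_by_observable("203.0.113.7"))                 # ['indicator-1']
    print(related_of_type(["indicator-1"], "TTP"))            # ['ttp-2']
    print(related_of_type(["ttp-2"], "CourseOfAction"))       # ['coa-1']
    print(query_by_type_and_title("Campaign", "deep panda"))  # ['campaign-1']
    print(incidents_for_asset("asset-0042"))                  # ['incident-1']
```

The split in the code mirrors the question the thread is asking of the Channel model: ID, observable, title and affected-asset queries are filters over a single object's own fields, whereas the "related to a given set of ..." use cases need the server to resolve links between objects, so a channel that only streams individual objects cannot answer them without that relationship index.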





