Subject: Re: [cti-taxii] Query Use Cases Needed!
My concern with Cypher, if offered as a candidate, is that it is proprietary (as far as I know) and would force an implementation to a particular vendor.
There is also SPARQL: http://www.w3.org/TR/sparql11-query/ It is graph based, but targets RDF specifically, which could be problematic.
- Jasen.
From: Patrick Maroney <Pmaroney@Specere.org>
Date: Thursday, August 13, 2015 at 9:50 AM
To: "Wunder, John A." <jwunder@mitre.org>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>, MITRE Employee <jasenj1@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>
Subject: Re: [cti-taxii] Query Use Cases Needed!
In addition to the other suggestions, presuming we are talking next major release of TAXII, we should look at the Conceptual models for next gen STIX/CybOX which will presumably contain a much richer Relationships Model when considering approaches for the Query Language. In other words we might be able to incorporate Graph based queries (i.e., Cypher: http://neo4j.com/developer/cypher-query-language/)
Patrick Maroney
President, Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

I suggest XQuery.
This will not only allow very rich queries, but would allow the querier to specify what they want returned rather than entire STIX documents.
- Jasen.
From: <cti-taxii@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Thursday, August 13, 2015 at 12:12 AM
To: "Wunder, John A." <jwunder@mitre.org>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Subject: Re: [cti-taxii] Query Use Cases Needed!
All these are really good use cases. Thanks for taking the time to write them down. As these are all falling into a general theme I think we can now begin to look at the ideas that we need to support them....
So what I get from this discussion is:
1) We need a way for a client to present some sort of key/value pair where the key is the object identifier and the type of dataset that the value exists in and then the value is what it contains.
2) We need the ability to say, if that value in the object equals something, does not equal something, contains, etc.
3) We need the ability to say this object AND this other object or this OR that.
Some examples...
1) Give me all indicators that contain a name of XYZ, that were seen between 2015-07-01T00:00:00 AND 2015-07-01T00:01:00 but not indicators with a TTP of FOO
2) Give me all TTPs with a name that contains ABC, and have observables in the following net block 4.0.0.0/8 and happened during January or February of 2015
The trick is going to be making this easy to do... As with all discussions on TAXII, we can easily and rapidly go from high level use-cases to putting rubber to the road.
Simple Example Structures of a Query (to get the discussion going)

Query:
Key: stix-indicator-name
Value: RedHat
Operator: contains

Query:
Key: stix-indicator-id
Value: 1111-1234-1234-54321
Operator: equals
This is pretty easy to wrap our brains around.... What gets more tricky is how to do an AND or an OR operator. Any thoughts?
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
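An added example, not code from the thread or from any TAXII/STIX specification: a small evaluator for the key/value/operator query structure Bret sketches, showing one way the open AND/OR question could be handled (nested "and", "or" and "not" groups), run over a constructed indicator set. Key names such as stix-indicator-seen and stix-indicator-ttp are assumed, in the style of the thread.

```python
# Added example, not from the thread or any TAXII spec: evaluating the
# key/value/operator query structure sketched above, with AND/OR/NOT.
from datetime import datetime

# Constructed sample data; key names are assumed, in the thread's style.
INDICATORS = [
    {"stix-indicator-id": "1111-1234-1234-54321", "stix-indicator-ttp": "BAR",
     "stix-indicator-name": "RedHat XYZ scanner", "stix-indicator-seen": "2015-07-01T00:00:30"},
    {"stix-indicator-id": "2222-1234-1234-54321", "stix-indicator-ttp": "FOO",
     "stix-indicator-name": "XYZ dropper", "stix-indicator-seen": "2015-07-01T00:00:45"},
    {"stix-indicator-id": "3333-1234-1234-54321", "stix-indicator-ttp": "BAR",
     "stix-indicator-name": "XYZ beacon", "stix-indicator-seen": "2015-07-02T00:00:00"},
]
ts = datetime.fromisoformat  # timestamps are compared as times, not as text

# Leaf operators: (value found in the object, value given in the query).
OPERATORS = {
    "equals": lambda found, given: found == given,
    "not-equals": lambda found, given: found != given,
    "contains": lambda found, given: given in found,
    "after": lambda found, given: ts(found) >= ts(given),   # inclusive bounds
    "before": lambda found, given: ts(found) <= ts(given),
}

def matches(query, obj):
    """Leaf: {"key", "operator", "value"}; compound: {"and": [..]}, {"or": [..]},
    {"not": q}. A missing key never matches; an unknown operator is rejected."""
    if "and" in query:
        return all(matches(q, obj) for q in query["and"])
    if "or" in query:
        return any(matches(q, obj) for q in query["or"])
    if "not" in query:
        return not matches(query["not"], obj)
    if query["operator"] not in OPERATORS:
        raise ValueError("unsupported operator: %r" % query["operator"])
    if query["key"] not in obj:
        return False
    return OPERATORS[query["operator"]](obj[query["key"]], query["value"])

def run_query(query, objects=INDICATORS):
    return [o["stix-indicator-id"] for o in objects if matches(query, o)]

# Bret's first example: name contains XYZ, seen inside the one-minute window,
# but not indicators with a TTP of FOO.
EXAMPLE_1 = {"and": [
    {"key": "stix-indicator-name", "operator": "contains", "value": "XYZ"},
    {"key": "stix-indicator-seen", "operator": "after", "value": "2015-07-01T00:00:00"},
    {"key": "stix-indicator-seen", "operator": "before", "value": "2015-07-01T00:01:00"},
    {"not": {"key": "stix-indicator-ttp", "operator": "equals", "value": "FOO"}},
]}
```

Rejecting an unknown operator outright, rather than silently treating it as "no match" or "match everything", keeps a server from returning more or less than the client asked for.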