cti-users message



Subject: Re: [cti-users] TAXII Collections


Hi Josh,


From my understanding, most people use Collections per feed. In general most threat feeds I've seen send out the same data available to everyone who is allowed to poll that collection. 


With your data, does each customer get their own personalized feed of threat intel? Or do groups of customers get the same intel (e.g. some are in one group, and others in another)? If it's the former then you pretty much need a feed per customer. If it's the latter, then you can do a feed per group, and use internal access control policies or TAXII Query features to restrict the data that each individual customer receives (see section 5.2.2.1 in the TAXII Services Specification 1.1).

The best place to identify the differences between the Data Set and Data Feed concepts is the TAXII Services Specification 1.1, section 5.2 (Data Collections and Content): https://taxiiproject.github.io/releases/1.1/TAXII_Services_Specification.pdf.

Data Feeds are considered to be ordered and immutable. I think of Data Feeds as logs. They effectively act as a record of what has happened at that time in the Collection, and that 'record of fact' cannot be altered. You can of course issue a new updated version of the STIX data, but it will be a new updated version of the STIX data with a new timestamp. Anyone querying the Data Feed and requesting a time period covering the initial issue of STIX Object A and the subsequently updated STIX Object A would see two copies of it.

Data Sets are effectively a snapshot of what it is like right now. I think of Data Sets as database 'views'. They are a snapshot of the data in that collection right at that time. The next time the client polls, the complete data set may be the same, or it may be completely different. IMHO it's like a box of chocolates...


Cheers

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com


On 23 October 2015 at 01:54, Josh Larkins <jlarkins@malcovery.com> wrote:

I’m wondering if anyone could shed some light on how they map Collections in TAXII to the data they produce. In implementation discussions with our developer, it makes logical sense to us to align a TAXII Collection with an individual feed we might provide to a customer, thus n customers results in n Collections. Does that seem like a correct approach, assuming here that individual customers might have different permissions surrounding what data they’re allowed to receive?

Similar to the above question, we're planning to use the Data Feed type, rather than a Data Set. Since it seems that some type of order would be needed to reliably retrieve data from a Poll Service, what is the use case for a Data Set type collection? The only thing I could come up with is canned, proof-of-concept-type data for use in something like a POC.

Josh Larkins

Sr Threat Intel Analyst

PhishMe 

Office:  703-350-4321

Web: www.phishme.com

Twitter: @phishme
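Added illustration, not part of Terry's or Josh's messages and not code from the TAXII project or any TAXII server: a small Python model of the Data Feed versus Data Set behaviour discussed above, together with the "feed per group plus access policy" option. The class names, the `version` field, the customer names and the STIX-like identifiers are all constructed for this example; real TAXII 1.1 Poll Requests and Content Blocks carry more fields than this toy does.

```python
"""Toy model of TAXII 1.1 Data Feed vs Data Set semantics with per-customer
collection access. Constructed illustration only: not libtaxii or any TAXII
server implementation; all ids, names and timestamps are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Union


@dataclass(frozen=True)
class ContentBlock:
    stix_id: str        # id of the STIX object carried in this block
    version: int        # object version (constructed field, not a TAXII one)
    timestamp: datetime
    body: str


class DataFeed:
    """Ordered, append-only collection: a log of what was published and when."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._log: List[ContentBlock] = []

    def publish(self, block: ContentBlock) -> None:
        # Immutability: blocks are only ever appended, never replaced or removed.
        # Ordering: a new block may not carry an earlier timestamp than the last.
        if self._log and block.timestamp < self._log[-1].timestamp:
            raise ValueError("feed is ordered; cannot publish an earlier timestamp")
        self._log.append(block)

    def poll(self, begin: Optional[datetime] = None,
             end: Optional[datetime] = None) -> List[ContentBlock]:
        # Time-windowed poll (inclusive begin, exclusive end is this toy's
        # convention). An updated object appears once per version published.
        return [b for b in self._log
                if (begin is None or b.timestamp >= begin)
                and (end is None or b.timestamp < end)]


class DataSet:
    """Unordered snapshot collection: a 'view' of the current state only."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._current: Dict[str, ContentBlock] = {}

    def publish(self, block: ContentBlock) -> None:
        # A newer version of the same object replaces the older one in place.
        self._current[block.stix_id] = block

    def retract(self, stix_id: str) -> None:
        # Objects can disappear between polls; nothing records that they did.
        self._current.pop(stix_id, None)

    def poll(self) -> List[ContentBlock]:
        # Every poll returns the whole current set; there is no time window.
        return list(self._current.values())


class TaxiiServer:
    """Collections shared by a group of customers; a customer may only poll
    collections it has been granted (feed per group + access policy)."""

    def __init__(self) -> None:
        self.collections: Dict[str, Union[DataFeed, DataSet]] = {}
        self._grants: Dict[str, Set[str]] = {}

    def add_collection(self, coll: Union[DataFeed, DataSet],
                       allowed_customers: List[str]) -> None:
        self.collections[coll.name] = coll
        self._grants[coll.name] = set(allowed_customers)

    def poll(self, customer: str, collection_name: str, **kwargs) -> List[ContentBlock]:
        # Deny by default: an unknown collection or an unlisted customer gets nothing.
        if customer not in self._grants.get(collection_name, set()):
            raise PermissionError(f"{customer} may not poll {collection_name}")
        return self.collections[collection_name].poll(**kwargs)


def ts(hour: int) -> datetime:
    """Constructed timestamp on the day of the original thread."""
    return datetime(2015, 10, 23, hour, 0, tzinfo=timezone.utc)


def build_demo() -> TaxiiServer:
    """Publish two versions of one object and one other object to both collection types."""
    v1 = ContentBlock("indicator--a", 1, ts(1), "ip 203.0.113.5")                      # constructed
    other = ContentBlock("indicator--b", 1, ts(2), "domain example.net")               # constructed
    v2 = ContentBlock("indicator--a", 2, ts(3), "ip 203.0.113.5 (confidence raised)")  # constructed
    feed, dataset = DataFeed("group-a-feed"), DataSet("group-a-set")
    for block in (v1, other, v2):
        feed.publish(block)
        dataset.publish(block)
    server = TaxiiServer()
    server.add_collection(feed, ["customer-1", "customer-2"])
    server.add_collection(dataset, ["customer-1", "customer-2"])
    return server


def can_poll(server: TaxiiServer, customer: str, collection_name: str) -> bool:
    try:
        server.poll(customer, collection_name)
        return True
    except PermissionError:
        return False
```

Polling the feed over a window that spans both publications of `indicator--a` returns both versions in order, which is the "two copies" behaviour Terry describes; polling the data set returns only the latest version of each object, and a customer outside the group is refused before any collection is consulted.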