OASIS Mailing List Archives

cti-users message



Subject: STIX/TAXII: created_by property?


Hello.

My company, Graphaware, has become interested in cybersecurity and has been following STIX and TAXII for some time. While our core expertise lies in graph databases, such as Neo4j, as professional software developers we are exploring the implementation of the STIX and TAXII specs.

I have a few questions on the created_by_ref property of STIX objects and am hoping this group can provide some insight.

1) When a STIX object is created, is the created_by property typically sent by the client (the creating entity), or is it typically omitted by the client and instead assigned by the TAXII server as part of the STIX object creation?

If the created_by property is typically sent by the creating client, how does the TAXII server know it can trust the client to provide a valid value? Does the fact that the client must be authenticated and authorized to the TAXII server establish the trust that the client will not submit invalid/misleading/malicious STIX data?

If the created_by property is not typically sent by the creating client, is it recommended that the TAXII server make use of the currently authenticated user to populate this information on the STIX object? For example, if client A publishes the creation of a new STIX object and omits the created_by property, the TAXII server will modify the incoming STIX object and assign a created_by property that points to client A.

2) Do the STIX/TAXII specs provide any guidance on created_by_ref value validation? For example, let’s say that client A, a successfully authenticated and authorized client, creates a STIX object with a created_by property with a value of “client_B_id”. Yet, let’s say that this STIX/TAXII implementation does not have any data about client B. Would the creation of this STIX object, whose created_by_ref is essentially unknown to the system, be allowed? While I can see the creation needing to be allowed, particularly in the case where STIX data is “merely” being republished by a peer TAXII server, this scenario would create dangling data that references entities that are unknown within the system. From the view of data integrity, this would be bad, but from the view of flexibility and exchange of free-form information, this would be good. Do the STIX/TAXII specs or this group have any opinion as to which way a compliant STIX/TAXII implementation should go?

Thanks,
Eric
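
The server-side options weighed in the message above, sketched as an added example (not part of the original message and not taken from the STIX/TAXII specs): a hypothetical ingestion check that fills a missing created_by_ref from the authenticated session and labels, rather than rejects, references it cannot resolve. The function name, the finding labels, the identity IDs and the sample bundle are all constructed for illustration.

```python
import copy
import re

# STIX 2.x IDs have the form "<type>--<UUID>"; created_by_ref points at an identity object.
IDENTITY_ID = re.compile(r"^identity--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample data: two clients and a bundle posted by client A.
CLIENT_A = "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
CLIENT_B = "identity--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111"},
    {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
     "created_by_ref": CLIENT_A},
    {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
     "created_by_ref": CLIENT_B},
    {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
     "created_by_ref": "client_B_id"},
]}

def review_submission(bundle, authenticated_identity, known_identities, assign_missing=True):
    """Return (objects, findings) for a bundle posted by an authenticated client.

    Hypothetical policy: nothing is rejected; every object gets one label so the
    operator can decide how much to trust its claimed creator.
    """
    submitted = bundle.get("objects", [])
    # Identity objects shipped in the same bundle also resolve references.
    in_bundle = {o["id"] for o in submitted if o.get("type") == "identity"}
    resolvable = set(known_identities) | in_bundle | {authenticated_identity}
    objects, findings = [], []
    for original in submitted:
        obj = copy.deepcopy(original)  # never mutate the client's submission
        ref = obj.get("created_by_ref")
        if ref is None and assign_missing:
            # Question 1, second option: attribute to the authenticated client.
            obj["created_by_ref"] = authenticated_identity
            label = "assigned-from-session"
        elif ref is None:
            label = "anonymous"
        elif not IDENTITY_ID.match(ref):
            label = "malformed-ref"          # e.g. "client_B_id"
        elif ref not in resolvable:
            label = "dangling-ref"           # question 2: creator unknown here
        elif ref != authenticated_identity:
            label = "third-party-creator"    # known creator, republished by someone else
        else:
            label = "self-asserted"
        objects.append(obj)
        findings.append((obj["id"], label))
    return objects, findings
```

Keeping the labels alongside the stored objects lets a republishing peer's data be accepted while still recording that the claimed creator was never verified by this server.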

