Re: [cti-users] Re: Isolate STIX as file after transfer through TAXII 2

["Stanley_Hsiao@trend.com.tw" <Stanley_Hsiao@trend.com.tw>]

Hi Bret and Ringo,

 

Appreciate your reply. Here’s my scenario. In the past, TAXII 1.x poll request can gather STIX from TAXII collections. After that, I can save the individual <stix:STIX_Package> (as the screenshot below) as files on local file system.  

 

 

 

Whereas TAXII 2.0, a collection is a bundle encapsulating everything at top-level. So, here comes my imaginary scenario, when threat researchers submit their threat reports into a collect of a TAXII 2.0 server, multiple reports will be merged into a single bundle (as the screenshot below). How can I retrieve individual reports as files like I did for TAXII 1.x?

 

 

 

** If you have trouble viewing the images above, please the links below:

1. STIX 1.x package - https://www.tbox.trend.com.tw/app#folder/SPng/Temp/STIX_1_x_Package.png?a=HVp2rdkFB20
2. STIX 2.0 bundle - https://www.tbox.trend.com.tw/app#folder/SPng/Temp/STIX_2_0_bundle.png?a=i9g5N9pvFmI

 

To Bret,

 

I am unable to join your slack workspace. Could you send me an invite?

 

Regards,

Stanley

 

From: Bret Jordan <jordan2175@gmail.com>
Date: Friday, 9 March 2018 at 2:08 AM
To: "Stanley Hsiao (RD-TW)" <Stanley_Hsiao@trend.com.tw>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Re: Isolate STIX as file after transfer through TAXII 2

 

Stanley,

 

I would love to help you, I just do not fully understand what you are trying to do.  

 

If you are working on TAXII, keep in mind that we are working on 2.1 that fixes a few things that were found in 2.0.  I can give details so you can code towards 2.1.

 

If you can give me more information about what you are trying to do, I should be able to help you.

 

I also setup a slack channel for this users group that you can find here: CTI-workspace.slack.com if it would be easier to communicate over slack.

 

Bret

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

On Mar 7, 2018, at 11:09 PM, "Stanley_Hsiao@trend.com.tw" <Stanley_Hsiao@trend.com.tw> wrote:

Dear CTI Users,

 

I am implementing a TAXII 2.0 server. In the past, individual STIX files can be isolated from a TAXII 1.x collection. But everything is top-domain within a single bundle right now, how can I isolate the STIX files from a TAXII 2.0 collection?

 

Regards,

Stanley

 

 

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential 

and may be subject to copyright or other intellectual property protection. 

If you are not the intended recipient, you are not authorized to use or 

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.

 

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.