OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: RE: [cti] Missing MTI - what to do?

What I mean is if I create a STIX document and push it to a TAXII server on a channel, I expect anyone else subscribed to that channel should either receive the document as I created it, or not receive it at all. I myself do not think TAXII should be diving into the STIX and modifying the documents, removing attributes from them.

Imagine if some vendors got together and made a tempoary extension to the indicator property called "Risk" or something, but whenever a producer sent it onto the wire, the TAXII server stripped it off. That value might be useful for a consumer.. the TAXII server has no idea what values will be of use to whom, it should not be stripping off a property just because it doesn't recognize it.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Inactive hide details for John-Mark Gurney ---02/01/2016 03:41:36 PM---On Sat, Jan 30, 2016 at 6:26 AM, Jason Keirstead <Jason.John-Mark Gurney ---02/01/2016 03:41:36 PM---On Sat, Jan 30, 2016 at 6:26 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com > wrote:

From: John-Mark Gurney <jmg@newcontext.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: cti@lists.oasis-open.org
Date: 02/01/2016 03:41 PM
Subject: Re: RE: [cti] Missing MTI - what to do?




On Sat, Jan 30, 2016 at 6:26 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
The question is at what level?  Do you mean you can't break up a STIX package?  So that means that you don't want a TAXII server to be able to query a specific Observable/Incident/etc by ID since that would break up a STIX package?

or do you mean that TAXII should not be modifying the objects that flow over it, but mix/matching, say demoting an object inline to reference is fine, or only sending the Indicators from a STIX package, but not the other info?

John-Mark


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]