Hi TC,
What is needed to incorporate an enhanced TAXII Filtering capability within TAXII 2.1?
From the initial TAXII 1.0 specification the community have requested the ability to filter data on the TAXII server rather than having to request all the data and filter locally. Through the years this request
has been echoed by those within this TC along with others in private sector, international, and federal communities. I can attest to real world scenarios where RAM, logs, and systems have crashed due to requesting all available data from a TAXII server just
in order to filter the data locally to determine the actual value. For instance, the United States Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS)
capability currently hosts over 8 million indicators and shared roughly 400 thousand indicators in October. Ingesting 8 million, for a first-time member, or 400 thousand, for a current member, locally is currently a required effort
to filter data due to the inability within TAXII to filter data on a TAXII server.
Through the development of TAXII 2, we’ve incorporated a filtering mechanism which has the ability to support many of the related filtering requests from the TC, private sector, international, and federal communities
however the current specification only lists the following supported fields (id, spec_version, type, and version). These fields alone cannot support
the current requests from the community.
There have been several proposals to officially support additional fields that will provide filtering capabilities requested by the community within the specification. Through these proposals the only change
to the current specification would be additional STIX fields to the “3.4.1 Supported Fields for Match Table” (see attachment for requested fields) yet focus on those proposals have not been prioritized over others.
Some of the additional filtering capabilities achievable from the provided proposals which have been requested by the community include but are not limited to:
·
Relationship pivoting (e.g. what are all relationships to a Campaign_X?)
·
Filtering upon specific information if an ID is not known (e.g. what is shared about 1.2.3.4?)
·
Filtering on TLP Markings (e.g. what TLP:AMBER data is available?)
·
Filtering on confidence values (e.g. what CTI has a high confidence value?)
·
Identify sighted data (e.g. what are all the sightings for Indicator_Y?)
Enhanced TAXII Filtering is a long requested capability from the community that will improve information sharing and is something the TC can provide quickly within TAXII 2.1. Releasing TAXII 2.1 without addressing
this gap will negatively reflect the priorities and focus of the TC to those whom have requested and anticipated this change for so long.
Marlon Taylor
Strategy & Resources
Cybersecurity and Infrastructure Security Agency
