Calling for input on a TAXII Query capability

Charles Schmidt (MITRE)
Hello all,

I apologize for the cross-post, but I wanted to make sure that this got to all
potentially interested parties.

We have received multiple requests that TAXII 1.1 support some sort of
attribute-based query and we need your help in determining what that
capability should look like. Towards this end, we are actively soliciting
your input on what you need in a TAXII query capability. We welcome any
contributions of requirements, use-cases, etc. While TAXII is capable of
sharing content expressed in any format, we are especially interested in
making sure we can serve the needs of the STIX/CybOX/MAEC users. Towards that
end, any query capability needs to be meaningful for retrieving data expressed
using those languages.

We are asking community members to send us examples of the kinds of queries
that they would like to see TAXII facilitate. The more concrete the example in
terms of what characteristics of data are considered, the more useful it will
be to us. Examples might include:
- "Return all objects that mention IP address X.X.X.X"
- "Return the STIX object with the ID
'example:Indicator-ba1d406e-937c-414f-9231-6e1dbe64fe8b'"
- "Return all incident reports that mention one of the following 6 IP
addresses {...} and report incidents that occurred between the following
dates (A, B)."
- "Return any malware analysis that includes any one of the following 5 file
hashes."

Our goal is to, relatively quickly, provide a standard TAXII query
capability that can handle the most common use-cases and which will cleanly
allow further evolution over time. If you could note whether certain types
of examples are more useful/common for you than others, as well as any other
requirements your local operation might have (e.g., any query needs to be
mappable to an SQL query), that would also help us better prioritize our
focus.

Please send responses to [hidden email]. All responses will be held in
strictest confidence and will not be shared outside the TAXII team without
prior permission from the sender.

We look forward to hearing from you.

Sincerely,
Charles
(For the TAXII Team)