RE: Re: [cti-users] TAXII Collections [SEC=UNCLASSIFIED]




Hey Josh,


We use a Collection per feed. We have many people polling the same collection (including a “test-data” collection so people are not using more sensitive stuff when hooking up/testing).


It would be interesting to be able to give people access to a subset of a collection based on a criteria – say TLP.


Some could see all, while others might only get say WHITE and GREEN (no AMBER).
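The per-consumer TLP filtering described above, together with the Data Feed (ordered, immutable log) versus Data Set (latest-version snapshot) semantics discussed later in this thread, as an added illustration that is not code from any of the posters or from a TAXII implementation. The record layout, the TLP ranking and the sample collection are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed TLP ordering for the access check: a consumer cleared for a given
# level may see that level and everything less restrictive below it.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass(frozen=True)
class StixRecord:
    """One immutable entry in a collection: a version of a STIX object with
    its publication timestamp and TLP marking (constructed, simplified)."""
    object_id: str
    version: datetime   # timestamp of this version of the object
    tlp: str
    payload: str


def visible_to(records, max_tlp):
    """Server-side access control: drop records above the consumer's clearance."""
    limit = TLP_RANK[max_tlp.upper()]
    return [r for r in records if TLP_RANK[r.tlp] <= limit]


def poll_data_feed(records, max_tlp, begin, end):
    """Data Feed semantics: an ordered, immutable log. Every version published
    in [begin, end] is returned, so an updated object appears twice."""
    return sorted(
        (r for r in visible_to(records, max_tlp) if begin <= r.version <= end),
        key=lambda r: r.version,
    )


def poll_data_set(records, max_tlp):
    """Data Set semantics: a snapshot view holding only the latest version of
    each object the consumer is allowed to see."""
    latest = {}
    for r in visible_to(records, max_tlp):
        if r.object_id not in latest or r.version > latest[r.object_id].version:
            latest[r.object_id] = r
    return sorted(latest.values(), key=lambda r: r.object_id)


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample collection: object A is published, then re-issued.
COLLECTION = [
    StixRecord("indicator--A", ts("2015-10-20T09:00:00"), "GREEN", "A v1"),
    StixRecord("indicator--B", ts("2015-10-21T09:00:00"), "AMBER", "B v1"),
    StixRecord("indicator--A", ts("2015-10-22T09:00:00"), "GREEN", "A v2 (updated)"),
]
```

A GREEN-cleared poll of the feed over the whole window returns both versions of A and never sees B; the same consumer polling the data set gets only the updated A.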






From: [hidden email] [mailto:[hidden email]] On Behalf Of Terry MacDonald
Sent: Friday, 23 October 2015 8:27 AM
To: Josh Larkins
Cc: [hidden email]
Subject: Re: [cti-users] TAXII Collections


Hi Josh,


From my understanding, most people use Collections per feed. In general most threat feeds I've seen send out the same data available to everyone who is allowed to poll that collection. 


With your data, does each customer get their own personalized feed of threat intel? Or do groups of customers get the same intel (e.g. some are in one group, and others in another)? If it's the former then you pretty much need a feed per customer. If it's the latter, then you can do a feed per group, and use internal access control policies or TAXII Query features to restrict the data that each individual customer receives (see section in TAXII Services Specification 1.1).


The best place to identify the differences between the Data Set and Data Feed concepts is in the TAXII Services Specification 1.1, section 5.2 (Data Collections and Content):


Data Feeds are considered to be ordered and immutable. I think of Data Feeds as logs. They effectively act as a record of what has happened at that time in the Collection and that 'record of fact' cannot be altered. You can of course issue a new updated version of STIX data, but it will be a new updated version of the STIX data with a new timestamp. Anyone querying the Data Feed and requesting a time period covering the initial issue of STIX Object A and the subsequently updated STIX Object A would see two copies of it.


Data Sets are effectively a snapshot of what it is like right now. I think of Data Sets as Database 'views'. They are a snapshot of the data in that collection right at that time. The next time the client polls, the complete data set may be the same, or it may be completely different. IMHO it's like a box of chocolates...


Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | [hidden email]




On 23 October 2015 at 01:54, Josh Larkins <[hidden email]> wrote:

I’m wondering if anyone could shed some light on how they map Collections in TAXII to the data they produce. In implementation discussions with our developer, it makes logical sense to us to align a TAXII Collection with an individual feed we might provide to a customer, thus n customers results in n Collections. Does that seem like a correct approach, assuming here that individual customers might have different permissions surrounding what data they’re allowed to receive?


Similar to the above question, we’re planning to use the Data Feed type, rather than a Data Set. Since it seems that some type of order would be needed to reliably retrieve data from a Poll Service, what is the use case for a Data Set type collection? The only thing I could come up with is canned, proof-of-concept type data for use in something like a POC.


Josh Larkins

Sr Threat Intel Analyst


Office: 703-350-4321


Twitter: @phishme


