[cti-users] TAXII Collections

[cti-users] TAXII Collections

Josh Larkins

I’m wondering if anyone could shed some light on how they map Collections in TAXII to the data they produce. In implementation discussions with our developer, it makes logical sense to us to align a TAXII Collection with an individual feed we might provide to a customer, thus n customers results in n Collections. Does that seem like a correct approach, assuming here that individual customers might have different permissions surrounding what data they’re allowed to receive?

 

Similar to the above question, we’re planning to use the Data Feed type, rather than a Data Set. Since it seems that some type of order would be needed to reliably retrieve data from a Poll Service, what is the use case for a Data Set type collection? The only thing I could come up with is a canned, proof of concept, type data for use in something like a POC.

 

Josh Larkins

Sr Threat Intel Analyst

PhishMe 

Office:  703-350-4321

Web: www.phishme.com

Twitter: @phishme

 


Re: [cti-users] TAXII Collections

Terry MacDonald-3

Hi Josh,

 

From my understanding, most people use Collections per feed. In general most threat feeds I've seen send out the same data available to everyone who is allowed to poll that collection. 

 

With your data, does each customer get their own personalized feed of threat intel? Or do groups of customers get the same intel (e.g. some are in one group, and others in another)? If it's the former then you pretty much need a feed per customer. If it's the latter, then you can do a feed per group, and use internal access control policies or TAXII Query features to restrict the data that each individual customer receives (see section 5.2.2.1 in the TAXII Services Specification 1.1).

 

The best place to identify the differences between the Data Set and Data Feed concepts is in the TAXII Services Specification 1.1, section 5.2 (Data Collections and Content): https://taxiiproject.github.io/releases/1.1/TAXII_Services_Specification.pdf.

 

Data Feeds are considered to be ordered and immutable. I think of Data Feeds as logs. They effectively act as a record of what has happened at that time in the Collection, and that 'record of fact' cannot be altered. You can of course issue a new updated version of STIX data, but it will be a new updated version of the STIX data with a new timestamp. Anyone querying the Data Feed and requesting a time period covering the initial issue of STIX Object A and the subsequently updated STIX Object A would see two copies of it.

 

Data Sets are effectively a snapshot of what it is like right now. I think of Data Sets as database 'views'. They are a snapshot of the data in that collection right at that time. The next time the client polls, the complete data set may be the same, or it may be completely different. IMHO it's like a box of chocolates...


Cheers

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | [hidden email]

 

 

 

On 23 October 2015 at 01:54, Josh Larkins <[hidden email]> wrote:


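The Data Feed vs Data Set distinction in Terry's reply, modelled as an added example (not code from the thread or from any TAXII implementation): a Data Feed is an append-only, time-ordered log polled by exclusive-begin / inclusive-end timestamps as in TAXII 1.1, so an updated STIX Object A shows up twice in a window covering both issues, while a Data Set keeps only the current state per object. Class names, the `ContentBlock` fields and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ContentBlock:
    """One published STIX package: which object it carries and when it was issued."""
    stix_id: str
    version: int
    timestamp: datetime
    summary: str


class DataFeed:
    """Ordered and immutable: publications are appended, never overwritten or removed."""
    def __init__(self) -> None:
        self._log: list[ContentBlock] = []

    def publish(self, block: ContentBlock) -> None:
        if self._log and block.timestamp < self._log[-1].timestamp:
            raise ValueError("Data Feed is append-only and time-ordered")
        self._log.append(block)

    def poll(self, begin: datetime, end: datetime) -> list[ContentBlock]:
        # Exclusive begin / inclusive end, matching TAXII 1.1 Poll request semantics
        return [b for b in self._log if begin < b.timestamp <= end]


class DataSet:
    """A view of current state: one block per STIX id, history is not retained."""
    def __init__(self) -> None:
        self._current: dict[str, ContentBlock] = {}

    def publish(self, block: ContentBlock) -> None:
        self._current[block.stix_id] = block  # a later version replaces the earlier one

    def poll(self) -> list[ContentBlock]:
        return list(self._current.values())


def publish_two_versions() -> tuple[list[ContentBlock], list[ContentBlock]]:
    """Issue STIX Object A, then an updated version of it, into both collection types."""
    t0 = datetime(2015, 10, 23, 1, 0, tzinfo=timezone.utc)  # constructed timestamps
    t1 = datetime(2015, 10, 23, 2, 0, tzinfo=timezone.utc)
    v1 = ContentBlock("indicator-A", 1, t0, "malicious URL, low confidence")
    v2 = ContentBlock("indicator-A", 2, t1, "malicious URL, high confidence")
    feed, dataset = DataFeed(), DataSet()
    for block in (v1, v2):
        feed.publish(block)
        dataset.publish(block)
    window_start = datetime(2015, 10, 23, 0, 0, tzinfo=timezone.utc)
    return feed.poll(window_start, t1), dataset.poll()
```

Polling the feed over the whole window returns both versions of indicator-A; polling the set returns only version 2.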