All,
Posting on behalf of Dean Thompson (
Dean.Thompson@anz.com)
Hi,
Does anyone see benefit in these two use cases as well:
·
Query for all known indicators given an observable
·
True/False return or return ID ref of a STIX report/package which contains whether an observable has been seen
o
Potentially very useful for tool integration
And I know that this is a use case discussion, but with regards to channels:
·
Subscribe to a channel for the detection of a certain observable/inidicator/incident and send me the package/report if you see it (long
time lurker / one time sender)
Regards,
Dean
-Mark
P.S. Friendly reminder that you cannot post to the subcommittee list as an observer, only as a member. You can update your status by requesting a change directly
to Bret or I (we have an admin panel that we can make these changes in), or you can unsubscribe / resubscribe as a member.
From:
cti-taxii@lists.oasis-open.org [mailto:
cti-taxii@lists.oasis-open.org]
On Behalf Of Jordan, Bret
Sent: Thursday, August 13, 2015 12:12 AM
To: Wunder, John A. <
jwunder@mitre.org>;
cti-taxii@lists.oasis-open.org Subject: Re: [cti-taxii] Query Use Cases Needed!
All these are really good use cases. Thanks for taking the time to write them down. As these are all falling in to a general theme I think we can now being to look at the ideas that we need to support them....
So what I get from this discussion is:
1) We need a way for a client to present some sort of key/value pair where the key is the object identifier and the type of dataset that the value exists in and then the value is what it contains.
2) We need the ability to say, if that value in the object equals something, does not equal something, contains, etc.
3) We need the ability to say this object AND this other object or this OR that.
Some examples...
1) Give me all indicators that contain a name of XYZ, that were seen between 2015-07-01T00:00:00 AND 2015-07-01T00:01:00 but not indicators with a TTP of FOO
2) Give me all TTPs with a name that contains ABC, and have observables in the following net block 4.0.0.0/8 and happened during January or February of 2015
The trick is going to be making this easy to do... As with all discussions on TAXII, we can easily and rapidly go from high level use-cases to putting rubber to the road.
Simple Example Structures of a Query (to get the discussion going)
Query:
Key: stix-indicator-name
Value: RedHat
Operator: contains
Query
Key: stix-indicator-id
Value: 1111-1234-1234-54321
Operator: equals
This is pretty easy to wrap our brains around.... What gets more tricky is how to do an AND or an OR operator. Any thoughts?
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Aug 12, 2015, at 13:47, Wunder, John A. <
jwunder@mitre.org > wrote:
So here’s a few I’ve needed personally (project only partially uses STIX/TAXII now, but the concepts translate):
·
Return all courses of action related to a given set of TTPs (granted this relationship does not exist in STIX now)
·
Return all TTPs for a given set of indicators
·
Return all incidents for a given set of indicators
·
Query by construct type + title (I.e. Give me all campaigns where the name matches Deep Panda)
·
The most advanced one I can think of: return incidents with specific affected asset (identified by IP or ID)
John
From:
<
cti-taxii@lists.oasis-open.org > on behalf of Jason Keirstead
Date: Wednesday, August 12, 2015 at 3:36 PM
To: Mark Davidson
Cc: "
cti-taxii@lists.oasis-open.org "
Subject: Re: [cti-taxii] Query Use Cases Needed!
Query by threat actor (with expected string search options) I would think to be important.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown
<graycol.gif> "Davidson II, Mark S" ---2015/08/12 03:22:56 PM---All, Since query was called out yesterday as a potential challenge for the Channel model that's been
From:
"Davidson II, Mark S" <
mdavidson@mitre.org >
To:
"
cti-taxii@lists.oasis-open.org " <
cti-taxii@lists.oasis-open.org >
Date:
2015/08/12 03:22 PM
Subject:
[cti-taxii] Query Use Cases Needed!
Sent by:
<
cti-taxii@lists.oasis-open.org >
All,
Since query was called out yesterday as a potential challenge for the Channel model that’s been proposed for TAXII, I’d like for us to try and validate the Channel model against query use cases. I’d like for us to start by identifying query use cases that we
think we care about. For now, a one-liner of the use case is probably the right level of abstraction (we can add more detail later).
To get the conversation started, here are some things I’ve heard on the list:
·
Query by ID
· Query by “observable” (e.g., IP / Hash)
Once we’ve collected the use cases, we can analyze their impact on the channel model. Please offer up your one-liner query use cases!
Thank you.
-Mark
P.S. We have not forgotten the query discussions of old; this is partly to generate discussion and partly to see what’s still on the forefront.
<graycol.gif>
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php