CTI-TC Weekly Working Sessions


Meeting Date: October 18, 2016
Time: 15:00:00 UTC
Purpose: Weekly CTI-TC Joint Working Session
Attendees: Jordan - Moderator, Darley, Christian Hunt, Rich Piazza, Greg Back, Dave Cridland, Davidson, Taylor, Jon Baker, Katz, Jane Ginn - Recorder, Others
Agenda: TAXII 2.0 Discussions

Meeting Notes

Had a discussion after last call on working on a TAXII Workflow to illustrate various Questions, potential problems, gaps
We've had some people on Slack
- Started with idea that you have a STIX report then have a series of Refs
- How would a customer or End-User de-reference all of these Refs?
- How to automatically dereference them
- We'd like to step through this Workflow today to see if there are any questions
- Has everyone had a chance to go through it?
Why don't you go through it?
I've written code so I can push a button and go through this
One of the things we came across is that we see that what people wanted
Say you have a STIX object and you want to dereference it
Say SoltraEdge is advertising info from there you can go and identify the domain names
What we discovered was that there is no way to go and identify a Domain Name
We need to develop a solution for
That is a potential gap that we have identified
For each Referenced object there would be an Object in the Collections Resource
Used the example for foo
Have an ID Filter
Issue a GET Request and filter it by ID
We've also talked about a Version Filter or specify All
If the Version is not specified, then you would be returned the most recent Version
One open question that we had some discussion on Slack
Should TAXII be married to STIX IDs?
Reference in a normal, RESTful way or URL parameter
We are leaning towards NOT being married to STIX
We want to make sure that everyone agrees on this.

I don't mind if TAXII supports different schemes
But, we must have as an MTI that STIX Can be returned
Then that is the question
How to do that
This would be a Filter of the Objects
For TAXII API, are we going to require the exact ID of the STIX Object
Are we putting requirements on the STIX Schema, or not.
My feeling - Beyond being a valid URL, we should be able to use any ID
I'll chime in it should be a requirement of the Filter
I also agree with MTI
My only concern is that we need to make sure the TAXII server supports the ID
Can we cover this through a Discovery Request?
From how the Discovery Request return show how the format should be?
Yea, we could (gave example of how it might work)
Explained further what he means
I think it makes a lot more sense to have it discover it through the URI
Discusses how it might work
We are not hearing people complain about the Filter
All done in one way
I think we need to be cautious about building in too much optionality we've been down that road
Let's focus on the MTI for this release
OK
One of the other things we've talked about for a later release
We need to be able to tell server
About how much content the client can receive at one time
Provide an X-header that limits the amount of data
One of the things that has been brought up is a Range-header instead of X-header
If anyone else knows of other native commands, let us know
With ID, it should be available as a Filter and Type as a Filter
Type would be like Indicator Incident, etc.
- Also some discussion on Versioning
- Also, idea behind the Depth parameter then would tell them to resolve
We are not yet talking about how it would be encapsulated
Gave example of how would work
With a Report object
- It might have a Sighting object
- In sighting objects they have the ability to have other references
- The Depth idea is really a way to pull information about Sighting objects
- There are people with mixed feelings about this

Is there a way that you can specify that you want the full depth?
I'm sure you could you want to make sure you are not getting too much
For a consumer there should be a way to set a Max Depth
Plus 1 to Negative 1
I'll make note of that
You might be making too many HTTP Requests in order to get a full report
I agree, but we need to look at what that means for Implementers in terms of the volume of data
We also need to make sure that pagination is there.
Gave example of how a server would respond
That opens up the pagination question
If we do depth, we need to handle this
Can we exchange IDs for each Object
You would only have 2 HTTP requests
You still go to that recursion, because that is one off
Explains how it works
I don't think it is a substitute for Depth, just for Depth equals 1
It feels like a simpler solution and more predictable
Do we have query parameter for Time?
Gave example
We had Long Polling as a discussion early on
We discussed in Brussels
But we tabled for now
Open to standard Time-outs
There are some standard things that we will use with HTTP
Another issue is when you want to start doing recursion through the graph
[Gave example of recursion through the graph]
It may work in conjunction with Depth the idea of how to Walk through the Graph
I think that would be a combination of the Depth with the Query
It might be as simple as setting up a series of Calls
We don't really
If I have a Threat Actor ID, and then gave example of how
We could all that support
How many of the STIX properties we will make as URL properties
This ability to walk the graph, it will be very useful
We provided that kind of capability in our system you need to define which properties you Can pivot on
We had to add a lot of additional information
Gave example of Time Information
We don't want to bite off more than we can chew for this version
Gray Pivoting and referencing are two key things

Are we still looking at 6-month releases?
My personal opinion is that we would like to have that
The reason I asked is to let the Community know what to expect
I agree with you we need to get the opinions of all
What will be life boated to the next release
The point of this exercise is to walk through end-to-end so we can walk through
Went on to describe the Server Response section
Two ways that encoding of version can be handled
Discussed how MIME type handles it
Showed how MIME type syntax would be used for Versioning
For clarification, we won't have to change the MIME type, right?
That is a decision the STIX SC needs to make
With a Version that is not required, right?
Explained how
I like that
Moving down
Talked about JSON representation and how the data is returned
One of the open questions
How to handle HTTP redirect to a different location
If you went to a TAXII API
Is there a reason to prohibit redirects?
In TAXII, what would be the purpose of that?
Gave example of how it would be used in a rewrite
Another Use Case would be Vanity IDs
HTTP 206 Jason found this as an option we added explained how it would work
Discussed more about Error Codes
This came up in Jan/Feb when we first started talking about Collections
Gave examples of high volume versus low volume Servers
Gave examples of how to do optimizations
We want to make sure that the Spec can accommodate the high throughput vendors
So stepping through the example here
You ask for some number then ask for a Filter
Described how the 4.3 Example would work
I think it is a pretty good, pretty useful Workflow
Jane Asked the question about referencing Domain Names
I think we need to get the Workflow done, then we need to identify how to Identify where that we find that exists

This is something that Terry has talked about for a while how things are discoverable
It is a lot more complex than it seems
I think it is more than how to identify where to get a data feed
Maybe you have the producers tagged Created by Ref
Or, maybe you join a new Trust Group and you need to retrieve Data ings
I think it needs to be a parking lot item for now
Now it has been identified in a theoretical exercise but, not an issue in practice
One of the things that need to be done end-to-end
How does the client know that the Client and Server can talk to each other?
We need to make sure that things just work
Along those lines, we need to be clear about the quality of the data feed for That report
The assumption of this that you get some random report needs clarification
Going further if a Server does not want to be a Broker
Good point
That is something that is left to implementation and that is where it should stay
Gave example of how it would work
Could you add those comments into the document to your point if I go and ask for an indicator
How do I dereference that?
Gave example of how it would work
I chose the Report as an example
I wanted to do something that could help us illustrate problems
We are making an assumption of getting a series of data
I want to make sure that this part works first
Yea, that makes sense, I just want to make sure that assumptions are written down
Started adding text on potential gaps in the Workflow document
I would encourage you all to go through and add your comments
Jason has been pretty vocal so far telling us where we are going wrong
Thanks everybody for dialing in
We'd like to stabilize this document by the end of this week.
With that, we'll close the call.

Meeting Terminated