@johnwunder
Last active November 2, 2016 19:15
TAXII 2.0 Proposal

TAXII Use Case Example

Writeup

  1. An analyst or tool at Company A discovers a piece of malware and generates 5 indicators based on it.
  2. The analyst reviews the indicators' releasability and gets permission to share them. They send the 5 indicators to the ISAC.
  3. Company A gets permission to release the malware object. They send it, along with its relationships to the indicators, to the ISAC.
  4. Company B hears about that piece of malware and retrieves the content related to it (the malware object plus its indicators).
  5. Company B implements the indicators and blocks one file based on one of them.
  6. Company B returns the sighting to the ISAC.

Mechanics

  1. N/A
  2. Company A's TAXII client pushes 5 indicators to the ISAC's "emerging-malware" collection.
  3. Company A's TAXII client pushes 1 malware object and 5 relationships to the ISAC's "emerging-malware" collection.
  4. Company B's TAXII client queries the collection (perhaps by malware name) to get the malware plus any related indicators.
  5. N/A
  6. Company B's TAXII client pushes 1 sighting to the ISAC's "sightings" collection.

Create Single Object

Request

POST /collections/high-value-intel/objects
Accept: application/taxii+json

{
  "type": "indicator",
  "id": "indicator--ebe536de-23bd-4c1c-94d4-30e0e371a877",
  "version": 1,
  "created_by_ref": "identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d"
}

Response

HTTP/1.1 201 Created
Location: /collections/high-value-intel/objects/indicator--ebe536de-23bd-4c1c-94d4-30e0e371a877

{
  "data": {
    "type": "indicator",
    "id": "indicator--ebe536de-23bd-4c1c-94d4-30e0e371a877",
    "version": 1,
    "created_by_ref": "identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d"
  }
}

Get Single Object

Request

GET /collections/high-value-intel/objects/indicator--ebe536de-23bd-4c1c-94d4-30e0e371a877
Accept: application/taxii+json

Response

HTTP/1.1 200 OK

{
  "data": {
    "type": "indicator",
    "id": "indicator--ebe536de-23bd-4c1c-94d4-30e0e371a877",
    "version": 1,
    "created_by_ref": "identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d"
  },
  "links": {
    "identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d": "/collections/sources/identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d"
  }
}

Get Multiple Objects

Request

GET /collections/high-value-intel/objects?filter=some-query&page=1&per_page=10
Accept: application/stix+json

Response

HTTP/1.1 200 OK

{
  "data": {
    "indicators": [
      { ... },
      { ... },
      ...
    ],
    "malware": [
      { ... }
    ]
  },
  "links": {
    "identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d": "/collections/sources/identity--0360b2ff-7d9e-4857-a4e3-da09d2ae3d4d"
  },
  "total": 1423,
  "page": 1,
  "per_page": 10
}

Create/Update Multiple Objects

Request

POST /collections/high-value-intel/bulk

{
  "indicators": [
    { ... },
    { ... }
  ]
}

Response

HTTP/1.1 200 OK

{
  "status": "completed",
  "success": 1,
  "submitted": 2,
  "errors": {
    "indicator--123": {"code": 422, "message": "not acceptable, pattern invalid"}
  },
  "data": {
    "indicator--342": {"code": 201, "location": "/wherever"}
  }
}
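As an added example that is not part of the gist, a small Python client-side helper for the bulk endpoint above: it groups objects into the request body and reconciles the per-id "errors" and "data" maps of the response, since the 200 only says the bulk operation ran, not that every object was accepted. The STIX_ID pattern and the fallback key rule for types other than indicator and malware are assumptions.

```python
import re
import uuid
from typing import Dict, List, Optional

# Identifiers in the proposal are "<type>--<uuid>" (e.g. the indicator id above).
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Top-level keys of the bulk body as the proposal shows them ("indicators",
# "malware"); the fallback of appending "s" for other types is an assumption.
BULK_KEYS = {"indicator": "indicators", "malware": "malware"}


def make_object(obj_type: str, created_by_ref: str, obj_id: Optional[str] = None) -> dict:
    """Build an object with the four fields the proposal's examples carry."""
    obj_id = obj_id or f"{obj_type}--{uuid.uuid4()}"
    if not STIX_ID.match(obj_id):
        raise ValueError(f"malformed STIX id: {obj_id}")
    return {"type": obj_type, "id": obj_id, "version": 1, "created_by_ref": created_by_ref}


def bulk_body(objects: List[dict]) -> Dict[str, List[dict]]:
    """Group objects by type into the JSON body for POST /collections/<name>/bulk."""
    body: Dict[str, List[dict]] = {}
    for obj in objects:
        key = BULK_KEYS.get(obj["type"], obj["type"] + "s")
        body.setdefault(key, []).append(obj)
    return body


def reconcile_bulk(submitted: List[dict], response: dict) -> dict:
    """Classify every submitted id using the per-id maps of a bulk response.

    The server answers 200 even when some objects were rejected, so the
    client must read "errors" and "data" rather than the HTTP status. Ids in
    neither map, and count mismatches, are flagged so nothing is silently
    assumed to have been shared.
    """
    errors, data = response.get("errors", {}), response.get("data", {})
    result = {"accepted": [], "rejected": {}, "unaccounted": []}
    for obj in submitted:
        oid = obj["id"]
        if oid in errors:
            result["rejected"][oid] = f"{errors[oid].get('code')}: {errors[oid].get('message')}"
        elif oid in data:
            result["accepted"].append(oid)
        else:
            result["unaccounted"].append(oid)
    result["consistent"] = (response.get("status") == "completed"
                            and response.get("submitted") == len(submitted)
                            and response.get("success") == len(result["accepted"]))
    return result
```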