There are a number of use cases that have been brought up by various members of the community that could be easily supported via TAXII filtering.
Some of the additional filtering capabilities achievable from the provided proposals, which have been requested by the community, include but are not limited to:
Relationship pivoting (e.g. what are all relationships to a Campaign_X?)
Filtering upon specific information if an ID is not known (e.g. what is shared about 1.2.3.4?)
Filtering on TLP Markings (e.g. what TLP:AMBER data is available?)
Filtering on confidence values (e.g. what CTI has a high confidence value?)
Identify sighted data (e.g. what are all the sightings for Indicator_Y?)
Relevant Issues:
RFE: TAXII Observed Data Query. #4
Add ability to find all objects related to a particular STIX object ID, to prevent an indeterminate number of queries to find them all. #6
Need ability to request related objects in one request to a distance of 1(?). #7
As a User, I want to traverse the STIX graph over TAXII in an efficient manner, so I don't waste resources. #15
No way to query internal references. #68
We are not requesting a full solution to this, but some of these issues can be addressed and added to TAXII 2.1 while a new solution is designed for a future specification.
The fields currently identified for addition to the document follow (Section 3.4.1: Supported Fields for Matching):
source_ref
The source STIX identifier of the object(s) contained in a relationship object.
Examples:
?match[source_ref]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
?match[source_ref]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb,indicator--4600ad1b-fff1-4c58-bcc9-4de3bc5e2ffd
target_ref
The target STIX identifier of the object(s) contained in a relationship object.
Examples:
?match[target_ref]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
?match[target_ref]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb,indicator--4600ad1b-fff1-4c58-bcc9-4de3bc5e2ffd
relationship_type
The relationship type of the object(s) contained in a relationship object.
Examples:
?match[relationship_type]=indicates
?match[relationship_type]=indicates,uses
sighting_of_ref
The STIX identifier of the object(s) referenced from a sighting object.
Examples:
?match[sighting_of_ref]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
?match[sighting_of_ref]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb,sighting--4600ad1b-fff1-4c58-bcc9-4de3bc5e2ffd
object_marking_refs
The marking-definition identifier applied to any STIX object(s).
Examples:
?match[object_marking_refs]=marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9
?match[object_marking_refs]=marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9,marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da
tlp
The marking-definition identifier applied to object(s). This is a shorthand for objects specifically marked with a TLP marking. The only allowed values are white, green, amber, and red. The specific ID for each TLP color MUST be mapped as defined in the TLP Marking Object Type section of [STIX™ Version 2.1].
Examples:
?match[tlp]=white
?match[tlp]=white,green
external_id
An identifier present in the external_references property of any STIX object(s).
Examples:
?match[external_id]=CVE-2016-1234
?match[external_id]=CWE-20,T1245
source_name
A source name present in the external_references property of any STIX object(s).
Examples:
?match[source_name]=cve
?match[source_name]=capec,veris
created_by_ref
The identity (creator) identifier applied to any STIX object(s).
Examples:
?match[created_by_ref]=identity--caa40b90-15b0-4833-8475-712dfec0ff5e
?match[created_by_ref]=identity--caa40b90-15b0-4833-8475-712dfec0ff5e,identity--07ab6eac-cb81-4ae3-8e09-ab1e185fc31f
confidence
The confidence value applied to any STIX object(s).
Examples:
?match[confidence]=90
?match[confidence]=90,91,92,93,94,95,96,97,98,99,100
sectors
The sectors property present in identity object(s).
Examples:
?match[sectors]=energy
?match[sectors]=financial-services,manufacturing
labels
The label value(s) applied to any STIX object(s).
Examples:
?match[labels]=trickbot
?match[labels]=totbrick,tspy_trickload
object_refs
An identifier present in the object_refs property of STIX grouping, observed-data or report object(s).
Examples:
?match[object_refs]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
?match[object_refs]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb,sighting--4600ad1b-fff1-4c58-bcc9-4de3bc5e2ffd
value
The value present in the value property of the STIX SCOs ipv4-addr, ipv6-addr, domain-name, email-addr, mac-addr, and url.
Examples:
?match[value]=198.51.100.3
?match[value]=john@example.com,doe@example.com
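As an added example (not part of this proposal or of any TAXII implementation), a small Python matcher that parses match[field] query strings of the form shown above and applies them to STIX objects: comma-separated values within a field are ORed, separate fields are ANDed, the tlp shorthand is resolved to marking-definition IDs (white and green as listed on this page, amber and red taken from the STIX 2.1 TLP Marking Object Type section), and external_id/source_name are looked up inside external_references. The sample objects, and the relationship, sighting and ipv4-addr IDs, are constructed for the example.

```python
from urllib.parse import parse_qs

# TLP shorthand -> STIX 2.1 marking IDs (white/green from this page, amber/red from the STIX 2.1 spec).
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Constructed sample objects (not real CTI); the indicator ID reuses the page's example.
IND = "indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb"
SAMPLE = [
    {"type": "indicator", "id": IND, "confidence": 90, "labels": ["trickbot"],
     "object_marking_refs": [TLP_IDS["white"]],
     "external_references": [{"source_name": "cve", "external_id": "CVE-2016-1234"}]},
    {"type": "relationship", "id": "relationship--11111111-1111-4111-8111-111111111111",
     "relationship_type": "indicates", "source_ref": IND,
     "target_ref": "malware--22222222-2222-4222-8222-222222222222"},
    {"type": "sighting", "id": "sighting--33333333-3333-4333-8333-333333333333", "sighting_of_ref": IND},
    {"type": "ipv4-addr", "id": "ipv4-addr--44444444-4444-4444-8444-444444444444", "value": "198.51.100.3"},
]

def parse_match(query: str) -> dict:
    """'?match[a]=x,y&match[b]=z' -> {'a': {'x', 'y'}, 'b': {'z'}}."""
    filters = {}
    for key, raw in parse_qs(query.lstrip("?")).items():
        if key.startswith("match[") and key.endswith("]"):
            vals = {v for r in raw for v in r.split(",")}  # comma list = OR within the field
            if key == "match[tlp]" and not vals <= set(TLP_IDS):
                raise ValueError("tlp accepts only white, green, amber, red")
            filters.setdefault(key[6:-1], set()).update(vals)
    return filters

def field_values(obj: dict, field: str) -> set:
    """Candidate values of one filter field on a STIX object, as strings."""
    if field == "tlp":  # shorthand: resolve marking IDs back to TLP colours
        marks = obj.get("object_marking_refs", [])
        return {c for c, mid in TLP_IDS.items() if mid in marks}
    if field in ("external_id", "source_name"):  # nested inside external_references
        return {r[field] for r in obj.get("external_references", []) if field in r}
    val = obj.get(field)  # list-valued props (labels, object_refs, ...) or scalars
    if val is None:
        return set()
    return set(map(str, val)) if isinstance(val, list) else {str(val)}

def apply_match(objects: list, query: str) -> list:
    """Keep objects matching every match[field]; fields are ANDed, values ORed."""
    filters = parse_match(query)
    return [o for o in objects if all(field_values(o, f) & w for f, w in filters.items())]
```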
There is concern that the latest draft of the additional filters document presents a mix of what "match" means. It has been suggested that additional URL query parameters be defined in some cases. See #111 Additional URL query parameters.
TAXII Additional Filters Proposal - MarlonEmmanuelle - Dec 9 - V1.0.pdf