TAXII Version 2.0

Committee Specification 01

19 July 2017

Specification URIs

This version:
http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.docx (Authoritative)
http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.html
http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.pdf

Previous version:
http://docs.oasis-open.org/cti/taxii/v2.0/csprd01/taxii-v2.0-csprd01.docx (Authoritative)
http://docs.oasis-open.org/cti/taxii/v2.0/csprd01/taxii-v2.0-csprd01.html
http://docs.oasis-open.org/cti/taxii/v2.0/csprd01/taxii-v2.0-csprd01.pdf

Latest version:
http://docs.oasis-open.org/cti/taxii/v2.0/taxii-v2.0.docx (Authoritative)
http://docs.oasis-open.org/cti/taxii/v2.0/taxii-v2.0.html
http://docs.oasis-open.org/cti/taxii/v2.0/taxii-v2.0.pdf

Technical Committee:
OASIS Cyber Threat Intelligence (CTI) TC

Chair:
Richard Struse (Richard.Struse@hq.dhs.gov), DHS Office of Cybersecurity and Communications (CS&C)

Editors:
John Wunder (jwunder@mitre.org), MITRE Corporation
Mark Davidson (Mark.Davidson@nc4.com), NC4
Bret Jordan (bret_jordan@symantec.com), Symantec Corp.

Related work:

This specification replaces or supersedes:
- TAXII Version 1.1.1. Part 1: Overview. Edited by Mark Davidson, Charles Schmidt, and Bret Jordan. Latest version: http://docs.oasis-open.org/cti/taxii/v1.1.1/taxii-v1.1.1-part1-overview.html.

This specification is related to:
- STIX Version 2.0. Part 1: STIX Core Concepts. Edited by Rich Piazza, John Wunder, and Bret Jordan. Latest version: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part1-stix-core.html.
- STIX Version 2.0. Part 2: STIX Objects. Edited by Rich Piazza, John Wunder, and Bret Jordan. Latest version: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part2-stix-objects.html.
- STIX Version 2.0. Part 3: Cyber Observable Core Concepts. Edited by Ivan Kirillov and Trey Darley. Latest version: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part3-cyber-observable-core.html.
- STIX Version 2.0. Part 4: Cyber Observable Objects. Edited by Ivan Kirillov and Trey Darley. Latest version: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber-observable-objects.html.
- STIX Version 2.0. Part 5: STIX Patterning. Edited by Ivan Kirillov and Trey Darley. Latest version: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html.

Abstract:

Trusted Automated eXchange of Intelligence Information (TAXII) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. This specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.

Status:

This document was last revised or approved by the OASIS Cyber Threat Intelligence (CTI) TC on the above date. The level of approval is also listed above. Check the "Latest version" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti#technical.

TC members should send comments on this specification to the TC's email list. Others should send comments to the TC's public comment list, after subscribing to it by following the instructions at the "Send A Comment" button on the TC's web page at https://www.oasis-open.org/committees/cti/.

This Committee Specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/cti/ipr.php).

Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product's prose narrative document(s), the content in the separate plain text file prevails.

Citation format:

When referencing this specification the following citation format should be used:

[TAXII-v2.0]
TAXII Version 2.0. Edited by John Wunder, Mark Davidson, and Bret Jordan. 19 July 2017. OASIS Committee Specification 01. http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.html. Latest version: http://docs.oasis-open.org/cti/taxii/v2.0/taxii-v2.0.html.

Notices

Copyright OASIS Open 2017. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.

OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.

Portions copyright United States Government 2012-2017. All Rights Reserved.

STIX, CYBOX, AND TAXII (STANDARD OR STANDARDS) AND THEIR COMPONENT PARTS ARE PROVIDED "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THESE STANDARDS OR ANY OF THEIR COMPONENT PARTS WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR FREEDOM FROM INFRINGEMENT, ANY WARRANTY THAT THE STANDARDS OR THEIR COMPONENT PARTS WILL BE ERROR FREE, OR ANY WARRANTY THAT THE DOCUMENTATION, IF PROVIDED, WILL CONFORM TO THE STANDARDS OR THEIR COMPONENT PARTS. IN NO EVENT SHALL THE UNITED STATES GOVERNMENT OR ITS CONTRACTORS OR SUBCONTRACTORS BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THESE STANDARDS OR THEIR COMPONENT PARTS OR ANY PROVIDED DOCUMENTATION, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE STANDARDS, THEIR COMPONENT PARTS, AND ANY PROVIDED DOCUMENTATION. THE UNITED STATES GOVERNMENT DISCLAIMS ALL WARRANTIES AND LIABILITIES REGARDING THE STANDARDS OR THEIR COMPONENT PARTS ATTRIBUTABLE TO ANY THIRD PARTY, IF PRESENT IN THE STANDARDS OR THEIR COMPONENT PARTS AND DISTRIBUTES IT OR THEM "AS IS."

Table of Contents

1 Introduction
  1.0 IPR Policy
  1.1 Terminology
  1.2 Normative References
  1.3 Document Conventions
    1.3.1 Naming Conventions
    1.3.2 Font Colors and Style
  1.4 Overview
    1.4.1 Discovery
    1.4.2 API Roots
    1.4.3 Endpoints
    1.4.4 Collections
    1.4.5 Channels
    1.4.6 Transport
    1.4.7 Content Negotiation
    1.4.8 Authentication and Authorization
    1.4.9 STIX and Other Content
2 Data Types
3 TAXII API - Core Concepts
  3.1 Endpoints
  3.2 HTTP Headers
  3.3 Sorting
  3.4 Pagination
    3.4.1 Object and Collection Ranges
    3.4.2 Requirements
    3.4.3 Endpoints Supporting Pagination
  3.5 Filtering
    3.5.1 Supported Fields for Match
  3.6 Errors
    3.6.1 Error Message
  3.7 Object Resource
  3.8 Property Names
  3.9 DNS SRV Names
4 TAXII API - Server Information
  4.1 Server Discovery
    4.1.1 Discovery Resource
  4.2 Get API Root Information
    4.2.1 API Root Resource
  4.3 Get Status
    4.3.1 Status Resource
5 TAXII API - Collections
  5.1 Get Collections
    5.1.1 Collections Resource
  5.2 Get a Collection
    5.2.1 Collection Resource
  5.3 Get Objects
  5.4 Add Objects
  5.5 Get an Object
  5.6 Get Object Manifests
    5.6.1 Manifest Resource
6 TAXII API - Channels
7 Customizing TAXII Resources
  7.1 Custom Properties
    7.1.1 Requirements
8 Conformance
  8.1 TAXII Servers
    8.1.1 TAXII 2.0 Server
    8.1.2 TAXII 2.0 Collections Server
    8.1.3 TAXII 2.0 Channels Server
  8.2 Mandatory Server Features
    8.2.1 TAXII Server Core Requirements
    8.2.2 HTTPS and Authentication Server Requirements
  8.3 Optional Server Features
    8.3.1 Client Certificate Verification
  8.4 TAXII Clients
    8.4.1 TAXII 2.0 Client
    8.4.2 TAXII 2.0 Collections Client
    8.4.3 TAXII 2.0 Channels Client
  8.5 Mandatory Client Features
    8.5.1 HTTPS and Authentication Client Requirements
    8.5.2 Server Certificate Verification
Appendix A. Glossary
Appendix B. Acknowledgments
Appendix C. Revision History

1 Introduction

TAXII is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. This specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.

1.0 IPR Policy

This Committee Specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/cti/ipr.php).

1.1 Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

All text is normative except for examples, the overview (section 1.4), and any text marked non-normative.

1.2 Normative References

[HTTP Auth] IANA, "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry", March 2017, [Online]. Available: https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml

[ISO10646] "ISO/IEC 10646:2014 Information technology -- Universal Coded Character Set (UCS)", 2014. [Online]. Available: http://standards.iso.org/ittf/PubliclyAvailableStandards/c063182_ISO_IEC_10646_2014.zip

[RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969, http://www.rfc-editor.org/info/rfc20.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, http://www.rfc-editor.org/info/rfc2119.

[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, DOI 10.17487/RFC2782, February 2000, http://www.rfc-editor.org/info/rfc2782.

[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, http://www.rfc-editor.org/info/rfc3339.

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, http://www.rfc-editor.org/info/rfc4033.

[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, http://www.rfc-editor.org/info/rfc4122.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, http://www.rfc-editor.org/info/rfc5246.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, http://www.rfc-editor.org/info/rfc5280.

[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 2011, http://www.rfc-editor.org/info/rfc6125.

[RFC6818] Yee, P., "Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 6818, DOI 10.17487/RFC6818, January 2013, http://www.rfc-editor.org/info/rfc6818.

[RFC7230] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, http://www.rfc-editor.org/info/rfc7230.

[RFC7231] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, http://www.rfc-editor.org/info/rfc7231.

[RFC7233] Fielding, R., Ed., Y. Lafon, Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Range Requests", RFC 7233, DOI 10.17487/RFC7233, June 2014, http://www.rfc-editor.org/info/rfc7233.

[RFC7235] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Authentication", RFC 7235, DOI 10.17487/RFC7235, June 2014, http://www.rfc-editor.org/info/rfc7235.

[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, May 2015, http://www.rfc-editor.org/info/rfc7540.

[RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", RFC 7617, DOI 10.17487/RFC7617, September 2015, http://www.rfc-editor.org/info/rfc7617.

[RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671, October 2015, http://www.rfc-editor.org/info/rfc7671.

[TLS1.3] E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.3 draft-ietf-tls-tls13-20", RFC draft, [Online]. Available: https://tools.ietf.org/html/draft-ietf-tls-tls13-20.

1.3 Document Conventions

1.3.1 Naming Conventions

All type names, property names and literals are in lowercase. Words in property names are separated with an underscore (_), while words in type names and string enumerations are separated with a hyphen (Unicode hyphen-minus, U+002D, '-'). All type names, property names, object names, and vocabulary terms are between three and 250 characters long.

1.3.2 Font Colors and Style

The following color, font and font style conventions are used in this document:

- The Consolas font is used for all type names, property names and literals.
  - resource and type names are in red with a light red background – collection
  - property names are in bold style – description
  - parameter names in URLs are stylized with angled brackets
  - literals (values) are in blue with a blue background – complete
- All examples in this document are expressed in JSON. They are in Consolas 9-point font, with straight quotes, black text and a light grey background, and 2-space indentation.
- Parts of the example may be omitted for conciseness and clarity. These omitted parts are denoted with ellipses (...).

1.4 Overview

Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models. Specifically, TAXII defines two primary services, Collections and Channels, to support a variety of commonly-used sharing models. Collections allow a producer to host a set of CTI data that can be requested by consumers. Channels allow producers to push data to many consumers; and allow consumers to receive data from many producers. Collections and Channels can be organized by grouping them into an API Root to support the needs of a particular trust group or to organize them in some other way.

Note: This version of the TAXII specification reserves the keywords required for Channels but does not specify Channel services. Channels and their services will be defined in a subsequent version of this specification.

TAXII is specifically designed to support the exchange of CTI represented in STIX. As such, the examples and some features in the specification are intended to align with STIX. This does not mean TAXII cannot be used to share data in other formats; it is designed for STIX, but is not limited to STIX.

1.4.1 Discovery

This specification defines two discovery methods. The first is a network level discovery that uses a DNS SRV record [RFC2782]. This DNS SRV record can be used to advertise the location of a TAXII Server within a network (e.g., so that TAXII-enabled security infrastructure can automatically locate an organization's internal TAXII Server) or to the general Internet. See section 3.9 for complete information on advertising TAXII Servers in DNS.

The second discovery method is a Discovery Endpoint (this specification uses the term Endpoint to identify a URL and an HTTP method with a defined request and response) that enables authorized clients to obtain information about a TAXII Server and get a list of API Roots. See section 4.1 for complete information on the Discovery Endpoint.

1.4.2 API Roots

API Roots are logical groupings of TAXII Channels, Collections, and related functionality. A TAXII server instance can support one or more API Roots. API Roots can be thought of as instances of the TAXII API available at different URLs, where each API Root is the "root" URL of that particular instance of the TAXII API. Organizing the Channels and Collections into API Roots allows for a division of content and access control by trust group or any other logical grouping. For example, a single TAXII Server could host multiple API Roots - one API Root for Channels and Collections used by Sharing Group A and another API Root for Channels and Collections used by Sharing Group B.

Each API Root contains a set of Endpoints that a TAXII Client contacts in order to interact with the TAXII Server. This interaction can take several forms:

- Server Discovery, as described above, can be used to learn about the API Roots hosted by a TAXII Server.
- Each API Root might support zero or more Collections. Interactions with Collections include discovering the type of CTI contained in that Collection, pushing new CTI to that Collection, and/or retrieving CTI from that Collection. Each piece of CTI content in a Collection is referred to as an Object.
- Each API Root might host zero or more Channels.
- Each API Root also allows TAXII Clients to check on the Status of certain types of requests to the TAXII Server. For example, if a TAXII Client submitted new CTI, a Status request can allow the Client to check on whether the new CTI was accepted.

Figure 1.1 summarizes the relationships between the components of an API Root.

Figure 1.1

1.4.3 Endpoints

An Endpoint consists of a specific URL and HTTP Method on a TAXII Server that a TAXII Client can contact to engage in one, specific type of TAXII exchange. For example, each Collection on a TAXII Server has an Endpoint that can be used to get information about it; TAXII Clients can contact the Collection's Endpoint to request a description of that Collection. A separate Endpoint is used for the TAXII Client to collect a manifest of that Collection's Content. Yet another Endpoint is used to get objects from the Collection and, at the same URL, a POST can be used to add objects to the collection. The Endpoints supported by a TAXII Server are summarized in section 3.1 and fully defined in sections 4, 5, and 6.

1.4.4 Collections

A TAXII Collection is an interface to a logical repository of CTI objects provided by a TAXII Server and is used by TAXII Clients to send information to the TAXII Server or request information from the TAXII Server. A TAXII Server can host multiple Collections per API Root, and Collections are used to exchange information in a request–response manner. Figure 1.2 below illustrates how Collection based communications are used when a single TAXII Client makes a request to a TAXII Server and the TAXII Server fulfills that request with information available to the TAXII Server (nominally from a database).

1.4.5 Channels

A TAXII Channel is maintained by a TAXII Server and enables TAXII Clients to exchange information with other TAXII Clients in a publish-subscribe model. TAXII Clients can publish messages to Channels and subscribe to Channels to receive published messages. A TAXII Server may host multiple Channels per API Root. Figure 1.3 below illustrates how Channel communications are used when a single authorized TAXII Client sends a message to the TAXII Server, and that TAXII Server then distributes the message to all authorized TAXII Clients that are connected to the Channel.

The arrows in the following diagrams represent data flow.

Figure 1.2

Figure 1.3

1.4.6 Transport

The TAXII protocol defined in this specification uses HTTPS (HTTP over TLS) as the transport for all communications.

1.4.7 Content Negotiation

This specification uses HTTP content negotiation [RFC7231]. The STIX 2.0 and TAXII 2.0 media types are defined in the following table.

Media Type                                       Description
application/vnd.oasis.taxii+json                 Any version of TAXII in JSON
application/vnd.oasis.taxii+json; version=2.0    TAXII version 2.0 in JSON
application/vnd.oasis.stix+json                  Any version of STIX in JSON
application/vnd.oasis.stix+json; version=2.0     STIX version 2.0 in JSON

1.4.8 Authentication and Authorization

Access control to an instance of the TAXII API is specific to the sharing community, vendor, or product and is not defined by this specification.

Authentication and Authorization in TAXII is implemented as defined in [RFC7235], using the Authorization and WWW-Authenticate HTTP headers respectively.

HTTP Basic authentication, as defined in [RFC7617] is the mandatory to implement authentication scheme in TAXII. As specified in sections 8.2.2 and 8.5.1, TAXII Servers and Clients are required to implement support for HTTP Basic, though other authentication schemes can also be supported. Implementers can allow operators to disable the use of HTTP Basic in their operations.

If the TAXII Server receives a request for any Endpoint that requires authentication, regardless of HTTP method, and either an acceptable Authorization header that grants the client access to that object is not sent with the request or the TAXII Server does not determine via alternate means that the client is authorized to access the resource, the TAXII Server responds with a HTTP 401 (Unauthorized) status code and a WWW-Authenticate HTTP header.

The WWW-Authenticate header contains one or more challenges, which define which authentication schemes are supported by the TAXII Server. The format of the WWW-Authenticate HTTP header and any challenges are defined in [RFC7235]. To ensure compatibility, it is recommended that any authentication schemes used in challenges be registered in the IANA Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry [HTTP Auth].

A TAXII Server may omit objects, information, or optional fields from any response if the authenticated client is not authorized to receive them, so long as that omission does not violate this specification.
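
The request gate described in sections 1.4.7 and 1.4.8, as an added example that is not part of the specification: it answers 401 with a Basic challenge when credentials are missing or wrong, then negotiates the response media type from the Accept header. The user table, realm name, the 406 choice for undefined media types and the function names are assumptions made for illustration.

```python
import base64
import hmac

TAXII = "application/vnd.oasis.taxii+json"
STIX = "application/vnd.oasis.stix+json"
# Versions this server supports per media type, lowest to highest.
SUPPORTED = {TAXII: ["2.0"], STIX: ["2.0"]}
# Constructed credential store; a real deployment would hold password hashes.
USERS = {"analyst": "constructed-password"}


def basic_header(user, password):
    """Client side: build an RFC 7617 Authorization header value."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def check_basic(authorization):
    """Return the authenticated user name, or None if the header is absent,
    uses another scheme, is not valid base64/UTF-8, or the password is wrong."""
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True)
        user, _, password = raw.decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    expected = USERS.get(user)
    # Always run the constant-time comparison, even for unknown users.
    same = hmac.compare_digest(password.encode("utf-8"),
                               (expected or "").encode("utf-8"))
    return user if same and expected is not None else None


def negotiate(accept, endpoint_type):
    """Return the Content-Type for the response, or None when no media range
    in Accept matches the type defined for this Endpoint."""
    if not accept:
        return None
    for item in accept.split(","):
        parts = [p.strip() for p in item.split(";")]
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if parts[0].lower() != endpoint_type:
            continue
        versions = SUPPORTED[endpoint_type]
        # With no version parameter, answer with the highest supported version.
        version = params.get("version", versions[-1])
        if version in versions:
            return "%s; version=%s" % (endpoint_type, version)
    return None


def gate(headers, endpoint_type=TAXII):
    """Return (status, response_headers) before any Endpoint logic runs."""
    if check_basic(headers.get("Authorization")) is None:
        challenge = 'Basic realm="taxii", charset="UTF-8"'
        return 401, {"WWW-Authenticate": challenge}
    content_type = negotiate(headers.get("Accept"), endpoint_type)
    if content_type is None:
        return 406, {}
    return 200, {"Content-Type": content_type}
```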

1.4.9 STIX and Other Content

TAXII is designed with STIX in mind and support for exchanging STIX 2.0 [STIX Version 2.0. Part 1: STIX Core Concepts] content is mandatory to implement. Additional content types are permitted, but specific requirements for STIX are present throughout the document. See section 3.7 for more details.

2 Data Types

This section defines the names and permitted values of common types used throughout this specification. These types are referenced by the "Type" column in other sections. This table does not, however, define the meaning of any fields using these types. These types may be further restricted elsewhere in the document.

Type / Description

api-root
  An API Root Resource, see section 4.2.1.

boolean
  A boolean is a value of either true or false. Properties with this type MUST have a literal (unquoted) value of true or false.

bundle
  A STIX Bundle, see section 5 of STIX Version 2.0. Part 1: STIX Core Concepts.

collection
  A Collection Resource, see section 5.2.1.

collections
  A Collections Resource, see section 5.1.1.

dictionary
  A dictionary is a JSON object that captures an arbitrary set of key/value pairs.

discovery
  A Discovery Resource, see section 4.1.1.

error
  An Error Message, see section 3.6.1.

identifier
  An identifier is an RFC 4122-compliant Version 4 UUID. The UUID MUST be generated according to the algorithm(s) defined in RFC 4122, section 4.4 (Version 4 UUID) [RFC4122].

integer
  The integer data type represents a whole number. Unless otherwise specified, all integers MUST be capable of being represented as a signed 64-bit value. Additional restrictions MAY be placed on the type where it is used.

list
  The list type defines a sequence of values ordered based on how they appear in the list. The phrasing "list of type" is used to indicate that all values within the list MUST conform to the specified type. For instance, list of type integer means that all values of the list must be of the integer type. This specification does not specify the maximum number of allowed values in a list, however every instance of a list MUST have at least one value. Specific TAXII resource properties may define more restrictive upper and/or lower bounds for the length of the list.
  Empty lists are prohibited in TAXII and MUST NOT be used as a substitute for omitting optional properties. If the property is required, the list MUST be present and MUST have at least one value.
  The JSON MTI serialization uses the JSON array type [RFC7159], which is an ordered list of zero or more values.

manifest
  A Manifest Resource, see section 5.6.1.

object
  An Object Resource, see section 3.7.

status
  A Status Resource, see section 4.3.1.

string
  The string data type represents a finite-length string of valid characters from the Unicode coded character set [ISO10646] that are encoded in UTF-8. Unicode incorporates ASCII [RFC0020] and the characters of many other international character sets.

timestamp
  The timestamp type defines how timestamps are represented in TAXII and is represented in serialization as a string.
  - The timestamp field MUST be a valid RFC 3339-formatted timestamp [RFC3339] using the format YYYY-MM-DDTHH:mm:ss.[s+]Z where the "s+" represents 1 or more sub-second values. The brackets denote that sub-second precision is optional, and that if no digits are provided, the decimal place MUST NOT be present.
  - The timestamp MUST be represented in the UTC timezone and MUST use the "Z" designation to indicate this.
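
Validators for the scalar and list types defined in this section, as an added example that is not part of the specification. The schema, its property names and the sample JSON are constructed for illustration, and requiring the hyphenated UUID string form is an assumption.

```python
import json
import re
import uuid
from datetime import datetime

# Optional fraction: either ".digits" or nothing; a bare "." is rejected.
_TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z", re.ASCII)
INT64_MIN, INT64_MAX = -2 ** 63, 2 ** 63 - 1


def is_timestamp(value):
    """UTC timestamp with mandatory 'Z' and optional sub-second digits."""
    if not isinstance(value, str) or not _TS_RE.fullmatch(value):
        return False
    try:
        # Reject syntactically valid but impossible dates such as 02-30.
        datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return False
    return True


def is_identifier(value):
    """RFC 4122 Version 4 UUID in hyphenated string form."""
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    # uuid.UUID also accepts braces and urn: prefixes; compare to canonical.
    return parsed.version == 4 and str(parsed) == value.lower()


def is_integer(value):
    """Whole number that fits a signed 64-bit value; JSON true/false is a
    Python bool, which is an int subclass, so it is excluded explicitly."""
    return (isinstance(value, int) and not isinstance(value, bool)
            and INT64_MIN <= value <= INT64_MAX)


def is_boolean(value):
    """Literal true/false only; the strings "true"/"false" do not qualify."""
    return isinstance(value, bool)


def list_of(check):
    """Build a checker for 'list of type X': non-empty and all items valid."""
    def checker(value):
        return (isinstance(value, list) and len(value) > 0
                and all(check(item) for item in value))
    return checker


def validate(resource, schema):
    """Return error strings; schema maps property name -> (check, required)."""
    errors = []
    for name, (check, required) in schema.items():
        if name not in resource:
            if required:
                errors.append("%s: missing" % name)
        elif not check(resource[name]):
            errors.append("%s: invalid" % name)
    return errors


# Constructed schema and documents (property names are illustrative only).
SCHEMA = {
    "id": (is_identifier, True),
    "request_timestamp": (is_timestamp, True),
    "total_count": (is_integer, True),
    "versions": (list_of(is_timestamp), False),
}
GOOD_JSON = ('{"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", '
             '"request_timestamp": "2017-07-19T12:00:00.123Z", '
             '"total_count": 4}')
BAD_JSON = ('{"id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8", '
            '"request_timestamp": "2017-07-19T12:00:00+00:00", '
            '"total_count": true, "versions": []}')


def check_document(text):
    return validate(json.loads(text), SCHEMA)
```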

3 TAXII API - Core Concepts

The TAXII API is described as sets of Endpoints. Each Endpoint is identified by the URL that it is accessible at and the HTTP method that is used to make the request. For example, the "Get Collections" Endpoint is requested by issuing a GET to `/collections/`. Each Endpoint identifies its URL, which parameters it accepts (including both path parameters and standard parameters), which features it supports (e.g. filtering, pagination), and which content types it defines on request and response. It also identifies common error conditions and provides guidance on how to use the Endpoint.

This section defines behavior that applies across Endpoints, such as normative requirements to support each Endpoint, sorting, pagination, filtering, and error handling.

3.1 Endpoints

Sections 4, 5 and 6 define the set of TAXII Endpoints used in the TAXII API. The following normative requirements apply to each Endpoint:

- All TAXII requests MUST include a media range in the Accept header. Requests for TAXII or STIX content MUST use the values from section 1.4.7 and SHOULD include the version parameter.
- All TAXII responses MUST include the appropriate media type and version parameter in the Content-Type header as defined for that Endpoint.
- TAXII responses SHOULD be the highest version of content (e.g., TAXII, STIX) that the server supports if the version parameter in the Accept header is omitted during content negotiation.
- TAXII responses with an HTTP success code (200 series) that permit a response body MUST include the appropriate response body for the specified content type as identified in the definition of that Endpoint.
- TAXII responses with an HTTP error code (400-series and 500-series status codes, defined by sections 6.5 and 6.6 of [RFC7231]) that permit a response body (i.e. are not in response to a HEAD request) MUST contain an error message (see section 3.6.1) in the response body.
- Requests with media types in the Accept and/or Content-Type headers that are defined for that Endpoint MUST NOT result in an HTTP 406 (Not Acceptable) or HTTP 415 (Unacceptable Media Type) response.
- Requests with media types in the Accept and/or Content-Type headers that are not defined for that Endpoint MAY be satisfied with the appropriate content or MAY result in an HTTP 406 (Not Acceptable) or HTTP 415 (Unacceptable Media Type) response.
- TAXII responses from Endpoints that support pagination and include items as a requested range unit MUST comply with the normative requirements in section 3.4 and MUST respond with an appropriate 200, 206, or 416 response per the HTTP specification [RFC7233].
- TAXII responses to Endpoints that support filtering MUST filter results per the requirements in section 3.5.

The following table provides a summary of the Endpoints (URLs and HTTP Methods) defined by TAXII and the Resources they operate on.

URL                          Methods      Resource Type (section 2)

Core Concepts (section 4)
/taxii/                      GET          discovery
                             GET          api
/status//                    GET          status

Collections (section 5)
/collections/                GET          collections
/collections//               GET          collection
/collections//objects/       GET, POST    object*
/collections//objects//      GET          object*
/collections//manifest/      GET          manifest

Channels (section 6)

* The actual format of objects is dependent on HTTP Content negotiation, as discussed in section 1.4.7

3.2 HTTP Headers

This section summarizes the HTTP headers and defines custom headers used by this specification.

Type / Description

Standard Headers

Accept
  The Accept header is used by HTTP Requests to specify which Content-Types are acceptable in response. STIX and TAXII define media types that can be used in the Accept header in section 1.4.7. See section 5.3.2 of [RFC7231].

Accept-Ranges
  The Accept-Ranges header is used by HTTP Responses to specify its acceptance of range requests for a resource. See section 2.3 of [RFC7233].

Authorization
  The Authorization header is used by HTTP Requests to specify authentication credentials. See section 4.2 of [RFC7235].

Content-Range
  The Content-Range header is used by HTTP to identify which subrange(s) of a resource are contained in an HTTP 206 (Partial Content) response. See section 4.2 of [RFC7233].

Content-Type
  The Content-Type header is used by HTTP to identify the format of HTTP Requests and HTTP Responses. STIX and TAXII define media types that can be used in the Content-Type header in section 1.4.7. See section 3.1.1.5 of [RFC7231].

Range
  The Range header is used by HTTP to request a subrange of a resource. TAXII uses the Range header, and related headers, to perform pagination. See section 3.1 of [RFC7233].

WWW-Authenticate
  The WWW-Authenticate header is used by HTTP Responses to indicate that authentication is required and to specify the authentication schemes and parameters that are supported. See section 4.1 of [RFC7235].

Custom Headers

X-TAXII-Date-Added-First
  The X-TAXII-Date-Added-First header is an extension header. It indicates the date_added timestamp of the first object of the response. The value of this header MUST be a timestamp. All HTTP 200 and 206 responses to the following Endpoints MUST include the X-TAXII-Date-Added-First header:
  - GET /collections/objects/
  - GET /collections/manifest/

X-TAXII-Date-Added-Last
  The X-TAXII-Date-Added-Last header is an extension header. It indicates the date_added timestamp of the last object of the response. The value of this header MUST be a timestamp. All HTTP 200 and 206 responses to the following Endpoints MUST include the X-TAXII-Date-Added-Last header:
  - GET /collections/objects/
  - GET /collections/manifest/

3.3 Sorting

For the Collection and Manifest Endpoints, objects MUST be sorted in ascending order by the date the object first appeared in the TAXII Collection (i.e., the added date). The most recently added object is last in the list.

For the Object Search Endpoint, objects MUST be sorted in ascending order by the date the object first appeared in object search (i.e., the added date). If an object would appear multiple times, all appearances after the first appearance MUST be omitted from the result. That is, if an object would have appeared first in the list and again halfway down, only the first entry should be present in the result.

For the Collections Endpoint, Collections MUST be sorted and MAY be sorted in any order.

Pagination requires a consistent sort order, and therefore multiple responses from the same endpoint need to be sorted in a consistent manner. Sort order MUST be consistent across responses.
3.4 Pagination

Pagination is a feature that is used to break up result sets over multiple request/response pairs. TAXII uses HTTP's Range and Content-Range headers, and defines the items range unit, to perform pagination as defined in section 2 of [RFC7233]. items is the mandatory to implement range unit for TAXII. Other range units MAY be implemented by clients and servers.

3.4.1 Object and Collection Ranges

The items range unit is defined for expressing subranges of a resource [HTTP7233]. For the Endpoints that return objects, items represents objects. For the Endpoints that return collections, items represents Collections. The first items value in the Range and Content-Range headers gives the first item in a range. The last items value in the Range and Content-Range headers gives the last item in the range; that is, items ranges specified are inclusive. items are zero-indexed; that is, the first item is object zero. A Content-Range header will have a third value that identifies the size of the available dataset.

For example:
- If the Range header contains "items 10-49", "10" represents the first item requested; and "49" represents the last item requested.
- If the Content-Range header contains "items 10-49/500", "10" represents the first object in the response; "49" represents the last object in the response; and "500" represents the total number of items available.

All items values MUST be:
- a non-negative integer
- zero indexed (i.e., the first object is object "0")

3.4.2 Requirements

The following requirements only apply to items based range requests (aka pagination).

The Accept-Ranges header allows a server to indicate that it supports range requests for the target resource [RFC7233] as well as which range units are supported. For resources where items-based pagination is supported, and where the Accept-Ranges header is present, the Accept-Ranges header MUST contain items as an acceptable range. The Accept-Ranges header MAY contain other acceptable ranges, if the server supports them.

Requests MAY use the Range header to request a subset of data that would otherwise be returned.

As defined in the HTTP specification, HTTP 206 (Partial Content) [RFC7233] responses include a Content-Range header, even if the entire resource is contained in the response.

As defined in the HTTP specification, if the requested Range cannot be satisfied, an HTTP 416 (Requested Range Not Satisfiable) [RFC7233] response is used. For example, if a range requests items 500-600, but only 0-100 are available, an HTTP 416 (Requested Range Not Satisfiable) is used.

An HTTP 206 (Partial Content) response with a Content-Range header MAY be returned even if the original request did not have a Range header. Note that this is a deviation from the HTTP specification, which indicates that HTTP 206 responses are only permitted when the Range header is present in the request.

Responses to requests with a Range header SHOULD contain only the requested range and MAY include a range smaller than what was requested.

TAXII follows standard HTTP rules for the Content-Range and Range headers, with the exception of allowing a 206 response to a request without a Range header:
- The 206 (Partial Content) status code indicates that the server is successfully fulfilling a range request for the target resource; see section 4.1 of [RFC7233].
- If a single part is being transferred, the server generating the 206 response MUST generate a Content-Range header field, describing what range of the selected representation is enclosed, and a payload consisting of the range. See section 4.2 of [RFC7233].

NOTE: The total number of items available in a result may change with each request for a new page in the paginated result set. This can happen if items have been added or deleted between subsequent requests.
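The items range rules and requirements above, worked through as a client-side paging loop. This is an added example, not code from the specification: the send callback, the FakeCollection stand-in server, the max_items bound and all data are assumptions constructed for illustration.

```python
import re

CONTENT_RANGE_RE = re.compile(r"^items (\d+)-(\d+)/(\d+)$")


class PaginationError(Exception):
    """The server's paging headers are malformed or inconsistent."""


def parse_content_range(value):
    """Parse 'items <first>-<last>/<total>' into three ints (inclusive range)."""
    match = CONTENT_RANGE_RE.match(value.strip())
    if match is None:
        raise PaginationError("not an items Content-Range: %r" % (value,))
    first, last, total = (int(g) for g in match.groups())
    if last < first or last >= total:
        raise PaginationError("inconsistent Content-Range: %r" % (value,))
    return first, last, total


def fetch_all(send, page_size=100, max_items=10000):
    """Collect every item, following whatever page size the server chooses.

    send(range_header) -> (status, headers, items) is a hypothetical transport
    callback. max_items is a local safety bound, not part of the specification.
    """
    collected = []
    while True:
        first = len(collected)
        status, headers, page = send("items %d-%d" % (first, first + page_size - 1))
        if status == 200:
            # The whole result set at once; only acceptable as the first answer.
            if collected:
                raise PaginationError("200 response in the middle of paging")
            return list(page)
        if status == 416:
            # Nothing at this offset: empty set, or items were deleted meanwhile.
            return collected
        if status != 206:
            raise PaginationError("unexpected HTTP status %d" % status)
        got_first, got_last, total = parse_content_range(
            headers.get("Content-Range", ""))
        if got_first != first:
            raise PaginationError("asked for offset %d, got %d" % (first, got_first))
        if len(page) != got_last - got_first + 1:
            raise PaginationError("body length does not match Content-Range")
        collected.extend(page)
        if len(collected) > max_items:
            raise PaginationError("more than max_items=%d items offered" % max_items)
        # total is re-read on every page because it may change between requests.
        if got_last + 1 >= total:
            return collected


class FakeCollection:
    """Constructed in-memory stand-in for a server; it caps every page."""

    def __init__(self, objects, server_cap):
        self.objects = list(objects)
        self.server_cap = server_cap
        self.requests = []

    def send(self, range_header):
        self.requests.append(range_header)
        first, last = (int(n) for n in range_header[len("items "):].split("-"))
        total = len(self.objects)
        if first >= total:
            return 416, {}, []
        # A response MAY include a range smaller than what was requested.
        last = min(last, first + self.server_cap - 1, total - 1)
        headers = {"Content-Range": "items %d-%d/%d" % (first, last, total)}
        return 206, headers, self.objects[first:last + 1]


if __name__ == "__main__":
    server = FakeCollection(["obj-%d" % i for i in range(230)], server_cap=50)
    print(len(fetch_all(server.send, page_size=1000)), server.requests)
```

The client derives each new offset from the Content-Range it received rather than from the range it asked for, which is what keeps it correct when the server returns fewer items than requested.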
3.4.3 Endpoints Supporting Pagination

The following URL Endpoints support Pagination.
- GET /collections/ - see section 5.1.
- GET /collections//objects/ - see section 5.3.
- GET /collections//manifest/ - see section 5.6.

Examples

Client makes a request with no Range header and server returns all results, no pagination.

GET Request

    GET .../collections/my-collection/objects/?added_after=2016-02-01T00:00:01.000Z HTTP/1.1
    Accept: application/vnd.oasis.stix+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.stix+json; version=2.0

Client makes a request for items 0-49 (50 items) and the server responds with 0-49.

GET Request

    GET .../collections/my-collection/objects/?added_after=2016-02-01T00:00:01.000Z HTTP/1.1
    Range: items 0-49
    Accept: application/vnd.oasis.stix+json; version=2.0

GET Response

    HTTP/1.1 206 Partial Content
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    X-TAXII-Date-Added-First: 2016-02-21T05:01:01.000Z
    X-TAXII-Date-Added-Last: 2016-02-21T12:01:01.000Z
    Content-Range: items 0-49/500

Client makes a request for items 0-999 (1000 items) and the server responds with 0-49 (50 items).

GET Request

    GET .../collections/my-collection/objects/?added_after=2016-02-01T00:00:01.000Z HTTP/1.1
    Range: items 0-999
    Accept: application/vnd.oasis.stix+json; version=2.0

GET Response

    HTTP/1.1 206 Partial Content
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    X-TAXII-Date-Added-First: 2016-02-21T05:01:01.000Z
    X-TAXII-Date-Added-Last: 2016-02-21T12:01:01.000Z
    Content-Range: items 0-49/500

Client makes a request with no Range header and server responds with pagination. This example shows the first and second requests in this series. Note: the client needs to add the "Range" header to the second request.

GET Request 1

    GET .../collections/my-collection/objects/?added_after=2016-02-01T00:00:01.000Z HTTP/1.1
    Accept: application/vnd.oasis.stix+json; version=2.0

GET Response 1

    HTTP/1.1 206 Partial Content
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    X-TAXII-Date-Added-First: 2016-02-21T05:01:01.000Z
    X-TAXII-Date-Added-Last: 2016-02-21T12:01:01.000Z
    Content-Range: items 0-99/500

GET Request 2

    GET .../collections/my-collection/objects/?added_after=2016-02-01T00:00:01.000Z HTTP/1.1
    Range: items 100-199
    Accept: application/vnd.oasis.stix+json; version=2.0

GET Response 2

    HTTP/1.1 206 Partial Content
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    X-TAXII-Date-Added-First: 2016-02-21T05:01:01.000Z
    X-TAXII-Date-Added-Last: 2016-02-21T12:01:01.000Z
    Content-Range: items 100-199/500

3.5 Filtering

This section defines the URL parameters used for matching and filtering content. A TAXII Client may request specific content from a TAXII Server by specifying a set of filters included in the request to the server. The match parameter specifies what to include in the response from the TAXII Server. If no match parameter is specified then the TAXII Client is requesting all content be returned for that Endpoint.
URL Parameters / Description

added_after
    A timestamp that filters objects to only include those added to the Channel or Collection after the specified timestamp. The value of this parameter is a timestamp. The added_after parameter is not in any way related to dates or times in a STIX object or any other CTI object.
    Note: The HTTP Date header can be used to identify and correct any time skew between client and server.

match[]
    The match parameter defines filtering on the specified. The list of fields that must be supported is defined per Endpoint as defined in sections 4, 5, and 6. The match parameter can be specified any number of times, where each match instance specifies an additional filter to be applied to the resulting data. Said another way, all match fields are ANDed together.
    All parameters are defined in this table. Requests MAY use a not defined in this specification, and servers MAY ignore fields they do not understand.
    Each MUST NOT occur more than once in a request.
    Each match MAY contain one or more values. Multiple values are separated by a comma (U+002C COMMA, ",") without any spaces. If multiple values are present, the match is treated as a logical OR. For instance, match[type]=incident,ttp specifies a filter for objects that are of type incident OR ttp.
    Examples
        match[type]=incident,ttp,actor
        match[type]=incident&match[version]=2016-01-01T01:01:01.000Z

3.5.1 Supported Fields for Match

Match Field / Description

id
    The identifier of the object(s) that are being requested. When searching for a STIX Object, this is a STIX ID.
    Examples
        match[id]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
        match[id]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb,sighting--4600ad1b-fff1-4c58-bcc9-4de3bc5e2ffd

type
    The type of the object(s) that are being requested. Only the types listed in this parameter are permitted in the response.
    Requests for types defined in [STIX Version 2.0. Part 2: STIX Objects STIX 2.0] MUST NOT result in an error due to an invalid type. Requests for other types not defined in [STIX Version 2.0. Part 2: STIX Objects STIX 2.0] MAY be fulfilled.
    Examples
        match[type]=indicator
        match[type]=indicator,sighting

version
    The version of the object(s) that are being requested. If no version parameter is provided, the server MUST return the latest version of the object.
    Valid values for the version parameter are:
        last - requests the latest version of an object. This is the default parameter value.
        first - requests the earliest version of an object
        all - requests all versions of an object
        - requests a specific version of an object. For STIX objects this requests objects whose modified time matches exactly the provided value. This value MUST follow the rules for timestamp as defined in [STIX Version 2.0. Part 1: STIX Core Concepts]. For example: "2016-01-01T01:01:01.000Z" tells the server to give you the exact STIX object with a modified time of "2016-01-01T01:01:01.000Z". For non-STIX objects this value MAY be any string that represents the version of that object type.
    If the target format does not support object versions, this parameter MUST be ignored.
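The filter semantics above (fields ANDed, comma-separated values ORed, each field at most once, version selection, ascending added-date order), as an added example that is not part of the specification. The record layout with a date_added key, the sample records, and the choice to compute first/last over the whole collection are assumptions of this sketch; timestamps are compared as strings, which only works because every sample value uses the same format.

```python
from urllib.parse import parse_qsl

SUPPORTED_FIELDS = ("id", "type")  # version is handled separately below


class FilterError(ValueError):
    """The query string breaks a rule from the filtering section."""


def parse_filters(query):
    """Split a raw query string into (added_after, {field: [values]})."""
    added_after, match = None, {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "added_after":
            added_after = value
        elif key.startswith("match[") and key.endswith("]"):
            field = key[len("match["):-1]
            if field in match:
                raise FilterError("match[%s] occurs more than once" % field)
            values = value.split(",")
            if any(v == "" or v != v.strip() for v in values):
                raise FilterError("match[%s]: empty value or stray space" % field)
            match[field] = values
    return added_after, match


def select(records, query):
    """Return the records a server would send for this query, oldest first."""
    added_after, match = parse_filters(query)
    versions = match.pop("version", ["last"])  # "last" is the default
    # All modified times per object id, taken over the whole collection
    # (assumption of this example: first/last ignore the other filters).
    modified = {}
    for rec in records:
        modified.setdefault(rec["id"], []).append(rec["modified"])

    def version_ok(rec):
        times = modified[rec["id"]]
        return any(
            v == "all"
            or (v == "last" and rec["modified"] == max(times))
            or (v == "first" and rec["modified"] == min(times))
            or v == rec["modified"]
            for v in versions
        )

    hits = []
    for rec in records:
        if added_after is not None and not rec["date_added"] > added_after:
            continue
        # Fields are ANDed; the values inside one field are ORed.
        # Unknown fields are ignored, which the specification permits.
        fields_ok = all(rec[f] in vals for f, vals in match.items()
                        if f in SUPPORTED_FIELDS)
        if fields_ok and version_ok(rec):
            hits.append(rec)
    return sorted(hits, key=lambda rec: rec["date_added"])


def _rec(obj_id, modified, date_added):
    return {"id": obj_id, "type": obj_id.split("--")[0],
            "modified": modified, "date_added": date_added}


# Constructed collection: ids reuse the page's example ids, dates are made up.
IND = "indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb"
SIG = "sighting--4600ad1b-fff1-4c58-bcc9-4de3bc5e2ffd"
MAL = "malware--664fa29d-bf65-4f28-a667-bdb76f29ec98"
RECORDS = [
    _rec(IND, "2016-01-01T01:01:01.000Z", "2016-02-01T00:00:00.000Z"),
    _rec(SIG, "2016-02-10T00:00:00.000Z", "2016-02-11T00:00:00.000Z"),
    _rec(MAL, "2016-02-20T00:00:00.000Z", "2016-02-21T00:00:00.000Z"),
    _rec(IND, "2016-03-01T00:00:00.000Z", "2016-03-02T00:00:00.000Z"),
]

if __name__ == "__main__":
    for rec in select(RECORDS, "match[type]=indicator,sighting"):
        print(rec["id"], rec["modified"])
```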
3.6 Errors

TAXII primarily relies on the standard HTTP error semantics (400-series and 500-series status codes, defined by sections 6.5 and 6.6 of [RFC7231]) to allow TAXII Servers to indicate when an error has occurred. For example, an HTTP 404 (Not Found) status code in response to a request to get information about a Collection means that the Collection could not be found. The tables defining the Endpoints in sections 4 and 5 identify common errors and which response should be used, but are not exhaustive and do not describe all possible errors.

In addition to this, TAXII defines an error message structure that is provided in the response body when an error status is being returned. It does not, however, define any error codes or error conditions beyond those defined by HTTP.
3.6.1 Error Message

Message Name: error

The error message is provided by TAXII Servers in the response body when returning an HTTP error status and contains more information describing the error, including a human-readable title and description, an error_code and error_id, and a details structure to capture further structured information about the error. All of the fields are application-specific and clients shouldn't assume consistent meaning across TAXII Servers even if the codes, IDs, or titles are the same.

Property Name | Type | Description
title (required) | string | A human readable plain text title for this error.
description (optional) | string | A human readable plain text description that gives details about the error or problem that was encountered by the application.
error_id (optional) | string | An identifier for this particular error instance. A TAXII Server might choose to assign each error occurrence its own identifier in order to facilitate debugging.
error_code (optional) | string | The error code for this error type. A TAXII Server might choose to assign a common error code to all errors of the same type. Error codes are application-specific and not intended to be meaningful across different TAXII Servers.
http_status (optional) | string | The HTTP status code applicable to this error.
external_details (optional) | string | A URL that points to additional details. For example, this could be a URL pointing to a knowledge base article describing the error code. Absence of this field indicates that there are no additional details.
details (optional) | dictionary | The details property captures additional server-specific details about the error. The keys and values are determined by the TAXII Server and MAY be any valid JSON object structure.
Examples

    {
      "title": "Error condition XYZ",
      "description": "This error is caused when the application tries to access data...",
      "error_id": "1234",
      "error_code": "581234",
      "http_status": "409",
      "external_details": "http://example.com/ticketnumber1/errorid-1234",
      "details": {
        "somekey1": "somevalue",
        "somekey2": "some other value"
      }
    }

3.7 Object Resource

Resource Name: object

This resource type is negotiated based on the media type. This specification does not define any form of content wrapper for objects. Instead, objects are the direct payload of HTTP messages.

When returning STIX 2 content (the Content-Type header contains application/vnd.oasis.stix+json; version=2.0) in a TAXII response, the root object MUST be a STIX bundle per section 5 of STIX Version 2.0. Part 1: STIX Core Concepts. For example:
- A single indicator in response to a request for an indicator by ID is enclosed in a bundle.
- A list of campaigns returned from a Collection is enclosed in a bundle.
- An empty response with no STIX objects results in an empty bundle.

Definitions for media types other than STIX can be found in their respective specifications.

Examples

    {
      "type": "bundle",
      ...,
      "objects": [
        {
          "type": "indicator",
          "id": "indicator--252c7c11-daf2-42bd-843b-be65edca9f61",
          ...
        }
      ]
    }

3.8 Property Names

All property names and string literals MUST be exactly the same, including case, as the names listed in the property tables in this specification. For example, the discovery resource has a property called api_roots and it must result in the JSON key name "api_roots".

Properties marked required in the property tables MUST be present in the JSON serialization of that resource.
3.9 DNS SRV Names

Organizations that choose to implement a DNS SRV record in their DNS server to advertise the location of their TAXII Server MUST use the service name taxii.

Examples

The following example is for a DNS SRV record advertising a TAXII Server for the domain "example.com" located at taxii-hub-1.example.com:443:

    _taxii._tcp.example.com. 86400 IN SRV 0 5 443 taxii-hub-1.example.com

4 TAXII API - Server Information

The following table provides a summary of the Server Information Endpoints (URLs and HTTP Methods) defined by TAXII and the Resources they operate on.

URL | Methods | Resource Type
/taxii/ | GET | discovery
/ | GET | api-root
/status// | GET | status

4.1 Server Discovery

This Endpoint provides general information about a TAXII Server, including the advertised API Roots. It's a common entry point for TAXII Clients into the data and services provided by a TAXII Server. For example, clients auto-discovering TAXII Servers via the DNS SRV record defined in section 1.4.1 will be able to automatically retrieve a discovery response for that server by requesting the /taxii/ path on that domain.

Discovery API responses MAY advertise any TAXII API Root that they have permission to advertise, including those hosted on other servers.
Properties

Supported Method: GET
URL: /taxii/
Parameters: N/A
Pagination: No
Filtering: No
Valid Request Type:
    Accept: application/vnd.oasis.taxii+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.taxii+json; version=2.0
    Body: discovery
Common Error Codes:
    404 - No discovery information could be found or the requester does not have access to get discovery information.
    401, 403 - The client either needs to authenticate or does not have access to get discovery information

4.1.1 Discovery Resource

Resource Name: discovery

The discovery resource contains information about a TAXII Server, such as a human-readable title, description, and contact information, as well as a list of API Roots that it is advertising. It also has an indication of which API Root it considers the default, or the one to use in the absence of other information/user choice.

Property Name | Type | Description
title (required) | string | A human readable plain text name used to identify this server.
description (optional) | string | A human readable plain text description for this server.
contact (optional) | string | The human readable plain text contact information for this server and/or the administrator of this server.
default (optional) | string | The default API Root that a TAXII Client MAY use. Absence of this field indicates that there is no default API Root. The default API Root MUST be an item in api_roots.
api_roots (optional) | list of type string | A list of URLs that identify known API Roots. This list MAY be filtered on a per-client basis.
Examples

URLs

    https://taxii.example.com:443/taxii/
    https://someserver.example.net/taxii/

GET Request

    GET /taxii/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.taxii+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.taxii+json; version=2.0

    {
      "title": "Some TAXII Server",
      "description": "This TAXII Server contains a listing of...",
      "contact": "string containing contact information",
      "default": "https://example.com/api2/",
      "api_roots": [
        "https://example.com/api1/",
        "https://example.com/api2/",
        "https://example.net/trustgroup1/"
      ]
    }

4.2 Get API Root Information

This Endpoint provides general information about an API Root, which can be used to help users and clients decide whether and how they want to interact with it. Multiple API Roots MAY be hosted on a single TAXII Server. Often, an API Root represents a single trust group.

Each API Root MUST have a unique URL.
Each API Root MAY have different authentication and authorization schemes.
Properties

Supported Method: GET
URL: //
Parameters:
    - the base URL of the API Root containing the Collections
Pagination: No
Filtering: No
Valid Request Type:
    Accept: application/vnd.oasis.taxii+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.taxii+json; version=2.0
    Body: api-root
Common Error Codes:
    404 - No API Root could be found or the requester does not have access to get API Root information.
    401, 403 - The client either needs to authenticate or does not have access to get API Root information.
4.2.1 API Root Resource

Resource Name: api-root

The api-root resource contains general information about the API Root, such as a human-readable title and description, the TAXII versions it supports, and the maximum size of the content body it will accept in a PUT or POST (max_content_length).

Property Name | Type | Description
title (required) | string | A human readable plain text name used to identify this API instance.
description (optional) | string | A human readable plain text description for this API Root.
versions (required) | list of type string | The list of TAXII versions that this API Root is compatible with. A value of taxii-2.0 MUST be included in this list to indicate conformance with this specification.
max_content_length (required) | integer | The maximum size of the request body in octets (8-bit bytes) that the server can support. This applies to requests only and is determined by the server. Requests with total body length values smaller than this value MUST NOT result in an HTTP 413 (Request Entity Too Large) response.
Examples

URLs

    https://example.com/api1/
    https://example.com/api2/
    https://example.org/trustgroup1/

GET Request

    GET /api1/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.taxii+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.taxii+json; version=2.0

    {
      "title": "Malware Research Group",
      "description": "A trust group setup for malware researchers",
      "versions": ["taxii-2.0"],
      "max_content_length": 9765625
    }

4.3 Get Status

This Endpoint provides information about the status of a previous request. In TAXII 2.0, the only request that can be monitored is one to add objects to a Collection (see section 5.4). It is typically used by TAXII Clients to monitor a request that they made in order to take action when it is complete.

TAXII Servers SHOULD provide status messages at this Endpoint while the request is in progress until at least 24 hours after it has been marked completed.
Properties

Supported Method: GET
URL: //status//
Parameters:
    - the base URL of the API Root containing the Collections
    - the identifier of the status message being requested
Pagination: No
Filtering: No
Valid Request Type:
    Accept: application/vnd.oasis.taxii+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.taxii+json; version=2.0
    Body: status
Common Error Codes:
    404 - No status could be found or the requester does not have access to get status information.
    401, 403 - The client either needs to authenticate or does not have access to get status information

4.3.1 Status Resource

Resource Name: status

The status resource represents information about a request to add objects to a Collection. It contains information about the status of the request, such as whether or not it's completed (status) and the status of individual objects within the request (i.e. whether they are still pending, completed and failed, or completed and succeeded).

The status resource is returned in two places: as a response to the initial request (see section 5.4) and in response to a get status request (see section 4.3), which can be made after the initial request to continuously monitor its status.

The list of objects that are still pending and the list of objects that have been added are both lists of strings containing the identifier of the object (e.g., for STIX objects, their id). The list of objects that failed to be added is a simple type so that both the id and a message indicating why it failed can be provided.
Property Name | Type | Description
id (required) | string | The identifier of this Status resource.
status (required) | string | The overall status of a previous POST request where an HTTP 202 (Accepted) was returned. The value of this property MUST be one of complete or pending. A value of complete indicates that this resource will not be updated further and MAY be removed in the future. A status of pending indicates that this resource MAY update in the future.
request_timestamp (optional) | timestamp | The datetime of the request that this status resource is monitoring.
total_count (required) | integer | The total number of objects that were in the request. For a STIX bundle this would be the number of objects in the bundle.
success_count (required) | integer | The number of objects that were successfully created.
successes (optional) | list of type string | A list of object IDs that were successfully processed. For STIX objects the STIX ID MUST be used here. For object types that do not have their own identifier, the server MAY use any value as the id.
failure_count (required) | integer | The number of objects that failed to be created.
failures (optional) | list of type status-failure | A list of objects that were not successfully processed.
pending_count (required) | integer | The number of objects that have yet to be processed.
pendings (optional) | list of type string | A list of objects for objects that have yet to be processed. For STIX objects the STIX ID MUST be used here. For object types that do not have their own identifier, the server MAY use any value as the id.

Type Name: status-failure

This type represents an object that was not added to the Collection. It contains the id of the object and a message describing why it couldn't be added.

Property Name | Type | Description
id (required) | string | The identifier of the object that failed to be created. For STIX objects the id MUST be the STIX Object id. For object types that do not have their own identifier, the server MAY use any value as the id.
message (optional) | string | A message indicating why the object failed to be created.
Examples

URLs

    https://example.com/api1/status/2d086da7-4bdc-4f91-900e-d77486753710/
    https://example.com/api2/status/88dc8293-827e-44f0-a592-4b5302fbe9d3/
    https://example.org/trustgroup1/status/5d26743b-4ade-4b7d-8fea-f68119d4f909/

GET Request

    GET /api1/status/2d086da7-4bdc-4f91-900e-d77486753710/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.taxii+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.taxii+json; version=2.0

    {
      "id": "2d086da7-4bdc-4f91-900e-d77486753710",
      "status": "pending",
      "request_timestamp": "2016-11-02T12:34:34.12345Z",
      "total_count": 4,
      "success_count": 1,
      "successes": [
        "indicator--c410e480-e42b-47d1-9476-85307c12bcbf"
      ],
      "failure_count": 1,
      "failures": [
        {
          "id": "malware--664fa29d-bf65-4f28-a667-bdb76f29ec98",
          "message": "Unable to process object"
        }
      ],
      "pending_count": 2,
      "pendings": [
        "indicator--252c7c11-daf2-42bd-843b-be65edca9f61",
        "relationship--045585ad-a22f-4333-af33-bfd503a683b5"
      ]
    }

5 TAXII API - Collections

A TAXII Collection is a logical grouping of threat intelligence that enables the exchange of information between a TAXII Client and a TAXII Server in a request-response manner. Collections are hosted in the context of an API Root. Each API Root MAY have zero or more Collections. As with other TAXII Endpoints, the ability of TAXII Clients to read from and write to Collections can be restricted depending on their permissions level.

This section defines the TAXII API Collection Endpoints (URLs and methods), valid media types, and responses. The following table provides a summary of the Endpoints (URLs and HTTP Methods) defined by TAXII and the Resources they operate on.
URL | Methods | Resource Type
/collections/ | GET | collections
/collections// | GET | collection
/collections//objects/ | GET, POST | object
/collections//objects// | GET | object
/collections//manifest/ | GET | manifest

5.1 Get Collections

This Endpoint provides information about the Collections hosted under this API Root. This is similar to the response to get a Collection (see section 5.2), but rather than providing information about one Collection it provides information about all of the Collections. Most importantly, it provides the Collection's id, which is used to request objects or manifest entries from the Collection.

Properties

Supported Method: GET
URL: //collections/
Parameters:
    - the base URL of the API Root containing the Collections
Pagination: Yes
Filtering: No
Valid Request Type:
    Accept: application/vnd.oasis.taxii+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.taxii+json; version=2.0
    Body: collections
Common Error Codes:
    404 - The Collections resource does not exist or the client does not have access to the Collections resource.
    401, 403 - The client either needs to authenticate or does not have access to get Collection information.
5.1.1 Collections Resource

Resource Name: collections

The collections resource is a simple wrapper around a list of collection resources.

Property Name | Type | Description
collections (optional) | list of type collection | A list of Collections. If there are no Collections in the list, this key MUST be omitted and the response is an empty object. The collection resource is defined in section 5.2.1.
Examples

GET Request

    GET /api1/collections/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.taxii+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.taxii+json; version=2.0

    {
      "collections": [
        {
          "id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116",
          "title": "High Value Indicator Collection",
          "description": "This data collection is for collecting high value IOCs",
          "can_read": true,
          "can_write": false,
          "media_types": [
            "application/vnd.oasis.stix+json; version=2.0"
          ]
        },
        {
          "id": "52892447-4d7e-4f70-b94d-d7f22742ff63",
          "title": "Indicators from the past 24-hours",
          "description": "This data collection is for collecting current IOCs",
          "can_read": true,
          "can_write": false,
          "media_types": [
            "application/vnd.oasis.stix+json; version=2.0"
          ]
        }
      ]
    }

5.2 Get a Collection

This Endpoint provides general information about a Collection, which can be used to help users and clients decide whether and how they want to interact with it. For example, it will tell clients what it's called and what permissions they have to it.
Properties

Supported Method: GET
URL: //collections//
Parameters:
    - the base URL of the API Root containing the Collection
    - the identifier of the Collection being requested
Pagination: No
Filtering: No
Valid Request Type:
    Accept: application/vnd.oasis.taxii+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.taxii+json; version=2.0
    Body: collection
Common Error Codes:
    404 - The Collection could not be found or the requester does not have access to get Collection information.
    401, 403 - The client either needs to authenticate or does not have access to get Collection information

5.2.1 Collection Resource

Resource Name: collection

The collection resource contains general information about a Collection, such as its id, a human-readable title and description, an optional list of supported media_types (representing the media type of objects that can be requested from or added to it), and whether the TAXII Client, as authenticated, can get objects from the Collection and/or add objects to it.

Property Name | Type | Description
id (required) | identifier | The id property universally and uniquely identifies this Collection. It is used in the Get Collection Endpoint (see section 5.2) as the parameter to retrieve the Collection.
title (required) | string | A human readable plain text title used to identify this Collection.
description (optional) | string | A human readable plain text description for this Collection.
can_read (required) | boolean | Indicates if the requester can read (i.e., GET) objects from this Collection.
can_write (required) | boolean | Indicates if the requester can write (i.e., POST) objects to this Collection.
media_types (optional) | list of type string | A list of supported media types for Objects in this Collection. Absence of this field is equivalent to a single-value list containing application/vnd.oasis.stix+json.
Examples

GET Request

    GET /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.taxii+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.taxii+json; version=2.0

    {
      "id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116",
      "title": "High Value Indicator Collection",
      "description": "This data collection is for collecting high value IOCs",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }

5.3 Get Objects

This Endpoint retrieves objects from a Collection. Clients can search for objects in the Collection, retrieve all objects in a Collection, or paginate through objects in the Collection.

To support searching the Collection, the Endpoint supports filtering as defined in section 3.5. Clients can provide one or more filter parameters to get objects with a specific ID, of a specific type, or with a specific version. Future versions of TAXII will add more advanced filtering capabilities.

To support requesting a large number of objects, the Endpoint supports pagination as defined in section 3.4. Clients can optionally provide their desired number of items per page and which page they want and servers will return that result set. Servers can also override client-provided pagination parameters, including requiring pagination when it isn't requested. As such, all clients should be aware that responses to this Endpoint may be paginated and be prepared to properly handle that.

When requesting STIX 2.0 content, the content will always be delivered in a STIX bundle (even if there's only zero or one objects, in which case the bundle will be empty or only contain one object). Other content types can be requested by using a different Accept header, however the specific representation of other content types is not defined.
Properties

Supported Method: GET
URL: //collections//objects/
Parameters:
    - the base URL of the API Root containing the Collection
    - the identifier of the Collection from which objects are being requested
Pagination: Yes
Filtering: Yes - id, type, version
Valid Request Type:
    Accept: application/vnd.oasis.stix+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    Body: bundle
    Requests for other content types are permitted and may result in other response bodies.
Common Error Codes:
    404 - The Objects resource does not exist or the client does not have access to the Objects resource.
    401, 403 - The client either needs to authenticate or does not have access to get objects in the Collection.
Examples

GET Request

    GET /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.stix+json; version=2.0

GET Response

    HTTP/1.1 200 OK
    Content-Type: application/vnd.oasis.stix+json; version=2.0

    {
      "type": "bundle",
      ...
      "objects": [
        {
          "type": "indicator",
          ...
        }
      ]
    }

5.4 Add Objects

This Endpoint adds objects to a Collection.

Successful responses to this Endpoint will contain a status resource describing the status of the request. The status resource contains an id, which can be used to make requests to the get status Endpoint (see section 4.3), a status flag to indicate whether the request is completed or still being processed, and information about the status of the particular objects in the request.

If the request is marked pending in the status field, the client SHOULD periodically poll the get status Endpoint to get an updated status until such a time that the status property returns a value of complete. At that point, the request can be considered complete.

When adding STIX 2.0 content, clients MUST deliver all objects in a STIX bundle. Other content types MAY be added (if the Collection supports it) by using a different Content-Type header, however the specific representation of other content types is not defined.
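The polling procedure described above, together with validation of each status resource against the property table in section 4.3.1, as an added example that is not part of the specification. The get_status callback, the poll limit, the two consistency checks marked as local policy, and the sample documents (modelled on the page's status examples) are assumptions of this sketch.

```python
import time

REQUIRED = ("id", "status", "total_count", "success_count",
            "failure_count", "pending_count")


class StatusError(Exception):
    """A status resource is malformed, or the request never completed."""


def check_status(doc, expected_id):
    """Validate one status resource from the server and return it."""
    for name in REQUIRED:
        if name not in doc:
            raise StatusError("missing required property %r" % name)
    if doc["id"] != expected_id:
        raise StatusError("status id %r is not the one requested" % doc["id"])
    if doc["status"] not in ("complete", "pending"):
        raise StatusError("status must be complete or pending")
    counts = {n: doc[n] for n in REQUIRED[2:]}
    if any(type(c) is not int or c < 0 for c in counts.values()):
        raise StatusError("counts must be non-negative integers")
    # Consistency checks chosen for this example; the property table does
    # not spell them out, so treat them as local policy.
    if (counts["success_count"] + counts["failure_count"]
            + counts["pending_count"]) != counts["total_count"]:
        raise StatusError("counts do not add up to total_count")
    if doc["status"] == "complete" and counts["pending_count"]:
        raise StatusError("complete status still lists pending objects")
    return doc


def wait_until_complete(get_status, first, interval=5.0, max_polls=20,
                        sleep=time.sleep):
    """Poll until status is complete; return (status, {failed_id: message})."""
    status_id = first.get("id")
    status = check_status(first, status_id)
    for _ in range(max_polls):
        if status["status"] == "complete":
            break
        sleep(interval)
        status = check_status(get_status(status_id), status_id)
    else:
        # Loop ran out of polls; the last answer may still be complete.
        if status["status"] != "complete":
            raise StatusError("still pending after %d polls" % max_polls)
    failed = {f["id"]: f.get("message", "") for f in status.get("failures", [])}
    return status, failed


# Constructed sample documents, modelled on the page's status examples.
STATUS_ID = "2d086da7-4bdc-4f91-900e-d77486753710"
FAILED = {"id": "malware--664fa29d-bf65-4f28-a667-bdb76f29ec98",
          "message": "Unable to process object"}


def _doc(status, ok, bad, waiting, failures=()):
    return {"id": STATUS_ID, "status": status, "total_count": 4,
            "success_count": ok, "failure_count": bad,
            "pending_count": waiting, "failures": list(failures)}


SAMPLE = [_doc("pending", 1, 0, 3),
          _doc("pending", 1, 1, 2, [FAILED]),
          _doc("complete", 3, 1, 0, [FAILED])]


def demo():
    """Replay SAMPLE: the POST response first, then two get-status answers."""
    later = iter(SAMPLE[1:])
    return wait_until_complete(lambda _id: next(later), SAMPLE[0],
                               sleep=lambda seconds: None)


if __name__ == "__main__":
    print(demo())
```

A complete status can still carry failures, so the caller should inspect the returned failure map rather than treating completion as success.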
Properties

Supported Method: POST
URL: //collections//objects/
Parameters:
    - the base URL of the API Root containing the Collection
    - the identifier of the Collection to which objects are being added
Pagination: No
Filtering: No
Valid Request Type:
    Accept: application/vnd.oasis.taxii+json; version=2.0
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    Body: bundle
    POSTs containing other Content-Types are permitted and may have a different body.
Successful Response:
    Status: 202 (Accepted)
    Content-Type: application/vnd.oasis.taxii+json; version=2.0
    Body: status
Common Error Codes:
    422 - The object type or version is not supported or could not be processed. This can happen, for example, when sending a version of STIX that this TAXII Server does not support and cannot process, when sending a malformed body, or other unprocessable content.
    401, 403 - The client either needs to authenticate or does not have access to get Collection information

Examples

POST Request

    POST /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/ HTTP/1.1
    Host: example.com
    Accept: application/vnd.oasis.taxii+json; version=2.0
    Content-Type: application/vnd.oasis.stix+json; version=2.0

    {
      "type": "bundle",
      ...
      "objects": [
        {
          "type": "indicator",
          "id": "indicator--c410e480-e42b-47d1-9476-85307c12bcbf",
          ...
        }
      ]
    }

POST Response

    HTTP/1.1 202 Accepted
    Content-Type: application/vnd.oasis.taxii+json; version=2.0

    {
      "id": "2d086da7-4bdc-4f91-900e-d77486753710",
      "status": "pending",
      "request_timestamp": "2016-11-02T12:34:34.12345Z",
      "total_count": 4,
      "success_count": 1,
      "successes": [
        "indicator--c410e480-e42b-47d1-9476-85307c12bcbf"
      ],
      "failure_count": 0,
      "pending_count": 3
    }

5.5 Get an Object

This Endpoint gets an object from a Collection by its id. It can be thought of as a search where the match[id] parameter is set to the in the path. For STIX 2.0 objects, the MUST be the STIX id.

To support getting a particular version of an object, this Endpoint supports filtering as defined in section 3.5. The only valid match parameter is version.

When requesting STIX 2.0 content, the content will always be delivered in a STIX bundle (even if there's only zero or one objects, in which case the bundle will be empty or only contain one object). Other content types MAY be requested by using a different Accept header, however the specific representation of other content types is not defined.
Properties

Supported Method: GET
URL: //collections//objects//
Parameters:
    - the base URL of the API Root containing the Collection
    - the identifier of the Collection being requested
    - the ID of the object being requested
Pagination: No
Filtering: Yes - version
Valid Request Type:
    Accept: application/vnd.oasis.stix+json; version=2.0
Successful Response:
    Status: 200 (OK)
    Content-Type: application/vnd.oasis.stix+json; version=2.0
    Body: bundle
    Requests for other content types are permitted and may result in other response bodies.
Common Error Codes:
    404 - The object could not be found or the requester does not have access to get the object.
    401, 403 - The client either needs to authenticate or does not have access to get the object.

Examples

GET Request

GET /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/objects/indicator--252c7c11-daf2-42bd-843b-be65edca9f61/ HTTP/1.1
Host: example.com
Accept: application/vnd.oasis.stix+json; version=2.0

GET Response

HTTP/1.1 200 OK
Content-Type: application/vnd.oasis.stix+json; version=2.0

{
  "type": "bundle",
  ...,
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--252c7c11-daf2-42bd-843b-be65edca9f61",
      ...
    }
  ]
}

5.6 Get Object Manifests

This Endpoint retrieves a manifest about objects from a Collection.
It supports filtering and pagination identical to the get objects Endpoint (see section 5.3) but rather than returning the object itself it returns metadata about the object. It can be used to retrieve metadata to decide whether it's worth retrieving the actual objects.

This Endpoint supports filtering, which is applied against the source object rather than the manifest entry for an object. Thus, searching the manifest for a type of indicator will return the manifest entries for objects with a type of indicator, even though the manifest doesn't have a type field.

Properties

Supported Method: GET
URL: //collections//manifest/
Parameters:
  - the base URL of the API Root containing the Collection
  - the identifier of the Collection being requested
Pagination: Yes
Filtering: Yes - id, type, version
Filtering is based on properties of the objects that the manifest entries represent. For example, filtering by type=indicator will return manifest entries for objects with a type of indicator.

Valid Request Type
Accept: application/vnd.oasis.taxii+json; version=2.0

Successful Response
Status: 200 (OK)
Content-Type: application/vnd.oasis.taxii+json; version=2.0
Body: manifest

Common Error Codes
404 - The Manifest resource does not exist or the client does not have access to the Manifest resource.
401, 403 - The client either needs to authenticate or does not have access to get manifests for objects in the Collection.

5.6.1 Manifest Resource

Resource Name: manifest

The manifest resource is a simple wrapper around a list of manifest-entry items.

Property Name: objects (optional)
Type: list of type manifest-entry
Description: The list of manifest entries for objects returned by the request. If there are no manifest-entry items in the list, this key MUST be omitted and the response is an empty object.

Type Name: manifest-entry

The manifest-entry type captures metadata about a single object, indicated by the id property. The metadata includes information such as when the object was added to the Collection, what versions of the object are available, and what media types the object is available in.

Property Name: id (required)
Type: identifier
Description: The identifier of the object that this manifest entry describes.

Property Name: date_added (optional)
Type: timestamp
Description: The date and time this object was added to the server.

Property Name: versions (optional)
Type: list of type string
Description: A list of available versions, sorted in order from most recent version to least recent version. For example versions[0] contains the newest version and versions[len-1] contains the oldest version. For objects in STIX format, the STIX modified field is the version.

Property Name: media_types (optional)
Type: list of type string
Description: The media types that this object can be requested in.
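
The manifest is meant to let a client decide which objects are worth retrieving. The Python sketch below is an added example, not part of the TAXII specification: it compares a decoded manifest resource with a local index and returns the objects to request, handling the empty-object response and the optional properties, and taking the most recent timestamp rather than assuming versions[0] is newest. The function names, the `local_versions` mapping and the sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

STIX_20 = "application/vnd.oasis.stix+json; version=2.0"

def parse_ts(value):
    """Parse a TAXII/STIX UTC timestamp, with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def _media(value):
    # Compare media types without regard to case or optional whitespace.
    return value.replace(" ", "").lower()

def plan_fetch(manifest, local_versions, wanted=STIX_20):
    """Return [(object_id, newest_version)] for objects worth requesting.

    manifest       -- decoded manifest resource from the manifest Endpoint
    local_versions -- assumed local index: {object_id: newest version held}
    """
    plan = []
    # An empty result is an empty JSON object; the "objects" key is omitted.
    for entry in manifest.get("objects", []):
        obj_id = entry["id"]                      # the only required property
        offered = entry.get("media_types")
        if offered is not None and _media(wanted) not in map(_media, offered):
            continue                              # no representation we parse
        versions = entry.get("versions") or []
        if not versions:                          # optional property absent
            if obj_id not in local_versions:
                plan.append((obj_id, None))
            continue
        newest = max(versions, key=parse_ts)      # do not rely on list order
        held = local_versions.get(obj_id)
        # Compare parsed values: "…59Z" and "…59.000Z" are the same instant.
        if held is None or parse_ts(newest) > parse_ts(held):
            plan.append((obj_id, newest))
    return plan

# Constructed sample data (not taken from a real server).
SAMPLE_MANIFEST = json.loads("""
{"objects": [
  {"id": "indicator--00000000-0000-4000-8000-000000000001",
   "date_added": "2016-11-01T03:04:05Z",
   "versions": ["2016-11-03T12:30:59.000Z", "2016-12-03T12:30:59.000Z"],
   "media_types": ["application/vnd.oasis.stix+json;version=2.0"]},
  {"id": "indicator--00000000-0000-4000-8000-000000000002",
   "versions": ["2016-11-03T12:30:59.000Z"],
   "media_types": ["application/vnd.oasis.stix+json;version=2.0"]},
  {"id": "malware--00000000-0000-4000-8000-000000000003",
   "versions": ["2017-01-01T00:00:00Z"],
   "media_types": ["application/x-example"]},
  {"id": "indicator--00000000-0000-4000-8000-000000000004"}
]}
""")
LOCAL_VERSIONS = {
    "indicator--00000000-0000-4000-8000-000000000001": "2016-11-03T12:30:59.000Z",
    "indicator--00000000-0000-4000-8000-000000000002": "2016-11-03T12:30:59Z",
}
```

Each returned pair can then be requested from the get-an-object Endpoint, using the version value as the version match parameter.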

Examples

GET Request

GET /api1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/manifest/ HTTP/1.1
Host: example.com
Accept: application/vnd.oasis.taxii+json; version=2.0

GET Response

HTTP/1.1 200 OK
Content-Type: application/vnd.oasis.taxii+json; version=2.0

{
  "objects": [
    {
      "id": "indicator--29aba82c-5393-42a8-9edb-6a2cb1df070b",
      "date_added": "2016-11-01T03:04:05Z",
      "versions": ["2016-11-03T12:30:59.000Z", "2016-12-03T12:30:59.000Z"],
      "media_types": ["application/vnd.oasis.stix+json; version=2.0"]
    },
    {
      "id": "indicator--ef0b28e1-308c-4a30-8770-9b4851b260a5",
      "date_added": "2016-11-01T10:29:05Z",
      "versions": ["2016-11-03T12:30:59.000Z"],
      "media_types": ["application/vnd.oasis.stix+json; version=2.0"]
    }
  ]
}

6 TAXII API - Channels

RESERVED

7 Customizing TAXII Resources

This section defines how to extend TAXII in an interoperable manner.

7.1 Custom Properties

It is understood that there will be cases where certain information exchanges can be improved by adding properties that are not specified nor reserved in this document; these properties are called Custom Properties. This section provides guidance and requirements for how TAXII Servers and Clients should use and interpret Custom Properties in order to extend TAXII in an interoperable manner.

Note: The presence of Custom Properties may introduce variability of behavior depending on whether or not the TAXII Server or Client understands the Custom Properties. A reasonable strategy to minimize unwanted variations in behavior is to provide well defined and consistent rules for processing Custom Properties to any TAXII Server or Client that would be reasonably expected to parse them.

7.1.1 Requirements

- A TAXII resource MAY have any number of Custom Properties.
- Custom Property names MUST be in ASCII and are limited to characters a-z (lowercase ASCII) and underscore (_).
- Custom Property names SHOULD start with "x_" followed by a source unique identifier (like a domain name), an underscore and then the name. For example: x_examplecom_customfield.
- Custom Property names SHOULD be no longer than 30 ASCII characters in length.
- Custom Property names MUST have a minimum length of 3 ASCII characters.
- Custom Property names MUST be no longer than 256 ASCII characters in length.
- Custom Property names that are not prefixed with "x_" may be used in a future version of the specification for a different meaning. If compatibility with future versions of this specification is required, the "x_" prefix MUST be used.
- Custom Property names SHOULD be unique when produced by the same source and SHOULD use a consistent namespace prefix (e.g., a domain name).
- Custom Properties SHOULD only be used when there are no existing properties defined by the TAXII specification that fulfill that need.
- TAXII Servers that receive a TAXII Resource with one or more Custom Properties it does not understand MAY respond in one of two ways: Either refuse to process the content further and respond to the message with an HTTP 422 (Unprocessable Entity) status code, or silently ignore non-understood properties and continue processing the message.
- TAXII Clients that receive a TAXII Resource with one or more Custom Properties it does not understand MAY silently ignore non-understood properties and continue processing the message.
- The reporting and logging of errors originating from the processing of Custom Properties depends on the TAXII Server and Client implementations and is therefore not covered in this specification.
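
The naming rules and the two permitted server behaviours above can be checked mechanically. The following Python validator is an added example, not part of the specification: `check_name` separates MUST violations (errors) from SHOULD violations (warnings), and `triage` applies either the "refuse with 422" or the "silently ignore" behaviour to a decoded resource. The function names, the `known` set and the sample resource are assumptions, and rejecting names that break a MUST rule even in lenient mode is this example's own policy choice.

```python
import re

NAME_RE = re.compile(r"[a-z_]+")                # MUST: only a-z and underscore
PREFIXED_RE = re.compile(r"x_[a-z]+_[a-z_]+")   # SHOULD: x_<source>_<name>

def check_name(name):
    """Return (errors, warnings) for one Custom Property name."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(name):
        errors.append("characters outside a-z and '_'")
    if len(name) < 3:
        errors.append("shorter than 3 characters")
    if len(name) > 256:
        errors.append("longer than 256 characters")
    elif len(name) > 30:
        warnings.append("longer than 30 characters")
    if not PREFIXED_RE.fullmatch(name):
        warnings.append("not of the form x_<source>_<name>")
    return errors, warnings

def triage(resource, known, strict=False):
    """Decide how a server handles a decoded TAXII resource.

    known  -- property names this implementation understands (assumption)
    strict -- True: refuse any non-understood property with 422
              False: drop non-understood properties and continue
    Returns (http_status, resource_to_process_or_None, report).
    """
    cleaned, report = {}, {}
    for key, value in resource.items():
        if key in known:
            cleaned[key] = value
            continue
        errors, warnings = check_name(key)
        report[key] = {"errors": errors, "warnings": warnings}
    malformed = [k for k, r in report.items() if r["errors"]]
    if malformed or (strict and report):
        return 422, None, report
    # Lenient path: only understood properties reach further processing.
    return 200, cleaned, report

# Constructed sample resource and property set.
KNOWN = {"id", "status"}
SAMPLE = {
    "id": "00000000-0000-4000-8000-000000000000",
    "status": "pending",
    "x_acmeinc_scoring": {"impact": "high", "probability": "low"},
}
```

The report returned by `triage` is a convenient place to hook logging, which the specification leaves to the implementation.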

Examples

{
  ...,
  "x_acmeinc_scoring": {
    "impact": "high",
    "probability": "low"
  },
  ...
}

8 Conformance

8.1 TAXII Servers

This section describes the types of TAXII Servers that can be implemented and which normative requirements those types of servers must conform to.

8.1.1 TAXII 2.0 Server

A "TAXII 2.0 Server" is any software that conforms to the following normative requirements:

- It MUST support all requirements for a TAXII Collections Server as defined in section 8.1.2.

8.1.2 TAXII 2.0 Collections Server

A "TAXII 2.0 Collections Server" is any software that conforms to the following normative requirements:

- It MUST support all requirements as defined in section 3, section 4 and section 5.
- It MUST include all required properties within TAXII Resources, as defined in section 4 and section 5.
- It MUST support all features listed in section 8.2, Mandatory Server Features.
- It MAY support any features listed in section 8.3, Optional Server Features. Software supporting an optional feature MUST comply with the normative requirements of that feature.

8.1.3 TAXII 2.0 Channels Server

RESERVED

8.2 Mandatory Server Features

This section defines the mandatory features that all TAXII Servers must implement.

8.2.1 TAXII Server Core Requirements

- It MUST define the URL of the Discovery API to be /taxii/ and it MUST be located at the root of the server, e.g., https://example.com/taxii/
- It MUST support at least one API Root.
- It MAY support multiple API Roots.
- It MAY implement other HTTP Methods, Content Types, and/or URLs beyond those defined in this specification.
- It MUST be capable of sending HTTP responses for features that it supports whose content is valid TAXII as defined in sections 3, 4, 5, and 6 or STIX as defined in [STIX Version 2.0. Part 1: STIX Core Concepts]. All properties MUST conform to the data type and normative requirements for that property.

8.2.2 HTTPS and Authentication Server Requirements

- It MUST accept TAXII 2.0 requests using HTTPS [RFC7230].
- It MUST accept connections using TLS version 1.2 [RFC5246] and SHOULD accept connections using TLS version 1.3 [TLS1.3] or higher.
- It SHOULD NOT accept any TLS 1.2 connections that use any of the cipher suites that are listed in the cipher suite blacklist in Appendix A of [RFC7540].
- It MUST implement the HTTP Basic authentication scheme per [RFC7617].
- It MAY permit configurations that enable and/or disable all authentication schemes, including HTTP Basic authentication.
- It MAY implement additional authentication and authorization schemes beyond HTTP Basic, see section 1.4.8.
- It MAY restrict access to clients by omitting specific objects, information, or optional fields from any TAXII response.
- It MAY permit operators to disable all authentication.
- It MAY choose to not respond to (a.k.a. silently ignore) unauthorized requests.

8.3 Optional Server Features

This section defines the optional features that a TAXII Server MAY implement.

8.3.1 Client Certificate Verification

TAXII 2.0 servers MAY choose to verify a client's certificate and use it for authentication. TAXII Servers supporting client certificate verification and authentication MUST follow the normative requirements listed in this section.

- The default strategy for TAXII Servers authenticating and verifying certificates SHOULD be PKIX as defined in [RFC5280], [RFC6818], [RFC6125] et al.
- It MAY support other certificate verification policies such as Certificate Pinning.

8.4 TAXII Clients

This section describes the types of TAXII Clients that can be implemented and which normative requirements those types of clients must conform to.

8.4.1 TAXII 2.0 Client

A "TAXII 2.0 Client" is any software that conforms to the following normative requirements:

- It MUST support all requirements for a TAXII Collections Client as defined in section 8.4.2.

8.4.2 TAXII 2.0 Collections Client

A "TAXII 2.0 Collections Client" is any software that exchanges CTI data with a TAXII 2.0 Collections Server or a TAXII 2.0 Server. A TAXII 2.0 Collections Client conforms to the following normative requirements:

- It SHOULD be capable of looking up and using the TAXII SRV record from DNS.
- It MUST support parsing all properties for resources defined in section 4 and section 5.
- It MUST support all features listed in section 8.5, Mandatory Client Features.

8.4.3 TAXII 2.0 Channels Client

RESERVED

8.5 Mandatory Client Features

This section defines the mandatory features that all TAXII Clients MUST support.

8.5.1 HTTPS and Authentication Client Requirements

- It MUST initiate TAXII 2.0 requests to a TAXII 2.0 Server using HTTPS [RFC7230].
- It MUST support TLS 1.2 and SHOULD use TLS version 1.3 [TLS1.3] or higher.
- It SHOULD NOT use TLS 1.2 with any of the cipher suites that are listed in the cipher suite blacklist in Appendix A of [RFC7540].
- It MUST implement the HTTP Basic authentication scheme as a client per [RFC7617].
- It MAY implement additional authentication and authorization schemes beyond HTTP Basic, see section 1.4.8.

8.5.2 Server Certificate Verification

- The default strategy for TAXII Clients authenticating and verifying the server's TLS certificate SHOULD be PKIX as defined in [RFC5280], [RFC6818], [RFC6125] et al.
- TAXII Clients MAY support other certification verification policies such as:
  - Certificate Pinning: A single or limited set of either hard-coded or physically distributed pinned certificate authorities or end-entity certificates.
  - DANE: DNS-based Authentication of Named Entities [RFC7671]. Systems implementing DANE SHOULD also implement DNSSEC [RFC4033].
- Note that Self-Signed Certificates (like other certificates which cannot be verified by PKIX) MAY be supported via Certificate Pinning and/or DANE as noted above.
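
The client requirements of sections 8.5.1 and 8.5.2 map onto a small amount of TLS configuration. The Python code below is an added example, not part of the specification: it builds a client context with a TLS 1.2 floor, PKIX chain and hostname verification, and TLS 1.2 suites limited to authenticated ephemeral key exchange with AEAD ciphers (none of which are on the RFC 7540 Appendix A blacklist), plus a SHA-256 certificate pin check and an RFC 7617 Basic header. All function names, the cipher string and the sample values are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import ssl

# OpenSSL cipher string (example choice): authenticated ephemeral (EC)DHE with
# AES-GCM or ChaCha20-Poly1305 only. TLS 1.3 suites are configured separately
# by OpenSSL and are all AEAD.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL"

def taxii_client_context(cafile=None):
    """Client-side SSLContext: TLS >= 1.2, PKIX verification, hostname check."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def offending_tls12_suites(ctx):
    """List enabled pre-1.3 suites that lack ephemeral key exchange or AEAD."""
    bad = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        name = suite["name"]
        ephemeral = name.startswith(("ECDHE-", "DHE-"))
        aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
        if not (ephemeral and aead):
            bad.append(name)
    return bad

def pin_matches(der_cert, pinned_sha256_hex):
    """Certificate Pinning: compare the SHA-256 of the peer's DER certificate
    (e.g. from SSLSocket.getpeercert(binary_form=True)) with a pinned set."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(digest, pin.lower()) for pin in pinned_sha256_hex)

def basic_auth_header(user, password):
    """Authorization header value for HTTP Basic; only send it over verified TLS."""
    if ":" in user:
        raise ValueError("a Basic user-id cannot contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

# Constructed stand-in for a DER-encoded certificate and its pin.
SAMPLE_DER = b"constructed certificate bytes"
SAMPLE_PINS = [hashlib.sha256(SAMPLE_DER).hexdigest().upper()]
```

A pin check supplements rather than replaces `verify_mode`; for a self-signed server certificate the pinned certificate can be supplied through `cafile`.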

Appendix A. Glossary

API Root - A grouping of TAXII Channels, Collections, and related functionality.
Channel - A publish-subscribe communications method where messages are exchanged.
CTI - Cyber Threat Intelligence
Collection - A logical group of CTI objects.
Endpoint - A combination of a URL and HTTP method with defined behavior in TAXII.
STIX - Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI).
STIX Content - STIX documents, including STIX Objects, grouped as STIX Bundles.
STIX Object - A STIX Domain Object (SDO) or STIX Relationship Object (SRO).
TAXII - Trusted Automated eXchange of Intelligence Information (TAXII) is an application layer protocol for the communication of cyber threat intelligence (CTI).
TAXII Client - A software package that connects to a TAXII Server and supports the exchange of CTI.
TAXII Server - A software package that supports the exchange of CTI.

Appendix B. Acknowledgments

TAXII Subcommittee Chairs:
Bret Jordan, Symantec Corp.
Mark Davidson, NC4

Special Thanks:
Substantial contributions to this specification from the following individuals are gratefully acknowledged:
Terry MacDonald, Cosive
Jane Ginn, Cyber Threat Intelligence Network, Inc. (CTIN)
Richard Struse, DHS Office of Cybersecurity and Communications
Sergey Polzunov, EclecticIQ
Iain Brown, GDS
Eric Burger, Georgetown University
Jason Keirstead, IBM
Allan Thomson, LookingGlass Cyber
Rich Piazza, MITRE Corporation
Charles Schmidt, MITRE Corporation
John Wunder, MITRE Corporation
Mark Davidson, NC4
John-Mark Gurney, New Context Services, Inc.
Dave Cridland, Surevine
Bret Jordan, Symantec Corp.

Participants:
The following individuals were members of the OASIS CTI Technical Committee during the creation of this specification and their contributions are gratefully acknowledged:
David Crawford, Aetna
Marcos Orallo, Airbus Group SAS
Roman Fiedler, AIT Austrian Institute of Technology
Florian Skopik, AIT Austrian Institute of Technology
Russell Spitler, AlienVault
Ryan Clough, Anomali
Nicholas Hayden, Anomali
Wei Huang, Anomali
Angela Nichols, Anomali
Hugh Njemanze, Anomali
Katie Pelusi, Anomali
Dean Thompson, Australia and New Zealand Banking Group (ANZ Bank)
Alexander Foley, Bank of America
Sounil Yu, Bank of America
Vicky Laurens, Bank of Montreal
Humphrey Christian, Bay Dynamics
Ryan Stolte, Bay Dynamics
Alexandre Dulaunoy, CIRCL
Andras Iklody, CIRCL
Raphaël Vinot, CIRCL
Sarah Kelley, CIS
Syam Appala, Cisco Systems
Ted Bedwell, Cisco Systems
David McGrew, Cisco Systems
Mark-David McLaughlin, Cisco Systems
Pavan Reddy, Cisco Systems
Omar Santos, Cisco Systems
Jyoti Verma, Cisco Systems
Doug DePeppe, Cyber Threat Intelligence Network, Inc. (CTIN)
Jane Ginn, Cyber Threat Intelligence Network, Inc. (CTIN)
Ben Othman, Cyber Threat Intelligence Network, Inc. (CTIN)
Jeff Odom, Dell
Sreejith Padmajadevi, Dell
Ravi Sharda, Dell
Will Urbanski, Dell
Sean Sobieraj, DHS Office of Cybersecurity and Communications (CS&C)
Richard Struse, DHS Office of Cybersecurity and Communications (CS&C)
Marlon Taylor, DHS Office of Cybersecurity and Communications (CS&C)
Jens Aabol, Difi-Agency for Public Management and eGovernment
Wouter Bolsterlee, EclecticIQ
Marko Dragoljevic, EclecticIQ
Oliver Gheorghe, EclecticIQ
Joep Gommers, EclecticIQ
Sergey Polzunov, EclecticIQ
Rutger Prins, EclecticIQ
Andrei Sîrghi, EclecticIQ
Raymon van der Velde, EclecticIQ
Ben Sooter, Electric Power Research Institute (EPRI)
Chris Ricard, Financial Services Information Sharing and Analysis Center (FS-ISAC)
Phillip Boles, FireEye, Inc.
Prasad Gaikwad, FireEye, Inc.
Rajeev Jha, FireEye, Inc.
Anuj Kumar, FireEye, Inc.
Shyamal Pandya, FireEye, Inc.
Paul Patrick, FireEye, Inc.
Scott Shreve, FireEye, Inc.
Jon Warren, FireEye, Inc.
Remko Weterings, FireEye, Inc.
Gavin Chow, Fortinet Inc.
Steve Fossen, Fortinet Inc.
Kenichi Terashita, Fortinet Inc.
Ryusuke Masuoka, Fujitsu Limited
Daisuke Murabayashi, Fujitsu Limited
Derek Northrope, Fujitsu Limited
Jonathan Algar, GDS
Iain Brown, GDS
Adam Cooper, GDS
Mike McLellan, GDS
Tyrone Nembhard, GDS
Chris O'Brien, GDS
James Penman, GDS
Howard Staple, GDS
Chris Taylor, GDS
Laurie Thomson, GDS
Alastair Treharne, GDS
Julian White, GDS
Bethany Yates, GDS
Robert van Engelen, Genivia
Eric Burger, Georgetown University
Allison Miller, Google Inc.
Mark Risher, Google Inc.
Yoshihide Kawada, Hitachi, Ltd.
Jun Nakanishi, Hitachi, Ltd.
Kazuo Noguchi, Hitachi, Ltd.
Akihito Sawada, Hitachi, Ltd.
Yutaka Takami, Hitachi, Ltd.
Masato Terada, Hitachi, Ltd.
Peter Allor, IBM
Eldan Ben-Haim, IBM
Allen Hadden, IBM
Sandra Hernandez, IBM
Jason Keirstead, IBM
John Morris, IBM
Laura Rusu, IBM
Ron Williams, IBM
Paul Martini, iboss, Inc.
Jerome Athias, Individual
Peter Brown, Individual
Joerg Eschweiler, Individual
Stefan Hagen, Individual
Elysa Jones, Individual
Sanjiv Kalkar, Individual
Terry MacDonald, Individual
Alex Pinto, Individual
Tim Casey, Intel Corporation
Kent Landfield, Intel Corporation
Karin Marr, Johns Hopkins University Applied Physics Laboratory
Julie Modlin, Johns Hopkins University Applied Physics Laboratory
Mark Moss, Johns Hopkins University Applied Physics Laboratory
Mark Munoz, Johns Hopkins University Applied Physics Laboratory
Nathan Reller, Johns Hopkins University Applied Physics Laboratory
Pamela Smith, Johns Hopkins University Applied Physics Laboratory
David Laurance, JPMorgan Chase Bank, N.A.
Russell Culpepper, Kaiser Permanente
Beth Pumo, Kaiser Permanente
Michael Slavick, Kaiser Permanente
Trey Darley, Kingfisher Operations, sprl
Gus Creedon, Logistics Management Institute
Wesley Brown, LookingGlass
Jamison Day, LookingGlass
Kinshuk Pahare, LookingGlass
Allan Thomson, LookingGlass
Ian Truslove, LookingGlass
Chris Wood, LookingGlass
Greg Back, Mitre Corporation
Jonathan Baker, Mitre Corporation
Sean Barnum, Mitre Corporation
Desiree Beck, Mitre Corporation
Michael Chisholm, Mitre Corporation
Nicole Gong, Mitre Corporation
Ivan Kirillov, Mitre Corporation
Michael Kouremetis, Mitre Corporation
Chris Lenk, Mitre Corporation
Richard Piazza, Mitre Corporation
Larry Rodrigues, Mitre Corporation
Jon Salwen, Mitre Corporation
Charles Schmidt, Mitre Corporation
Alex Tweed, Mitre Corporation
Emmanuelle Vargas-Gonzalez, Mitre Corporation
John Wunder, Mitre Corporation
James Cabral, MTG Management Consultants, LLC.
Scott Algeier, National Council of ISACs (NCI)
Denise Anderson, National Council of ISACs (NCI)
Josh Poster, National Council of ISACs (NCI)
Mike Boyle, National Security Agency
Joe Brule, National Security Agency
Jessica Fitzgerald-McKay, National Security Agency
David Kemp, National Security Agency
Shaun McCullough, National Security Agency
John Anderson, NC4
Michael Butt, NC4
Mark Davidson, NC4
Daniel Dye, NC4
Angelo Mendonca, NC4
Michael Pepin, NC4
Natalie Suarez, NC4
Benjamin Yates, NC4
Daichi Hasumi, NEC Corporation
Takahiro Kakumaru, NEC Corporation
Lauri Korts-Pärn, NEC Corporation
John-Mark Gurney, New Context Services, Inc.
Christian Hunt, New Context Services, Inc.
Daniel Riedel, New Context Services, Inc.
Andrew Storms, New Context Services, Inc.
Stephen Banghart, NIST
David Darnell, North American Energy Standards Board
Cory Casanave, Object Management Group
Aharon Chernin, Perch
Dave Eilken, Perch
Sourabh Satish, Phantom
Josh Larkins, PhishMe Inc.
John Tolbert, Queralt Inc.
Ted Julian, Resilient Systems, Inc.
Igor Baikalov, Securonix
Joseph Brand, Semper Fortis Solutions
Duncan Sparrell, sFractal Consulting LLC
Thomas Schreck, Siemens AG
Rob Roel, Southern California Edison
Dave Cridland, Surevine Ltd.
Bret Jordan, Symantec Corp.
Curtis Kostrosky, Symantec Corp.
Juha Haaga, Synopsys
Masood Nasir, TELUS
Greg Reaume, TELUS
Alan Steer, TELUS
Crystal Hayes, The Boeing Company
Wade Baker, ThreatConnect, Inc.
Cole Iliff, ThreatConnect, Inc.
Andrew Pendergast, ThreatConnect, Inc.
Ben Schmoker, ThreatConnect, Inc.
Jason Spies, ThreatConnect, Inc.
Ryan Trost, ThreatQuotient, Inc.
Patrick Coughlin, TruSTAR Technology
Chris Roblee, TruSTAR Technology
Mark Angel, U.S. Bank
Brian Fay, U.S. Bank
Joseph Frazier, U.S. Bank
Mark Heidrick, U.S. Bank
Mona Magathan, U.S. Bank
Yevgen Sautin, U.S. Bank
Richard Shok, U.S. Bank
James Bohling, US Department of Defense (DoD)
Eoghan Casey, US Department of Defense (DoD)
Gary Katz, US Department of Defense (DoD)
Jeffrey Mates, US Department of Defense (DoD)
Evette Maynard-Noel, US Department of Homeland Security
Robert Coderre, VeriSign
Kyle Maxwell, VeriSign
Eric Osterweil, VeriSign
Patrick Maroney, Wapack Labs LLC
Anthony Rutkowski, Yanna Technologies LLC

Appendix C. Revision History

Revision: 01
Date: 2017-04-24
Editor: Bret Jordan, Mark Davidson, John Wunder
Changes Made: Initial Version
