mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-14 23:14:55 +03:00
STIX/TAXII Feed Integration Workflows
Workflow 1: TAXII Feed Consumption
[TAXII Discovery] --> [API Root Enumeration] --> [Collection Selection] --> [Object Polling]
                                                                                   |
                                                                                   v
                                                        [STIX Parsing] --> [IOC Extraction]
                                                                                   |
                                                                                   v
                                                                        [SIEM/TIP Ingestion]
Steps:
- Discovery: Query the server's TAXII discovery endpoint (/taxii2/ in TAXII 2.1) for the available API roots
- Root Enumeration: Fetch each API root to learn the supported TAXII versions, content types and maximum response size
- Collection Listing: Enumerate collections and note the can_read / can_write flags the server reports for your credentials
- Incremental Polling: Fetch new objects with the added_after filter, following the next token while more is true; advance the watermark from the manifest's date_added values, not from the objects' own modified timestamps
- STIX Parsing: Deserialize the envelope's objects into typed STIX objects, rejecting any that fail validation
- IOC Extraction: Extract atomic observables from indicator patterns, and the relationships that give them context, skipping revoked indicators
- Platform Ingestion: Push to SIEM, MISP, or OpenCTI
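Worked example for the polling, parsing and extraction steps above. It is added here and is not code from the original page or from any TAXII client library; it uses only the Python standard library so it runs offline. The envelope and manifest are constructed sample data, the API root and collection id in the request builder are placeholders, and the pattern parser handles only flat comparison expressions (a real deployment would hand full patterns to a pattern engine such as stix2-patterns).

```python
import re
from datetime import datetime, timezone

# Constructed sample of a TAXII 2.1 envelope, as returned by
# GET /{api_root}/collections/{id}/objects/ (all values invented for this example)
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--6d2d1b2e-3c7f-4a0c-9c8e-2b4f5a1c0001",
         "created": "2026-06-01T10:00:00.000Z", "modified": "2026-06-02T08:30:00.000Z",
         "name": "Example C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2026-06-01T10:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--6d2d1b2e-3c7f-4a0c-9c8e-2b4f5a1c0002",
         "created": "2026-06-01T11:00:00.000Z", "modified": "2026-06-01T11:00:00.000Z",
         "name": "Example dropper", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'"
                    " OR domain-name:value = 'dl.bad.example']",
         "valid_from": "2026-06-01T11:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",  # withdrawn false positive
         "id": "indicator--6d2d1b2e-3c7f-4a0c-9c8e-2b4f5a1c0003",
         "created": "2026-05-01T00:00:00.000Z", "modified": "2026-06-02T09:00:00.000Z",
         "name": "Withdrawn", "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2026-05-01T00:00:00.000Z"},
    ],
}

# Constructed manifest for the same collection (GET .../collections/{id}/manifest/).
# date_added is when the server added the object to the collection and can be later
# than the object's own modified timestamp.
SAMPLE_MANIFEST = {
    "more": False,
    "objects": [
        {"id": "indicator--6d2d1b2e-3c7f-4a0c-9c8e-2b4f5a1c0001",
         "date_added": "2026-06-02T08:31:00.000Z", "version": "2026-06-02T08:30:00.000Z"},
        {"id": "indicator--6d2d1b2e-3c7f-4a0c-9c8e-2b4f5a1c0002",
         "date_added": "2026-06-03T01:00:00.000Z", "version": "2026-06-01T11:00:00.000Z"},
    ],
}

# One comparison expression inside a STIX pattern, e.g. file:hashes.'SHA-256' = '...'
COMPARISON = re.compile(
    r"(?P<obj>[a-z0-9-]+):(?P<path>[A-Za-z0-9_\-.']+)\s*"
    r"(?P<op>=|!=|LIKE|MATCHES|>=|<=|>|<)\s*'(?P<val>(?:[^'\\]|\\.)*)'"
)


def parse_ts(ts):
    """STIX timestamps end in Z, which fromisoformat only accepts from Python 3.11 on."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def extract_iocs(envelope):
    """One dict per '=' comparison in each non-revoked stix-pattern indicator.

    Only equality comparisons are atomic, matchable values; LIKE, MATCHES and range
    operators are left to a pattern engine and skipped here.
    """
    iocs = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):  # a revoked indicator must not become a blocklist entry
            continue
        for m in COMPARISON.finditer(obj["pattern"]):
            if m.group("op") != "=":
                continue
            iocs.append({
                "indicator_id": obj["id"],
                "object": m.group("obj"),
                "path": m.group("path").replace("'", ""),
                "value": re.sub(r"\\(['\\])", r"\1", m.group("val")),  # undo \' and \\
                "valid_from": obj.get("valid_from"),
                "valid_until": obj.get("valid_until"),
            })
    return iocs


def next_added_after(manifest, previous=None):
    """Advance the polling watermark from the manifest's date_added values.

    added_after filters on when the server added the object to the collection, so the
    watermark must come from date_added: an object whose modified is older than the
    last watermark but whose date_added is newer would otherwise be skipped forever.
    """
    latest = previous
    for entry in manifest.get("objects", []):
        if latest is None or parse_ts(entry["date_added"]) > parse_ts(latest):
            latest = entry["date_added"]
    return latest


def poll_request(api_root, collection_id, added_after=None, next_token=None):
    """URL, query parameters and headers for the next page of objects (TAXII 2.1)."""
    params = {}
    if added_after:
        params["added_after"] = added_after
    if next_token:  # the envelope's "next" value, present while "more" is true
        params["next"] = next_token
    return (f"{api_root.rstrip('/')}/collections/{collection_id}/objects/",
            params, {"Accept": "application/taxii+json;version=2.1"})


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_ENVELOPE):
        print(ioc["object"], ioc["path"], ioc["value"])
    print("next added_after:", next_added_after(SAMPLE_MANIFEST))
    print(poll_request("https://taxii.example/api1", "collection-id", next_added_after(SAMPLE_MANIFEST)))
```

In a real poller the HTTP calls are done by a client such as taxii2client's v21 Collection (get_objects and get_manifest); the watermark logic above is the part clients do not do for you. Store the watermark per collection, and only persist it after the fetched page has been written to the downstream store, or a crash between the two loses objects.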
Workflow 2: STIX Bundle Production
[IOC Sources] --> [Normalization] --> [STIX Object Creation] --> [Bundle Assembly]
                                                                         |
                                                                         v
                                                               [TAXII Publication]
Steps:
- Source Collection: Gather IOCs from internal analysis, feeds, and incident response
- Normalization: Standardize IOC formats (case, whitespace, trailing dots), drop malformed or internal-only values, and remove duplicates
- Object Creation: Create STIX Indicators (with patterns), Observables, and Relationships, using deterministic ids so a re-published IOC becomes a new version of the same object rather than a duplicate
- TLP Marking: Reference the appropriate TLP marking-definition id in each object's object_marking_refs
- Bundle Assembly: Package objects into STIX 2.1 bundles for file-based exchange
- TAXII Push: POST the objects to a writable collection's objects endpoint; TAXII 2.1 expects the body to be an envelope ({"objects": [...]}) rather than a bundle, and returns a status resource to poll for per-object success or failure
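Worked example for the production workflow above, covering normalization, deduplication, indicator creation with TLP marking, bundle assembly and the TAXII 2.1 add-objects request. It is added here and is not code from the original page or from the stix2 library; it uses only the Python standard library. The TLP marking-definition ids are the fixed values from the STIX 2.1 specification; the producer identity id, the UUIDv5 namespace, the raw IOC list and the API root are assumptions made for this example.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids are fixed by the STIX 2.1 specification (never generated)
TLP = {
    "white": "marking-definition--613f2e26-407d-48c7-9eff-b49eb1f9c7e5",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Hypothetical producer: a fixed identity id and a private UUIDv5 namespace so the same
# IOC always maps to the same indicator id (re-publishing yields a new version, not a
# duplicate object). Both values are assumptions for this example.
PRODUCER_ID = "identity--3c1d8e0a-7f21-4d0b-9a4c-5b6e7f8a9b0c"
ID_NAMESPACE = uuid.UUID("b0d4f7c2-2a1e-4f3d-8e9b-1c2d3e4f5a6b")

# Constructed raw IOCs as they arrive from different sources, deliberately inconsistent
RAW_IOCS = [
    {"type": "ip", "value": " 198.51.100.7 ", "source": "ir-case-42"},
    {"type": "domain", "value": "DL.Bad.Example.", "source": "sandbox"},
    {"type": "sha256", "source": "sandbox",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "ip", "value": "198.51.100.7", "source": "osint"},  # duplicate of the first
    {"type": "sha256", "value": "deadbeef", "source": "osint"},  # malformed
    {"type": "ip", "value": "10.0.0.5", "source": "osint"},  # internal address, never an IOC
]

# Ranges that should never be shared as indicators (RFC 1918, loopback, link-local)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def normalize(raw):
    """Return (kind, canonical value), or None if the IOC is malformed or unpublishable."""
    kind, value = raw["type"], raw["value"].strip()
    if kind == "ip":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        if any(ip in net for net in INTERNAL_NETS):
            return None
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    if kind == "domain":
        value = value.lower().rstrip(".")
        return ("domain", value) if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) else None
    if kind == "sha256":
        value = value.lower()
        return ("sha256", value) if re.fullmatch(r"[0-9a-f]{64}", value) else None
    return None


def stix_pattern(kind, value):
    """Comparison expression for one IOC; backslashes and single quotes must be escaped."""
    v = value.replace("\\", "\\\\").replace("'", "\\'")
    return {
        "ipv4": f"[ipv4-addr:value = '{v}']",
        "ipv6": f"[ipv6-addr:value = '{v}']",
        "domain": f"[domain-name:value = '{v}']",
        "sha256": f"[file:hashes.'SHA-256' = '{v}']",
    }[kind]


def make_indicator(kind, value, tlp, now):
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(ID_NAMESPACE, f"{kind}:{value}")),
        "created_by_ref": PRODUCER_ID, "created": ts, "modified": ts,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(kind, value), "pattern_type": "stix", "valid_from": ts,
        "object_marking_refs": [TLP[tlp]],
    }


def build_bundle(raw_iocs, tlp, now=None):
    """Normalize, deduplicate and wrap the IOCs in a STIX 2.1 bundle."""
    now = now or datetime.now(timezone.utc)
    seen, objects = set(), []
    for raw in raw_iocs:
        norm = normalize(raw)
        if norm is None or norm in seen:
            continue
        seen.add(norm)
        objects.append(make_indicator(*norm, tlp, now))
    # a STIX 2.1 bundle carries only type, id and objects (no spec_version on the bundle)
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def taxii_add_objects_request(api_root, collection_id, bundle):
    """TAXII 2.1 'Add Objects' takes an envelope, not a bundle: unwrap before POSTing."""
    return (f"{api_root.rstrip('/')}/collections/{collection_id}/objects/",
            {"Content-Type": "application/taxii+json;version=2.1",
             "Accept": "application/taxii+json;version=2.1"},
            json.dumps({"objects": bundle["objects"]}))


if __name__ == "__main__":
    bundle = build_bundle(RAW_IOCS, "amber")
    print(json.dumps(bundle, indent=2))
    print(taxii_add_objects_request("https://taxii.example/api1", "collection-id", bundle)[0])
```

Choosing the TLP level per object rather than per bundle matters because consumers apply object_marking_refs, not anything on the bundle, and a bundle is discarded on ingestion. The deterministic id is what lets a later run with a newer modified timestamp supersede the earlier version on the TAXII server instead of adding a second indicator for the same address.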
Workflow 3: Multi-Feed Aggregation
[TAXII Feed A] --+
                 |--> [Deduplication] --> [Correlation] --> [Unified Store]
[TAXII Feed B] --+                                                 |
                 |                                                 v
[STIX File C] ---+                                        [Dashboard/Alerts]
Steps:
- Feed Registration: Configure multiple TAXII collections and file-based STIX sources, each with its own credentials and polling watermark
- Parallel Polling: Poll all feeds concurrently, with rate limiting applied per server
- Deduplication: Collapse copies of the same STIX ID across feeds, keeping the version with the newest modified timestamp, and flag copies that share an ID and modified timestamp but differ in content
- Correlation: Link related objects across feeds via relationship objects and embedded *_ref fields
- Unified Storage: Store in a stix2 MemoryStore, FileSystemStore, or database-backed DataStore
- Output: Generate alerts, dashboards, or exports for downstream consumers
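Worked example for the deduplication, correlation and output steps above. It is added here and is not code from the original page or from the stix2 library; the feed contents are constructed sample data (two TAXII envelopes and one STIX file, already fetched and decoded, so the example runs offline and leaves the polling itself out). The object ids and names are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Invented ids for the constructed feed contents below
IND = "indicator--6d2d1b2e-3c7f-4a0c-9c8e-2b4f5a1c0001"
MAL = "malware--9b1c0d7a-5e2f-4b3a-8d6c-7e0f1a2b0001"
ACTOR = "threat-actor--4f8e2a1c-0b3d-4e5f-9a7b-6c5d4e3f0001"
REL1 = "relationship--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b0001"
REL2 = "relationship--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b0002"


def sdo(type_, id_, modified, **fields):
    """Minimal STIX 2.1 object with the common properties filled in."""
    return {"type": type_, "spec_version": "2.1", "id": id_,
            "created": "2026-06-01T00:00:00.000Z", "modified": modified, **fields}


# Constructed contents of three sources, keyed by feed name
FEEDS = {
    "taxii-a": [
        sdo("indicator", IND, "2026-06-01T10:00:00.000Z", name="Example C2 address",
            pattern="[ipv4-addr:value = '198.51.100.7']", pattern_type="stix",
            valid_from="2026-06-01T10:00:00.000Z"),
        sdo("relationship", REL1, "2026-06-01T10:00:00.000Z", relationship_type="indicates",
            source_ref=IND, target_ref=MAL),
    ],
    "taxii-b": [
        # newer version of the same indicator: same id, later modified, confidence added
        sdo("indicator", IND, "2026-06-05T09:00:00.000Z", name="Example C2 address",
            pattern="[ipv4-addr:value = '198.51.100.7']", pattern_type="stix",
            valid_from="2026-06-01T10:00:00.000Z", confidence=85),
        sdo("malware", MAL, "2026-06-01T10:00:00.000Z", name="ExampleRAT", is_family=True),
    ],
    "file-c": [
        # claims to be feed A's version (same id and modified) but carries another pattern
        sdo("indicator", IND, "2026-06-01T10:00:00.000Z", name="Example C2 address",
            pattern="[ipv4-addr:value = '198.51.100.8']", pattern_type="stix",
            valid_from="2026-06-01T10:00:00.000Z"),
        sdo("relationship", REL1, "2026-06-01T10:00:00.000Z", relationship_type="indicates",
            source_ref=IND, target_ref=MAL),  # exact duplicate of feed A's relationship
        sdo("threat-actor", ACTOR, "2026-06-01T10:00:00.000Z", name="Example Group"),
        sdo("relationship", REL2, "2026-06-01T10:00:00.000Z", relationship_type="uses",
            source_ref=ACTOR, target_ref=MAL),
    ],
}


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def deduplicate(feeds):
    """Keep the newest version of each STIX id across all feeds.

    A STIX version is identified by (id, modified). Two feeds serving the same version
    with different content means one of them is broken or tampered with, so such copies
    are reported as conflicts instead of being silently merged; the first copy seen wins.
    """
    latest, versions, provenance, conflicts = {}, {}, defaultdict(set), []
    for feed, objects in feeds.items():
        for obj in objects:
            key = (obj["id"], obj["modified"])
            if key in versions:
                if versions[key] != obj:
                    conflicts.append((feed, obj["id"], obj["modified"]))
            else:
                versions[key] = obj
            provenance[obj["id"]].add(feed)
            cur = latest.get(obj["id"])
            if cur is None or parse_ts(obj["modified"]) > parse_ts(cur["modified"]):
                latest[obj["id"]] = obj
    return latest, provenance, conflicts


def correlate(store):
    """Undirected adjacency built from relationship objects whose ends both exist."""
    graph = defaultdict(set)
    for obj in store.values():
        if obj["type"] != "relationship":
            continue
        src, dst = obj["source_ref"], obj["target_ref"]
        if src in store and dst in store:  # dangling refs cannot be resolved; skip them
            graph[src].add((obj["relationship_type"], dst))
            graph[dst].add((obj["relationship_type"], src))
    return graph


def pivot(graph, start, depth=2):
    """Ids reachable from start within depth hops, used as context for an alert."""
    seen, frontier = {start}, {start}
    for _ in range(depth):
        frontier = {nbr for node in frontier for _, nbr in graph.get(node, ())} - seen
        seen |= frontier
    return seen - {start}


def alerts(store, graph):
    """One alert per current, non-revoked indicator, enriched with related object names."""
    out = []
    for obj in store.values():
        if obj["type"] != "indicator" or obj.get("revoked"):
            continue
        context = sorted(store[n]["name"] for n in pivot(graph, obj["id"]) if "name" in store[n])
        out.append({"indicator": obj["id"], "pattern": obj["pattern"],
                    "confidence": obj.get("confidence"), "context": context})
    return out


if __name__ == "__main__":
    latest, provenance, conflicts = deduplicate(FEEDS)
    print("conflicts:", conflicts)
    for alert in alerts(latest, correlate(latest)):
        print(alert, "sources:", sorted(provenance[alert["indicator"]]))
```

The stix2 library's MemoryStore and FileSystemStore keep every version of an object, so the newest-version rule above is what a query with `allow_multiple_versions=False` effectively gives you; the conflict check is not something the stores do, and it is the one that catches a feed quietly serving altered content under an existing version.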