Generated by GPT-5-mini

| STIX/TAXII | |
|---|---|
| Name | STIX/TAXII |
| Focus | Cyber threat intelligence exchange |
| Origin | MITRE |
| First published | 2012 |
| Languages | English |
STIX/TAXII is a pair of interoperable specifications for cyber threat intelligence exchange that aim to enable sharing between organizations such as MITRE Corporation, the Department of Homeland Security, NATO, Europol and INTERPOL. The specifications influenced collaboration among technology vendors such as IBM, Microsoft, Google, Cisco Systems and FireEye, and were adopted by standards bodies and consortia including OASIS, FIRST, ENISA and ISO. Stakeholders across sectors, for example Amazon, Microsoft Azure, JPMorgan Chase, Siemens and Lockheed Martin, used the specifications to integrate with products from Splunk, Palo Alto Networks, Recorded Future, CrowdStrike and Carbon Black. The work sits at the intersection of initiatives from the Cybersecurity and Infrastructure Security Agency, NIST, the SANS Institute and ISACA.
STIX/TAXII comprises two complementary elements: a structured content language and a transport mechanism, used by entities such as the CERT Coordination Center, US-CERT, United States Cyber Command and GCHQ. The content language provides machine-readable representations adopted by vendors including Symantec Corporation, Trend Micro, Kaspersky Lab, McAfee and Sophos, while the transport protocol enables push/pull communication patterns implemented by platforms such as AlienVault, TheHive Project, MISP and OpenDXL. The designers referenced prior and parallel standards, including XML, JSON, XMPP, the work of the STIX 1.0 specification committee and CAP (Common Alerting Protocol), to ensure compatibility with enterprise stacks at Deutsche Telekom, Orange S.A., Verizon Communications and BT Group.
Initial design work began within MITRE Corporation and the US federal community in the early 2010s, with input from the Department of Homeland Security, the DHS S&T Directorate and industry partners such as IBM Security and McAfee. Subsequent iterations saw formalization efforts at OASIS and operational trials by the NATO Cooperative Cyber Defence Centre of Excellence, Europol's EC3, the Australian Signals Directorate and national CERTs including CERT-UK and JPCERT/CC. Influential public disclosures and threat reports from Mandiant, Kaspersky Lab, Cisco Talos and Symantec Threat Hunter prompted schema extensions and mappings to taxonomies such as MITRE ATT&CK, VERIS, CAPEC and CVE. The roadmap included community-driven implementations at events such as Black Hat, DEF CON, RSA Conference and BSides, and at workshops hosted by FIRST and ENISA.
The architecture divided responsibilities between a structured schema layer, consumed by analytics stacks from Splunk, Elastic NV, HPE ArcSight and IBM QRadar, and a transport layer compatible with HTTP, RESTful APIs, push/pull brokers and messaging systems such as Apache Kafka, RabbitMQ and MQTT. Models relied on serialization formats originating from JSON Schema, and the designers referenced authentication and integrity mechanisms used in OAuth 2.0, TLS, SAML 2.0 and X.509. Interoperability testing used toolkits maintained by MITRE ATT&CK contributors, OASIS Open working groups, and open-source projects hosted on GitHub and by the Apache Software Foundation.
The STIX content model represents core cyber threat constructs including indicators, observables, intrusion sets, campaigns, threat actors, attack patterns, courses of action, malware, tools and vulnerability references such as those in CVE. Mappings connect STIX entities to MITRE ATT&CK techniques, CAPEC attack pattern identifiers, Common Vulnerability Scoring System metrics and the incident taxonomies used by VERIS. Schema evolution added support for granular timestamps, confidence scoring, kill chain phases as described in Lockheed Martin's kill chain publications, and relationships that interoperate with Graphviz and graph databases such as Neo4j and JanusGraph.
TAXII defines services and message bindings supporting collection management, polling and subscription semantics, consumed by platforms from Anomali, Phantom Cyber (Splunk Phantom), Siemplify and Demisto (Cortex XSOAR). Implementations use RESTful endpoints secured with OAuth 2.0 and TLS 1.2/1.3, and align with the logging and SIEM ingestion patterns of CrowdStrike Falcon, McAfee MVISION, Microsoft Sentinel and Google Chronicle. Service models support sharing arrangements shaped by policy guidance from the NIST SP 800 series, the EU General Data Protection Regulation and data handling practices advocated by ENISA.
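To make the content model and the transport side above concrete, here is an added example (not from the page or from any STIX/TAXII project) that builds STIX 2.1 indicator, malware and relationship objects as plain dictionaries, runs the checks a feed consumer would run before ingesting a bundle, and walks a TAXII 2.1 style paged collection response. The server side is simulated in-process, and the malware name and domain are constructed.

```python
import uuid
from datetime import datetime, timezone
TS = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
COMMON = {"type", "spec_version", "id", "created", "modified"}
# Type-specific required properties for the STIX 2.1 object types used here.
STIX_REQUIRED = {"indicator": {"pattern", "pattern_type", "valid_from"},
                 "malware": {"is_family"},
                 "relationship": {"relationship_type", "source_ref", "target_ref"}}

def stix_obj(obj_type, **props):
    """Build a STIX 2.1 object: common properties plus the type-specific ones."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS, **props}

def validate_bundle(bundle):
    """Consumer-side checks: required properties present, relationship refs resolve."""
    problems, ids = [], {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        missing = (COMMON | STIX_REQUIRED.get(o.get("type"), set())) - set(o)
        if missing:
            problems.append(f"{o.get('id')}: missing {sorted(missing)}")
        for ref in ("source_ref", "target_ref"):
            if ref in o and o[ref] not in ids:
                problems.append(f"{o['id']}: dangling {ref} {o[ref]}")
    return problems

def taxii_page(objects, limit, cursor=0):
    """Server side: one TAXII 2.1 style envelope from a collection's objects endpoint."""
    env = {"objects": objects[cursor:cursor + limit], "more": cursor + limit < len(objects)}
    if env["more"]:
        env["next"] = str(cursor + limit)  # opaque to clients; here simply an offset
    return env

def poll_collection(objects, limit=2):
    """Client side: resend the request with the returned next value until more is false."""
    collected, cursor = [], 0
    while True:
        env = taxii_page(objects, limit, cursor)
        collected.extend(env["objects"])
        if not env["more"]:
            return collected
        cursor = int(env["next"])

# Constructed sample content (fictional names): a C2 indicator for a malware family.
MAL = stix_obj("malware", name="ExampleLoader", is_family=True)
IND = stix_obj("indicator", name="ExampleLoader C2 domain", pattern_type="stix",
               pattern="[domain-name:value = 'c2.example.invalid']", valid_from=TS)
REL = stix_obj("relationship", relationship_type="indicates",
               source_ref=IND["id"], target_ref=MAL["id"])
BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [IND, MAL, REL]}
```

Dropping MAL from the bundle makes the relationship's target_ref dangling, which is the kind of defect a consumer should reject rather than silently ingest.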
Open-source implementations included MISP (Malware Information Sharing Platform), OpenDXL, Stix2 Python, cabby and repositories maintained on GitHub and by communities at OASIS Open. Commercial integrations were offered by Anomali ThreatStream, Recorded Future Intelligence Platform, FireEye Helix, Palo Alto Networks AutoFocus and Splunk Enterprise Security. Academic and research integrations appeared in projects at MIT, Carnegie Mellon University, Stanford University, University of Cambridge and ETH Zurich, and in exercises coordinated by NATO CCDCOE and US Cyber Command.
Operational security considerations required threat feed provenance, signing, and access controls used by agencies like DHS, NSA, GCHQ and Australian Signals Directorate, and compliance with privacy regimes such as GDPR and sectoral guidance from HIPAA and PCI DSS. Governance models adopted community stewardship similar to IETF and OASIS processes and incorporated liability and information-sharing frameworks seen in memoranda between FBI and private firms. Risk management referenced standards and best practices from NIST Cybersecurity Framework, ISO/IEC 27001 and audit regimes used by PwC, Deloitte, KPMG and EY.