Implement "TAXII inbox" (supporting pushing data to TAXII endpoint as part of the TAXII protocol) #8932
Comments
This is to implement TAXII Inbox support in the OpenCTI 2.1 TAXII server, so that clients may POST STIX documents to the /objects endpoint. May need another issue for the OpenCTI TAXII client to be able to push this data.
More internal requirement notes here
It's worth noting that the term Inbox appears to be a legacy term from the TAXII 1.X standard, and is simply referred to as a POST method in TAXII 2.1. It is also worth noting that the mapping and handling of data sent from client to server may need to be highly configurable. For example, the current TAXII POST connector removes the created_by key value, presumably to improve confidentiality of the client user when sending data to the ISAC. However, for example, at least one ISAC/CERT specifies that the created_by key value must be populated by the contributor for attribution in handling by the CERT team. While filters for the data stream can also be used in the UI, the connector configuration serves as a hard block on any confidential data being uploaded, so this should be a system config or Danger Zone config. MISP Guard gives an example of how this is done elsewhere. If any CERTs and ISACs can share examples of their TAXII POST requirements, this would help inform the configuration options needed.
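Added example, not part of the issue thread and not OpenCTI or connector code: a sketch of the two attribution behaviours described in the comment above, applied to the object list before it is wrapped in a TAXII 2.1 envelope for POST to the collection's objects endpoint. The mode names `strip` and `require`, the function names and the exempt-type list are assumptions; the STIX 2.1 property is spelled `created_by_ref`.

```python
import copy

# Media type a TAXII 2.1 client sends as Content-Type when POSTing an envelope.
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

class AttributionPolicyError(ValueError):
    """An object does not satisfy the configured attribution policy."""

def _other_refs(obj):
    """Yield every id referenced by obj except through created_by_ref."""
    for key, value in obj.items():
        if key == "created_by_ref":
            continue
        if key.endswith("_ref") and isinstance(value, str):
            yield value
        elif key.endswith("_refs") and isinstance(value, list):
            yield from value

def build_envelope(objects, mode, contributor_id=None,
                   exempt_types=("identity", "marking-definition")):
    """Apply the hypothetical 'strip' or 'require' policy; return the envelope."""
    objects = copy.deepcopy(objects)  # never mutate the caller's data
    if mode == "strip":
        authors = {o["created_by_ref"] for o in objects if "created_by_ref" in o}
        still_used = {ref for o in objects for ref in _other_refs(o)}
        kept = []
        for obj in objects:
            obj.pop("created_by_ref", None)
            # An author identity left in the envelope would still reveal the sender.
            if obj["id"] in authors and obj["id"] not in still_used:
                continue
            kept.append(obj)
        return {"objects": kept}
    if mode == "require":
        for obj in objects:
            if obj["type"] in exempt_types:
                continue
            if not contributor_id or obj.get("created_by_ref") != contributor_id:
                raise AttributionPolicyError(f"{obj['id']}: created_by_ref must be set")
        return {"objects": objects}
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample data (not from the issue).
IDENTITY = {"type": "identity", "id": "identity--11111111-1111-4111-8111-111111111111",
            "name": "Example Org"}
INDICATOR = {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
             "created_by_ref": IDENTITY["id"],
             "pattern": "[domain-name:value = 'example.test']"}
```

Running the policy in the sending component before serialization means a rejected or stripped object never leaves the platform, independent of any stream filter configured in the UI.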
For me, MISP Guard is a way to prevent unwanted sharing but not security posting (https://www.misp-project.org/2022/09/13/misp-guard.html/). Do we really need a kind of post protection to prevent specific data from being written? @damians-filigran, @SamuelHassine, @romain-filigran?
It's not clear to me why we should implement a control mechanism for data published in OpenCTI.
Yes @romain-filigran @richard-julien, please ignore references to MISP Guard; this would relate to adding this feature to the TAXII client, but this FR relates to implementing it on the OCTI TAXII Server.
Use case
Implement "TAXII inbox" (supporting pushing data to TAXII endpoint as part of the TAXII protocol)