DXL Event payload contents (or the absence of a payload standard)

  • Isn’t it an issue not having a “payload standard”? AFAIK, OpenDXL came about to avoid things like “full mesh, one-to-one, messy security integrations”. But then, imagine a situation where a message publisher is created. All other clients subscribed to the topics will have to know how to “parse” the payload and get the important info, and that for each one of the publishers. Otherwise, if we had some sort of spec, we wouldn’t have that issue. What do you think?

    It would be good to have some “protocol” in order to cover all (or most) situations. Like:

    I understand the need for “openness” of the protocol, but maybe it comes with some caveats. Do you guys agree? Or am I not seeing the bigger picture here?
  • Great question!


    DXL intentionally does not dictate the format of the payload. This allows for a wide variety of integrations to be published on the fabric.


    Currently, the vast majority of solutions utilize JSON, but there are some that use XML, and others that use raw binary.


    With that said, for particular sets of topics it absolutely makes sense to standardize the payloads. As you mention, standardizing on the topics that utilize STIX and CEF makes sense. We have discussed adding a new section to this site that documents the "catalog" of topics and related formats that are available on DXL. I think something like this will be necessary as the number of integrations available on DXL continues to grow.


    Hope this helps,

    Chris

  • We need general naming conventions as well, no matter which message format (JSON, XML, STIX, etc.) or topic is used. Otherwise it can mean that potentially compatible solutions will not be able to talk with each other because the names are hard-coded.

    E.g., an IPv4 address field can be named ipv4, ipv4address, IPv4, ip4addr, etc.


    Vadim
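The two problems raised above (a subscriber cannot know the payload encoding of each publisher on a topic, and even within one encoding the same datum travels under different field names) are what a topic-catalog or naming convention would remove. The following is an added example, not OpenDXL project code and not from any participant in this thread: a subscriber-side shim that sniffs JSON, XML or raw binary, maps a set of assumed field aliases onto canonical names, and validates the address value instead of trusting it. The publisher names, field aliases, binary wire layout and sample payloads are all constructed for the example.

```python
"""Normalize event payloads from publishers that share a topic but not a
payload format or field names.  Added example; not OpenDXL project code.
Publisher names, aliases, binary layout and sample payloads are assumptions."""
import ipaddress
import json
import struct
import xml.etree.ElementTree as ET

# Canonical field name -> aliases observed from different publishers (assumed list).
FIELD_ALIASES = {
    "ipv4": ("ipv4", "ipv4address", "IPv4", "ip4addr", "src_ip"),
    "hostname": ("hostname", "host", "Hostname", "computer_name"),
    "severity": ("severity", "sev", "Severity", "priority"),
}
# Reverse index: lower-cased alias -> canonical name.
_ALIAS_INDEX = {a.lower(): canon for canon, aliases in FIELD_ALIASES.items() for a in aliases}


def detect_format(payload: bytes) -> str:
    """Heuristic sniff of the encoding.  A binary publisher whose first byte
    happens to be 0x7B ('{') would be mis-sniffed, which is exactly why a
    per-topic format catalog beats guessing at the subscriber."""
    head = payload[:1]
    if head in (b"{", b"["):
        return "json"
    if head == b"<":
        return "xml"
    return "binary"


def _flatten_xml(payload: bytes) -> dict:
    """Root attributes plus direct child elements, as a flat name -> text dict."""
    root = ET.fromstring(payload)
    fields = dict(root.attrib)
    for child in root:
        fields[child.tag] = (child.text or "").strip()
    return fields


def _decode_binary(payload: bytes) -> dict:
    """Assumed wire layout for one hypothetical publisher: 4-byte IPv4 in
    network order, 1-byte severity, remaining bytes a UTF-8 hostname.  Binary
    payloads carry no field names at all, so each such publisher needs its
    own decoder; the alias names returned here are the publisher's own."""
    if len(payload) < 5:
        raise ValueError("binary payload too short")
    ip_int, sev = struct.unpack("!IB", payload[:5])
    return {
        "ip4addr": str(ipaddress.IPv4Address(ip_int)),
        "sev": str(sev),
        "host": payload[5:].decode("utf-8"),
    }


def parse_payload(payload: bytes) -> dict:
    fmt = detect_format(payload)
    if fmt == "json":
        return json.loads(payload.decode("utf-8"))
    if fmt == "xml":
        return _flatten_xml(payload)
    return _decode_binary(payload)


def normalize(fields: dict) -> dict:
    """Map publisher field names onto canonical ones and validate the address."""
    canonical = {}
    for key, value in fields.items():
        canon = _ALIAS_INDEX.get(str(key).lower())
        if canon is None:
            continue  # unknown field: skip rather than guess
        if canon in canonical:
            raise ValueError(f"conflicting aliases for {canon!r}: {key!r}")
        canonical[canon] = str(value)
    if "ipv4" in canonical:
        # Validate rather than trust: raises ValueError on junk like 999.1.1.1.
        canonical["ipv4"] = str(ipaddress.IPv4Address(canonical["ipv4"]))
    return canonical


def normalize_event(payload: bytes) -> dict:
    return normalize(parse_payload(payload))


# Constructed sample payloads: three publishers, one event, three encodings.
SAMPLE_PAYLOADS = {
    "publisher_a_json": b'{"IPv4": "10.0.0.5", "Hostname": "ws-17", "Severity": 3}',
    "publisher_b_xml": b"<event><ipv4address>10.0.0.5</ipv4address>"
                       b"<host>ws-17</host><priority>3</priority></event>",
    "publisher_c_binary": struct.pack("!IB", int(ipaddress.IPv4Address("10.0.0.5")), 3) + b"ws-17",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_PAYLOADS.items():
        print(name, detect_format(raw), normalize_event(raw))
```

All three sample payloads normalize to the same canonical dict, which is the outcome a shared naming convention would give for free; note that the alias table has to be maintained by every subscriber, and the binary decoder by every subscriber of that one publisher, which is the per-publisher parsing cost described in the opening post.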

  • ...We have discussed adding a new section to this site that documents the "catalog" of topics and related formats that are available on DXL. I think something like this will be necessary as the number of integrations available on DXL continues to grow.

    Thanks, Chris. I'm looking forward to this. Please advise if there's anything I can help you guys with on this.


    ...We need general naming conventions as well, no matter which message format (JSON, XML, STIX, etc.) or topic is used. Otherwise it can mean that potentially compatible solutions will not be able to talk with each other because the names are hard-coded.

    E.g., an IPv4 address field can be named ipv4, ipv4address, IPv4, ip4addr, etc.


    Vadim

    Agreed, Vadim.