TAXII 2.1

List of integrations

• Incoming feed - TAXII 2.1 inbox
• Incoming feed - TAXII 2.1 poll
• Outgoing feed - TAXII 2.1 poll
• Outgoing feed - TAXII 2.1 push

Release notes

# Release History


## EclecticIQ Incoming TAXII extensions

## 2.14.4, 3.0.4, 3.1.4

Release date: 26 September 2023

*Fixed*

- SSL certificate is not mandatory field.

## 2.14.3, 3.0.3, 3.1.3

Release date: 27 July 2023

**Changed**

- Users can authenticate using an SSL certificate in addition to a username and a password.


## EclecticIQ MISP Extension
## 3.2.0, 3.1.1, 3.0.1, 2.14.1
Release date: 30 June 2023

**Added:**
- Workaround for reference resolution on taxii servers that incorrectly send 404 when filtering by id

Known issues

Affected versions: TAXII 2.1 outgoing feeds on EclecticIQ Intelligence Center 3.3.1, 3.2.2, 3.1.3, and newer.

• Default behavior for match[version] filters diverged from TAXII 2.1 specification. If the match[version] parameter is unspecified when querying a TAXII 2.1 collection, match[version]="all" is used by default.

  The TAXII 2.1 specification states that when querying a collection, when the match[version] is left unspecified, the TAXII server should return results for match[version]="last".

  Our TAXII 2.1 implementation however returns results for match[version]="all" for optimal performance. That is, when an EclecticIQ Intelligence Center TAXII 2.1 outgoing feed endpoint is queried without specifying match[version], the endpoint by default returns all “versions” of objects that match the query.

  Because STIX 2.1 versioning is not supported, "all" versions may still return a single result. See further known issues.

• Queries using match[version] set to first or last may see same SDOs

  STIX 2.1 versioning is not fully supported. This means that every change made to an entity, which is subsequently packed by a TAXII 2.1 outgoing feed, generates a distinct STIX 2.1 object with a new STIX ID. This also means that every entity that is modified or created on EclecticIQ Intelligence Center has created and modified timestamps that are the same.

  This means that when using the match[version] filter, first and last is likely to return the same STIX 2.1 object if the originating entity was created or modified on Intelligence Center.

  STIX 2.1 objects that are ingested from an external source and are unmodified before exporting or packing in a TAXII 2.1 feed are unaffected by this known issue.

• Slower queries with match[version] set to first or last

  Queries that set match[version] to first or last are slower than queries that use all. These parameters have an additive effect on performance. This means that running match[version]="first,last" incurs the time taken to run queries with both first and last paramters applied independently.

  We recommend using the default (match[version]="all") when querying collections, and filtering the results post-hoc.