STIX 2.1 Interoperability

This page describes Intelligence Center support for STIX 2.1 interoperability test cases, based on a draft version of the STIX™/TAXII™ 2.1 Interoperability Test Document.

All sections referred to on this page are sections in the Interoperability Test Document.

For example, Part 1 Section 2.2.3.2 or Part 1 §2.2.3.2 refers to STIX™/TAXII™ 2.1 Interoperability Test Document Part 1, Section 2.2.3.2.

Interoperability Test Document test cases do not map directly to features on the Intelligence Center. For example, ingesting Observed Data SDOs is supported but does not result in “Observed Data” entities on the Intelligence Center. Instead, special indicator entities are created.

For more information on support for a given STIX 2.1 object, see documentation specific to it.

Persona Checklist for TIP

The following table is based on the checklist of test cases specified for the Persona Checklist in §4.2 Threat Intelligence Platform (TIP).

| Use case | Section | Test | Verification | Supported: Incoming | Supported: Outgoing |
|---|---|---|---|---|---|
| Indicator Sharing | 2.2.3.1 | 2.2.3.1 Indicator IPv4 Address | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.2 | 2.2.3.2 Indicator IPv4 Address CIDR | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.3 | 2.2.3.3 Two Indicators with IPv4 Address CIDR | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.4 | 2.2.3.4 Indicator with IPv6 Address | Optional | Yes | Yes |
| Indicator Sharing | 2.2.3.5 | 2.2.3.5 Indicator with IPv6 Address CIDR | Optional | Yes | Yes |
| Indicator Sharing | 2.2.3.6 | 2.2.3.6 Multiple Indicators within the same bundle | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.7 | 2.2.3.7 Indicator FQDN | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.8 | 2.2.3.8 Indicator URL | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.9 | 2.2.3.9 Indicator URL or FQDN | Mandatory | Yes | Yes |
| Indicator Sharing | 2.2.3.10 | 2.2.3.10 Indicator File hash with SHA256 or MD5 values | Mandatory | Yes | Yes |
| Sighting Sharing | 2.3.3 | 2.3.3 Producer Test Case Data | Mandatory | | |
| Sighting Sharing | 2.3.5.1 | 2.3.5.1 Sighting + Indicator with IPv4 Address | Mandatory | Yes | |
| Sighting Sharing | 2.3.5.2 | 2.3.5.2 Sighting + Indicator with IPv4 Address Matching CIDR | Mandatory | Yes | |
| Sighting Sharing | 2.3.5.3 | 2.3.5.3 Sighting + Indicator with IPv6 Address Matching CIDR | Optional | Yes | |
| Sighting Sharing | 2.3.5.4 | 2.3.5.4 Sighting + Indicator with NO observed data | Mandatory | Yes | |
| Sighting Sharing | 2.3.5.5 | 2.3.5.5 Sighting + Indicator with URL | Mandatory | Yes | |
| Sighting Sharing | 2.3.5.6 | 2.3.5.6 Sighting + Indicator with File Hash | Mandatory | Yes | |
| Versioning | 2.4.3.1 | 2.4.3.1 Creation of an Indicator with Identity and Date | Mandatory | | |
| Versioning | 2.4.3.2 | 2.4.3.2 Creation of a Sighting with Identity and Date | Mandatory | | |
| Versioning | 2.4.7.1 | 2.4.7.1 Modification of an Indicator with Identity and Date | Mandatory | | |
| Versioning | 2.4.7.2 | 2.4.7.2 Modification of a Sighting with Identity and Date | Mandatory | | |
| Versioning | 2.4.11.1 | 2.4.11.1 Deletion of an Indicator with Identity; Dates | Mandatory | | |
| Versioning | 2.4.11.2 | 2.4.11.2 Deletion of a Sighting and Associated Observed Data | Mandatory | | |
| Data Markings | 2.5.3.1 | 2.5.3.1 TLP Green + Indicator with IPv4 Address | Mandatory | Yes | Yes |
| Data Markings | 2.5.3.2 | 2.5.3.2 TLP Amber + Two Indicators with IPv4 Address CIDR | Mandatory | Yes | Yes |
| Data Markings | 2.5.3.3 | 2.5.3.3 TLP White and TLP Red + Indicator with IPv6 Address | Optional | Yes | Yes |
| Data Markings | 2.5.3.4 | 2.5.3.4 TLP Red + Sighting and Indicator | Optional | | |
| Custom Object Creation | 2.6.3.1 | 2.6.3.1 Custom Object Creation | Optional | | |
| Custom Property Creation | 2.6.3.2 | 2.6.3.2 Custom Property Creation | Optional | | |
| Custom Ingestion | 2.6.4 | 2.6.4 Required Respondent Support | Mandatory | | |
| Create COA | 2.7.3.1 | 2.7.3.1 Create COA | Optional | | |
| Create COA Relationship | 2.7.3.2 | 2.7.3.2 Create COA with Relationship | Optional | | |

Additional interoperability tests

The following table lists additional interoperability tests that are not part of the TIP persona, but are supported by the Intelligence Center.

| Section | Verification | Supported |
|---|---|---|
| 2.18.5 | 2.18.5 Observed data of file hash | |
| 2.18.5 | 2.18.5 Observed data of domain name and ip address | |