STIX 2.1 Interoperability
This page describes Intelligence Center support for STIX 2.1 interoperability test cases, based on a draft version of the STIX™/TAXII™ 2.1 Interoperability Test Document.
All sections referred to on this page are sections in the Interoperability Test Document.
For example, Part 1 Section 2.2.3.2 or Part 1 §2.2.3.2 refers to STIX™/TAXII™ 2.1 Interoperability Test Document Part 1, Section 2.2.3.2.
Interoperability Test Document test cases do not map directly to features on the Intelligence Center. For example, ingesting Observed Data SDOs is supported but do not result in “Observed Data” entities on the Intelligence Center. Instead, special indicator entities are created.
For more information on support for a given STIX 2.1 object, see documentation specific to it.
Persona Checklist for TIP
The following table is based on the checklist of test cases specified for the Persona Checklist in §4.2 Threat Intelligence Platform (TIP).
Use case |
Section |
Test |
Verification |
Incoming |
Outgoing |
Supported |
Indicator Sharing |
2.2.3.1 |
2.2.3.1 Indicator IPv4 Address |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.2 |
2.2.3.2 Indicator IPv4 Address CIDR |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.3 |
2.2.3.3 Two Indicators with IPv4 Address CIDR |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.4 |
2.2.3.4 Indicator with IPv6 Address |
Optional |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.5 |
2.2.3.5 Indicator with IPv6 Address CIDR |
Optional |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.6 |
2.2.3.6 Multiple Indicators within the same bundle |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.7 |
2.2.3.7 Indicator FQDN |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.8 |
2.2.3.8 Indicator URL |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.9 |
2.2.3.9 Indicator URL or FQDN |
Mandatory |
Yes |
Yes |
✅ |
Indicator Sharing |
2.2.3.10 |
2.2.3.10 Indicator File hash with SHA256 or MD5 values |
Mandatory |
Yes |
Yes |
✅ |
Sighting Sharing |
2.3.3 |
2.3.3 Producer Test Case Data |
Mandatory |
|
|
|
Sighting Sharing |
2.3.5.1 |
2.3.5.1 Sighting + Indicator with IPv4 Address |
Mandatory |
Yes |
|
✅ |
Sighting Sharing |
2.3.5.2 |
2.3.5.2 Sighting + Indicator with IPv4 Address Matching CIDR |
Mandatory |
Yes |
|
✅ |
Sighting Sharing |
2.3.5.3 |
2.3.5.3 Sighting + Indicator with IPv6 Address Matching CIDR |
Optional |
Yes |
|
✅ |
Sighting Sharing |
2.3.5.4 |
2.3.5.4 Sighting + Indicator with NO observed data |
Mandatory |
Yes |
|
✅ |
Sighting Sharing |
2.3.5.5 |
2.3.5.5 Sighting + Indicator with URL |
Mandatory |
Yes |
|
✅ |
Sighting Sharing |
2.3.5.6 |
2.3.5.6 Sighting + Indicator with File Hash |
Mandatory |
Yes |
|
✅ |
Versioning |
2.4.3.1 |
2.4.3.1 Creation of an Indicator with Identity and Date |
Mandatory |
|
|
|
Versioning |
2.4.3.2 |
2.4.3.2 Creation of a Sighting with Identity and Date |
Mandatory |
|
|
|
Versioning |
2.4.7.1 |
2.4.7.1 Modification of an Indicator with Identity and Date |
Mandatory |
|
|
|
Versioning |
2.4.7.2 |
2.4.7.2 Modification of a Sighting with Identity and Date |
Mandatory |
|
|
|
Versioning |
2.4.11.1 |
2.4.11.1 Deletion of an Indicator with Identity; Dates |
Mandatory |
|
|
|
Versioning |
2.4.11.2 |
2.4.11.2 Deletion of a Sighting and Associated Observed Data |
Mandatory |
|
|
|
Data Markings |
2.5.3.1 |
2.5.3.1 TLP Green + Indicator with IPv4 Address |
Mandatory |
Yes |
Yes |
✅ |
Data Markings |
2.5.3.2 |
2.5.3.2 TLP Amber + Two Indicators with IPv4 Address CIDR |
Mandatory |
Yes |
Yes |
✅ |
Data Markings |
2.5.3.3 |
2.5.3.3 TLP White and TLP Red + Indicator with IPv6 Address |
Optional |
Yes |
Yes |
✅ |
Data Markings |
2.5.3.4 |
2.5.3.4 TLP Red + Sighting and Indicator |
Optional |
|
|
|
Custom Object Creation |
2.6.3.1 |
2.6.3.1 Custom Object Creation |
Optional |
|
|
|
Custom Property Creation |
2.6.3.2 |
2.6.3.2 Custom Property Creation |
Optional |
|
|
|
Custom Ingestion |
2.6.4 |
2.6.4 Required Respondent Support |
Mandatory |
|
|
|
Create COA |
2.7.3.1 |
2.7.3.1 Create COA |
Optional |
|
|
|
Create COA Relationship |
2.7.3.2 |
2.7.3.2 Create COA with Relationship |
Optional |
|
|
|
Additional interoperability tests
The following table lists additional interoperability tests that are not part of the TIP persona, but are supported by the Intelligence Center.
Section |
Verification |
Supported |
2.18.5 |
2.18.5 Observed data of file hash |
✅ |
2.18.5 |
2.18.5 Observed data of domain name and ip address |
✅ |