STIX 2.1 Interoperability

This page describes Intelligence Center support for STIX 2.1 interoperability test cases, based on a draft version of the STIX™/TAXII™ 2.1 Interoperability Test Document.

All sections referred to on this page are sections in the Interoperability Test Document.

For example, Part 1 Section 2.2.3.2 or Part 1 §2.2.3.2 refers to STIX™/TAXII™ 2.1 Interoperability Test Document Part 1, Section 2.2.3.2.

Interoperability Test Document test cases do not map directly to features of EclecticIQ Intelligence Center. For example, ingesting Observed Data SDOs is supported, but it does not result in “Observed Data” entities on EclecticIQ Intelligence Center. Instead, special indicator entities are created.

For more information on support for a given STIX 2.1 object, see documentation specific to it.

Persona Checklist for TIP

The following table is based on the checklist of test cases specified for the Persona Checklist in §4.2 Threat Intelligence Platform (TIP).

| Use case | Section | Test | Verification | Supported |
| --- | --- | --- | --- | --- |
| Indicator Sharing | 2.2.3.1 | 2.2.3.1 Indicator IPv4 Address | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.2 | 2.2.3.2 Indicator IPv4 Address CIDR | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.3 | 2.2.3.3 Two Indicators with IPv4 Address CIDR | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.4 | 2.2.3.4 Indicator with IPv6 Address | Optional | Incoming and outgoing |
| Indicator Sharing | 2.2.3.5 | 2.2.3.5 Indicator with IPv6 Address CIDR | Optional | Incoming and outgoing |
| Indicator Sharing | 2.2.3.6 | 2.2.3.6 Multiple Indicators within the same bundle | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.7 | 2.2.3.7 Indicator FQDN | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.8 | 2.2.3.8 Indicator URL | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.9 | 2.2.3.9 Indicator URL or FQDN | Mandatory | Incoming and outgoing |
| Indicator Sharing | 2.2.3.10 | 2.2.3.10 Indicator File hash with SHA256 or MD5 values | Mandatory | Incoming and outgoing |
| Sighting Sharing | 2.3.3 | 2.3.3 Producer Test Case Data | Mandatory | |
| Sighting Sharing | 2.3.5.1 | 2.3.5.1 Sighting + Indicator with IPv4 Address | Mandatory | Yes |
| Sighting Sharing | 2.3.5.2 | 2.3.5.2 Sighting + Indicator with IPv4 Address Matching CIDR | Mandatory | Yes |
| Sighting Sharing | 2.3.5.3 | 2.3.5.3 Sighting + Indicator with IPv6 Address Matching CIDR | Optional | Yes |
| Sighting Sharing | 2.3.5.4 | 2.3.5.4 Sighting + Indicator with NO observed data | Mandatory | Yes |
| Sighting Sharing | 2.3.5.5 | 2.3.5.5 Sighting + Indicator with URL | Mandatory | Yes |
| Sighting Sharing | 2.3.5.6 | 2.3.5.6 Sighting + Indicator with File Hash | Mandatory | Yes |
| Versioning | 2.4.3.1 | 2.4.3.1 Creation of an Indicator with Identity and Date | Mandatory | |
| Versioning | 2.4.3.2 | 2.4.3.2 Creation of a Sighting with Identity and Date | Mandatory | |
| Versioning | 2.4.7.1 | 2.4.7.1 Modification of an Indicator with Identity and Date | Mandatory | |
| Versioning | 2.4.7.2 | 2.4.7.2 Modification of a Sighting with Identity and Date | Mandatory | |
| Versioning | 2.4.11.1 | 2.4.11.1 Deletion of an Indicator with Identity; Dates | Mandatory | |
| Versioning | 2.4.11.2 | 2.4.11.2 Deletion of a Sighting and Associated Observed Data | Mandatory | |
| Data Markings | 2.5.3.1 | 2.5.3.1 TLP Green + Indicator with IPv4 Address | Mandatory | Incoming and outgoing |
| Data Markings | 2.5.3.2 | 2.5.3.2 TLP Amber + Two Indicators with IPv4 Address CIDR | Mandatory | Incoming and outgoing |
| Data Markings | 2.5.3.3 | 2.5.3.3 TLP White and TLP Red + Indicator with IPv6 Address | Optional | Incoming and outgoing |
| Data Markings | 2.5.3.4 | 2.5.3.4 TLP Red + Sighting and Indicator | Optional | |
| Custom Object Creation | 2.6.3.1 | 2.6.3.1 Custom Object Creation | Optional | |
| Custom Property Creation | 2.6.3.2 | 2.6.3.2 Custom Property Creation | Optional | |
| Custom Ingestion | 2.6.4 | 2.6.4 Required Respondent Support | Mandatory | |
| Create COA | 2.7.3.1 | 2.7.3.1 Create COA | Optional | |
| Create COA Relationship | 2.7.3.2 | 2.7.3.2 Create COA with Relationship | Optional | |

Additional interoperability tests

The following table lists additional interoperability tests that are not part of the TIP persona, but are supported by EclecticIQ Intelligence Center.

| Section | Test | Verification | Supported |
| --- | --- | --- | --- |
| 2.18.5 | 2.18.5 Observed data of file hash | | |
| 2.18.5 | 2.18.5 Observed data of domain name and ip address | | |