STIX 2.1 Known issues

Invalid STIX 2.1 objects are not ingested

Invalid STIX 2.1 objects are ignored by this feed.

For example, if a STIX 2.1 Indicator SDO is missing the pattern field, that SDO is not ingested, because pattern is a required property of the Indicator SDO in the STIX 2.1 specification.
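The following pre-ingestion check is an added example, not EclecticIQ code. It applies the same rule the feed applies: an Indicator SDO that lacks a property the STIX 2.1 specification marks as required (the common SDO properties plus pattern, pattern_type and valid_from) is rejected, and the reason is reported so an analyst can fix the source data before it is silently dropped. The sample bundle and its IDs are constructed.

```python
"""Pre-ingestion check for STIX 2.1 Indicator SDOs (added example, not EclecticIQ code)."""
import json

# Common properties every STIX 2.1 SDO must carry.
SDO_REQUIRED = ("type", "spec_version", "id", "created", "modified")
# Properties the STIX 2.1 specification additionally requires on an Indicator.
INDICATOR_REQUIRED = ("pattern", "pattern_type", "valid_from")


def missing_required(obj):
    """Return the list of required Indicator properties absent from obj."""
    return [prop for prop in SDO_REQUIRED + INDICATOR_REQUIRED if prop not in obj]


def filter_indicators(bundle):
    """Split a bundle's Indicator SDOs into (accepted, rejected).

    rejected is a list of (id, missing_properties) pairs, so the reason an
    object would be ignored on ingestion is visible to the analyst.
    """
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # only Indicator SDOs are checked here
        missing = missing_required(obj)
        if missing:
            rejected.append((obj.get("id", "<no id>"), missing))
        else:
            accepted.append(obj)
    return accepted, rejected


# Constructed sample bundle: one valid Indicator, one missing `pattern`.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--00000000-0000-4000-8000-000000000002",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "pattern": "[ipv4-addr:value = '203.0.113.10']",
      "pattern_type": "stix",
      "valid_from": "2024-01-01T00:00:00Z"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--00000000-0000-4000-8000-000000000003",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "pattern_type": "stix",
      "valid_from": "2024-01-01T00:00:00Z"
    }
  ]
}
""")

if __name__ == "__main__":
    ok, bad = filter_indicators(SAMPLE_BUNDLE)
    print(f"accepted {len(ok)} indicator(s)")
    for obj_id, missing in bad:
        print(f"rejected {obj_id}: missing {', '.join(missing)}")
```

Run the script against a real bundle by replacing SAMPLE_BUNDLE with json.load() of the file; anything listed under "rejected" is what the feed will ignore.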

Outgoing feeds

TLP overrides and TLP filtering

When you apply TLP overrides or TLP filters to an outgoing feed that uses the STIX 2.1 content type, you may encounter the following issues:

  • TLP overrides result in new IDs being generated for each resulting STIX 2.1 object. When these IC entities are transformed into STIX 2.1 objects, this in effect creates

    • new “versions” of these IC entities, and

    • new “derived-from” relationships between the new and original “versions” of these entities.

    In particular, multiple “versions” of Identity SDOs and statement marking objects may appear where you would expect only a single instance of these STIX 2.1 objects.

  • When TLP overrides are applied to an outgoing feed, ingesting data packaged by that feed in another IC instance produces disjointed relations.

    To override or filter the TLPs applied to the packed objects, EclecticIQ Intelligence Center generates new versions of these objects. This breaks the references (the original object IDs) that entity relations rely on. You will have to reconcile these relations manually after ingestion.
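The reference check below is an added example and not EclecticIQ Intelligence Center code. It implements the manual reconciliation step as a script: every *_ref and *_refs property in a bundle is resolved against the objects actually present, unresolved references are listed, and, where a derived-from relationship links a missing original version to its packed replacement, the replacement ID is proposed. The direction of the derived-from relationship (new version as source_ref, original as target_ref) and the sample bundle with its IDs are assumptions made for this example.

```python
"""Reference-integrity check for a STIX 2.1 bundle (added example, not EclecticIQ code)."""

# Properties that hold a single reference or a list of references.
SINGLE_REFS = ("source_ref", "target_ref", "created_by_ref", "sighting_of_ref")
LIST_REFS = ("object_refs", "object_marking_refs", "observed_data_refs",
             "where_sighted_refs")

# Constructed IDs: the *_OLD objects were re-versioned by a TLP override and are
# absent from the package; the *_NEW objects replaced them.
IDENTITY_OLD = "identity--00000000-0000-4000-8000-000000000001"
IDENTITY_NEW = "identity--00000000-0000-4000-8000-000000000011"
INDICATOR_OLD = "indicator--00000000-0000-4000-8000-000000000002"
INDICATOR_NEW = "indicator--00000000-0000-4000-8000-000000000012"
MALWARE = "malware--00000000-0000-4000-8000-000000000020"
REL_INDICATES = "relationship--00000000-0000-4000-8000-000000000015"

# Constructed sample bundle (timestamps omitted for brevity; the check does not need them).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000099",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "id": IDENTITY_NEW,
         "name": "Example Org", "identity_class": "organization"},
        {"type": "indicator", "spec_version": "2.1", "id": INDICATOR_NEW,
         "created_by_ref": IDENTITY_OLD,  # still points at the original version
         "pattern": "[domain-name:value = 'example.invalid']",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1", "id": MALWARE,
         "name": "sample family", "is_family": True},
        # Audit-trail relationships created by the override (assumed direction: new -> original).
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000013",
         "relationship_type": "derived-from",
         "source_ref": INDICATOR_NEW, "target_ref": INDICATOR_OLD},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000014",
         "relationship_type": "derived-from",
         "source_ref": IDENTITY_NEW, "target_ref": IDENTITY_OLD},
        # The analyst's real relation, still keyed on the original indicator ID.
        {"type": "relationship", "spec_version": "2.1", "id": REL_INDICATES,
         "relationship_type": "indicates",
         "source_ref": INDICATOR_OLD, "target_ref": MALWARE},
    ],
}


def collect_refs(obj):
    """Yield (property, referenced_id) for every reference property on obj."""
    for prop in SINGLE_REFS:
        if prop in obj:
            yield prop, obj[prop]
    for prop in LIST_REFS:
        for ref in obj.get(prop, []):
            yield prop, ref


def dangling_references(bundle):
    """Return [(referencing_id, property, unresolved_id), ...] for the bundle."""
    objects = bundle.get("objects", [])
    known = {o["id"] for o in objects if "id" in o}
    return [(o.get("id", "<no id>"), prop, ref)
            for o in objects
            for prop, ref in collect_refs(o)
            if ref not in known]


def is_derived_from(obj):
    return obj.get("type") == "relationship" and obj.get("relationship_type") == "derived-from"


def derived_from_map(bundle):
    """Map original-version ID -> new-version ID via derived-from relationships."""
    return {o["target_ref"]: o["source_ref"]
            for o in bundle.get("objects", []) if is_derived_from(o)}


def suggest_fixes(bundle):
    """For each dangling reference outside the derived-from audit trail, propose
    the packed replacement ID (None when no derived-from relationship maps it)."""
    mapping = derived_from_map(bundle)
    objects = bundle.get("objects", [])
    known = {o["id"] for o in objects if "id" in o}
    return [(o["id"], prop, ref, mapping.get(ref))
            for o in objects if not is_derived_from(o)
            for prop, ref in collect_refs(o)
            if ref not in known]


if __name__ == "__main__":
    for obj_id, prop, ref, replacement in suggest_fixes(SAMPLE_BUNDLE):
        print(f"{obj_id}.{prop} -> {ref} (unresolved); suggested: {replacement}")
```

Treat the suggestions as candidates to review, not as an automatic rewrite: a derived-from relationship whose own target is missing is expected after an override, which is why those relationships are excluded from the fix list.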

Indicators are only packed with specific configuration

Most EclecticIQ indicators can be packed as STIX 2.1 Indicator SDOs without further configuration. However, in certain cases EclecticIQ indicator entities are dropped by an outgoing feed.

Currently, an EclecticIQ indicator entity must have at least one of the following for outgoing feeds to pack it as a STIX 2.1 Indicator SDO:

  • A test mechanism, with one of the following types:

    • Generic

    • SNORT

    • YARA

  • A related observable with one of the supported SCO types.

    Caution

    If your EclecticIQ indicator entity only has related observables and no test mechanism, you must include the related observable types in your outgoing feed configuration’s Observable and Enrichment Observable types > Observable types field.

Tip

For more information about the STIX 2.1 Indicator SDO and how EclecticIQ indicator entities are mapped to and from it, see the STIX 2.1 documentation.