STIX 2.1 Known issues#
Invalid STIX 2.1 objects are not ingested#
Invalid STIX 2.1 objects are ignored by this feed.
For example, if a
STIX 2.1 Indicator SDO
object is missing the pattern
field,
that SDO is not ingested because
pattern
is a required field
according to the STIX 2.1 specifications.
Outgoing feeds#
TLP overrides and TLP filtering#
When you apply TLP overrides or TLP filters to an outgoing feed that uses the STIX 2.1 content type, you may encounter the following issues:
TLP overrides result in new IDs being generated for each resulting STIX 2.1 object. In effect, this creates
new “versions” of these EclecticIQ Intelligence Center entities, and
new “derived-from” relationships between the new and original “versions” of these entities.
when these EclecticIQ Intelligence Center entities are transformed into STIX 2.1 objects.
In particular, multiple “versions” of Identity SDOs and
statement
marking objects may appear where you would expect only a single instance of these STIX 2.1 objects.When TLP overrides are applied to an outgoing feed, ingesting data packaged by that feed in another EclecticIQ Intelligence Center instance produces disjointed relations.
In order to override or filter TLPs applied to the packed objects, EclecticIQ Intelligence Center generates new versions of these objects. This consequently breaks the references that entity relations rely on. You will have to reconcile these relations manually after ingestion.
Indicators are only packed with specific configuration#
Most EclecticIQ indicators can be packed as STIX 2.1 Indicator SDOs without further configuration. However, there are certain cases where EclecticIQ indicator entities may be dropped by an outgoing feed.
Currently, EclecticIQ indicator entities must have at least one of the following in order for them to be packed as STIX 2.1 Indicator SDOs by outgoing feeds:
A test mechanism, with one of the following types:
Generic
SNORT
YARA
A related observable with one of the supported SCO types.
Caution
If your EclecticIQ indicator entity only has related observables and no test mechanism, you must include the related observable types in your outgoing feed configuration’s Observable and Enrichment Observable types > Observable types field.
Tip
For more information about the STIX 2.1 Indicator SDO and how EclecticIQ indicator entities are mapped to and from it, see the STIX 2.1 documentation.