|
| 1 | +--- |
| 2 | +id: notice-about-taxii-2 |
| 3 | +title: Customer Communication – Product Defect Notification for Missing Indicators of Compromise (IOCs) for Threat Intelligence Feeds with the TAXII 2.0 Protocol |
| 4 | +description: This article is a product defect notification for missing indicators of compromise (IOCs) for Threat Intelligence feeds with the TAXII 2.0 protocol. |
| 5 | +--- |
| 6 | + |
| 7 | +<head> |
| 8 | + <meta name="robots" content="noindex" /> |
| 9 | +</head> |
| 10 | + |
| 11 | +<!-- Article added by DOCS-981. --> |
| 12 | + |
| 13 | +## Summary of the issue |
| 14 | + |
| 15 | +We are notifying you of a recently identified issue that affects Sumo Logic’s Threat Intelligence feeds using the TAXII 2.0 protocol. Specifically, URL, domain, and email Indicators of Compromise (IOCs) were not processed and displayed as expected. A customer first reported the issue on June 11, 2025. |
| 16 | + |
| 17 | +Our investigation determined that a processing error in certain non-hash IOCs led to a breakdown in the normalization process, preventing these critical data types from appearing correctly in customer environments. |
| 18 | + |
| 19 | +If your environment relies on TAXII 2.0-based Threat Intelligence feeds, you may have experienced the following: |
| 20 | +* Missing URL, domain, and email IOCs in your threat feeds |
| 21 | +* Incomplete detection logic, resulting in gaps in dashboards, threat hunting, and alerting mechanisms that depend on these data types |
| 22 | + |
| 23 | +Our engineering team has traced the issue to a normalization defect in the data processing pipeline, occurring after collection but prior to feed availability. |
| 24 | + |
| 25 | +A fix has been developed and is scheduled for deployment on July 9, 2025. There is no action you or your team needs to take in order to correct this. |
| 26 | + |
| 27 | +## Important to note |
| 28 | + |
| 29 | +* Sumo Logic-provided threat feeds, including CrowdStrike and Intel 471, are not affected. |
| 30 | +* Customer-configured feeds using other protocols, such as TAXII 1.0, are also unaffected. |
| 31 | +* Historical signals will not be retroactively generated. Customers can expect to receive an influx of signals related to the previously missing IOCs from the moment the fix is applied. |
| 32 | + |
| 33 | +## Resolution plan |
| 34 | + |
| 35 | +To mitigate the risk of future issues, we are implementing the following changes: |
| 36 | +* Expanded automated and manual test coverage across all supported threat feed protocols. |
| 37 | +* Strengthened validation and normalization processes across the pipeline. |
| 38 | +* Continuous monitoring and alerting enhancements to detect processing anomalies earlier |
| 39 | + |
| 40 | +## Need help or have questions? |
| 41 | + |
| 42 | +Our Support team is here to help. If you have questions, please [contact Support](https://support.sumologic.com/support/s/) by submitting a request. |
| 43 | + |
| 44 | +We recognize how critical this functionality is and deeply regret any operational impact this may have caused. Thank you for your continued trust in us as your security partner. |
0 commit comments