From d2cd305d0f8d65f81c3ad7e1299e4d046f5e0ed8 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 7 Jul 2025 17:44:06 -0500 Subject: [PATCH 1/3] Add notice --- .../notice-about-taxii2.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 docs/security/threat-intelligence/notice-about-taxii2.md diff --git a/docs/security/threat-intelligence/notice-about-taxii2.md b/docs/security/threat-intelligence/notice-about-taxii2.md new file mode 100644 index 0000000000..5d8e0e4dac --- /dev/null +++ b/docs/security/threat-intelligence/notice-about-taxii2.md 
@@ -0,0 +1,44 @@ +--- +id: notice-about-taxii-2 +title: Customer Communication – Product Defect Notification for Missing Indicators of Compromise (IOCs) for Threat Intelligence Feeds with the TAXII 2.0 Protocol +description: This article is a product defect notification for missing indicators of compromise (IOCs) for Threat Intelligence feeds with the TAXII 2.0 protocol. +--- + + + + + +## Summary of the issue + +We are notifying you of a recently identified issue that affects Sumo Logic’s Threat Intelligence feeds using the TAXII 2.0 protocol. Specifically, URL, domain, and email Indicators of Compromise (IOCs) were not processed and displayed as expected. A customer first reported the issue on June 11, 2025. + +Our investigation determined that a processing error in certain non-hash IOCs led to a breakdown in the normalization process, preventing these critical data types from appearing correctly in customer environments. + +If your environment relies on TAXII 2.0-based Threat Intelligence feeds, you may have experienced the following: +* Missing URL, domain, and email IOCs in your threat feeds +* Incomplete detection logic, resulting in gaps in dashboards, threat hunting, and alerting mechanisms that depend on these data types + +Our engineering team has traced the issue to a normalization defect in the data processing pipeline, occurring after collection but prior to feed availability. + +A fix has been developed and is scheduled for deployment on July 9, 2025. There is no action you or your team needs to take in order to correct this. + +## Important to note + +Sumo Logic-provided threat feeds, including CrowdStrike and Intel 471, are not affected. + +Customer-configured feeds using other protocols, such as TAXII 1.0, are also unaffected. + +Historical signals will not be retroactively generated. Customers can expect to receive an influx of signals related to the previously missing IOCs from the moment the fix is applied. 
+ +## Resolution plan + +To mitigate the risk of future issues, we are implementing the following changes: +* Expanded automated and manual test coverage across all supported threat feed protocols. +* Strengthened validation and normalization processes across the pipeline. +* Continuous monitoring and alerting enhancements to detect processing anomalies earlier + +## Need help or have questions? + +Our Support team is here to help. If you have questions, please [contact Support](https://support.sumologic.com/support/s/) by submitting a request. + +We recognize how critical this functionality is and deeply regret any operational impact this may have caused. Thank you for your continued trust in us as your security partner. \ No newline at end of file From 931028aaa6b99f109b7c2543453f67b6a5d3753f Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 7 Jul 2025 17:50:07 -0500 Subject: [PATCH 2/3] Add comment --- docs/security/threat-intelligence/notice-about-taxii2.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/security/threat-intelligence/notice-about-taxii2.md b/docs/security/threat-intelligence/notice-about-taxii2.md index 5d8e0e4dac..641d182174 100644 --- a/docs/security/threat-intelligence/notice-about-taxii2.md +++ b/docs/security/threat-intelligence/notice-about-taxii2.md @@ -8,6 +8,8 @@ description: This article is a product defect notification for missing indicator + + ## Summary of the issue We are notifying you of a recently identified issue that affects Sumo Logic’s Threat Intelligence feeds using the TAXII 2.0 protocol. Specifically, URL, domain, and email Indicators of Compromise (IOCs) were not processed and displayed as expected. A customer first reported the issue on June 11, 2025. From fa30ec8ec0a7c890602de9be8280c23858802808 Mon Sep 17 00:00:00 2001 
From: John Pipkin Date: Mon, 7 Jul 2025 17:55:40 -0500 Subject: [PATCH 3/3] Final formatting --- docs/security/threat-intelligence/notice-about-taxii2.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/security/threat-intelligence/notice-about-taxii2.md b/docs/security/threat-intelligence/notice-about-taxii2.md index 641d182174..b94c5079d8 100644 --- a/docs/security/threat-intelligence/notice-about-taxii2.md +++ b/docs/security/threat-intelligence/notice-about-taxii2.md @@ -26,11 +26,9 @@ A fix has been developed and is scheduled for deployment on July 9, 2025. There ## Important to note -Sumo Logic-provided threat feeds, including CrowdStrike and Intel 471, are not affected. - -Customer-configured feeds using other protocols, such as TAXII 1.0, are also unaffected. - -Historical signals will not be retroactively generated. Customers can expect to receive an influx of signals related to the previously missing IOCs from the moment the fix is applied. +* Sumo Logic-provided threat feeds, including CrowdStrike and Intel 471, are not affected. +* Customer-configured feeds using other protocols, such as TAXII 1.0, are also unaffected. +* Historical signals will not be retroactively generated. Customers can expect to receive an influx of signals related to the previously missing IOCs from the moment the fix is applied. ## Resolution plan
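Review bot: The new file in PATCH 1/3 has a few consistency problems worth fixing before merge. The front-matter `id: notice-about-taxii-2` does not match the filename `notice-about-taxii2.md`, so links generated from one spelling will not resolve against the other; pick one. The `Resolution plan` bullets end inconsistently (`...across all supported threat feed protocols.` and `...across the pipeline.` carry periods, `...detect processing anomalies earlier` does not). The run of four empty `+` lines between the front matter and `## Summary of the issue` and the trailing `\ No newline at end of file` should also be cleaned up. Since the notice states the fix is scheduled for July 9, 2025, it would help readers if the page also said how it will be updated once the deployment has shipped, so the future date does not go stale.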
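Review bot: The subject of PATCH 2/3 says `Add comment`, but the hunk at `@@ -8,6 +8,8 @@` shows only two added lines with no visible content, so the commit either adds whitespace alone or the comment text was lost; either way the diff does not match its message, and it lengthens the already empty run before `## Summary of the issue`. If a comment was intended, it should appear as a `+` line carrying its text, and the commit message should say what the comment is for.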
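Review bot: The third bullet added in PATCH 3/3 carries two separate statements (historical signals are not regenerated; an influx of signals for the previously missing IOCs is expected from the moment the fix is applied), which makes it harder to scan than the two single-statement bullets above it. Splitting it into two bullets, or moving the influx expectation into `Summary of the issue` next to the July 9, 2025 deployment date, would keep each `Important to note` item to one fact. Converting the paragraphs to `*` bullets does match the list style already used in the Summary section, so the change itself is fine.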