Closed stne-uk closed 1 year ago
Hi. Did you try directly with your browser to see if the information is correct? Looking good on the demo with a URL like
Hi, Yes I tried via the browser and get the same as the demo site.
So not sure how to help you. Looks like every URL doesn't return any 404.
Here are the screenshots. Does OpenCTI only use TAXII 2.1 or TAXII 2.0 as well? I saw a note that 2.0 was upgraded to 2.1 but nothing about any backwards compatibility. Thanks.
OpenCTI now only publishes STIX 2.1 (with extensions) data.
Understood, thanks. This explains the discovery issues then. Don't suppose there is any method of running both TAXII 2.0 and 2.1 in the most recent OpenCTI version? Or just 2.0?
In fact there is not a lot of difference between STIX2 and the new 2.1 implementations where we introduce the extensions mechanism. Are you sure cabby is compatible with TAXII 2?
I did check earlier and cabby is not, although Anomali STAXX and QRadar are 2.0 compatible but also return the same 404 when trying the various endpoints.
Really difficult to help you. As you see, when you access it through your browser you don't have a 404. Please check the exact URL called by STAXX or QRadar.
The issue that I traced in the QRadar Threat Intelligence app is that it's doing discovery by a POST request to the URL with XML data.
Even in cabby it's doing a POST request, as below, to do discovery:

```python
response = session.post(
    url, data=request_body, stream=True, timeout=timeout, headers=headers)
```

but OpenCTI is not supporting POST in discovery.
If the client uses XML and a POST request for discovery, it seems the client uses the TAXII 1.1 format.
For TAXII 2.1, the discovery is a GET request.
Thanks for the answer. The QRadar TI app "Version 2.3.0" supports TAXII 2, and for Python TAXII clients you can use this library: taxii2-client.
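The mismatch identified in the comments above (XML over POST is TAXII 1.x, while TAXII 2.x discovery is a GET) can be checked from a captured client request or a client log line. The following is an added example, not code from this thread, OpenCTI or cabby; the function names and sample requests are constructed for illustration, and only the log line is taken from the issue.

```python
import re

# XML message names defined by TAXII 1.x; TAXII 2.x has no such messages.
TAXII1_MESSAGES = ("Discovery_Request", "Collection_Information_Request", "Poll_Request")
# TAXII 2.0 uses application/vnd.oasis.taxii+json, TAXII 2.1 application/taxii+json.
TAXII2_ACCEPT = re.compile(r"application/(?:vnd\.oasis\.)?taxii\+json\s*;\s*version=(2\.[01])")


def classify_request(method, headers, body=b""):
    """Return 'taxii-1.x', 'taxii-2.0', 'taxii-2.1' or 'unknown' for one HTTP request."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_taxii1 = any(k.startswith("x-taxii-") for k in hdrs) or any(
        name.encode() in body for name in TAXII1_MESSAGES)
    if method.upper() == "POST" and is_taxii1:
        return "taxii-1.x"
    match = TAXII2_ACCEPT.search(hdrs.get("accept", ""))
    if method.upper() == "GET" and match:
        return "taxii-" + match.group(1)
    return "unknown"


def classify_log_line(line):
    """Infer the protocol generation from a client log line naming the message it sent."""
    return "taxii-1.x" if any(name in line for name in TAXII1_MESSAGES) else "unknown"


def explain(client, server="taxii-2.1"):
    """Say why discovery fails when client and server generations differ."""
    if client == server:
        return "match"
    if client == "taxii-1.x":
        return "client POSTs XML, but TAXII 2.x discovery is a GET returning JSON"
    return "client asks for %s, server speaks %s" % (client, server)


# Constructed sample requests, plus the log line quoted in the issue.
TAXII1_POST = ("POST", {"Content-Type": "application/xml",
                        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1"},
               b'<taxii_11:Discovery_Request message_id="1"/>')
TAXII20_GET = ("GET", {"Accept": "application/vnd.oasis.taxii+json; version=2.0"}, b"")
TAXII21_GET = ("GET", {"Accept": "application/taxii+json;version=2.1"}, b"")
ISSUE_LOG = "2022-06-09 14:54:41,301 INFO: Sending Collection_Information_Request to https:///taxii2"

if __name__ == "__main__":
    for name, req in [("1.x", TAXII1_POST), ("2.0", TAXII20_GET), ("2.1", TAXII21_GET)]:
        version = classify_request(*req)
        print(name, "->", version, "|", explain(version))
    print("issue log ->", classify_log_line(ISSUE_LOG))
```
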
Description
404 while attempting to discover TAXII collection using Cabby and also while using AnomaliSTAXX
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
1. Create TAXII collection
2. Attempt to discover TAXII collection via any of the following:
   a. https:// /taxii2/root/
   b. https:// /taxii2/
   c. https:// /
3. Cabby client returns 404, AnomaliSTAXX client also returns similar "Could not discover. Check Site Information is correct"
   a. Used the following cabby command with different discovery paths as above:

```
taxii-collections \
  --path 'https:///taxii2/' \
  --username '' \
  --password ''
```
Expected Output
Display list of taxii collection
Actual Output
2022-06-09 14:54:41,301 INFO: Sending Collection_Information_Request to https:///taxii2
2022-06-09 14:54:41,449 ERROR: HTTP Error: status code 404
Tried the same via multiple TAXII clients, all with similar responses. I am, however, able to browse to the individual collections.
Had a look at this issue too but still not able to resolve my issue https://github.com/OpenCTI-Platform/connectors/issues/259
I was able to configure Sentinel to query the taxii output which worked fine
Any help would be much appreciated.
-----edit-----
I've also just tried this in QRadar 7.5 using the latest Threat Intel App, which allows for TAXII 2.0 collection; however, I also receive a 404.