Open MaxwellDPS opened 1 month ago
Linking #7403 as this was previously not an issue
Feed seems to have started running, still seeing intermittent errors and hangin on a single data however
Hello, you should not need to add "/collections/abcd/objects
" it's automatically added in the code. So potato.taxi/taxii2
and potato.taxi/taxii2/
should both work.
Yeah I am not adding that it is set to potato.taxi/taxii2/
- Was previously working in the exact same config, just upgraded to fix this https://github.com/OpenCTI-Platform/opencti/issues/7403
Yeah I am not adding that it is set to
potato.taxi/taxii2/
- Was previously working in the exact same config, just upgraded to fix this #7403
This fix changed nothing on trailing /;, it's just allowing "next" cursor to be undefined from Taxii response in which case the date is used in 'X-TAXII-Date-Added-Last' for requests. Does your taxii server answer with a empty "next" field but still requires a "next" in the follow up query ?
Where do you see that there is a missing '/' if you are using "potato.taxi/taxii2/" in configuration because it's still there in code so I don't understand what is happening.
So looking into this more, there seems to be little to no logging on this, / was an assumption due to this. But whenever the user is set it wont consume the taxii feed (even if set to an admin user). Only time the feed runs on 6.2.6 is if you dont fill in a user and let SYSTEM
run the import.
So looking into this more, there seems to be little to no logging on this, / was an assumption due to this. But whenever the user is set it wont consume the taxii feed (even if set to an admin user). Only time the feed runs on 6.2.6 is if you dont fill in a user and let
SYSTEM
run the import.
Ok thanks I should be able to reproduce that
Awesome, thanks! If you reach out over slack I can provide some more detail
I'm not reproducing any issue with a user different from SYSTEM, I am getting data from taxii feed with bith a user that has bypass, and another user that has this role:
I am adding some logs at info level to better understand. Does you taxii feed requires both "next" and "added_after" parameter or is using only one of them, or it's not a paginated feed ?
Do you have maybe an organisation setup at platform level and is the taxii feed user in the platform organization too ? The user is not used to query data to the taxii server, so you should have some error at ingestion time in workers and/opencti logs.
@aHenryJard did you get more details?
Do you have maybe an organisation setup at platform level and is the taxii feed user in the platform organization too ? The user is not used to query data to the taxii server, so you should have some error at ingestion time in workers and/opencti logs.
Hey @aHenryJard Thanks! But nope no org platform level 🙁
Description
In the event a TAXII server is requires a trailing
/
the taxii ingestion fails with Undefined taxii objectsIn this instance for the TAXII server that is failing
potato.taxi/taxii2/collections/abcd/objects/
potato.taxi/taxii2/collections/abcd/objects
and will return{}
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
/
or returns{}
w/o a trailing slash expotato.taxi/taxii2/collections/abcd/objects
Expected Output
N/A
Actual Output
N/A
Additional information