eclecticiq / OpenTAXII

TAXII server implementation in Python from EclecticIQ
BSD 3-Clause "New" or "Revised" License

How to add collection in TAXII ver2.1 #257

Open over320 opened 10 months ago

over320 commented 10 months ago

Hello!

I am using TAXII Ver2.1 in OpenTAXII. I would like to know how to create a collection for TAXII Ver2.1 in OpenTAXII.

If you create a collection in TAXII Ver1.1 in OpenTAXII, you can add a collection by setting the collection in data-configuration.yaml. Unlike TAXII Ver1.1, if you create a collection in TAXII Ver2.1, you use the command [opentaxii-add-collection] to add a Collection, associating it with an API root ID. Below is an example of command usage.

opentaxii-add-collection -r -t

However, using the command as above, I am unable to create a collection on the TAXII Ver2.1 server. Is there a different way to create a collection to the TAXII Ver2.1 server? If not, please let me know the correct procedure for adding them.

Thanks.

aams-eam commented 6 months ago

Hi @over320,

You can create the api root with:

opentaxii-add-api-root -t "baseapiroot" -d "This is the default api root" --default --public

Then you can create the collection with:

opentaxii-add-collection --rootid 3289b4eb-5f15-475d-a336-c3a03eb0975e -t "MyCollection" -d "This is a collection" -a "MyCollectionAlias" --public --public-write

In this case 3289b4eb-5f15-475d-a336-c3a03eb0975e is the uuid of the api-root previously created. The --public argument in opentaxii-add-api-root does not exist, but I have added it in this pull request. I have also fixed other issues. Additionally, I have created this post with more details, in case you want to check: How to Deploy, Configure and Use a TAXII 2 Server to Exchange Cyber Threat Intelligence.

It would also be helpful if you give more details about the process that you have followed when trying to create the collection. Including the output of each step.

arelli commented 5 months ago

Hi @aams-eam. Even though I merged your pull request locally, the --public functionality is not working, and I keep encountering the same exact problem as before I git switched. I've followed your exact steps from your article to run it as a dev-server in a venv, and the output I get when I try to create an api root is this: [an image]

Update:

Cleared the venv, did a clean git clone again, merged the pull request, and AFTER that I ran the setup.py. Now it works fine!

ThanhPhuongw commented 3 months ago

Hi @aams-eam. I've deployed a TAXII server step by step following your article. My TAXII 2.1 server works fine, but it has some problems. When I push data to the server, if I push STIX Domain Objects everything is OK and the data is pushed to the server, but if I try to push STIX Cyber-observable Objects then the push fails with this error: Screenshot 2024-03-27 145749. Do you have any idea how to fix this? Thank you!

aams-eam commented 3 months ago

Hi @ThanhPhuongw

Can you please provide the STIX Cyber-Observable Object you are using as an example? Provide as well the logs of OpenTAXII before returning that 500 Server Error.

ThanhPhuongw commented 3 months ago

Hi @aams-eam, I use this example:

{
  "type": "user-account",
  "spec_version": "2.1",
  "id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c",
  "user_id": "1001",
  "account_login": "jdoe",
  "account_type": "unix",
  "display_name": "John Doe",
  "is_service_account": false,
  "is_privileged": false,
  "can_escalate_privs": true,
  "account_created": "2016-01-20T12:31:12Z",
  "credential_last_changed": "2016-01-20T14:27:43Z",
  "account_first_login": "2016-01-20T14:26:07Z",
  "account_last_login": "2016-07-22T16:08:28Z"
}

from here: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_azo70vgj1vm2

Here are the logs when I push STIX Domain Objects: log1. And here are the logs when I push STIX Cyber-observable Objects: log2, and the errors: Screenshot 2024-03-27 145749. I still cannot find the bugs. I hope you can help! Thanks in advance!

ThanhPhuongw commented 3 months ago

Hi @aams-eam, I have just pushed STIX Cyber-observable Objects data successfully. I think I have read an old doc. I used the example:

{
  "type": "user-account",
  "spec_version": "2.1",
  "id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c",
  "user_id": "1001",
  "account_login": "jdoe",
  "account_type": "unix",
  "display_name": "John Doe",
  "is_service_account": false,
  "is_privileged": false,
  "can_escalate_privs": true,
  "account_created": "2016-01-20T12:31:12Z",
  "credential_last_changed": "2016-01-20T14:27:43Z",
  "account_first_login": "2016-01-20T14:26:07Z",
  "account_last_login": "2016-07-22T16:08:28Z"
}

but I have to add the "modified" field. Only add that field and everything is perfect. I'm not sure why?
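
The workaround reported in the comment above, as an added example that is not part of the original thread or of OpenTAXII's own code: a Python pre-processing step that adds a `modified` timestamp to any object lacking one before the objects are wrapped in a TAXII 2.1 envelope. The function names and the indicator sample are assumptions made for illustration; STIX 2.1 does not require `modified` on Cyber-observable Objects, so this only accommodates the server behaviour described in the thread.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the user-account SCO quoted in the thread (shortened),
# plus a constructed SDO that already carries created/modified.
SAMPLE_OBJECTS = [
    {"type": "user-account", "spec_version": "2.1",
     "id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c",
     "user_id": "1001", "account_login": "jdoe", "account_type": "unix"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--11111111-2222-4333-8444-555555555555",
     "created": "2024-03-27T07:57:00.000Z",
     "modified": "2024-03-27T07:57:00.000Z",
     "pattern_type": "stix", "pattern": "[user-account:user_id = '1001']",
     "valid_from": "2024-03-27T07:57:00Z"},
]

def stix_timestamp(moment):
    """Format a datetime as a STIX timestamp (UTC, millisecond precision, 'Z')."""
    utc = moment.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"

def prepare_envelope(objects, now=None):
    """Return (envelope, patched_ids) without mutating the input.

    Objects lacking "modified" get one: their own "created" if present,
    otherwise the current time. This mirrors the workaround reported in the
    thread; it is not a requirement of the STIX 2.1 specification.
    """
    fallback = stix_timestamp(now or datetime.now(timezone.utc))
    prepared, patched_ids = [], []
    for obj in objects:
        if not isinstance(obj, dict) or "id" not in obj or "type" not in obj:
            raise ValueError(f"not a STIX object: {obj!r}")
        copy = dict(obj)
        if "modified" not in copy:
            copy["modified"] = copy.get("created", fallback)
            patched_ids.append(copy["id"])
        prepared.append(copy)
    return {"objects": prepared}, patched_ids

if __name__ == "__main__":
    envelope, patched = prepare_envelope(SAMPLE_OBJECTS)
    print("added 'modified' to:", patched)
    print(json.dumps(envelope, indent=2))
```

The returned `patched_ids` list shows which objects were altered, so the change can be logged before the envelope is sent to the collection.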

aams-eam commented 3 months ago

Hi @ThanhPhuongw

Happy everything works now!