This repository has been archived by the owner on Jul 18, 2024. It is now read-only.

What is taxii_endpoint for stix-import? #14

Closed
Waseem-farooqui opened this issue Mar 24, 2016 · 9 comments

@Waseem-farooqui

I have a TAXII server which has the services discovery, collection-management, poll and inbox.
Now, which is the endpoint service: is it discovery, collection or poll?

@JasonKeirstead
Contributor

Hi! You want to point it at the root endpoint (remove the /poll portion)

@JasonKeirstead
Contributor

Let me know if you have any other questions.

@Waseem-farooqui
Author

For example, I have the services /services/discovery and /services/poll; in this case, will my endpoint be /services?

@JasonKeirstead
Contributor

In this case it would be "/services".

@Waseem-farooqui
Author

Now when I run the script and specify my OpenTAXII server IP, it throws:

Invalid reponse from TAXII server
{'extended_headers': {},
'in_response_to': '0',
'message': 'HTTP Error 404: NOT FOUND\r\nServer: gunicorn/19.4.5\r\nDate: Thu, 24 Mar 2016 12:21:43 GMT\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 233\r\n\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\n',
'message_id': '0',
'message_type': 'Status_Message',
'status_detail': {},
'status_type': 'FAILURE'}

This was my script:
sudo python ./import_stix.py -i 172.20.16.54 -t 6f178fb7-9c1c-4ecc-b8b9-8b5dcaf9b790 -x 172.20.16.36 -p 9000 --taxii_endpoint /services -y IPv4 Address -c collection-A -r Asset Reconciliation IPv4 Whitelist

Whereas when I specify hailataxii.com, it works fine.
sudo python ./import_stix.py -i 172.20.16.54 -t 6f178fb7-9c1c-4ecc-b8b9-8b5dcaf9b790 -x 172.20.16.36 -p 9000 --taxii_endpoint /services -y IPv4 Address -c collection-A -r Asset Reconciliation IPv4 Whitelist
And I don't even see any request on the taxii server.

@JasonKeirstead
Contributor

It looks like the way this is structured won't work with OpenTaxii without me making some changes. I will try to do an update today.

As a reminder as well, as of QRadar 7.2.6 this script is deprecated; the suggested course is to use the supported Threat Intelligence application (located here https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:ThreatIntelligence). Since this application uses TAXII discover, it would not have this issue.

@Waseem-farooqui
Author

OK, my end goal is to integrate the TAXII server with the Threat Intelligence app.
But I have the same problem here, in which I need your guidance for the endpoint. I will use the same /service, because this app works fine in the case of hailataxii, but in the case of my OpenTAXII server it throws Bad Gateway.
Will you please help me out :(

@JasonKeirstead
Contributor

Hi Waseem - in the Threat Intelligence app the endpoint should point at your discovery service. The app will then perform a discovery and ask you what to poll. If you are getting a Bad Gateway message it could mean any number of things, including a self-signed certificate (the app requires fully valid certificates for an SSL connection).

You should open a PMR with IBM Support if you are having issues with this app.
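
Added example (not part of the thread, and not code from import_stix.py or the Threat Intelligence app): a TAXII 1.1 client that starts from the discovery service reads each service's address out of the Discovery_Response instead of assuming paths under a root endpoint. The host name, the inbox path, the message ids and the helper names are assumptions; the sample response is constructed.

```python
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"t": TAXII_NS}

def _instance(stype, path, available="true"):
    # Builds one Service_Instance element for the constructed sample below.
    return (
        f'<t:Service_Instance service_type="{stype}" available="{available}" '
        'service_version="urn:taxii.mitre.org:services:1.1">'
        "<t:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</t:Protocol_Binding>"
        f"<t:Address>https://taxii.example.test{path}</t:Address>"
        "<t:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</t:Message_Binding>"
        "</t:Service_Instance>"
    )

# Constructed Discovery_Response; host and message ids are placeholders.
SAMPLE = (
    f'<t:Discovery_Response xmlns:t="{TAXII_NS}" message_id="2" in_response_to="1">'
    + _instance("DISCOVERY", "/services/discovery")
    + _instance("POLL", "/services/poll")
    + _instance("INBOX", "/services/inbox", available="false")
    + "</t:Discovery_Response>"
)

def service_addresses(xml_text):
    """Map each available service_type to the addresses the server advertises."""
    # For responses from servers you do not control, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{TAXII_NS}}}Discovery_Response":
        raise ValueError(f"expected Discovery_Response, got {root.tag}")
    found = {}
    for inst in root.findall("t:Service_Instance", NS):
        if inst.get("available", "true").lower() not in ("true", "1"):
            continue  # advertised but switched off
        address = inst.findtext("t:Address", default="", namespaces=NS).strip()
        if address:
            found.setdefault(inst.get("service_type"), []).append(address)
    return found

def resolve(xml_text, service_type):
    """Return the first advertised address for service_type, or raise LookupError."""
    addresses = service_addresses(xml_text).get(service_type)
    if not addresses:
        raise LookupError(f"server advertises no available {service_type} service")
    return addresses[0]

if __name__ == "__main__":
    for stype, addrs in service_addresses(SAMPLE).items():
        print(stype, addrs)
```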

@JasonKeirstead
Contributor

Please open a PMR with IBM Support to troubleshoot this application.
