Missing TAXII Collections for MITRE ATT&CK Profile

rcarmack1
Kilo Guru

I recently thought that I would try out the MITRE ATT&CK integration.  After performing all updates, I now see the MITRE ATT&CK TAXII Profile, but do not see any TAXII Collections available. I'm asking for assistance in determining why these didn't get created, or the configurations so that they can be created manually.  

1 ACCEPTED SOLUTION

julian_azaret
ServiceNow Employee

Hey Ryan,

Really, this feature should just work out of the box when you Get TAXII Collections.

After a bit of poking around and consulting my colleagues, the potential causes of a 404 (that we can think of) could be one of the following: 

1. Files got skipped during the upgrade

If files are skipped, especially files in sn_ti, you will not get the latest logic for retrieving the TAXII collections, which can potentially cause a 404. So the 'Upgrade Summary Report' would be something worth checking.

 

2. TAXII profile has been modified
To check this, compare the XML of your TAXII profile record with the one I have attached here. A modified profile would change the way we form the HTTP request sent to MITRE (endpoint, HTTP method, request headers, etc).

 

3. Network

To check if it is caused by a network issue, run the following script in the background script and check the output:

// Request the TAXII collections list directly from MITRE
var sm = new sn_ws.RESTMessageV2();
sm.setEndpoint("https://cti-taxii.mitre.org/stix/collections/");
sm.setRequestHeader("Content-Type", "application/json");
sm.setRequestHeader("Accept", "application/vnd.oasis.taxii+json; version=2.0");
sm.setHttpMethod("get");

// Send the request, then log the HTTP status code and the response body
var response = sm.execute();
var status = response.getStatusCode();
var body = response.getBody();
gs.info(status);
gs.info(body);

 

You should see a similar output as the below screenshot if there is no network issue:


 

If none of that works, then you should definitely open a ticket with support, so we can get in and have a look!
Sorry for the inconvenience - this really should be a plug n' play feature.

 

All the best,
J
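
The network check in the answer above, taken one step further as an added example (not part of the original post and not ServiceNow's code): it interprets the status and body that the background script logs and separates a 404, an intercepted response and a healthy TAXII 2.0 collections reply. The function name, verdict strings and sample bodies are hypothetical; only the endpoint URL comes from this thread.

```javascript
// Added example; function and verdict names are hypothetical.
// EXPECTED_ENDPOINT is the collections URL quoted in this thread.
var EXPECTED_ENDPOINT = "https://cti-taxii.mitre.org/stix/collections/";

function triageTaxiiCheck(profileEndpoint, status, body) {
  var result = {
    endpointMatches: profileEndpoint === EXPECTED_ENDPOINT,
    verdict: "",
    titles: []
  };
  if (status === 404) {
    // Cause 1 or 2 in the answer: skipped files or a modified profile
    result.verdict = "not-found";
    return result;
  }
  if (status !== 200) {
    result.verdict = "http-error";
    return result;
  }
  var parsed = null;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    // 200 with a non-JSON body: something other than the TAXII server replied
    result.verdict = "intercepted";
    return result;
  }
  var list = parsed && Array.isArray(parsed.collections) ? parsed.collections : [];
  result.titles = list
    .filter(function (c) { return c && c.id && c.can_read === true; })
    .map(function (c) { return c.title; });
  // Readable collections over the wire mean the fault is on the instance side
  result.verdict = result.titles.length > 0 ? "instance-side" : "empty";
  return result;
}

// Constructed sample bodies (IDs and titles are placeholders, not MITRE's)
var SAMPLE_OK = JSON.stringify({ collections: [
  { id: "00000000-0000-4000-8000-000000000001", title: "Sample A", can_read: true, can_write: false },
  { id: "00000000-0000-4000-8000-000000000002", title: "Sample B", can_read: true, can_write: false }
] });
var SAMPLE_PROXY = "<html><body>Sign in to continue</body></html>";

console.log(triageTaxiiCheck(EXPECTED_ENDPOINT, 200, SAMPLE_OK));
console.log(triageTaxiiCheck(EXPECTED_ENDPOINT, 200, SAMPLE_PROXY));
```

An "instance-side" verdict corresponds to the situation reported later in this thread, where the script output was normal and the cause was a skipped Threat Intelligence component.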

 


10 REPLIES 10

Alex Cox
ServiceNow Employee

A couple ideas:

ATT&CK was recently updated on MITRE's side - it might be worth trying Get TAXII Collections one more time now that it's been a few hours.

Is it possible that the TAXII URL in the config was modified - here is what I see in my test environment:

https://cti-taxii.mitre.org/stix/collections/

Might be worth double-checking that that is exactly correct.

Finally - is your instance on-prem / going through a proxy? In this case, it is possible (though unlikely) that the request is being redirected by something in your network.

 

Still the same after the update - no collections and I receive "No data collections found for this profile" when selecting Get Collections.

My URL is the same as you posted.  Also, this is a cloud instance so there should not be anything blocking the request.


1. Reviewed skipped files and merged those that were present.  No changes.

2. XML for the Profile was exactly the same.

3. Received the same output for the script to check the network.

 

Thanks for your help so far.  I opened a case with support.

 

Just as a follow up, I opened a case with Support.  It turns out that a component to Threat Intelligence was skipped during an update.  That component was restored to default, which corrected the issue.