Hey Ryan,
Really this feature should just work out of box, when you Get TAXII Collections.
After a bit of poking around and consulting my colleagues, the potential causes of a 404 (that we can think of) could be one of the following:
1. Files got skipped during the upgrade
If files are skipped especially for files in sn_ti, you will not get the latest logic of retrieving the TAXII collections which can potentially cause a 404. So 'Upgrade Summary Report' would be something worth checking.
2. TAXII profile has been modified
To check this, compare the XML of your TAXII profile record with the one I have attached here. A modified profile would change the way we form the HTTP request sent to MITRE (endpoint, HTTP method, request headers, etc).
3. Network
To check if it is caused by network issue, run the following script in the background script and check the output:
var sm = new sn_ws.RESTMessageV2();
sm.setEndpoint("https://cti-taxii.mitre.org/stix/collections/");
sm.setRequestHeader("Content-Type", "application/json");
sm.setRequestHeader("Accept", "application/vnd.oasis.taxii+json; version=2.0");
sm.setHttpMethod("get");
var response = sm.execute();
var status = response.getStatusCode();
var body = response.getBody();
gs.info(status);
gs.info(body);
You should see a similar output as the below screenshot if there is no network issue:
If none of that works, then you should definitely open a ticket with support, so we can get in and have a look!
Sorry for the inconvenience - this really should be a plug n' play feature.
All the best,
J
Error in fetching data from MITRE TAXII server
MITRE TAXII servers are crashing due to heavy influx of download/update requests from Servicenow instances. MITRE doesn’t have enough resources/infra to maintain TAXII servers. They are temporarily blocking the ip addresses that are resulting in the crash.
Path forward: -
- use MITRE github endpoint instead of TAXII endpoint as suggested by MITRE.
- scheduled update set to ‘On-demand’ instead of daily.
- more info is present in the KB0955837.
