Pushing content to a TAXII inbox shows no new content

After successfully pushing content to the TAXII inbox service of an incoming feed, no new content is displayed or made available in the platform.

Scenario

  • An incoming feed is configured to ingest STIX content using a TAXII inbox service.

  • New content is pushed to the incoming feed TAXII inbox using Cabby, a TAXII client with a command line interface that allows executing data discovery, polling, and fetching tasks.

Issue

You push new content to the TAXII inbox service of an incoming feed, so that the feed can retrieve it. The task is executed and completes correctly, but no new content is shown or available in the platform.

Mitigation

  1. Ensure the outgoing feed is correctly configured.

  2. Check the Cabby log file. A successful push-to-inbox action should return the following message:

    INFO: Content block successfully pushed

  3. Verify that the content type being pushed to the incoming feed TAXII inbox service matches the configured content type for that feed. To do this, inspect the value of the binding parameter you pass when you push content to the inbox service with taxii-push.
    The default content binding type is urn:stix.mitre.org:xml:1.1.1.
    For example, if you are fetching content in STIX 1.2 data format, change the content binding value to reflect the correct STIX version:

    --binding "urn:stix.mitre.org:xml:1.2"

    (venv) $ taxii-push --host test.taxiistand.com \
    --https \
    --discovery /read-write/services/discovery \
    --content-file /tmp/stuxnet.stix.xml \
    --binding "urn:stix.mitre.org:xml:1.2" \
    --subtype custom-subtype

  4. If the push action succeeds but no new content appears, the cause of the problem may be one of the following:

    • Binding/Content type mismatch: the content blocks being pushed have a content type that does not match the binding value you passed with taxii-push.
      The content type configured for the feed and the type of the pushed content are different. For example, the configured content type is STIX, but the pushed content is in PDF format. In this case, either reconfigure the content type as PDF to match the pushed PDF format, or push content in STIX format instead of PDF.
      Or

    • Ingestion problem: if the content type matches the content binding, the content block ingestion process failed. Check the ingestion and OpenTAXII logs. To investigate any issues:

      1. Go to /var/log/eclecticiq/

      2. Browse for intel-ingestion.log and opentaxii.log
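
A pre-push check for step 3 and the binding/content type mismatch case in step 4, as an added example that is not part of the original article or of Cabby: it reads the version attribute of the STIX 1.x package root and compares the binding that version implies with the value you intend to pass to taxii-push. The function names and both sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

STIX_NS = "http://stix.mitre.org/stix-1"        # STIX 1.x core namespace
BINDING_PREFIX = "urn:stix.mitre.org:xml:"
DEFAULT_BINDING = BINDING_PREFIX + "1.1.1"      # default binding named in step 3

# Constructed sample inputs (not real intelligence content).
SAMPLE_STIX_12 = (b'<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" '
                  b'version="1.2"/>')
SAMPLE_PDF = b"%PDF-1.4\n% constructed stand-in for a PDF report\n"


def detect_binding(data):
    """Return the binding implied by a STIX 1.x package, or None if data is not one."""
    try:
        # Stdlib parser for brevity; use a hardened XML parser on untrusted files.
        root = ET.fromstring(data)
    except ET.ParseError:
        return None                             # not XML at all, e.g. a PDF
    if root.tag != "{%s}STIX_Package" % STIX_NS:
        return None                             # XML, but not a STIX 1.x package
    version = root.get("version")
    return BINDING_PREFIX + version if version else None


def check_push(data, binding=DEFAULT_BINDING):
    """Return (ok, reason) for pushing data with the given --binding value."""
    detected = detect_binding(data)
    if detected is None:
        return False, "content is not a versioned STIX 1.x XML package"
    if detected != binding:
        return False, "content implies %s but --binding is %s" % (detected, binding)
    return True, "content matches --binding %s" % binding


if __name__ == "__main__":
    cases = [
        ("STIX 1.2, default binding", SAMPLE_STIX_12, DEFAULT_BINDING),
        ("STIX 1.2, 1.2 binding", SAMPLE_STIX_12, BINDING_PREFIX + "1.2"),
        ("PDF, 1.2 binding", SAMPLE_PDF, BINDING_PREFIX + "1.2"),
    ]
    for label, data, binding in cases:
        ok, reason = check_push(data, binding)
        print("%-28s %-8s %s" % (label, "OK" if ok else "MISMATCH", reason))
```

This only compares the file with the binding value; the content type configured on the incoming feed still has to be checked in the platform.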