Issues trying to connect to MITRE ATT&CK STIX 2.1 Feed from Sentinel Threat Intelligence

WillAngus-6254 0 Reputation points
2025-02-03T04:58:21.01+00:00

Hi,

I am having issues while trying to connect to the MITRE ATT&CK STIX 2.1 Feed from within Sentinel's Threat Intelligence module.

I have the 'Threat Intelligence - TAXII' data connector enabled (with another TAXII server connected and functioning).

However, when I try to connect to the MITRE TAXII server, I receive one of two errors.

I have tried the following combinations:

API root URL: https://attack-taxii.mitre.org/api/v21/

Collection ID: 1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

Encountered an error when validating the request. Please validate the provided input (ie workspace id, tenant id, collection id, ApiRoot details etc).

API root URL: https://attack-taxii.mitre.org/api/v21

Collection ID: 1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

Encountered an error when validating the request. Please validate the provided input (ie workspace id, tenant id, collection id, ApiRoot details etc).

API root URL: https://attack-taxii.mitre.org/api/

Collection ID: 1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

TAXII API root URL (https://attack-taxii.mitre.org/api/) is not valid

API root URL: https://attack-taxii.mitre.org/api

Collection ID: 1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

TAXII collectionId (1f5f1533-f617-4ca8-9ab4-6a02367fa019) is not valid

API root URL: https://attack-taxii.mitre.org/api

Collection ID: x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

TAXII collectionId (x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019) is not valid

API root URL: https://attack-taxii.mitre.org/api/v21/collections

Collection ID: 1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

Encountered an error when validating the request. Please validate the provided input (ie workspace id, tenant id, collection id, ApiRoot details etc).

API root URL: https://attack-taxii.mitre.org/api/v21/collections/

Collection ID: 1f5f1533-f617-4ca8-9ab4-6a02367fa019

Error: Failed to add TAXII connector

Encountered an error when validating the request. Please validate the provided input (ie workspace id, tenant id, collection id, ApiRoot details etc).

Both the API root URL (https://attack-taxii.mitre.org/api/v21/) and Collection ID (1f5f1533-f617-4ca8-9ab4-6a02367fa019) have been confirmed via MITRE documentation () and manually running a curl command (below):

curl command

curl --request GET \
  --url https://attack-taxii.mitre.org/api/v21/collections \
  --header 'Accept: application/taxii+json;version=2.1'

response

{
  "collections": [
    {
      "id": "x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019",
      "title": "Enterprise ATT&CK",
      "description": "ATT&CK for Enterprise provides a knowledge base of real-world adversary behavior targeting traditional enterprise networks. ATT&CK for Enterprise covers the following platforms: Windows, macOS, Linux, PRE, Office 365, Google Workspace, IaaS, Network, and Containers.",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/taxii+json;version=2.1", "application/taxii+json"]
    },
    {
      "id": "x-mitre-collection------",
      "title": "ICS ATT&CK",
      "description": "The ATT&CK for Industrial Control Systems (ICS) knowledge base categorizes the unique set of tactics, techniques, and procedures (TTPs) used by threat actors in the ICS technology domain. ATT&CK for ICS outlines the portions of an ICS attack that are out of scope of Enterprise and reflects the various phases of an adversary’s attack life cycle and the assets and systems they are known to target.",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/taxii+json;version=2.1", "application/taxii+json"]
    },
    {
      "id": "x-mitre-collection--d----",
      "title": "Mobile ATT&CK",
      "description": "ATT&CK for Mobile is a matrix of adversary behavior against mobile devices (smartphones and tablets running the Android or iOS/iPadOS operating systems). ATT&CK for Mobile builds upon NIST's Mobile Threat Catalogue and also contains a separate matrix of network-based effects, which are techniques that an adversary can employ without access to the mobile device itself.",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/taxii+json;version=2.1", "application/taxii+json"]
    }
  ]
}


1 answer

  1. Andrew Blumhardt 9,871 Reputation points Microsoft Employee
    2025-02-04T15:05:02.58+00:00

    I have never set up or seen this particular feed configured. I know people are always looking for a free TAXII option for use and demo purposes. I suspect if this was easy, I would see it often.

    Basic troubleshooting would be to try curl or other methods to confirm that you can get back the JSON with your credentials, making sure it is not permissions or some other block.

    I do know this Sentinel TAXII request has source IPs that can be difficult to track down. When the TAXII service is hosted behind a firewall, it is possible that the Sentinel requests are being blocked. I have seen government hosted TAXII not allow Sentinel source IPs. I unfortunately don't have a reference for those IPs; I'll try to circle back if I find them.

    It looks like the MITRE indicators are also published on GitHub. It may be possible to reference or ingest from there. One example that comes to mind: some of the Sentinel TI Map rules actually query GitHub if you review the KQL. That might be something you can reuse with the MITRE repo.

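The check the answer recommends (confirm with your own client what the TAXII server returns before blaming the connector), as an added example that is not part of the question, the answer, or any Microsoft or MITRE code: a small Python TAXII 2.1 client that fetches the collections list under an API root and reports whether a collection id is present, readable, and served as TAXII 2.1, accepting the id either bare or with the `x-mitre-collection--` prefix the server uses. The URL and id are the ones quoted in the question; the fetcher is pluggable so the embedded sample (constructed from the response in the question) runs offline.

```python
import json
import urllib.request

TAXII_21 = "application/taxii+json;version=2.1"

# Constructed sample: the Enterprise ATT&CK entry from the collections response
# quoted in the question (the other ids on the page are not recoverable).
SAMPLE_COLLECTIONS = {"collections": [{
    "id": "x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019",
    "title": "Enterprise ATT&CK", "can_read": True, "can_write": False,
    "media_types": [TAXII_21, "application/taxii+json"]}]}

def normalize_api_root(url: str) -> str:
    """TAXII 2.1 joins '{api-root}collections/', so the root must end in one slash."""
    return url.rstrip("/") + "/"

def http_get_json(url: str) -> dict:
    """Live fetcher: GET with the TAXII 2.1 Accept header the question's curl uses."""
    req = urllib.request.Request(url, headers={"Accept": TAXII_21})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))

def offline_fetch(url: str) -> dict:
    """Stand-in fetcher returning the constructed sample, for running without network."""
    return SAMPLE_COLLECTIONS

def find_collection(collections: list, collection_id: str) -> "dict | None":
    """Match the server id exactly or by its UUID suffix, so the bare UUID the
    question tried matches the server's 'x-mitre-collection--<uuid>' id."""
    for col in collections:
        cid = col.get("id", "")
        if cid == collection_id or cid.rsplit("--", 1)[-1] == collection_id:
            return col
    return None

def validate_collection(api_root: str, collection_id: str, fetch=http_get_json) -> dict:
    """Report what the TAXII server itself says about the collection."""
    root = normalize_api_root(api_root)
    col = find_collection(fetch(root + "collections/").get("collections", []),
                          collection_id)
    if col is None:
        return {"api_root": root, "found": False}
    return {"api_root": root, "found": True, "server_id": col["id"],
            "readable": bool(col.get("can_read")),
            "supports_taxii21": TAXII_21 in col.get("media_types", [])}

if __name__ == "__main__":
    # Swap fetch=offline_fetch for the default to query the live server.
    print(json.dumps(validate_collection("https://attack-taxii.mitre.org/api/v21",
          "1f5f1533-f617-4ca8-9ab4-6a02367fa019", fetch=offline_fetch), indent=2))
```

If this report shows the collection as found and readable from your network but the connector still rejects the same values, the problem is on the connector side (input format or Sentinel's egress being blocked, as the answer describes) rather than with the feed itself.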
