TAXII Query help required... (using Soltra Edge)

Hi all,

So, fully appreciate that we’re talking future in the CTI TC and SC’s, but I’m playing with an experiment on the current version of taxii for which I could use some help. I’m reasonably comfortable with stix, but taxii is still a bit new for me.

I’m trying to set up a method of querying a taxii service for a specific observable (initially an IP address, but hopefully for different observable types too) and – at first – just return a yes/no whether it exists in the repo. I’ve been trying to follow the guidance in https://taxiiproject.github.io/releases/1.1/TAXII_Default_Query_Specification.pdf and I’m sending requests to an offline copy of Soltra Edge using a customised version of the TAXIIExample.py script. I’m building the query as per the examples in the above linked spec, but the response I’m getting is a fully formed taxii error message (which at least means it understands what I’m asking, I suppose) saying that ‘Query’ is an unknown message type.

The good news is that I have control of the repository that I’m searching in, so I can predetermine the structure of the hosted stix objects (and, hence, can be explicit with the Target in the tdq declarations). However, I can’t even seem to get it to like the taxii:Query message type first – so it’s not even dropping in to the tdq sections. None of the taxii 1.1 spec information seems to make reference to anything outside discovery, poll, inbox and feed_info – was the query message type deprecated? Am I missing something?

Thanks in advance for your help!

Chris

cti-users message