[QRADAR] API Error

[cattleindigo]

Description

Setting up Qradar connector with OpenCTI and seems to have a few issues with the sent information. Error code 422: The request was well-formed but was unable to be followed due to semantic errors.

Environment

1. OS Ubuntu 16.4
2. OpenCTI version: 6.2.12
3. OpenCTI client: docker deployment
4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Pulled opencti/connector-qradar:6.2.12
2. Configured yml file as in github
3. Update the stack

Expected Output

Creation of reference sets in qradar

Actual Output

Error logs created for error 422

Additional information

Screenshots (optional)

[romain-filigran]

Hello @cattleindigo : The QRadar connector was designed to push entities of type "indicator" only in QRadar. In your logs, it seems that you are also trying to push "Report" entity. Can you reconfigure your stream definition to include only entity of type "indicator" to prevent this error ?

[cattleindigo]

Done, this is the current error log

[romain-filigran]

This error is different and indicate that the connector is not able to communicate with your OpenCTI live stream. Does your connector and your OpenCTI are running in the same docker context ?

[cattleindigo]

Yes, it's a docker deployment with portainer used to deploy our OpenCTI stack. There isn't anything else running on it.

[cattleindigo]

Seems to be working when I added URL to the data stream filtering. But I'm still not able to bring over domain names, email addresses, ip addresses or hashes