Error 400

[WednesdayAd]

Hello! I managed to integrate MISP and Qradar, but it only works IP. When I try post all IOCs I have error 400 - Bad request. Element Type of the reference set is AlphaNumeric. What am I doing wrong?

15:03:31 -- MISP API Query (Success) 15:03:32 -- 239737 IOCs imported 15:03:32 -- Initiating, IOC POST to QRadar 15:03:35 -- Could not POST IOCs to QRadar (Failure)

[JamesCullum]

Add the following command above that error for debugging: print(qradar_response.content) (if its just IP, at line 88, otherwise line 97).

This should show you the error message from qradar.

[WednesdayAd]

This is not an IP, it happened when importing the URL. After adding the recommended line, received the following information

15:49:23 -- Initiating, IOC POST to QRadar b'{"http_response":{"code":400,"message":"Invalid syntax for this request was provided"},"code":1001,"description":"An error occurred parsing the JSON formatted message body","details":{},"message":"JSON Parse Error!! Colon encountered but was not in a JSON Object"}' 15:49:24 -- Could not POST IOCs to QRadar (Failure)

[JamesCullum]

Sounds like you entered an incorrect URL, which contains a colon. Is it just IP or hostname (no protocol)?

[WednesdayAd]

It's like "http://animalclub[.]co/"

[JamesCullum]

Just use "animalclub.co" then - as mentioned, no protocol or slashes