Open NaufalIhsan2002 opened 5 months ago
Do you have anything that indicates that it isn't working? This is an enrichment connector, so it will only perform work when a new entity is ingested into your platform. Alternatively, you can enrich an entity manually (see the documentation in the Usage section).
The state field is not used for enrichment connectors. I believe they are only used by stream connectors, possibly other types.
I'll take this cause of confusion into consideration when updating the manual.
I have tried to manually enrich, but I got this error. What should I do?
You most likely have a self-signed certificate in OpenSearch (which is the norm). You will have to skip TLS verification. See important settings in the documentation. The env. var. would be WAZUH_OPENSEARCH_VERIFY_TLS=false
I'm sorry, but can you help me one more time to get my manual enrichment working right? I also have an error like this
Your last screenshot is not an error. Have a look in the documentation:
As for your errors in the previous runs, please provide information about what they say, and I will try to help.
Is it normal that the operations complete and total number of operations is 0? I ran docker compose logs -f --tail=100 connector-wazuh, and I got this.
I'm sorry for bothering you so much. I really want to learn this.
It appears that you are enriching indicators. As I pointed out earlier with the references to the documentation, enriching indicators only works if those indicators have relationships to observables, as there is no direct STIX indicator pattern support. The only workaround I can offer for now is using automation to create these relationships automatically.
Is it normal that the operations complete and total number of operations is 0?
It is if there is nothing for the connector to do, or if the indicator was not found in Wazuh. It only creates STIX objects when the search is performed, and results are found.
Do I have to manually make an incident, or does the connector make the incident automatically?
I am also trying to search for "Wazuh SIEM" in OpenCTI and I can't find it. Can you help me, please?
Do I have to manually make an incident, or does the connector make the incident automatically?
Incidents are created depending on your configuration. See the documentation on the topic.
I am also trying to search for "Wazuh SIEM" in OpenCTI and I can't find it. Can you help me, please?
This is an identity of type system. You'll find this under "systems" in OpenCTI, and linked to in all incidents.
Can anyone help me? My connector isn't working. Is there something wrong with my configuration?