[QRADAR] - Error - Qradar connector integration
Description
Unable to interconnect Qradar with OpenCTI. Errors in log.
Environment
- OS : Ubuntu 22.04
- OpenCTI version: 5.9.6
- OpenCTI client: frontend
- Other environment details:
Reproducible Steps
Steps to create the smallest reproducible scenario:
Add the qradar connector to the OpenCTI docker-compose.yml file:
```yaml
connector-qradar:
  image: opencti/connector-qradar:5.9.6
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=${CONNECTOR_QRADAR_ID}
    - CONNECTOR_TYPE=STREAM
    - CONNECTOR_LIVE_STREAM_ID=live # ID of the live stream created in the OpenCTI UI
    - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
    - CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
    - CONNECTOR_NAME="Qradar OpenCTI Connector"
    - CONNECTOR_SCOPE=qradar
    - CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
    - CONNECTOR_LOG_LEVEL=debug
    - QRADAR_URL=${QRADAR_URL}
    - QRADAR_TOKEN=${QRADAR_TOKEN}
    - QRADAR_SSL_VERIFY=false
    - QRADAR_REFERENCE_NAME=opencti
    - QRADAR_IGNORE_TYPES=label,marking-definition,identity
  restart: always
```
Expected Output
OpenCTI provisioning ref set in Qradar
Actual Output
Connector Qradar error log in debug:

```text
ERROR 'NoneType' object has no attribute 'group'
INFO Listing Threat-Actors with filters null. | timestamp=2023-09-28T13:20:22.561689Z name=pycti.entities
DEBUG Starting new HTTP connection (1): opencti:8080 | timestamp=2023-09-28T13:20:22.562781Z name=urllib3.connectionpool
DEBUG http://opencti:8080 "POST /graphql HTTP/1.1" 200 144 | timestamp=2023-09-28T13:20:22.619631Z name=urllib3.connectionpool
DEBUG http://opencti:8080 "POST /graphql HTTP/1.1" 200 630 | timestamp=2023-09-28T13:20:22.722871Z name=urllib3.connectionpool
INFO Connector registered with ID: 0b664b89-1cb6-4f30-a01b-1e06fea52ef3 | timestamp=2023-09-28T13:20:22.723773Z name=pycti.connector
INFO Starting ping alive thread | timestamp=2023-09-28T13:20:22.724137Z name=pycti.connector
INFO connector helper initialized | timestamp=2023-09-28T13:20:22.724573Z name=pycti.connector
INFO reference_set created | timestamp=2023-09-28T13:20:22.724801Z name=pycti.connector
INFO starting 10 consumer threads | timestamp=2023-09-28T13:20:22.726288Z name=pycti.connector
INFO Starting stream alive thread | timestamp=2023-09-28T13:20:22.726769Z name=pycti.connector
INFO Starting to listen stream events on "http://opencti:8080/stream/live?recover=2023-09-28T13:20:22Z" (listen-delete: true, no-dependencies: true, with-inferences: false) | timestamp=2023-09-28T13:20:22.726965Z name=pycti.connector
DEBUG Starting new HTTP connection (1): opencti:8080 | timestamp=2023-09-28T13:20:22.728096Z name=urllib3.connectionpool
DEBUG http://opencti:8080 "GET /stream/live?recover=2023-09-28T13:20:22Z HTTP/1.1" 200 None | timestamp=2023-09-28T13:20:22.785173Z name=urllib3.connectionpool
DEBUG http://opencti:8080 "POST /graphql HTTP/1.1" 200 98 | timestamp=2023-09-28T13:20:22.823978Z name=urllib3.connectionpool
DEBUG processing message with id f0458705-5ab1-4203-95aa-127d90b331f6 | timestamp=2023-09-28T13:20:22.974875Z name=pycti.connector
ERROR an error occurred while consuming messages | timestamp=2023-09-28T13:20:22.975171Z name=pycti.connector
ERROR 'NoneType' object has no attribute 'group' | timestamp=2023-09-28T13:20:22.975310Z name=pycti.connector
```
Additional information
Screenshots (optional)
I have the same problem. The problem could be the "recover" parameter: if I test the URL (http://opencti:8080/stream/live?recover=2023-09-28T13:20:22Z) in a browser I get an empty page, whereas, removing it, I get the stream file.
I don't know how to remove it from the query since it is embedded in the OpenCTIConnectorHelper object. CONNECTOR_LIVE_STREAM_START_TIMESTAMP could also be related, but I can't find how to set it so that the "recover" parameter is removed.
Hello,
I didn't find a solution to this problem @daniele2010; perhaps @khanafeer could help us with this issue? Thank you
Hello,
Could we have more information on which version of Qradar and which version of OpenCTI you tested and implemented it with, @khanafeer? Thank you
@khanafeer would you mind having a look at this bug, please?
@Guear: I think the connector only works with a stream that exposes objects of type "indicator" and not "observables". I reproduced the error with a stream exposing a "Domain-Name" observable, for example. Try to update your stream to expose entity_type="Indicator".
Hello @Guear,
In fact, this error "ERROR 'NoneType' object has no attribute 'group'" occurs when the stream detects the creation or update of an entity other than an indicator: the connector looks for the main_observable_type of an indicator, and if the entity is an observable instead, the connector raises this error.
Another solution would be, as @rguignard points out, to create a stream with entity_type="Indicator" as a filter (which will have the effect of only retrieving events associated with indicators), then retrieve the stream ID and replace live with your ID (in the live_stream_id environment variable).
But note that if you set "live_stream_no_dependencies" to false, the stream will detect the observables linked to the indicator, but also their relationships; it would be wise to add the "relationship" value to "ignore_types" to limit errors.
If another unwanted entity appears frequently in your error logs, you can ignore it with the "ignore_types" environment variable.
PS: As I don't have direct access to Qradar, I would appreciate your feedback once the proposed fix is validated ;)
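The failure mode described in the two comments above, as an added illustration that is not the connector's own code: an unguarded regex parse of a STIX pattern produces exactly the `'NoneType' object has no attribute 'group'` message when the stream delivers an observable (which has no `pattern`), and a guarded consumer that applies `ignore_types`, skips non-indicator events and handles deletes avoids it. The event shape (`event` kind plus a STIX `data` object), the regexes, and the in-memory reference set are assumptions made for the example; the sample events are constructed, not captured from a real stream.

```python
import re
from typing import Optional

# Hypothetical stand-in for QRADAR_IGNORE_TYPES: the issue's value plus
# "relationship", as the thread suggests when no_dependencies is false.
IGNORE_TYPES = {"label", "marking-definition", "identity", "relationship"}

# Assumed STIX 2.1 comparison pattern, e.g. "[domain-name:value = 'evil.example']".
# The object type before the first ':' is the indicator's main observable type;
# the quoted literal is the value that would go into the QRadar reference set.
_TYPE_RE = re.compile(r"^\[\s*([a-z0-9-]+):")
_VALUE_RE = re.compile(r"=\s*'([^']*)'")


def naive_main_observable_type(pattern: str) -> str:
    """Unguarded parse: re.match() returns None for anything that is not an
    indicator pattern, and None.group(1) raises
    "'NoneType' object has no attribute 'group'" (the error in the issue)."""
    return _TYPE_RE.match(pattern).group(1)


def main_observable_type(pattern: Optional[str]) -> Optional[str]:
    """Guarded parse: returns None instead of crashing on a missing pattern."""
    m = _TYPE_RE.match(pattern or "")
    return m.group(1) if m else None


def pattern_value(pattern: str) -> Optional[str]:
    """Extract the single quoted literal from a simple comparison pattern."""
    m = _VALUE_RE.search(pattern)
    return m.group(1) if m else None


def handle_event(event: dict, reference_set: set) -> str:
    """Process one live-stream event against an in-memory reference set.
    Returns an action label so the outcome can be checked."""
    data = event.get("data", {})
    etype = data.get("type")
    if etype in IGNORE_TYPES:
        return "ignored"
    if etype != "indicator":
        # Observables (domain-name, ipv4-addr, ...) carry no 'pattern';
        # this is the kind of event that crashed the unguarded version.
        return "skipped"
    pattern = data.get("pattern", "")
    obs_type = main_observable_type(pattern)
    value = pattern_value(pattern)
    if obs_type is None or value is None:
        return "unparseable"
    if event.get("event") == "delete":
        reference_set.discard(value)
        return "removed"
    reference_set.add(value)
    return "added"


# Constructed events in an assumed live-stream shape; not captured from OpenCTI.
SAMPLE_EVENTS = [
    {"event": "create", "data": {"type": "indicator",
                                 "pattern": "[domain-name:value = 'evil.example']"}},
    {"event": "create", "data": {"type": "domain-name", "value": "evil.example"}},
    {"event": "update", "data": {"type": "identity", "name": "ACME"}},
    {"event": "create", "data": {"type": "relationship", "relationship_type": "based-on"}},
    {"event": "delete", "data": {"type": "indicator",
                                 "pattern": "[domain-name:value = 'evil.example']"}},
]


def run(events: list) -> tuple:
    """Consume a list of events; return the actions taken and the final set."""
    reference_set: set = set()
    actions = [handle_event(e, reference_set) for e in events]
    return actions, reference_set


if __name__ == "__main__":
    actions, ref = run(SAMPLE_EVENTS)
    print(actions, ref)
```

Running the module prints the per-event actions and the (empty, after the delete) reference set; the second event, a bare `domain-name` observable, is the one that would reach `naive_main_observable_type` with no pattern and reproduce the traceback from the issue.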
Hello @Megafredo @rguignard,
Unfortunately I don't have access to a Qradar anymore.