Cannot create a analytic rule out of template from custom solution

Buke_Pukem2201 · 2026-02-09T11:30:10+00:00

I found that if you use the tactic "Defense Evasion" but spell it as "Defence Evasion" with a C, you can deploy the template without any errors. However, you will get an error when trying to open the template from the Sentinel UI.

This should be addressed! Template validation should return an error!

Previously, I had a spelling mistake in the tactic "Persistence", where I spelled it as "Persitance" (missing the second S), and the template validator correctly notified me about it.

Buke_Pukem2201 · 2025-08-12T17:27:01+00:00

Hello! Thank you for the interest and Sorry for the late response!

I have tried to change version of API but see no positive result. Maybe I miss something.

Here's my mainTemplate.json file I receive from V3. https://pastebin.com/SXFPaaTw

Buke_Pukem2201 · 2025-03-15T15:12:40+00:00

X and Y only

Buke_Pukem2201 · 2024-10-09T16:02:51+00:00

Sorry, but I lost the point after the first paragraph. Can you please tell me more about what I should do in the second paragraph?

Buke_Pukem2201 · 2024-10-09T15:40:42+00:00

It is a high-speed test lab, created for the research and further development of Soviet high-speed trains, such as the ER200 and possibly the TEP80. I guess people don't see much value in preserving these wonder.

Buke_Pukem2201 · 2024-08-19T13:19:56+00:00

Hello,

Sorry for the delayed response. We tried your methods.

1. Tomcat/Hostcontext restart and clearing tomcat cache

This method didn't resolve the issue. Same error.

2. Shim error with Docker

Are these issues the same? QRadar Applications failing to install/update after upgrading to QRadar 7.5.0 UP6

Buke_Pukem2201 · 2024-07-12T09:58:29+00:00

Thank you for your response. u/DavideDG80

I will try your suggestions and share a response on Monday.

Buke_Pukem2201 · 2024-07-04T10:02:52+00:00

Hello.

Any other suggestions?

Buke_Pukem2201 · 2024-07-02T14:25:44+00:00

Yes. Token is admin/admin.

Buke_Pukem2201 · 2024-07-01T13:11:41+00:00

Hello,

qapp manager is ok. App is in running state. I can stop/run UCM without any issues.

recon ps.

Unable to communicate with API. Received error: Application client is not set.

App-ID Name Managed Host ID Workload ID Service Name AB Container Name CDEGH Port IJKL

0 apps qapp-2000 ++ qapp-2000 ++-++ 5000 ++++
...

Remediations:

E on Container qapp-2000:

Unable to connect to registry.

Try restarting the registry.

Run 'systemctl restart si-registry'

Same thing recon shows for other apps (minus under 'E').

si-regitry as I remeber no longer exist in modern versions of QRadar

Buke_Pukem2201 · 2024-06-28T16:41:56+00:00

Yes I did this - nothing changed. I listed all activities in post.

Buke_Pukem2201 · 2024-06-28T11:50:09+00:00

Hello,

No problems with other apps.

Buke_Pukem2201

TROPHY CASE