Symantec ATP App For QRadar showing “Response Code – 422”
Last Updated April 03, 2019
If you run QRadar 7.3.1 or later with Symantec ATP 3.x or Endpoint Detection and Response (SEDR) 4.0 or later and have installed the Symantec ATP App For QRadar, you may start seeing 422 errors reported in the app logs.
To resolve this issue, you need to completely remove and reinstall the Symantec ATP App For QRadar. Follow these steps:
Delete the log source of the old ATP app.
To delete the custom properties, go to Admin -> Custom Event Properties, search for “symantec atp”, and select all by pressing Ctrl+A. Make sure the associated log source type is Symantec ATP, and then click the Delete button.