Workflow.xml

Use the following XML to populate the Workflow field in the protocol parameters section of the Universal Cloud REST API log source.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

<?xml version="1.0" encoding="UTF-8" ?>
<!--
  Offenses_Forwarder workflow for the Universal Cloud REST API protocol.
  Each run sends one GET request to the offense_results endpoint on the configured host,
  aborts on any status other than 200, and posts the returned offenses as events.
  minimumRecurrence is 60; the unit is presumably seconds (confirm against the protocol documentation).
-->
<Workflow name="Offenses_Forwarder"
          version="1.0"
          minimumRecurrence="60"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">

    <Parameters>
        <!-- Host to query. The value is interpolated into the request URL, used as the event source,
             and reused by every test at the end of this file, so it decides where the token is sent. -->
        <Parameter name="host" label="Host" required="true" />

        <!-- Authorized service token, sent as the SEC request header. secret="true" marks it as a
             confidential value. Issue a token that has only the access this endpoint needs. -->
        <Parameter name="auth_token" label="Authorized Service Token" required="true" secret="true" />
    </Parameters>

    <Actions>
        <!-- Fetch the offense results over HTTPS. The token travels in the SEC header only and never
             appears in the URL. The response is stored under /offense_results/response. -->
        <CallEndpoint url="https://${/host}/console/plugins/app_proxy:offense_results/api/offense_results"
                      method="GET"
                      savePath="/offense_results/response">
            <RequestHeader name="SEC" value="${/auth_token}" />
        </CallEndpoint>

        <!-- Any status other than 200 aborts the run. The abort reason is built from the status code and
             status message of the response; the token is not part of it. -->
        <If condition="/offense_results/response/status_code != 200">
            <Abort reason="${/offense_results/response/status_code}: ${/offense_results/response/status_message}" />
        </If>

        <!-- Post events only when the body holds at least one entry. The DEBUG line records the count,
             not the offense content. -->
        <If condition="${count(/offense_results/response/body)} > 0">
            <Log type="DEBUG" message="Response contains ${count(/offense_results/response/body)} offenses." />
            <Set path="/offenses" value="${values(/offense_results/response/body)}" />
            <PostEvents path="/offenses" source="${/host}" />
        </If>

        <!-- Reached on every run that was not aborted, including runs that returned no offenses. -->
        <SetStatus type="INFO" message="Successfully queried for events." />
    </Actions>

    <!-- Connectivity checks against the same host. Going by the test names: DNS resolution, TCP connection,
         SSL/TLS handshake, and an HTTPS connection through the proxy. -->
    <Tests>
        <DNSResolutionTest host="${/host}" />
        <TCPConnectionTest host="${/host}" />
        <SSLHandshakeTest host="${/host}" />
        <HTTPConnectionThroughProxyTest url="https://${/host}" />
    </Tests>
</Workflow>