Universal Cloud REST API connector workflow for IBM Security Guardium Insights - OAuth Client

You can customize your workflow and workflow parameters based on the default workflow.

A workflow is an XML document that describes the alert retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.

IBM Security Guardium Insights default workflow

If you are using the OAuth client credentials to configure the data source, use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

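<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Retrieves OPENED risk events from IBM Security Guardium Insights and posts
    the detail record of each one as an event.

    Flow: obtain an OAuth access token with the client ID and secret, list the
    risk events between /dateFrom and /dateTo, fetch the details of every event
    newer than /dateFromMilli, then move /dateFromMilli forward to the end of
    this poll window.

    The Parameters, Actions and Tests wrappers, the Else branches and all
    closing tags are written out so that the document is well-formed.
-->
<Workflow name="IBMSecurityGuardiumInsightsRiskEvents" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
    <Parameters>
        <!-- host is interpolated into https://${/host}/api/v3 below, so supply a bare
             hostname (no scheme, no path) even though the label says "Base URL". -->
        <Parameter name="host" label="The Base URL Guardium Insights instance" required="true" />
        <!-- secret="true" marks both OAuth values as confidential parameters. -->
        <Parameter name="oAuthClientID" label="OAuth Client ID" secret="true" required="true" />
        <Parameter name="oAuthClientSecret" label="OAuth Client Secret" secret="true" required="true" />
    </Parameters>

    <Actions>
        <ClearStatus />

        <!-- Poll window. Initialize only assigns /dateFromMilli when it has no value yet:
             the first run looks back 7 days, later runs continue from the stored value. -->
        <Set path="/dateTimeFormat" value="yyyy-MM-dd'T'HH:mm:ssX"/>
        <Initialize path="/dateFromMilli" value="${time() - (60000 * 60 * 24 * 7)}"/>
        <Set path="/dateToMilli" value="${time()}"/>
        <FormatDate pattern="${/dateTimeFormat}" timeZone="UTC" savePath="/dateFrom" time="${/dateFromMilli}"/>
        <FormatDate pattern="${/dateTimeFormat}" timeZone="UTC" savePath="/dateTo" time="${/dateToMilli}"/>

        <!-- All endpoints are reached over HTTPS on the configured host. -->
        <Set path="/baseUrl" value="https://${/host}/api/v3"/>
        <Set path="/oAuthApiUrl" value="${/baseUrl}/oauth/token"/>
        <Set path="/riskEventsApiUrl" value="${/baseUrl}/risk_events"/>
        <Set path="/riskEventsDetailsApiUrl" value="${/baseUrl}/risk_events/details/"/>

        <Log type="DEBUG" message="Querying [${/oAuthApiUrl}] with api keys to get Access Token..." />

        <!-- Exchange the client ID and secret (HTTP Basic) for an access token. -->
        <CallEndpoint url="${/oAuthApiUrl}" method="GET" savePath="/oAuthResponse">
            <BasicAuthentication username="${/oAuthClientID}" password="${/oAuthClientSecret}" />
            <RequestHeader name="Accept" value="application/json" />
        </CallEndpoint>

        <!-- Log the status code only. The response body carries the access token,
             and writing the whole response to the log would expose that credential
             to anyone who can read the logs. -->
        <Log type="DEBUG" message="OAuth token endpoint returned status code: ${/oAuthResponse/status_code}" />

        <If condition="/oAuthResponse/status_code != 200">
            <Abort reason="Could not retrieve access token. Status code: ${/oAuthResponse/status_code}, Message: ${/oAuthResponse/status_message}" />
        </If>
        <Else>
            <SetStatus type="INFO" message="Successfully retrieved OAuth Access Token." />
        </Else>

        <Set path="/access_token" value="${/oAuthResponse/body/access_token}" />

        <!-- List the OPENED risk events inside the poll window. -->
        <Log type="INFO" message="Full Request: GET - ${/riskEventsApiUrl}?status=OPENED&amp;date_from=${url_encode(/dateFrom)}&amp;date_to=${url_encode(/dateTo)}"/>
        <CallEndpoint url="${/riskEventsApiUrl}" method="GET" savePath="/riskEvents">
            <BearerAuthentication token="${/access_token}" />
            <QueryParameter name="status"    value="OPENED" />
            <QueryParameter name="date_from" value="${/dateFrom}"/>
            <QueryParameter name="date_to"     value="${/dateTo}" />
            <RequestHeader name="Accept" value="application/json" />
        </CallEndpoint>

        <!-- NOTE(review): this writes the full risk event response to the log at INFO.
             Confirm that the event data is acceptable in the connector logs, or lower
             the log type. -->
        <Log type="INFO" message="RECEIVED OUTPUT: ${/riskEvents}" />

        <If condition="/riskEvents/status_code != 200">
            <Abort reason="${/riskEvents/status_code}: ${/riskEvents/status_message}" />
        </If>
        <Else>
            <SetStatus type="INFO" message="Successfully retrieved list of Risk Events for the time period from ${/dateFrom} to ${/dateTo}" />
        </Else>

        <Log type="INFO" message="We received a total of ${count(/riskEvents/body/risk_event_rows)} Risk Events." />

        <If condition="${count(/riskEvents/body/risk_event_rows)} > 0">
            <!-- /callCount drives the throttle below; /riskEventIdsWithError collects
                 the IDs whose detail request failed, as a comma-separated list. -->
            <Set path="/callCount" value="0"/>
            <Set path="/riskEventIdsWithError" value="" />
            <ForEach item="/specificRiskEvent" items="/riskEvents/body/risk_event_rows">
                <ParseDate pattern="${/dateTimeFormat}" timeZone="UTC" date="${/specificRiskEvent/from_date}" savePath="/specificRiskEvent/from_date_millis" />
                <!-- Skip events that start at or before the window start, so an event
                     handled by an earlier poll is not requested again. -->
                <If condition="/specificRiskEvent/from_date_millis > /dateFromMilli" >
                    <CallEndpoint url="${/riskEventsDetailsApiUrl}${/specificRiskEvent/risk_id}" method="GET" savePath="/specificDetailRiskEvent">
                        <BearerAuthentication token="${/access_token}" />
                        <RequestHeader name="Accept" value="application/json" />
                    </CallEndpoint>

                    <Set path="/callCount" value="${${/callCount} + 1}"/>
                    <Log type="INFO" message="Specific Risk Event request (ID=${/specificRiskEvent/risk_id}), RESPONSE: ${/specificDetailRiskEvent}"/>

                    <If condition="/specificDetailRiskEvent/status_code != 200">
                        <Log type="WARN" message="Non-200 status received trying to query details for Risk Event with Risk ID: ${/specificRiskEvent/risk_id}" />
                        <Log type="WARN" message="${/specificDetailRiskEvent/status_code}: ${/specificDetailRiskEvent/status_message}" />
                        <Set path="/riskEventIdsWithError" value="${/riskEventIdsWithError}${/specificRiskEvent/risk_id}," />
                    </If>
                    <!-- NOTE(review): this is a separate If, not a branch of the status
                         check above, so the body of a non-200 response is still posted
                         as an event when the response object is not empty. Confirm that
                         this is intended. -->
                    <If condition="not empty(/specificDetailRiskEvent)">
                        <PostEvent path="/specificDetailRiskEvent/body" source="${/host}" />
                    </If>
                    <Else>
                        <Log type="WARN" message="The Risk Event we attempted to receive details on (ID = ${/specificRiskEvent/risk_id}) was not retrieved. Continuing..." />
                    </Else>

                    <!-- Throttle: pause for one second after every 99 detail requests. -->
                    <If condition="${/callCount} % 99 = 0">
                        <Log type="INFO" message="99 subsequent calls have been made, sleeping for 1 second for throttle."/>
                        <Sleep duration="1000"/>
                    </If>
                </If>
            </ForEach>
            <If condition="not empty(/riskEventIdsWithError)" >
                <!-- Drop the trailing comma before the ID list is reported. -->
                <Set path="/riskEventIdsWithError" value="${substring(/riskEventIdsWithError,0,${${count(/riskEventIdsWithError)} - 1})}" />
                <SetStatus type="WARN" message="Non-200 status received when querying Risk Event detail for Risk Event Ids: ${/riskEventIdsWithError}" />
            </If>
        </If>
        <Else>
            <Log type="INFO" message="No Risk Events were found for the current time period." />
        </Else>

        <Log type="INFO" message="Completed Risk Event request for the current time period." />

        <!-- The next poll starts where this one ended. -->
        <ParseDate pattern="${/dateTimeFormat}" timeZone="UTC" date="${/dateTo}" savePath="/dateFromMilli" />

        <!-- Remove the token, the raw responses and the derived URLs so that they are
             not kept in the workflow state after the run. -->
        <Delete path="/oAuthResponse" />
        <Delete path="/access_token" />
        <Delete path="/baseUrl" />
        <Delete path="/oAuthApiUrl" />
        <Delete path="/riskEvents" />
        <Delete path="/riskEventsApiUrl" />
        <Delete path="/riskEventsDetailsApiUrl" />
    </Actions>

    <!-- Connectivity checks against the configured host. -->
    <Tests>
        <DNSResolutionTest host="${/host}"/>
        <TCPConnectionTest host="${/host}"/>
        <SSLHandshakeTest host="${/host}"/>
        <HTTPConnectionThroughProxyTest url="https://${/host}"/>
    </Tests>
</Workflow>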

IBM Security Guardium Insights default workflow parameters

If you are using the OAuth client credentials to configure the data source, use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

  1. Click the Copy to clipboard icon at the upper right of the code block, and then paste the content to a text file.
  2. Replace the values for <your-hostname>, <your-OAuth-client-id>, and <your-OAuth-client-secret> with your own values.
  3. Copy the updated content into the Workflow Parameter Values field.
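<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Values for the parameters that the workflow declares: host, oAuthClientID
    and oAuthClientSecret.

    Replace each <your-...> placeholder together with its angle brackets; a
    placeholder left in place makes the document malformed. Give host as a bare
    hostname, because the workflow builds https://${/host}/api/v3 from it.

    The client secret is a credential. Delete any temporary file used to edit
    these values once they are pasted into the Workflow Parameter Values field,
    and do not commit the filled-in document to source control.
-->
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
    <Value name="host" value="<your-hostname>"/>
    <Value name="oAuthClientID" value="<your-OAuth-client-id>"/>
    <Value name="oAuthClientSecret" value="<your-OAuth-client-secret>"/>
</WorkflowParameterValues>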