Universal Cloud REST API connector workflow for Carbon Black

You can customize your workflow and workflow parameters based on the default workflow.

A workflow is an XML document that describes the event retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.

Carbon Black default workflow

Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

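<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Universal Cloud REST API workflow that polls Carbon Black alerts through the
    /api/alerts/v7/orgs/{organizationKey}/alerts/_search endpoint and posts each
    page of "results" to QRadar as events.

    Per run:
      1. Time window = [startTimeMilli, endTimeMilli]. startTimeMilli is the
         run-to-run bookmark (Initialize is expected to leave an already stored
         value alone; the first run starts 15 days back). endTimeMilli is always
         recomputed as "now minus 15 minutes", presumably to stay behind the
         backend's indexing lag.
      2. Page through the search 1000 rows at a time, advancing startRow by the
         number of results actually received. The loop also stops on an empty
         page: without that guard a 200 response with zero results would leave
         startRow unchanged and the loop would re-issue the same request forever.
      3. On success the bookmark moves to endTimeMilli + 1 and scratch state is
         cleared. On a non-200 response the workflow aborts WITHOUT moving the
         bookmark, so the next run retries the same window (already posted
         events from that window may then be posted again).

    The "url" parameter must be a bare hostname: the endpoint URL below and the
    connection tests prepend "https://" themselves or use it as a host.
    The offsets are computed in milliseconds, so time() is taken to return ms.
-->
<Workflow name="CarbonBlackEDRAlerts" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">

    <Parameters>
        <!-- Hostname only, no scheme or path: used as "https://${/url}/api/..." and as the host in the Tests section. -->
        <Parameter name="url"             label="Hostname of the Carbon Black EDR instance (no https:// prefix)"   required="true" />
        <Parameter name="id"              label="API ID"                                                      required="true" />
        <!-- Interpolated into the request URL, so it is marked secret and must not be echoed in Log/SetStatus messages. -->
        <Parameter name="organizationKey" label="The Organization Key for your Carbon Black EDR instance."    required="true" secret="true" />
        <!-- Only ever used to build the X-Auth-Token header; keep it out of every Log/SetStatus/Abort message. -->
        <Parameter name="secret"          label="API Secret Token"                                            required="true" secret="true" />
    </Parameters>

    <Actions>
        <ClearStatus />

        <!-- Bookmark: first run looks back 15 days (ms); later runs keep the value stored at the end of the previous run. -->
        <Initialize path="/carbonBlackAlerts/startTimeMilli" value="${time() - (60000 * 60 * 24 * 15)}"/>
        <!-- Upper bound of the window, recomputed every run: now minus 15 minutes. -->
        <Set path="/carbonBlackAlerts/endTimeMilli" value="${time() - (60000 * 15)}"/>

        <!-- The search body takes ISO 8601 UTC timestamps, so render both bounds in that form. -->
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" savePath="/carbonBlackAlerts/startTime" time="${/carbonBlackAlerts/startTimeMilli}"/>
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" savePath="/carbonBlackAlerts/endTime" time="${/carbonBlackAlerts/endTimeMilli}"/>

        <!-- Page size and the 1-based row to start from (the "start" field of the search body). -->
        <Set path="/carbonBlackAlerts/rows" value="1000"/>
        <Set path="/carbonBlackAlerts/startRow" value="1"/>

        <!--
            The body runs once before the condition is first evaluated, so /response exists by then
            (a non-200 aborts inside the body). Keep looping while the server reports more matches
            than we have consumed AND the last page actually carried results; the second clause
            prevents an endless loop on an empty page, since startRow only advances by the page count.
        -->
        <DoWhile condition="${/carbonBlackAlerts/response/body/num_found} > ${/carbonBlackAlerts/startRow} and ${count(/carbonBlackAlerts/response/body/results)} > 0">
            <!-- Log only window/paging state here; never the token, id or organization key. -->
            <Log type="INFO" message="About to send request: startTime='${/carbonBlackAlerts/startTime}', endTime='${/carbonBlackAlerts/endTime}', startRow='${/carbonBlackAlerts/startRow}'" />
            <!-- Authentication is the "secret/id" pair in X-Auth-Token; the organization key is part of the path. -->
            <CallEndpoint url="https://${/url}/api/alerts/v7/orgs/${/organizationKey}/alerts/_search" method="POST" savePath="/carbonBlackAlerts/response">
                <RequestHeader name="X-Auth-Token"          value="${/secret}/${/id}" />
                <RequestHeader name="Content-Type"          value="application/json" />
                <!--
                    Results are sorted ascending by backend_timestamp so paging by row offset is stable
                    within one run. NOTE(review): "rows" and "start" are sent as JSON strings because of
                    the surrounding quotes; confirm the API accepts that, otherwise drop the quotes.
                -->
                <RequestBody type="application/json" encoding="UTF-8">
                    {
                        "time_range": {
                            "end": "${/carbonBlackAlerts/endTime}",
                            "start": "${/carbonBlackAlerts/startTime}"
                        },
                        "rows": "${/carbonBlackAlerts/rows}",
                        "sort": [{
                            "field": "backend_timestamp",
                            "order": "ASC"
                        }],
                        "start": "${/carbonBlackAlerts/startRow}"
                    }
                </RequestBody>
            </CallEndpoint>

            <!--
                Any non-200 stops the run. Scratch state is dropped first so it does not leak into the
                next run; the bookmark (startTimeMilli) is deliberately left where it was.
            -->
            <If condition="/carbonBlackAlerts/response/status_code != 200">
                <Delete path="/carbonBlackAlerts/response" />
                <Delete path="/carbonBlackAlerts/rows" />
                <Delete path="/carbonBlackAlerts/startRow" />
                <Abort reason="${/carbonBlackAlerts/response/status_code}: ${/carbonBlackAlerts/response/status_message}" />
            </If>

            <SetStatus type="INFO" message="Successfully retrieved alerts." />
            <Log type="INFO" message="Received ${count(/carbonBlackAlerts/response/body/results)} alerts" />

            <!-- Post this page, then advance the row offset by what was actually received (not by the requested page size). -->
            <PostEvents path="/carbonBlackAlerts/response/body/results" source="${/url}" />
            <Set path="/carbonBlackAlerts/startRow" value="${/carbonBlackAlerts/startRow + count(/carbonBlackAlerts/response/body/results)}"/>
            <Log type="INFO" message="Updating startRow to ${/carbonBlackAlerts/startRow}" />
        </DoWhile>
        <Log type="INFO" message="Received a total of ${/carbonBlackAlerts/response/body/num_found} alerts" />

        <!-- Whole window consumed: next run starts 1 ms after this run's upper bound. Only reached when no page aborted. -->
        <Set path="/carbonBlackAlerts/startTimeMilli" value="${/carbonBlackAlerts/endTimeMilli + 1}"/>
        <Log type="INFO" message="Setting next startTimeMilli to ${/carbonBlackAlerts/startTimeMilli}" />

        <!-- Drop per-run scratch state; only startTimeMilli is meant to persist between runs. -->
        <Delete path="/carbonBlackAlerts/response" />
        <Delete path="/carbonBlackAlerts/rows" />
        <Delete path="/carbonBlackAlerts/startRow" />
    </Actions>

    <!-- Connectivity checks run from the connector UI; all of them treat ${/url} as a host, not a URL. -->
    <Tests>
        <DNSResolutionTest              host="${/url}"/>
        <TCPConnectionTest              host="${/url}"/>
        <SSLHandshakeTest               host="${/url}"/>
        <HTTPConnectionThroughProxyTest url="https://${/url}"/>
    </Tests>
</Workflow>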

Carbon Black default workflow parameter values

Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into a text file. Replace the value placeholders with your own values. Then copy the updated content into the Workflow Parameter Values field.

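<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Template for the Workflow Parameter Values field. Replace every <placeholder>,
    angle brackets included, before pasting: a literal "<" inside an attribute
    value is not well-formed XML, so the document will not load until all four
    placeholders are replaced. Keep the names unchanged; they must match the
    Parameter names declared in the workflow.
-->
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
    <!-- Hostname only: the workflow builds "https://${/url}/api/..." and its tests use the value as a host. -->
    <Value name="url"               value="<Hostname of Carbon Black EDR instance, without https://>"/>
    <Value name="id"                value="<API ID>"/>
    <!-- Declared secret="true" in the workflow; do not commit a filled-in copy of this file to shared storage. -->
    <Value name="organizationKey"   value="<Organization key for Carbon Black EDR instance>"/>
    <Value name="secret"            value="<API secret token>"/>
</WorkflowParameterValues>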