Workflow.xml
Use the following XML to populate the Workflow field in the Universal Cloud REST API log source protocol parameters section.
Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.
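<?xml version="1.0" encoding="UTF-8" ?>
<!--
  Offenses_Forwarder workflow for the Universal Cloud REST API protocol.

  Each run sends one GET request to the offense_results app endpoint on ${/host},
  aborts on any status other than 200, and posts the entries of the response body
  as events.

  Attributes are separated by whitespace, as XML well-formedness requires;
  every attribute value is unchanged.

  NOTE(review): minimumRecurrence="60" is presumably in seconds; confirm against
  the protocol documentation.
-->
<Workflow name="Offenses_Forwarder"
          version="1.2.0"
          minimumRecurrence="60"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">

    <Parameters>
        <!-- Used in the https:// request URL, as the event source, and in every connectivity test.
             Whoever can edit this value decides where the SEC header below is sent. -->
        <Parameter name="host" label="Host" required="true"/>

        <!-- Credential sent as the SEC request header. secret="true" flags it as sensitive;
             do not reference ${/auth_token} in Log, SetStatus or Abort messages.
             Prefer a token with only the permissions this query needs. -->
        <Parameter name="auth_token" label="Authorized Service Token" required="true" secret="true"/>

        <!-- Forwarded unchanged as the query_type query parameter. -->
        <Parameter name="query_type" label="Query Type" default="advanced_query"/>
    </Parameters>

    <Actions>
        <!-- The scheme is fixed to https, so the token is never sent in clear text by this call.
             The response is stored under /offense_results/response. -->
        <CallEndpoint url="https://${/host}/console/plugins/app_proxy:offense_results/api/offense_results" method="GET" savePath="/offense_results/response">
            <QueryParameter name="query_type" value="${/query_type}"/>
            <RequestHeader name="SEC" value="${/auth_token}"/>
        </CallEndpoint>

        <!-- Stop the run on any status other than 200. The reason carries only the
             status code and status message of the response, not the request headers. -->
        <If condition="/offense_results/response/status_code != 200">
            <Abort reason="${/offense_results/response/status_code}: ${/offense_results/response/status_message}"/>
        </If>

        <!-- Post events only when the body has at least one entry. The debug message
             records the count, not the offense content. -->
        <If condition="${count(/offense_results/response/body)} > 0">
            <Log type="DEBUG" message="Response contains ${count(/offense_results/response/body)} offenses."/>
            <Set path="/offenses" value="${values(/offense_results/response/body)}"/>
            <PostEvents path="/offenses" source="${/host}"/>
        </If>

        <!-- Reached on every run that was not aborted, including runs that posted no events. -->
        <SetStatus type="INFO" message="Successfully queried for events."/>

        <!-- NOTE(review): no action in this workflow reads /previousRunEndTimeSeconds, and the
             request carries no time bound. Presumably the app endpoint decides which offenses
             are new; verify, otherwise consecutive runs may post the same offenses again. -->
        <Set path="/previousRunEndTimeSeconds" value="${time() / 1000}"/>

        <!-- Remove the saved response from the workflow state once it has been processed. -->
        <Delete path="/offense_results/response"/>
    </Actions>

    <Tests>
        <!-- Connectivity checks against the configured host: name resolution, TCP reachability,
             TLS handshake, and an HTTPS request through the configured proxy. -->
        <DNSResolutionTest host="${/host}"/>
        <TCPConnectionTest host="${/host}"/>
        <SSLHandshakeTest host="${/host}"/>
        <HTTPConnectionThroughProxyTest url="https://${/host}"/>
    </Tests>
</Workflow>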