Universal Cloud REST API connector workflow for Cisco Secure Email

You can customize your workflow and workflow parameters based on the supported workflow.

A workflow is an XML document that describes the event retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.

Cisco Secure Email supported workflow

Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Event retrieval workflow for Cisco Secure Email. On each run it queries the message-tracking
    endpoint on ${/host} for a start/end time window, using HTTP Basic authentication, and posts
    the returned records as events.

    NOTE(review): the name attribute below reads "CiscoSecureCloudAnalytics", although every label
    and state path in this workflow refers to Cisco Secure Email. It looks like a leftover from
    another workflow; confirm before relying on the name.
-->
<Workflow name="CiscoSecureCloudAnalytics" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">

    <!-- Inputs supplied through the Workflow Parameter Values document. All three are required and
         password is flagged as secret. The username and password are sent with every request (see
         BasicAuthentication below), so a dedicated account limited to what message tracking needs
         is preferable to a shared administrator login. -->
    <Parameters>
        <Parameter name="username"    label="Cisco Secure Email Username"     required="true" />
        <Parameter name="password"    label="Cisco Secure Email Password"     required="true" secret = "true"/>
        <Parameter name="host"        label="Cisco Secure Email Host / IP"    required="true" />
    </Parameters>

    <Actions>
        <ClearStatus/>
        <!-- Set up both ends of the query window and format them. startDate is moved forward at the end of each run. -->
        <Initialize path="/ciscoSecureEmailData/startDate" value="${time() - (60000 * 60 * 24 * 10)}" /> <!-- 10 days prior, assuming time() is in milliseconds (60000 * 60 * 24 * 10). Moved forward after the DoWhile to prepare for the next run. -->
        <Set path="/ciscoSecureEmailData/endDate" value="${time()}" />

        <!-- The pattern has no seconds field, so both timestamps are cut to the minute here. -->
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm" timeZone="GMT" time="${/ciscoSecureEmailData/startDate}" savePath="/ciscoSecureEmailData/startDateFormatted" />
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm" timeZone="GMT" time="${/ciscoSecureEmailData/endDate}" savePath="/ciscoSecureEmailData/endDateFormatted" />

        <!-- endpoint needs seconds and milliseconds to be all 0's, so we append them in that format -->
        <Set path="/ciscoSecureEmailData/startDateFormatted" value="${/ciscoSecureEmailData/startDateFormatted}:00.000Z" />
        <Set path="/ciscoSecureEmailData/endDateFormatted" value="${/ciscoSecureEmailData/endDateFormatted}:00.000Z" />
        <!-- NOTE(review): offset is created with Initialize, like startDate, rather than with Set.
             If Initialize only takes effect when no value is stored yet (the startDate comments rely
             on state surviving between runs), the offset raised inside the loop would carry into the
             next run, whose first request would then start past the first page of the new window.
             Confirm, and consider resetting offset at the start of every run. -->
        <Initialize path="/ciscoSecureEmailData/offset" value="1" /> <!-- 1 indexed, not 0 -->

        <!-- Page size, a flag that is written but never read in this workflow, and the request URL. -->
        <Set path="/ciscoSecureEmailData/limit" value="100" />
        <Set path="/ciscoSecureEmailData/keepRequesting" value="false"/>
        <Set path="/ciscoSecureEmailData/url" value="https://${/host}/sma/api/v2.0/message-tracking/messages"/>

        <!-- NOTE(review): with offset starting at 1, limit set to 100 and offset raised by limit inside
             the body, the condition offset < limit is false after the first pass, so at most one page
             (limit records) is requested per run. Records beyond the first page of a window are never
             requested, and because startDate then moves past that window they would not be picked up
             later either. For a log source that is a silent gap in collected mail events.
             keepRequesting is set before and inside the loop but is not part of the condition. The
             status message inside the loop suggests the intent was to keep polling while the returned
             count equals the limit; confirm and adjust the condition accordingly. -->
        <DoWhile condition="${/ciscoSecureEmailData/offset} &lt; ${/ciscoSecureEmailData/limit}"> <!-- Intended: repeat while there are still events to fetch; see the NOTE above -->
            <SetStatus type="INFO" message="Querying for events" />
            <!-- One GET per pass for the current window and offset; the whole response is stored under /ciscoSecureEmailData/response. -->
            <CallEndpoint url="${/ciscoSecureEmailData/url}" method="GET" savePath="/ciscoSecureEmailData/response">
                <BasicAuthentication username="${/username}" password="${/password}" />

                <QueryParameter name="startDate" value="${/ciscoSecureEmailData/startDateFormatted}" omitIfEmpty="true" />
                <QueryParameter name="endDate" value="${/ciscoSecureEmailData/endDateFormatted}" omitIfEmpty="true" />

                <QueryParameter name="ciscoHost" value="All_Hosts" />
                <QueryParameter name="searchOption" value="messages" />
                <QueryParameter name="limit" value="${/ciscoSecureEmailData/limit}" />
                <QueryParameter name="offset" value="${/ciscoSecureEmailData/offset}" omitIfEmpty="true" />

                <RequestHeader name="Content-Type" value="application/json" />
                <RequestHeader name="Accept" value="application/json" />
            </CallEndpoint>

            <!-- NOTE(review): the three actions below run on every pass, before the status code is
                 checked and without comparing totalCount to the limit. The "more events" status is
                 therefore reported, and the offset advanced, even for a failed or short response. -->
            <SetStatus type="INFO"
                       message="We still have more events to poll: totalCount is equal to the limit. Polling again."/>
            <Set path="/ciscoSecureEmailData/keepRequesting" value="true" />
            <Set path="/ciscoSecureEmailData/offset" value="${/ciscoSecureEmailData/offset + /ciscoSecureEmailData/limit}" />
            <Log type="INFO" message="New Offset: ${/ciscoSecureEmailData/offset}" />
            <!-- Catch any status code other than 200: keep the code and message, drop the formatted
                 dates and the stored response, then abort with the code and message as the reason.
                 Presumably the abort also skips the startDate update after the loop, so the same
                 window is retried on the next run; confirm. -->
            <If condition="/ciscoSecureEmailData/response/status_code != 200">
                <SetStatus type="WARN" message="Status code was not 200" />
                <Set path="/ciscoSecureEmailData/status_code" value="${/ciscoSecureEmailData/response/status_code}" />
                <Set path="/ciscoSecureEmailData/status_message" value="${/ciscoSecureEmailData/response/status_message}" />
                <Delete path="/ciscoSecureEmailData/startDateFormatted"/>
                <Delete path="/ciscoSecureEmailData/endDateFormatted"/>
                <Delete path="/ciscoSecureEmailData/response"/>
                <Abort reason="${/ciscoSecureEmailData/status_code}: ${/ciscoSecureEmailData/status_message}" />
            </If>
            <Else>
                <!-- Status 200: report how many records came back and post them when there are any. -->
                <SetStatus type="INFO" message="We received a total of ${count(/ciscoSecureEmailData/response/body/data)} events with this query." />
                <If condition="${count(/ciscoSecureEmailData/response/body/data)} > 0">
                    <!-- Post the events, with the configured host as their source -->
                    <PostEvents path="/ciscoSecureEmailData/response/body/data" source="${/host}" />
                </If>

                <SetStatus type="INFO" message="totalCount is (${/ciscoSecureEmailData/response/body/meta/totalCount}), and the limit is (${/ciscoSecureEmailData/limit}). " />
            </Else>
        </DoWhile>

        <!-- Move the window forward for the next run and drop the stored response. -->
        <Set path="/ciscoSecureEmailData/startDate" value="${/ciscoSecureEmailData/endDate + (60 * 1000)}"/> <!-- Adding 1 minute to the query as this is the smallest accepted increment. This will be formatted again once the workflow starts again. NOTE(review): whether records stamped inside the minute of endDate are fully covered depends on how the endpoint treats the endDate bound; confirm. -->
        <Delete path="/ciscoSecureEmailData/response"/>
        <SetStatus type="INFO" message="Finished querying for events" />
    </Actions>

    <!-- Connectivity checks against the configured host: DNS resolution, TCP connection, SSL
         handshake, and an HTTP connection through the proxy. -->
    <Tests>
        <DNSResolutionTest host="${/host}"/>
        <TCPConnectionTest host="${/host}"/>
        <SSLHandshakeTest  host="${/host}"/>
        <HTTPConnectionThroughProxyTest url="https://${/host}"/>
    </Tests>

</Workflow>

Cisco Secure Email supported workflow parameter values

Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content to a text file. Replace the value placeholders with your own values. Then copy the updated content into the Workflow Parameter Values field.

<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
    <!-- Fill in each value before pasting this document into the Workflow Parameter Values field.
         The names match the parameters the workflow declares: username, password and host. -->
    <!-- Once filled in, this document holds the password in clear text. Remove any temporary copy
         after pasting and keep it out of shared folders and version control. -->
    <Value name="username" value=""/>
    <Value name="password" value=""/>
    <!-- The workflow builds its request URL as https://${/host}/..., so give the host name or IP
         only, without a scheme or path. -->
    <Value name="host" value=""/>
</WorkflowParameterValues>