Universal Cloud REST API connector workflow for QRadar EDR

You can customize your workflow and workflow parameters based on the default workflow.

A workflow is an XML document that describes the alert retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.

IBM Security QRadar EDR default workflow

Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

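<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="QRadarEDR" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
    <!--
        QRadar EDR alert-retrieval workflow for the Universal Cloud REST API connector.

        Flow per run: authenticate once, page through /rqt-api/1/alerts ordered by
        receivedAt, enrich each alert with its events (eventType 65 and 90), post it,
        and advance a persisted receivedAfter bookmark so the next run continues where
        this one stopped instead of re-posting alerts already sent.
    -->
    <Parameters>
        <!-- Values for these come from the Workflow Parameter Values document. -->
        <Parameter name="app_id"           label="QRadar EDR Application ID"       required="true" />
        <!-- secret="true" marks the value as a secret rather than an ordinary string. -->
        <Parameter name="secret_key"       label="QRadar EDR secret key"           required="true"     secret="true"/>
        <!-- Bare hostname or IP; the scheme and port are added where the URLs are built below. -->
        <Parameter name="qradarEdr_host"   label="QRadar EDR Host / IP Address"    required="true" />
        <Parameter name="port"             label="QRadar EDR Host Port"            required="false"    default="443"/>
    </Parameters>
    <Actions>
        <!--
            Bookmark in milliseconds since the epoch, starting 7 days back.
            NOTE(review): the bookmark logic relies on Initialize not overwriting a value
            that is already present in state from an earlier run; confirm that against
            the connector documentation.
        -->
        <Initialize path="/qradarEdrData/receivedAfterMilli" value="${time() - (60000 * 60 * 24 * 7)}" />
        <!-- Same bookmark as the ISO 8601 UTC string expected by the receivedAfter query parameter. -->
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="GMT" time="${/qradarEdrData/receivedAfterMilli}" savePath="/qradarEdrData/receivedAfter_Formatted" />

        <!-- Reset the page URL on every run; the pagination loop overwrites it with nextPage links. -->
        <Set path="/qradarEdrData/url" value="https://${/qradarEdr_host}:${/port}/rqt-api/1/alerts"/>

        <!-- Get Auth Token: exchange app_id and secret_key for a bearer token. -->
        <CallEndpoint url="https://${/qradarEdr_host}:${/port}/rqt-api/1/authenticate" method="POST" savePath="/qradarEdrAuth/response">
            <RequestHeader name="Content-Type" value="application/json" />
            <RequestHeader name="Host" value="${/qradarEdr_host}" />
            <RequestBody type="application/json" encoding="UTF-8">
                {
                "secret":"${/secret_key}",
                "id": "${/app_id}"
                }
            </RequestBody>
        </CallEndpoint>

        <!-- Stop on any non-200. The reason carries only the status code and message, never the response body. -->
        <If condition="/qradarEdrAuth/response/status_code != 200">
            <Abort reason="${/qradarEdrAuth/response/status_code}: ${/qradarEdrAuth/response/status_message}" />
        </If>
        <Set path="/qradarEdrAuth/token" value="${/qradarEdrAuth/response/body/token}"/>
        <!-- Oldest first; the bookmark update below takes max(receivedAt) of each page. -->
        <Set path="/qradarEdrData/sortBy" value="receivedAt:asc"/>

        <!-- Get alerts: one loop iteration per page; the loop ends when a page has no nextPage link. -->
        <DoWhile condition="not empty(/qradarEdrData/response/body/nextPage)">
            <CallEndpoint url="${/qradarEdrData/url}" method="GET" savePath="/qradarEdrData/response">
                <!-- Both parameters are blanked after the first page; omitIfEmpty then drops them so the nextPage URL is used as-is. -->
                <QueryParameter name="receivedAfter" value="${/qradarEdrData/receivedAfter_Formatted}" omitIfEmpty="true" />
                <QueryParameter name="sortBy" value="${/qradarEdrData/sortBy}" omitIfEmpty="true" />

                <RequestHeader name="Content-Type" value="application/json" />
                <RequestHeader name="Authorization" value="Bearer ${/qradarEdrAuth/token}" />
                <RequestHeader name="Host" value="${/qradarEdr_host}" />
            </CallEndpoint>

            <If condition="/qradarEdrData/response/status_code != 200">
                <Abort reason="${/qradarEdrData/response/status_code}: ${/qradarEdrData/response/status_message}" />
            </If>

            <!-- "Offenses" in this message means EDR alerts; the count is the number of results on this page. -->
            <Log type="DEBUG" message="We received a total of ${count(/qradarEdrData/response/body/result)} Offenses." />
            <Log type="DEBUG" message="Remaining alerts to retrieve: ${/qradarEdrData/response/body/remainingItems}" />

            <!-- Request alert info: enrich every alert on the page with its events before posting it. -->
            <ForEach item="/qradarEdrData/currentEvent" items="/qradarEdrData/response/body/result">

                <!-- URL for fetching additional alert information -->
                <Set path="/qradarEdrData/alertDetailsUrl" value="https://${/qradarEdr_host}:${/port}/rqt-api/1/alert/${/qradarEdrData/currentEvent/id}/events"/>

                <CallEndpoint url="${/qradarEdrData/alertDetailsUrl}" method="GET" savePath="/qradarEdrData/responseAlertDetails">
                    <!-- eventType is sent twice on purpose; presumably the API treats it as a list filter. -->
                    <QueryParameter name="eventType" value="65" />
                    <QueryParameter name="eventType" value="90" />
                    <RequestHeader name="Content-Type" value="application/json" />
                    <RequestHeader name="Authorization" value="Bearer ${/qradarEdrAuth/token}" />
                    <RequestHeader name="Host" value="${/qradarEdr_host}" />
                </CallEndpoint>

                <!--
                    Check this call like the other two, so an error response is never merged into
                    the alert. The bookmark has not been advanced yet for this page, so an aborted
                    run retries the same page next time.
                -->
                <If condition="/qradarEdrData/responseAlertDetails/status_code != 200">
                    <Abort reason="Alert ${/qradarEdrData/currentEvent/id} events: ${/qradarEdrData/responseAlertDetails/status_code}: ${/qradarEdrData/responseAlertDetails/status_message}" />
                </If>

                <!-- NOTE(review): this guard inspects the alert itself, not the events response; to skip alerts with no events, test /qradarEdrData/responseAlertDetails/body/result instead. -->
                <If condition="${count(/qradarEdrData/currentEvent)} > 0">
                    <!-- Attach the events to the alert under mergedAlertDetails. -->
                    <Copy targetPath="/qradarEdrData/currentEvent/mergedAlertDetails" sourcePath="/qradarEdrData/responseAlertDetails/body/result" />
                    <!-- Post the alert, with its merged events, using the EDR host as the event source. -->
                    <PostEvent path="/qradarEdrData/currentEvent" source="${/qradarEdr_host}" />
                </If>
            </ForEach>

            <!--
                Advance the bookmark past the newest alert on this page. This runs for every
                page, including the last (or only) one, so a run whose results fit in a single
                page does not re-fetch and re-post the same alerts on the next run. max() needs
                at least one result, hence the guard.
            -->
            <If condition="${count(/qradarEdrData/response/body/result)} > 0">
                <ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" date="${max(/qradarEdrData/response/body/result/receivedAt)}" timeZone="UTC" savePath="/qradarEdrData/receivedAfterMilli"/>
                <!-- +1 ms so the alert just posted is excluded; assumes receivedAfter is inclusive, and an alert sharing that exact millisecond would be skipped too. -->
                <Set path="/qradarEdrData/receivedAfterMilli" value="${/qradarEdrData/receivedAfterMilli + 1}" />
            </If>

            <!-- Set the next page if present -->
            <If condition="not empty(/qradarEdrData/response/body/nextPage)">
                <Log type="DEBUG" message="Response contained a next page link." />
                <Set path="/qradarEdrData/url" value="${/qradarEdrData/response/body/nextPage}" />
                <!-- Unset the query parameters so they do not override the nextPage link on later iterations -->
                <Set path="/qradarEdrData/sortBy" value=""/>
                <Set path="/qradarEdrData/receivedAfter_Formatted" value="" />
            </If>

        </DoWhile>
        <SetStatus type="INFO" message="Successfully queried for events." />
        <!--
            Clear per-run data and the bearer token from state. NOTE(review): these Deletes are
            not reached when an Abort fires above, so a failed run can leave the token in state
            until the next successful run; confirm whether that is acceptable for your deployment.
        -->
        <Delete path="/qradarEdrData/response" />
        <Delete path="/qradarEdrData/responseAlertDetails" />
        <Delete path="/qradarEdrData/alertDetailsUrl" />
        <Delete path="/qradarEdrAuth/response" />
        <Delete path="/qradarEdrAuth/token" />
    </Actions>
    <Tests>
        <!-- The resolver test takes a bare host, not a URL; the TCP test below uses the same form. -->
        <DNSResolutionTest host="${/qradarEdr_host}"/>
        <TCPConnectionTest host="${/qradarEdr_host}" port="${/port}"/>
        <HTTPConnectionThroughProxyTest url="https://${/qradarEdr_host}:${/port}"/>
    </Tests>
</Workflow>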

QRadar EDR default workflow parameters

Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

  1. Click the Copy to clipboard icon at the upper right of the code block, and then paste the content to a text file.
  2. Replace the values for <app_id>, <secret_key>, <qradarEdr_host>, and <port> with your own values.
  3. Copy the updated content into the Workflow Parameter Values field.
<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
        <!-- Each Value name corresponds to a Parameter of the same name in the workflow. -->
        <Value name="app_id"                            value="App ID goes here"/>
        <!-- The workflow declares secret_key as a secret, but this document holds it in clear text; treat any copy saved outside QRadar accordingly. -->
        <Value name="secret_key"                        value="Secret Key Goes here"/>
        <!-- Bare hostname or IP address, without a scheme; the workflow builds the https://host:port URLs itself. -->
        <Value name="qradarEdr_host"                    value="QRadar EDR Hostname or IP goes here"/>
        <!-- Optional in the workflow (default 443); change only for a non-standard listener. -->
        <Value name="port"                              value="443"/>
</WorkflowParameterValues>