Universal Cloud REST API connector workflow for IBM Security QRadar

You can customize your workflow and workflow parameters based on the default workflow.

A workflow is an XML document that describes the event retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.

IBM Security QRadar default workflow

Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="Offenses_Forwarder" version="1.0" minimumRecurrence="60" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
    <Parameters>
        <Parameter name="host" label="Host" required="true" />
        <Parameter name="auth_token" label="Authorized Service Token" required="true" secret="true" />
        <Parameter name="query_type" label="Query Type" default="advanced_query" />
    </Parameters>
    <Actions>
        <If condition="exists /previousRunEndTimeSeconds" >
            <Log type="DEBUG" message="Detected /previousRunEndTimeSeconds: '${/previousRunEndTimeSeconds}', now calculating polling interval to set"/>
            <Set path="/pollingIntervalInMinutes" value="${ceil(((${time() / 1000} - ${/previousRunEndTimeSeconds}) / 60) + 1)}" />
            <Log type="DEBUG" message="About to update polling interval to ${/pollingIntervalInMinutes}"/>
            <CallEndpoint url="https://${/host}/console/plugins/app_proxy:offense_results/api/app_configuration" method="POST" savePath="/app_configuration/response">
                <RequestHeader name="SEC" value="${/auth_token}" />
                <RequestHeader name="Content-Type" value="application/json" />
                <RequestBody type="application/json" encoding="UTF-8"> { "polling_interval": ${/pollingIntervalInMinutes} } </RequestBody>
            </CallEndpoint>
            <If condition="/app_configuration/response/status_code != 200">
                <Abort reason="${/app_configuration/response/status_code}: ${/app_configuration/response/status_message}" />
            </If>
        </If>
        <CallEndpoint url="https://${/host}/console/plugins/app_proxy:offense_results/api/offense_results" method="GET" savePath="/offense_results/response">
            <QueryParameter name="query_type" value="${/query_type}" />
            <RequestHeader name="SEC" value="${/auth_token}" />
        </CallEndpoint>
        <If condition="/offense_results/response/status_code != 200">
            <Abort reason="${/offense_results/response/status_code}: ${/offense_results/response/status_message}" />
        </If>

        <If condition="${count(/offense_results/response/body)} > 0">
            <Log type="DEBUG" message="Response contains ${count(/offense_results/response/body)} offenses."/>
            <Set path="/offenses" value="${values(/offense_results/response/body)}" />
            <PostEvents path="/offenses" source="${/host}" />
        </If>
        <SetStatus type="INFO" message="Successfully queried for events." />

        <Set path="/previousRunEndTimeSeconds" value="${time() / 1000}" />

        <Delete path="/offense_results/response" />
        <Delete path="/app_configuration/response" />
    </Actions>
    <Tests>
        <DNSResolutionTest host="${/host}"/>
        <TCPConnectionTest host="${/host}"/>
        <SSLHandshakeTest host="${/host}" />
        <HTTPConnectionThroughProxyTest url="https://${/host}"/>
    </Tests>
</Workflow>

IBM Security QRadar default workflow parameters

Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

  1. Click the Copy to clipboard icon at the upper right of the code block, and then paste the content to a text file so that you can edit the values.
  2. Replace the values for the following parameters with your own values.
    Tip:
    • Remove the angle brackets when you replace the example text with your own values; a literal < inside an attribute value is not well-formed XML, so the template is rejected until every placeholder is replaced.
    • Don't include the https:// protocol in the host value. The workflow prepends https:// itself when it builds the endpoint URLs.

    Parameter                  Description
    <hostname/ip-address>      Replace <hostname/ip-address> with the hostname or IP address of the QRadar® App Host (or the QRadar Console if the app is running on the console).
    <your-auth-service-token>  Replace <your-auth-service-token> with the Authorized Service Token that you obtained in step 3e of ../qof/c_Qapps_OF_authTokens.html. The workflow declares this parameter as secret, so QRadar does not display it after you save it.
    <query_type>               Replace <query_type> with either "advanced_query" or "minimal_query". This parameter is optional; if you omit its Value element, the workflow's default of "advanced_query" is used. The "advanced_query" type retrieves all properties for each event and flow that is associated with offenses. The "minimal_query" type retrieves a minimal subset of properties. To reduce the size of the offense data received from the API, use "minimal_query".

  3. Copy the updated content into the Workflow Parameter Values field.
<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
    <Value name="host" value="<hostname/ip-address>" />
    <Value name="auth_token" value="<your-auth-service-token>" />
    <Value name="query_type" value="<'advanced_query' or 'minimal_query'>" />
</WorkflowParameterValues>
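The three steps above are easy to get wrong in ways the connector only reports after you save: a placeholder left in place makes the parameter values document malformed XML (a literal < is not allowed inside an attribute value), a required parameter such as host or auth_token can end up empty, and a scheme pasted into host produces URLs of the form https://https://... in the workflow's CallEndpoint actions. The following Python script is an added example, not code from the IBM page or from the Offense Forwarder app. It checks a workflow and parameter values pair offline, using only the required, secret and default attributes that the workflow declares and the two query types the page documents. The workflow sample is trimmed to its Parameters block, and the hostname and token in the filled-in sample are constructed values.

```python
"""Offline checks for a Universal Cloud REST API workflow and its parameter
values before they are pasted into the QRadar connector.

Added example; not code from the IBM page or from the Offense Forwarder app.
It only parses the two XML documents and never contacts QRadar.
"""
import re
import xml.etree.ElementTree as ET

# Namespaces of the V2 schemas, as used in the page's two XML documents.
WF_NS = "http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2"
PV_NS = "http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2"

# The two query types the page documents for the query_type parameter.
QUERY_TYPES = {"advanced_query", "minimal_query"}

# A literal '<' is illegal inside an XML attribute value, so a template with
# <placeholders> left in is not well-formed and must be caught before parsing.
PLACEHOLDER = re.compile(r'value="(<[^"]*>)"')

# Constructed sample: the <Parameters> block of the page's default workflow.
# The <Actions> and <Tests> sections are omitted because they are not needed here.
WORKFLOW_XML = f"""<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="Offenses_Forwarder" version="1.0" minimumRecurrence="60" xmlns="{WF_NS}">
    <Parameters>
        <Parameter name="host" label="Host" required="true" />
        <Parameter name="auth_token" label="Authorized Service Token" required="true" secret="true" />
        <Parameter name="query_type" label="Query Type" default="advanced_query" />
    </Parameters>
</Workflow>"""

# Constructed sample: the parameter values template exactly as the page shows it.
TEMPLATE_VALUES_XML = f"""<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="{PV_NS}">
    <Value name="host" value="<hostname/ip-address>" />
    <Value name="auth_token" value="<your-auth-service-token>" />
    <Value name="query_type" value="<'advanced_query' or 'minimal_query'>" />
</WorkflowParameterValues>"""

# Constructed sample with made-up values (the hostname and token are not real).
FILLED_VALUES_XML = f"""<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="{PV_NS}">
    <Value name="host" value="qradar-apphost.example.com" />
    <Value name="auth_token" value="00000000-1111-2222-3333-444444444444" />
    <Value name="query_type" value="minimal_query" />
</WorkflowParameterValues>"""


def parse_workflow_parameters(workflow_xml):
    """Map parameter name -> {required, secret, default} from the <Parameters> block."""
    root = ET.fromstring(workflow_xml)
    params = {}
    for p in root.iter(f"{{{WF_NS}}}Parameter"):
        params[p.get("name")] = {
            "required": p.get("required", "false").lower() == "true",
            "secret": p.get("secret", "false").lower() == "true",
            "default": p.get("default"),
        }
    return params


def parse_parameter_values(values_xml):
    """Map parameter name -> value from the <WorkflowParameterValues> document."""
    root = ET.fromstring(values_xml)
    return {v.get("name"): v.get("value", "") for v in root.iter(f"{{{PV_NS}}}Value")}


def check(workflow_xml, values_xml):
    """Return a list of findings; an empty list means the pair looks consistent."""
    leftovers = PLACEHOLDER.findall(values_xml)
    if leftovers:
        # Stop here: ET.fromstring would raise ParseError on the same input.
        return [f"placeholder not replaced: {p}" for p in leftovers]
    params = parse_workflow_parameters(workflow_xml)
    values = parse_parameter_values(values_xml)
    findings = []
    for name, meta in params.items():
        if not values.get(name):
            if meta["required"]:
                findings.append(f"required parameter '{name}' has no value")
            elif meta["default"] is None:
                findings.append(f"optional parameter '{name}' has no value and no default")
    for name in values:
        if name not in params:
            findings.append(f"value '{name}' is not declared as a workflow parameter")
    # The workflow builds https://${/host}/... itself, so host must be bare.
    if "://" in values.get("host", ""):
        findings.append("host must be a bare hostname or IP address, without https://")
    query_type = values.get("query_type") or params.get("query_type", {}).get("default")
    if query_type not in QUERY_TYPES:
        findings.append(f"query_type '{query_type}' is not one of {sorted(QUERY_TYPES)}")
    return findings


def effective_parameters(workflow_xml, values_xml):
    """Values the workflow would run with (defaults applied), secrets masked for logging."""
    params = parse_workflow_parameters(workflow_xml)
    values = parse_parameter_values(values_xml)
    result = {}
    for name, meta in params.items():
        value = values.get(name) or meta["default"]
        result[name] = "********" if meta["secret"] and value else value
    return result


if __name__ == "__main__":
    for label, doc in (("template", TEMPLATE_VALUES_XML), ("filled", FILLED_VALUES_XML)):
        print(label, check(WORKFLOW_XML, doc) or "OK")
    print(effective_parameters(WORKFLOW_XML, FILLED_VALUES_XML))
```

Run against the unedited template, check reports the three placeholders and nothing else, because parsing cannot proceed; against the filled-in sample it reports nothing, and effective_parameters shows the token masked, which is the same treatment the secret="true" attribute asks QRadar to apply. Omitting the query_type Value element is accepted because the workflow supplies a default for it.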