Universal Cloud REST API connector workflow for Vectra Threat Detection and Response Platform
You can customize your workflow and workflow parameters based on the default workflow.
A workflow is an XML document that describes the event retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.
Vectra Threat Detection and Response Platform default workflow
Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.
Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.
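<?xml version="1.0" encoding="UTF-8" ?>
<!--
  Polls the Vectra /detections endpoint and posts every detection whose
  last_timestamp is at or after the stored bookmark.

  State layout:
    /bookmark/startTimeMilli  persisted across runs; lower bound of the next query (epoch ms).
    /vectraAlerts/*           per-run scratch, discarded at the end of a successful run.
    /queryUrl                 URL of the page currently being fetched.

  The bookmark lives outside /vectraAlerts on purpose: deleting /vectraAlerts at the end of
  a run must not wipe it, otherwise Initialize would reset it to "seven days ago" on every
  poll and the same week of detections would be re-ingested each time.
-->
<Workflow name="VectraAlerts" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <!-- Host name only: the workflow prepends https:// and appends /api/... itself. -->
    <Parameter name="host" label="Provide the host to run the query on." required="true" />
    <!-- secret="true" keeps the token masked in the connector UI. -->
    <Parameter name="apiToken" label="Provide the API Token to use for authentication to the host." required="true" secret="true"/>
    <Parameter name="apiVersion" label="Provide the version of the API we are hitting" required="true" default="v2.2" />
    <!-- Detections requested per page. The default of 1 means one HTTP request per detection;
         raise it to cut the number of API calls per poll. -->
    <Parameter name="pageSize" label="Provide the number of detections to request per page." required="false" default="1" />
  </Parameters>
  <Actions>
    <!-- First run only: look back seven days. On later runs the persisted bookmark is kept. -->
    <Initialize path="/bookmark/startTimeMilli" value="${time() - (60000 * 60 * 24 * 7)}"/>
    <!-- Capture the run start now; it becomes the next bookmark once this run succeeds. -->
    <Set path="/vectraAlerts/runStartMilli" value="${time()}"/>
    <!-- The API takes the lower bound as an ISO 8601 UTC timestamp. -->
    <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS" timeZone="UTC" savePath="/vectraAlerts/startTime" time="${/bookmark/startTimeMilli}"/>
    <Set path="/queryUrl" value="https://${/host}/api/${/apiVersion}/detections" />
    <!-- Follow the API's own pagination links until it stops returning one. -->
    <DoWhile condition="not empty(/vectraAlerts/response/body/next)">
      <!-- NOTE(review): after the first page, /queryUrl is whatever the previous response's
           "next" field contained, and the Authorization header below is sent to it. Vectra
           returns links on the same host; confirm that still holds in your deployment
           (for example, when the appliance sits behind a proxy). -->
      <CallEndpoint url="${/queryUrl}" method="GET" savePath="/vectraAlerts/response">
        <QueryParameter name="last_timestamp_gte" value="${/vectraAlerts/startTime}" omitIfEmpty="true"/>
        <QueryParameter name="page_size" value="${/pageSize}" omitIfEmpty="true"/>
        <QueryParameter name="ordering" value="last_timestamp" omitIfEmpty="true"/>
        <RequestHeader name="Authorization" value="Token ${/apiToken}"/>
        <RequestHeader name="Content-Type" value="application/json" />
        <RequestHeader name="Accept" value="application/json" />
      </CallEndpoint>
      <!-- Anything other than 200: log the API's reason and abort. Abort runs before any
           cleanup so that the status code and message are still readable when the reason is
           built. The bookmark is deliberately not advanced, so the next run retries the same
           window; the scratch paths under /vectraAlerts and /queryUrl are overwritten at the
           top of the next run. -->
      <If condition="/vectraAlerts/response/status_code != 200">
        <Log type="INFO" message="Could not retrieve data for the following reason: [${/vectraAlerts/response/body/detail}]"/>
        <Abort reason="${/vectraAlerts/response/status_code}: ${/vectraAlerts/response/status_message}" />
      </If>
      <PostEvents path="/vectraAlerts/response/body/results" source="${/host}" />
      <Log type="DEBUG" message="Posted ${count(/vectraAlerts/response/body/results)} entities to the pipeline."/>
      <If condition="not empty(/vectraAlerts/response/body/next)">
        <Log type="DEBUG" message="Next page value found, setting new query string to [${/vectraAlerts/response/body/next}]."/>
        <Set path="/queryUrl" value="${/vectraAlerts/response/body/next}"/>
      </If>
      <Else>
        <Log type="DEBUG" message="No next page value found. Completed pulling events."/>
      </Else>
    </DoWhile>
    <!-- Only reached when every page was fetched: move the bookmark to just past this run's
         start time. The query has no upper bound, so detections updated after runStartMilli
         were already posted in this run and may be returned again by the next one. -->
    <Set path="/bookmark/startTimeMilli" value="${/vectraAlerts/runStartMilli + 1}"/>
    <Log type="DEBUG" message="Update the bookmark to the running max time: ${/bookmark/startTimeMilli}" />
    <!-- Drop per-run scratch state; /bookmark is kept. -->
    <Delete path="/queryUrl"/>
    <Delete path="/vectraAlerts"/>
  </Actions>
  <Tests>
    <DNSResolutionTest host="${/host}"/>
    <TCPConnectionTest host="${/host}"/>
    <SSLHandshakeTest host="${/host}"/>
    <HTTPConnectionThroughProxyTest url="https://${/host}"/>
  </Tests>
</Workflow>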
Vectra Threat Detection and Response Platform default workflow parameters
Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.
Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into a text editor. Set the value of host to your Vectra host name (the host name only, without https:// or a path, because the workflow builds the URL itself) and the value of apiToken to your Vectra API token. Then copy the updated content into the Workflow Parameter Values field. The API token is a credential: do not leave the edited file on disk or check it into version control after you have pasted it into the connector.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Values for the parameters declared in the VectraAlerts workflow. Fill in host and
     apiToken before pasting this document into the Workflow Parameter Values field. -->
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
<!-- Host name of the Vectra appliance only (no scheme, port or path); the workflow builds
     https://host/api/... from it. -->
<Value name="host" value=""/>
<!-- Vectra API token. Treat this document as a credential once it is filled in. -->
<Value name="apiToken" value=""/>
<!-- Overrides the v2.2 default declared in the workflow; make sure it matches the API
     version your Vectra release serves. -->
<Value name="apiVersion" value="v2.5"/>
</WorkflowParameterValues>