-
Notifications
You must be signed in to change notification settings - Fork 102
Expand file tree
/
Copy pathThreatCommand_workflow.xml
More file actions
77 lines (62 loc) · 3.53 KB
/
ThreatCommand_workflow.xml
File metadata and controls
77 lines (62 loc) · 3.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
<Workflow name="Qmasters Rapid7 ThreatCommand workflow for QRadar" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
<Parameters>
<Parameter name="hostname" label="Host Name" required="true" />
<Parameter name="account_id" label="Account ID" required="true" secret="true" />
<Parameter name="api_key" label="API Key" required="true" secret="true" />
<Parameter name="severity" label="Severity" required="false" />
<Parameter name="is_closed" label="Is Cloased" required="false" default="false" />
</Parameters>
<Actions>
<!-- Clear the log source status before a new workflow run starts -->
<ClearStatus />
<!-- Prepare the start date filter, based on the current bookmark -->
<Initialize path="/bookmark" value="${time() - 604800000}" />
<!-- Get Alert List -->
<CallEndpoint url="${/hostname}/public/v2/data/alerts/alerts-list" method="GET" savePath="/get_alert_list" >
<BasicAuthentication username="${/account_id}" password="${/api_key}" />
<QueryParameter name="isClosed" value="${/is_closed}" />
<QueryParameter name="severity" value="${/severity}" />
<QueryParameter name="foundDateFrom" value="${/bookmark}" />
</CallEndpoint>
<!-- Handle Errors -->
<If condition="/get_alert_list/status_code != 200">
<If condition="/get_alert_list/status_code = 403" >
<Abort reason="Invalid ThreatCommand API Key" />
</If>
<If condition="/get_alert_list/status_code >= 500" >
<Abort reason="ThreatCommand API is not available" />
</If>
<Abort reason="ThreatCommand abort reason: ${/get_alert_list}" />
</If>
<!-- Initialize a list to contain all alerts -->
<Set path="/alerts" value="[]" />
<!-- Get Alerts -->
<ForEach item="/alert_id" items="/get_alert_list/body">
<CallEndpoint url="${/hostname}/public/v1/data/alerts/get-complete-alert/${/alert_id}" method="GET" savePath="/get_alert_${/alert_id}" >
<BasicAuthentication username="${/account_id}" password="${/api_key}" />
</CallEndpoint>
<!-- Handle Errors -->
<If condition="/get_alert_${/alert_id}/status_code != 200">
<If condition="/get_alert_${/alert_id}/status_code = 404">
<Abort reason="ThreatCommand abort reason: ${/get_alert_${/alert_id}}"/>
</If>
<Abort reason="ThreatCommand abort reason: ${/get_alert_${/alert_id}}" />
</If>
<Add path="/alerts" value="${/get_alert_${/alert_id}/body}" />
</ForEach>
<!-- Post Event, if any -->
<If condition="count(/alerts) > 0">
<PostEvents path="/alerts" source="${/hostname}" />
<!-- Update the bookmark -->
<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss[.SSS]'Z'" timeZone="UTC" date="${max(/alerts/FoundDate)}" savePath="/last_event_time" />
<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" time="${/last_event_time + 1}" savePath="/bookmark" />
<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss[.SSS]'Z'" timeZone="UTC" date="${/bookmark}" savePath="/bookmark" />
</If>
</Actions>
<Tests>
<DNSResolutionTest host="${/hostname}" />
<TCPConnectionTest host="${/hostname}" />
<SSLHandshakeTest host="${/hostname}" />
<HTTPConnectionThroughProxyTest url="${/hostname}" expectedResponseStatus="404" />
</Tests>
</Workflow>