Feature/fortress update #37

wants to merge 2 commits into
base: develop
2 changes: 1 addition & 1 deletion fortress-platform/README.md
Expand Up @@ -50,8 +50,8 @@ The parameters XML document specifies the user settings for this log source, inc
Parameter | Name | Default Value | Type | Required (True/False) | Description
--- | --- | --- | --- |--- |---
api_host | API Host | https://\<your instance> | String | True | URL for the instance.
api_id | API ID | False | Authentication | True | Fortress API id for QRadar
api_key | API Key | False | Authentication | True | Fortress API key for QRadar
api_secret | API Secret | False | Authentication | True | Fortress API secret for QRadar
severity | Severity | "CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE" | array of strings | False | this parameter is an array of strings used to filter alerts by severity.
status | Status | "OPEN", "CLOSED", "DISMISSED", "QUARANTINED" | array of strings | False | this parameter is an array of strings used to filter alerts by status.
service_type | Service Type | "EDP", "MAIL", "CLOUD_STORAGE", "VMDR" | array of strings | False | this parameter is an array of strings used to filter alerts by service type.
12 changes: 7 additions & 5 deletions fortress-platform/fortress-parameters.xml
@@ -1,12 +1,14 @@
<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
<!-- "identifier" - The log source identifier to post the events to (required). -->
<Value name="identifier" value="fortress"/>

<!-- "api_host" - Fortress API host (Default="https://develop-api.qfortress.ai")-->
<Value name="api_host" value="<insert your api host here>"/>
<!-- "api_host" - Fortress API host (Default="api-external.fortresscyber.io")-->
<Value name="api_host" value="api-external.fortresscyber.io"/>
<!-- "api_id" - Fortress API ID for QRadar (required) -->
<Value name="api_id" value=""/>
<!-- "api_key" - Fortress API key for QRadar (required) -->
<Value name="api_key" value="<insert your api key here>"/>
<!-- "api_secert" - Fortress API secret for QRadar (required) -->
<Value name="api_secert" value="<insert your api secret here>"/>
<Value name="api_key" value=""/>

<!-- "severity" - Fortress alert severity, can be multiple separated by commas, allowed values: CRITICAL,HIGH,MEDIUM,LOW,NONE. (Default=All). (optional) -->
<Value name="severity" value='"CRITICAL","HIGH","MEDIUM","LOW","NONE"'/>
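Review bot: The comment above the new `api_key` line still describes it as the "Fortress API key", but the updated workflow in this PR sends `${/api_key}` as the `x-api-secret` header and `${/api_id}` as `x-api-key`, so an operator reading this file will paste the key where the secret belongs. Suggest `<!-- "api_id" - Fortress API key ID for QRadar, sent as x-api-key (required) -->` and `<!-- "api_key" - Fortress API secret for QRadar, sent as x-api-secret (required) -->`, or rename the parameter to `api_secret` consistently across the workflow, this file and the README. The README table in this PR still documents three authentication parameters (`api_id`, `api_key`, `api_secret`) where the workflow now declares two, so it needs the same reconciliation. Since this is the file operators fill with a live secret, a one-line comment reminding them not to commit a populated copy would also be worth adding.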
14 changes: 7 additions & 7 deletions fortress-platform/fortress-workflow.xml
@@ -1,8 +1,9 @@
<Workflow name="Qmasters Fortress workflow for QRadar" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
<Parameters>
<Parameter name="identifier" label="Log Source Identifier" required="true" />
<Parameter name="api_host" label="Host Name" required="true" />
<Parameter name="api_key" label="API Key" required="true" secret="true" />
<Parameter name="api_secert" label="API Secret" required="true" secret="true" />
<Parameter name="api_id" label="API Key" required="true" secret="true" />
<Parameter name="api_key" label="API Secret" required="true" secret="true" />
<Parameter name="severity" label="Severity" required="false" default="CRITICAL,HIGH,MEDIUM,LOW,NONE"/>
<Parameter name="status" label="Status" required="false" default="OPEN,CLOSED,DISMISSED,QUARANTINED,NO_CAPACITY,DETECTED,MITIGATED" />
<Parameter name="service_type" label="Service Type" required="false" default="EDP,WEB,MAIL,CLOUD_STORAGE,VMDR,ATTACK_SIMULATOR,MERLIN_AI,SANDBOX" />
Expand All @@ -24,9 +25,9 @@
<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="${/time_zone}" savePath="/end_date" />

<!-- Get Alerts -->
<CallEndpoint url="${/api_host}/v1/alert/search" method="POST" savePath="/get_alerts" >
<RequestHeader name="x-api-key" value="${/api_key}" />
<RequestHeader name="x-api-secret" value="${/api_secert}" />
<CallEndpoint url="https://${/api_host}/v1/alert/search" method="POST" savePath="/get_alerts" >
<RequestHeader name="x-api-key" value="${/api_id}" />
<RequestHeader name="x-api-secret" value="${/api_key}" />
<RequestBody type="application/json" encoding="UTF-8">
{
"pagination": {
Expand Down Expand Up @@ -75,7 +76,7 @@

<!-- Post Events, if any -->
<If condition="count(/get_alerts/body/records) > 0">
<PostEvents path="/get_alerts/body/records" source="${/api_host}" />
<PostEvents path="/get_alerts/body/records" source="${/identifier}" />

<!-- Update the bookmark -->
<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss[.SSS]'Z'" timeZone="${/time_zone}" date="${max(/get_alerts/body/records/createdAt)}" savePath="/last_event_time" />
Expand All @@ -90,7 +91,6 @@
<Tests>
<DNSResolutionTest host="${/api_host}" />
<TCPConnectionTest host="${/api_host}" />
<SSLHandshakeTest host="${/api_host}" />
<HTTPConnectionThroughProxyTest url="${/api_host}" expectedResponseStatus="404" />
</Tests>
</Workflow>
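Review bot: `HTTPConnectionThroughProxyTest url="${/api_host}"` now receives a bare hostname, because the `https://` scheme has moved out of `api_host` and into the `CallEndpoint` URL in the hunk above; the test URL should be assembled the same way, `<HTTPConnectionThroughProxyTest url="https://${/api_host}" expectedResponseStatus="404" />`, otherwise it does not exercise the TLS endpoint the workflow actually calls. If `SSLHandshakeTest` is the line this hunk drops, consider keeping it, since it is the only test that checks the certificate of a host that is now defaulted to a fixed value and always reached over HTTPS. Separately, the parameter named `api_key` is labelled "API Secret" and sent as `x-api-secret`, while `api_id` is labelled "API Key" and sent as `x-api-key`; both are correctly marked `secret="true"`, but the name/label inversion will confuse anyone mapping parameters to headers, and `api_secret` would be the clearer internal name.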