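<?xml version="1.0" encoding="UTF-8"?>
<!--
The Workflow is used to get Orca Alerts via REST API.
Instructions:
https://docs.orcasecurity.io/docs/integrating-ibm-qradar
Parameters:
- "api_host" - Orca API host (required, default="api.orcasecurity.io"); substituted verbatim
  into the request URL, so it must be the bare host name (no scheme, path or credentials)
- "api_token" - Orca API token for QRadar, sent as the "authorization: Token ..." request
  header (required, secret)
- "api_start_date" - lower bound for the "state.last_updated" filter on the very first run
  (required, default="0")
State used across runs (the null check on /successful_event_start_time below relies on the
protocol keeping workflow state between runs):
- "/successful_event_start_time" - bookmark written only after a run completes; the next run
  fetches alerts whose state.last_updated is at or after it (gte), so an alert updated exactly
  at the bookmark may be delivered twice. This overlap is preferred to a gap.
- "/get_alerts" - the most recent HTTP response; the first request of a run reads its
  "next_page_token" (see the note at that request).
-->
<Workflow name="Orca Security" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
  <Parameters>
    <Parameter name="api_host" label="API Host" required="true" default="api.orcasecurity.io" />
    <Parameter name="api_token" label="API Token" required="true" secret="true" />
    <Parameter name="api_start_date" label="API Start Date" required="true" default="0" />
  </Parameters>
  <Actions>
    <!-- Clear the log source status before a new workflow run starts -->
    <ClearStatus />
    <!-- Capture the run start time BEFORE querying, so alerts updated while this run is in
         progress fall into the next run's window instead of being skipped. -->
    <Set path="/event_start_time" value="${time()}" />
    <!-- Resume from the bookmark of the last successful run, or from api_start_date on the first run. -->
    <If condition="/successful_event_start_time != null">
      <Set path="/last_updated" value="${/successful_event_start_time}" />
    </If>
    <Else>
      <Set path="/last_updated" value="${/api_start_date}" />
    </Else>
    <!-- First page. NOTE(review): "next_page_token" here reads /get_alerts left over from the
         previous run's final response; confirm that an absent or empty token is treated by the
         API as "start from the first page".
         NOTE(review): time() is interpolated directly into the state.last_updated range; confirm
         its format matches what the API expects for that field. -->
    <CallEndpoint url="https://${/api_host}/api/rules/query/alerts" method="POST" savePath="/get_alerts">
      <RequestHeader name="authorization" value="Token ${/api_token}" />
      <RequestBody type="application/json" encoding="UTF-8">
        {
          "limit": "100",
          "next_page_token":"${/get_alerts/body/next_page_token}",
          "dsl_filter": [
            {
              "field": "state.last_updated",
              "range": {"gte": "${/last_updated}"}
            }
          ]
        }
      </RequestBody>
    </CallEndpoint>
    <!-- Handle Errors. Aborting before the bookmark is advanced means a failed run is retried
         from the same window next time. -->
    <If condition="/get_alerts/status_code = 403">
      <Abort reason="Invalid Orca API Key" />
    </If>
    <If condition="/get_alerts/status_code >= 500">
      <Abort reason="Orca API is not available" />
    </If>
    <!-- Any other non-200 status surfaces the raw response body as the log source status. -->
    <If condition="/get_alerts/status_code != 200">
      <Abort reason="${/get_alerts/body}" />
    </If>
    <Log type="DEBUG" message="ORCA: Fetched ${count(/get_alerts/body/data)} Orca Alerts." />
    <!-- Post Events -->
    <If condition="count(/get_alerts/body/data) > 0">
      <PostEvents path="/get_alerts/body/data" source="${/api_host}" />
    </If>
    <!-- Fetch the rest of alerts. Each iteration repeats the same request with the token from the
         previous response, and stops once the API reports no further page. -->
    <While condition="/get_alerts/body/has_next_page_token">
      <CallEndpoint url="https://${/api_host}/api/rules/query/alerts" method="POST" savePath="/get_alerts">
        <RequestHeader name="authorization" value="Token ${/api_token}" />
        <RequestBody type="application/json" encoding="UTF-8">
          {
            "limit": "100",
            "next_page_token":"${/get_alerts/body/next_page_token}",
            "dsl_filter": [
              {
                "field": "state.last_updated",
                "range": {"gte": "${/last_updated}"}
              }
            ]
          }
        </RequestBody>
      </CallEndpoint>
      <!-- Handle Errors (same policy as the first page) -->
      <If condition="/get_alerts/status_code = 403">
        <Abort reason="Invalid Orca API Key" />
      </If>
      <If condition="/get_alerts/status_code >= 500">
        <Abort reason="Orca API is not available" />
      </If>
      <If condition="/get_alerts/status_code != 200">
        <Abort reason="${/get_alerts/body}" />
      </If>
      <Log type="DEBUG" message="ORCA: Fetched ${count(/get_alerts/body/data)} Orca Alerts." />
      <!-- Post Events -->
      <If condition="count(/get_alerts/body/data) > 0">
        <PostEvents path="/get_alerts/body/data" source="${/api_host}" />
      </If>
    </While>
    <!-- Advance the bookmark only after every page was fetched and posted. -->
    <Set path="/successful_event_start_time" value="${/event_start_time}" />
  </Actions>
  <!-- Connectivity checks against the configured Orca host -->
  <Tests>
    <DNSResolutionTest host="${/api_host}" />
    <TCPConnectionTest host="${/api_host}" />
    <SSLHandshakeTest host="${/api_host}" />
    <HTTPConnectionThroughProxyTest url="https://${/api_host}" />
  </Tests>
</Workflow>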