Nozomi Networks Add Alert Update Workflow and Improve Authentication Resilience #303

Community Developed/NozomiNetworks/Universal/NN-Universal-Alert-Updated-Workflow.xml

@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<Workflow name="NN-Universal-Alert-Updated" version="1.0" minimumRecurrence="180" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+  <Parameters>
+    <Parameter name="host" label="Host" required="true" />
+    <Parameter name="key_name" label="Key Name" required="true" />
+    <Parameter name="key_token" label="Key Token" required="true" secret="true" />
+  </Parameters>
+
+  <Actions>
+<!--    <Initialize path="/bookmark_alert" value="0" />-->
+    <Initialize path="/bookmark_alert" value="${time() - 36000000}" />
+    <Initialize path="/size" value="500" />
+    <Initialize path="/alert_page" value="1" />
+
+    <CallEndpoint url="https://${/host}/api/open/sign_in" method="POST" savePath="/sign_in">
+      <RequestBody type="application/json" encoding="UTF-8">{ "key_name": "${/key_name}", "key_token": "${/key_token}" }</RequestBody>
+    </CallEndpoint>
+
+    <Log type="INFO" message="NN Universal Alert Updated sign_in ${/sign_in/status_code}"/>
+
+    <If condition="/sign_in/status_code != 200">
+      <Log type="ERROR" message="NN Universal Alert Updated sign_in fail ${/sign_in/status_code}" />
+      <Abort reason="${/sign_in/status_code}" />
+    </If>
+
+    <Set path="/bearer_token" value="${/sign_in/headers/Authorization}"/>
+    <If condition="/bearer_token = null">
+      <Set path="/bearer_token" value="${/sign_in/headers/authorization}"/>
+    </If>
+
+    <Log type="INFO" message="NN Universal Alert Updated Sign in successfully done alert bookmark ${/bookmark_alert}" />
+
+    <!--  GET ALERTS-->
+    <DoWhile condition="${count(/alerts/body/result)} = ${/size}">
+      <CallEndpoint url="https://${/host}/api/open/query/do?query=alerts%20%7C%20select%20id%20type_id%20name%20protocol%20description%20ip_src%20ip_dst%20mac_src%20mac_dst%20time%20port_dst%20type_name%20appliance_host%20port_src%20port_dst%20severity%20risk%20src_roles%20dst_roles%20ack%20closed_time%20is_incident%20note%20transport_protocol%20is_security%20label_src%20label_dst%20created_time%20status%20zone_src%20zone_dst%20threat_name%20record_updated_at%20%7C%20where%20record_updated_at%20%3E%20${/bookmark_alert}%20%7C%20sort%20record_updated_at%20asc" method="GET" savePath="/alerts">
+        <QueryParameter name="count" value="${/size}"/>
+        <QueryParameter name="page" value="${/alert_page}"/>
+        <QueryParameter name="default_filters" value="false"/>
+        <QueryParameter name="skip_total_count" value="true"/>
+        <RequestHeader name="Authorization" value="${/bearer_token}"/>
+        <RequestHeader name="nn-app" value="qradar-app"/>
+        <RequestHeader name="nn-app-version" value="1.0.1"/>
+      </CallEndpoint>
+
+      <If condition="/alerts/status_code != 200">
+        <Log type="ERROR" message="NN Universal Alert Updated fail status code ${/alerts/status_code}" />
+        <Abort reason="${/alerts/status_code}"/>
+      </If>
+
+      <If condition="${count(/alerts/body/result)} != 0">
+        <PostEvents path="/alerts/body/result" source="${/host}_${/key_name}_Alert" />
+
+        <Set path="/alert_page" value="${/alert_page + 1}" />
+
+        <If condition="${count(/alerts/body/result)} != ${/size} or ${/alert_page} = 100">
+          <If condition="max(/alerts/body/result/record_updated_at) != null">
+            <Set path="/alert_page" value="1" />
+            <Set path="/bookmark_alert" value="${max(/alerts/body/result/record_updated_at)}" />
+            <Log type="INFO" message="NN Universal Alert Updated bookmark upgraded to ${/bookmark_alert}" />
+          </If>
+        </If>
+      </If>
+
+      <Log type="INFO" message="NN Universal Alert Updated notified count => ${count(/alerts/body/result)} alert_page ${/alert_page} and bookmark ${/bookmark_alert}" />
+    </DoWhile>
+  </Actions>
+  <Tests>
+    <DNSResolutionTest host="${/host}" />
+    <TCPConnectionTest host="${/host}" />
+    <SSLHandshakeTest host="${/host}" />
+    <HTTPConnectionThroughProxyTest url="https://${/host}" />
+  </Tests>
+</Workflow>

Community Developed/NozomiNetworks/Universal/NN-Universal-Alert-Workflow.xml

@@ -8,7 +8,7 @@
   </Parameters>
 
   <Actions>
-    <!--    <Initialize path="/bookmark_alert" value="0" />-->
+  <!--    <Initialize path="/bookmark_alert" value="0" />-->
     <Initialize path="/bookmark_alert" value="${time() - 36000000}" />
     <Initialize path="/size" value="500" />
     <Initialize path="/alert_page" value="1" />
@@ -25,6 +25,9 @@
     </If>
 
     <Set path="/bearer_token" value="${/sign_in/headers/Authorization}"/>
+    <If condition="/bearer_token = null">
+      <Set path="/bearer_token" value="${/sign_in/headers/authorization}"/>
+    </If>
 
 <!--    <Log type="INFO" message="NN Universal Alert Sign in successfully done alert bookmark ${/bookmark_alert}" />-->
 
@@ -37,7 +40,7 @@
         <QueryParameter name="skip_total_count" value="true"/>
         <RequestHeader name="Authorization" value="${/bearer_token}"/>
         <RequestHeader name="nn-app" value="qradar-app"/>
-        <RequestHeader name="nn-app-version" value="1.0.0"/>
+        <RequestHeader name="nn-app-version" value="1.1.0"/>
       </CallEndpoint>
 
       <If condition="/alerts/status_code != 200">

Community Developed/NozomiNetworks/Universal/NN-Universal-Asset-Workflow.xml

@@ -24,6 +24,9 @@
       <Abort reason="${/sign_in/status_code}" />
     </If>
     <Set path="/bearer_token" value="${/sign_in/headers/Authorization}"/>
+    <If condition="/bearer_token = null">
+      <Set path="/bearer_token" value="${/sign_in/headers/authorization}"/>
+    </If>
 
     <!--    <Log type="INFO" message="NN Universal Asset Sign in successfully done asset bookmark ${/bookmark_asset}" />-->
 
@@ -36,7 +39,7 @@
         <QueryParameter name="skip_total_count" value="true"/>
         <RequestHeader name="Authorization" value="${/bearer_token}"/>
         <RequestHeader name="nn-app" value="qradar-app"/>
-        <RequestHeader name="nn-app-version" value="1.0.0"/>
+        <RequestHeader name="nn-app-version" value="1.1.0"/>
       </CallEndpoint>
 
       <If condition="/assets/status_code != 200">

Community Developed/NozomiNetworks/Universal/README.md

@@ -2,7 +2,7 @@
 
 #### Author Name: Nozomi Networks
 #### Maintainer Name: NozomiNetworks
-#### Version Number: 1.0.0
+#### Version Number: 1.2.0
 #### Event Types Currently Supported by the workflows: Alerts and Assets
 
 #### Workflow Parameter Values
@@ -13,12 +13,26 @@ To generate the `key_name` and the `key_token` follow the Vantage guide.
 The host must without the protocol `http`
 ```nozominetworkscom.customers.vantage.io```
 
-
 #### Workflows
-The workflows are two, are thought to be used to configure LogSource to get Assets and Alerts from an host.
-It could be useful to get the Alerts only from a given time, to do it you can modify the Workflow bookmark initialization; for example if you want to get the Alerts from the last hour you can initialize the bookmark as:
+The workflows included are used to configure Log Sources to retrieve **Assets** and **Alerts** from a Vantage host.
+
+Two workflows are provided for Alerts depending on the desired behavior:
+
+- **NN-Universal-Alert**  
+  Retrieves alerts based on the `record_created_at` field.  
+  This workflow sends only **newly created alerts** to QRadar.
+
+- **NN-Universal-Alert-Updated**  
+  Retrieves alerts based on the `record_updated_at` field.  
+  This workflow sends **new alerts and updates to existing alerts** (for example when an alert is acknowledged, modified, or closed).
 
-```<Initialize path="/bookmark" value="${time() - 3600000}" />```
+The `NN-Universal-Alert-Updated` workflow can be useful when QRadar needs to track the **lifecycle changes of alerts**, not only their creation.
+
+It could be useful to get the Alerts only from a given time; to do it you can modify the Workflow bookmark initialization. For example if you want to get the Alerts from the last hour you can initialize the bookmark as:
+
+```xml
+<Initialize path="/bookmark" value="${time() - 3600000}" />
+```
 
 ### Event Mappings