IBM QRadar

  • 1.  Universal Cloud REST API - troubleshooting help

    Posted Fri January 24, 2025 11:52 AM

    I am working on a custom Universal Cloud REST API log source. I created the workflow.xml and workflow parameter values.xml. I tested the Log Source from the GUI without error, and I see records returned. I also tried the /opt/qradar/bin/test-workflow.sh command with no errors and I see JSON records in the output. The Log Source status is "OK" but it never downloaded any logs. I did the payload search and confirmed the logs are not in QRadar.

    Can anyone help review the Workflow xml if I am missing anything?

    <?xml version="1.0" encoding="UTF-8"?>
    <Workflow name="Sailpoint" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
     
        <Parameters>
            <Parameter name="host" label="Host" required="true" />
            <Parameter name="client_id" label="Client ID" required="true" />
            <Parameter name="client_secret" label="Client Secret" required="true" secret="true" />
        </Parameters>
     
        <Actions>
     
            <!--
            //////////////////////////
            // Request Access Token //
            //////////////////////////
            -->
            <CallEndpoint url="https://${/host}/oauth/token" method="POST" savePath="/get_access_token">
                <UrlEncodedFormRequestBody>
                    <Parameter name="grant_type" value="client_credentials" />
                    <Parameter name="client_id" value="${/client_id}" />
                    <Parameter name="client_secret" value="${/client_secret}" />
                </UrlEncodedFormRequestBody>
            </CallEndpoint>
     
            <!-- Handle Errors -->
            <If condition="/get_access_token/status_code != 200">
                <Abort reason="${/get_access_token/body}" />
            </If>
     
            <!-- Extract the Access Token -->
            <Set path="/access_token" value="${/get_access_token/body/access_token}" />
     
            <!--
            ///////////////////////////////////////
            // Initialize bookmark default value //
            ///////////////////////////////////////
            -->
            <Initialize path="/bookmark" value="2025-01-23T00:00:00Z" />

            <!--
            ////////////////////
            // Request Events //
            ////////////////////
            -->
            <CallEndpoint url="https://${/host}/v3/search" method="POST" savePath="/search">
                <QueryParameter name="limit" value="5000" />
                <RequestHeader name="Content-Type" value="application/json" />
                <RequestHeader name="Accept" value="application/json" />
                <RequestHeader name="Authorization" value="Bearer ${/access_token}" />
                <RequestBody type="application/json" encoding="UTF-8">
                    <![CDATA[
                    {
                        "query": {
                            "query": "created:[${/bookmark} TO now]"
                        },
                        "indices": [
                            "events"
                        ],
                        "includeNested": true,
                        "sort": [
                            "-created"
                        ]
                    }
                    ]]>
                </RequestBody>
            </CallEndpoint>
     
            <!-- Handle Errors -->
            <If condition="/search/status_code != 200">
                <Abort reason="${/search/body/error_description}" />
            </If>
     
            <!-- Post the Events -->
            <PostEvents path="/search/body" source="${/host}" />
     
            <!-- Update the Bookmark -->
            <If condition="/search/body != null">
                <Set path="/bookmark" value="${/search/body[0]/created}" />
            </If>
     
        </Actions>
     
        <Tests>
            <DNSResolutionTest host="${/host}" />
            <TCPConnectionTest host="${/host}" />
            <HTTPConnectionThroughProxyTest url="https://${/host}" />
        </Tests>
    </Workflow>






    ------------------------------
    Raymond Tam
    ------------------------------
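    The bookmark handling in the workflow above deserves a dry run before it polls a production tenant. The Python below is an added example (not QRadar, SailPoint or the poster's code) that replays the workflow's Actions against a constructed event store: each poll runs the search, posts the body, and sets the bookmark from `/search/body[0]/created`. It assumes the search endpoint reads `created:[A TO now]` as an inclusive Lucene-style range and `created:{A TO now]` as a range that excludes A; the server-side `now` is supplied here as the poll time. Under that assumption the event whose timestamp becomes the bookmark is returned again on every following poll, so it is posted twice; the exclusive form is shown for comparison.

```python
"""Replay of the poll loop in the SailPoint workflow above.

Added example, not QRadar or SailPoint code. Assumes the search API reads
"created:[A TO now]" as an inclusive range and "created:{A TO now]" as a
range that excludes A; events and poll times are constructed.
"""
from datetime import datetime, timezone

# Constructed event store, as the /v3/search index might hold it
EVENTS = [
    {"id": "e1", "created": "2025-01-23T10:00:00.000Z"},
    {"id": "e2", "created": "2025-01-23T11:00:00.000Z"},
    {"id": "e3", "created": "2025-01-23T12:00:00.000Z"},
    {"id": "e4", "created": "2025-01-24T09:00:00.000Z"},
]

# Constructed poll times standing in for the server's "now" at each interval
POLLS = ["2025-01-23T13:00:00Z", "2025-01-24T10:00:00Z", "2025-01-24T11:00:00Z"]


def parse_ts(value):
    """ISO-8601 with a trailing Z to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def search(events, lower, now, inclusive_lower):
    """Emulates "created:[lower TO now]" (or "{lower TO now]") with sort "-created"."""
    lo, hi = parse_ts(lower), parse_ts(now)
    hits = []
    for event in events:
        ts = parse_ts(event["created"])
        above_lower = ts >= lo if inclusive_lower else ts > lo
        if above_lower and ts <= hi:
            hits.append(event)
    # "-created": newest first, so body[0] is the newest event
    return sorted(hits, key=lambda e: parse_ts(e["created"]), reverse=True)


def run_polls(events, initial_bookmark, poll_times, inclusive_lower=True):
    """One pass through <Actions> per poll; returns (ids posted in order, final bookmark)."""
    bookmark = initial_bookmark                 # <Initialize path="/bookmark" .../> on the first run
    posted = []
    for now in poll_times:
        body = search(events, bookmark, now, inclusive_lower)
        posted.extend(e["id"] for e in body)    # <PostEvents path="/search/body" .../>
        if body:                                # <If condition="/search/body != null">
            bookmark = body[0]["created"]       # <Set path="/bookmark" value="${/search/body[0]/created}" />
    return posted, bookmark


if __name__ == "__main__":
    for inclusive in (True, False):
        ids, final = run_polls(EVENTS, "2025-01-23T00:00:00Z", POLLS, inclusive)
        print("inclusive" if inclusive else "exclusive", ids, final)
```

    With the inclusive range, e3 is posted on the first and second poll and e4 on the second and third, one duplicate per interval, because the bookmark equals a timestamp that still satisfies the query. Whether the duplicate matters depends on how the events are parsed downstream; if it does, an exclusive lower bound or a bookmark nudged past the last timestamp removes it.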


  • 2.  RE: Universal Cloud REST API - troubleshooting help
    Best Answer

    Posted Mon January 27, 2025 01:29 AM

    Hi Raymond,

    The workflow test seems to be working fine, so the workflow itself must be good. Events are displaying correctly, but it appears they aren't being tagged properly to the log source.

    Could you confirm the value set for ${/host} in the workflow parameters? Ensure the same value is used in the log source identifier for consistency.

    Best regards,



    ------------------------------
    Vishal Tangadkar
    IBM INDIA PVT LTD
    ------------------------------



  • 3.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon January 27, 2025 11:57 AM

    Thanks for the advice. I changed the Log Source Identifier and logs started to make it to the Log Source. I will let it run and see if it is working as expected. This is the first time I have worked on the custom Universal Cloud RESTful API. I want to see if the bookmark I created actually works to pull the logs correctly at each poll interval.



    ------------------------------
    Raymond Tam
    ------------------------------



  • 4.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon February 03, 2025 07:47 AM

    Hi Vishal!
    I'm experiencing similar issues with a Universal Cloud REST API integration that used to work properly and has been interrupted in the last 2 months.

    Wondered if you can help me with that issue:

    I have used the Community Developed XML workflow and provided the needed parameters for the integration:

    XML Workflow:

    <?xml version="1.0" encoding="UTF-8" ?>
    <Workflow name="Ariel" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
        <Parameters>
            <Parameter name="host" label="Host" required="true" />
            <Parameter name="path" label="Path" required="true" />
            <Parameter name="username" label="Username" required="true" />
            <Parameter name="password" label="Password" required="true" />
        </Parameters>
        <Actions>
            <!--
            /////////////////////
            // Post the Search //
            /////////////////////
            -->
            <!-- Initialize the Bookmark -->
            <Initialize path="/bookmark" value="51" />
            <CallEndpoint url="https://${/host}/${/path}/logs.index" method="GET" savePath="/logs_index">
                <SSLConfiguration allowUntrustedServerCertificate="true" />
                <BasicAuthentication username="${/username}" password="${/password}" />
                <RequestHeader name="Accept" value="*/*" />
            </CallEndpoint>
            <!-- Handle Errors -->
            <If condition="/logs_index/status_code != 200">
                <Abort reason="${/logs_index/status_message}: ${/logs_index/body/message}" />
            </If>
            <!-- Extract the Search -->
            <Set path="/index" value="${/logs_index/body}" />
            <Split value="${/logs_index/body}" delimiter="\n" savePath="/log_files" />
            <ForEach item="/log_file" items="/log_files">
                <RegexCapture pattern="[0-9]+_([0-9]+)\.log" value="${/log_file}" savePath="/current_file" />
                <If condition="/current_file > /bookmark" >
                    <!-- Update Bookmark -->
                    <CallEndpoint url="https://${/host}/${/path}/${/log_file}" method="GET" savePath="/log_content">
                        <SSLConfiguration allowUntrustedServerCertificate="true" />
                        <BasicAuthentication username="${/username}" password="${/password}" />
                        <RequestHeader name="Accept" value="*/*" />
                    </CallEndpoint>
                    <If condition="/log_content/status_code != 200">
                        <Abort reason="${/log_content/status_message}: ${/log_content/body/message}" />
                    </If>
                    <Set path="/log_events" value="${/log_content/body}" />
                    <Split value="${/log_events}" delimiter="\n" savePath="/events" />
                    <Set path="/recordcount" value="${count(/events)}" />
                    <If condition="/recordcount > 1" >
                        <ForEach item="/current_event" items="/events">
                            <RegexCapture pattern="(LEEF):1.0\|Incapsula" value="${/current_event}" savePath="/event_header" />
                            <If condition="/event_header = 'LEEF'" >
                                <PostEvent path="/current_event" source="${/username}" />
                            </If>
                        </ForEach>
                    </If>
                    <RegexCapture pattern="[0-9]+_([0-9]+)\.log" value="${/log_file}" savePath="/bookmark" />
                </If>
                <!-- Handle Errors -->
            </ForEach>
        </Actions>
        <Tests>
            <DNSResolutionTest host="${/host}" />
            <TCPConnectionTest host="${/host}" />
            <HTTPConnectionThroughProxyTest url="https://${/host}" />
        </Tests>
    </Workflow>

    XML Workflow Parameters:

    <?xml version="1.0" encoding="UTF-8" ?>
    <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
        <Value name="host"      value="logs1.incapsula.com" />
        <Value name="path"      value="1111_2222222" />
        <Value name="username"  value="123456" />
        <Value name="password"  value="000aa0a0-1111-22b2-cc33-dd44d55555d5" />
    </WorkflowParameterValues>

    First, we used Postman in order to validate that there are logs present under the designated folder in the cloud.
    After we saw a lot of logs, we moved further to the QRadar Test.

    First the "Start Test" was not fetching logs so we tried modifying certain values in the script like the bookmark
    value, which led us to successfully receiving the logs, only on the Test mentioned but not on the Log Activity Tab.

    When we perform a "Start Test" in the Log Source Management Interface, we were able to see that logs are present and indeed being fetched as needed (with the desired format (LEEF)), but according to their epoch timestamp, the logs are from 2 days ago (2 days gap) and not winding up in the Log Activity Tab (therefore, the logs are probably not arriving at the associated Collector).

    Also, I saw a README.md file in the Community Developed that suggests that Log Compression must be off; if you already produce logs from before, you can adjust the value of the bookmark to bigger than 1.

    According to the component vendor (Imperva Incapsula), it seems a Python script is needed (on the associated collector) that will download the logs.
    But as far as I know, there is functionality in the XML Workflow that is able to fetch logs actively from the Incapsula Cloud (correct me if I'm wrong).

    I have already tried consulting QRadar Support; apparently there is no support for the Community Developed scripts.

    Also, it seems the identifier of the log source is extracted from the XML Workflow in this line:

    <PostEvent path="/current_event" source="${/username}" />


    I would highly appreciate your help since this issue has persisted for too long.

    Best Regards, and Thank you in advance.

    Nehoray Kanizo.



    ------------------------------
    Nehoray Kanizo
    ------------------------------
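    The workflow above decides which Incapsula files to fetch by capturing the numeric suffix of each logs.index entry and comparing it with the bookmark, then keeps only the lines that match the LEEF header pattern. The Python below is an added example (not the community workflow, Imperva code or the poster's) that performs the same two steps offline so the selection can be checked against a listing before a poll: the two regexes are copied from the workflow, the listing and file bodies are constructed to fit them (real Incapsula listings and file headers may look different), and indices are compared as integers, since a plain string comparison would rank 100 below 51.

```python
"""Dry run of the file-selection and LEEF-filter steps in the Incapsula workflow above.

Added example, not the community workflow or Imperva code. Both regexes come
from the workflow; the logs.index listing and file bodies are constructed.
"""
import re

FILE_INDEX_RE = re.compile(r"[0-9]+_([0-9]+)\.log")     # from the workflow's RegexCapture
LEEF_HEADER_RE = re.compile(r"(LEEF):1.0\|Incapsula")   # from the workflow's RegexCapture

# Constructed logs.index body: one file per line, oldest first
SAMPLE_INDEX = "1111_2222222_50.log\n1111_2222222_51.log\n1111_2222222_52.log\n1111_2222222_100.log\n"

# Constructed file bodies: a non-LEEF header line followed by LEEF events
LEEF = "LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|src="
SAMPLE_FILES = {
    "1111_2222222_50.log": "constructed header\n" + LEEF + "203.0.113.7\n",
    "1111_2222222_51.log": "constructed header\n" + LEEF + "203.0.113.8\n",
    "1111_2222222_52.log": "constructed header\n" + LEEF + "203.0.113.9\n" + LEEF + "203.0.113.10\n",
    "1111_2222222_100.log": "constructed header\n" + LEEF + "203.0.113.11\n",
}


def file_index(name):
    """Numeric index captured by the workflow's pattern, or None for other lines."""
    m = FILE_INDEX_RE.search(name)
    return int(m.group(1)) if m else None


def files_after(index_text, bookmark):
    """Listing entries whose index exceeds the bookmark, as integers, in listing order."""
    selected = []
    for line in index_text.split("\n"):          # <Split ... delimiter="\n" savePath="/log_files" />
        idx = file_index(line)
        if idx is not None and idx > bookmark:   # <If condition="/current_file > /bookmark">
            selected.append(line)
    return selected


def leef_events(body):
    """Lines the workflow's header pattern accepts; the file header is dropped."""
    lines = body.split("\n")                     # <Split ... savePath="/events" />
    if len(lines) <= 1:                          # <If condition="/recordcount > 1">
        return []
    events = []
    for line in lines:
        m = LEEF_HEADER_RE.search(line)
        if m and m.group(1) == "LEEF":           # <If condition="/event_header = 'LEEF'">
            events.append(line)
    return events


def dry_run(index_text, files, bookmark):
    """Walk the listing once; returns (events that would be posted, bookmark after the run)."""
    posted = []
    for name in files_after(index_text, bookmark):
        posted.extend(leef_events(files[name]))
        bookmark = file_index(name)              # workflow re-captures the index into /bookmark per file
    return posted, bookmark


if __name__ == "__main__":
    events, new_bookmark = dry_run(SAMPLE_INDEX, SAMPLE_FILES, 51)
    print(len(events), "events would be posted; bookmark becomes", new_bookmark)
```

    Starting from the hardcoded bookmark 51, only files 52 and 100 are fetched and the bookmark ends at 100; running it again from 100 fetches nothing, which is the behaviour to expect when the listing has not grown since the last poll.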



  • 5.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon March 17, 2025 11:30 AM

    Hi Vishal,

    Thank you for your outstanding contribution to this space and on this topic. I'm writing to see if you can assist with my issue.

    We have a DMARC solution called DMARCLY we're trying to pull logs from into QRadar SIEM using the Universal Cloud REST API protocol.

    When I run the test on the workflow and the workflow parameters, I get the error shown below in the capture. 

    However, when I test by directly querying the API endpoint using the "curl" command, it works as shown in the screenshot below.

    I've been struggling so hard with that for months. I'm stuck and completely clueless. I'm totally a newbie in this API workflow matter, having never touched it before.

    Please help me figure this out. 

    I pasted below the workflow and the workflow parameters I'm running.

    Thanks,

    Hermann 

    ---workflow---

    <?xml version="1.0" encoding="UTF-8" ?>
    <Workflow name="DMARCLY" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
        <Parameters>
            <Parameter name="api_key"      label="DMARCLY secret key"      required="true" secret="true" />
            <Parameter name="dmarcly_host" label="https://dmarcly.com/api" required="true" />
        </Parameters>
        <Actions>
            <CallEndpoint url="https://dmarcly.com/api/aggregate_by_unaligned" method="GET">
                <SSLConfiguration allowUntrustedServerCertificate="true" />
                <BearerAuthentication token="${/access_token}" />
            </CallEndpoint>
        </Actions>
    </Workflow>

    ---parameters---

    <?xml version="1.0" encoding="UTF-8" ?>
    <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
        <Value name="api_key"      value="fc600bb3c894d5497b61ea2145ae79f0" />
        <Value name="dmarcly_host" value="https://dmarcly.com/api" />
    </WorkflowParameterValues>



    ------------------------------
    Hermann Kodom
    ------------------------------
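    A workflow like the one posted above can be checked mechanically before it is loaded into a log source: every `${/name}` or condition path should resolve to a declared Parameter or to a path the workflow itself writes, every CallEndpoint whose result is needed should have a savePath, and something must eventually call PostEvent or PostEvents. The Python below is an added example (not IBM tooling) that applies those checks with the standard library's XML parser. Run against the DMARCLY workflow as posted, it reports that `${/access_token}` is never defined (the declared parameter is `api_key`), that the endpoint response is discarded, and that no events are ever posted. A second, hypothetical workflow shows the shape that passes; it assumes the response body is the event array to post, which the post does not show, and it drops `allowUntrustedServerCertificate="true"` since a public endpoint with a valid certificate does not need it.

```python
"""Static check of a Universal Cloud REST API workflow before deployment.

Added example, not IBM code. Collects the names a workflow may reference
(declared <Parameter>s plus paths written by savePath, <Set>, <Initialize>
and <ForEach item>) and reports unresolved references, CallEndpoints whose
response is dropped, and a missing PostEvent/PostEvents action.
"""
import re
import xml.etree.ElementTree as ET

# The DMARCLY workflow as posted above, used as the input being checked
DMARCLY_WORKFLOW = """<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="DMARCLY" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <Parameter name="api_key" label="DMARCLY secret key" required="true" secret="true"/>
    <Parameter name="dmarcly_host" label="https://dmarcly.com/api" required="true" />
  </Parameters>
  <Actions>
    <CallEndpoint url="https://dmarcly.com/api/aggregate_by_unaligned" method="GET">
      <SSLConfiguration allowUntrustedServerCertificate="true" />
      <BearerAuthentication token="${/access_token}" />
    </CallEndpoint>
  </Actions>
</Workflow>
"""

# Hypothetical corrected shape: token from the declared parameter, response saved
# and checked, body posted. That the body is the event array is an assumption
# about DMARCLY, not something the post shows.
FIXED_WORKFLOW_HYPOTHETICAL = """<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="DMARCLY" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <Parameter name="api_key" label="DMARCLY secret key" required="true" secret="true"/>
    <Parameter name="dmarcly_host" label="DMARCLY API base URL" required="true" />
  </Parameters>
  <Actions>
    <CallEndpoint url="${/dmarcly_host}/aggregate_by_unaligned" method="GET" savePath="/response">
      <BearerAuthentication token="${/api_key}" />
    </CallEndpoint>
    <If condition="/response/status_code != 200">
      <Abort reason="${/response/body}" />
    </If>
    <PostEvents path="/response/body" source="${/dmarcly_host}" />
  </Actions>
</Workflow>
"""

PLACEHOLDER_RE = re.compile(r"\$\{([^}]*)\}")       # ${...} expressions in attributes and text
ROOT_RE = re.compile(r"(?:^|[^\w\]\)])/(\w+)")      # first segment of each /path inside an expression
WRITERS = {"Set", "Initialize"}                      # their "path" attribute defines a value
READERS = {"PostEvent", "PostEvents"}                # their "path" attribute reads a value


def local(tag):
    """Element name without the {namespace} prefix ElementTree adds."""
    return tag.rsplit("}", 1)[-1]


def roots(expr):
    return set(ROOT_RE.findall(expr))


def lint_workflow(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    declared, defined, referenced, findings = set(), set(), set(), []
    has_post = False
    for el in root.iter():
        name = local(el.tag)
        if name == "Parameters":
            declared = {p.get("name") for p in el if local(p.tag) == "Parameter"}
            continue
        if name in READERS:
            has_post = True
        if name == "CallEndpoint" and "savePath" not in el.attrib:
            findings.append(f"CallEndpoint {el.get('url')} has no savePath: its response cannot be checked or posted")
        for attr, value in el.attrib.items():
            if attr == "savePath" or (attr == "path" and name in WRITERS) or (attr == "item" and name == "ForEach"):
                defined |= roots(value)
            elif attr == "condition" or (attr == "path" and name in READERS):
                referenced |= roots(value)
            for expr in PLACEHOLDER_RE.findall(value):
                referenced |= roots(expr)
        for expr in PLACEHOLDER_RE.findall(el.text or ""):   # e.g. ${/bookmark} inside a CDATA body
            referenced |= roots(expr)
    for r in sorted(referenced - declared - defined):
        findings.append(f"unresolved reference: /{r}")
    for p in sorted(declared - referenced):
        findings.append(f"parameter declared but never referenced: {p}")
    if not has_post:
        findings.append("no PostEvent/PostEvents action: nothing is ever sent to the log source")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", DMARCLY_WORKFLOW), ("hypothetical fix", FIXED_WORKFLOW_HYPOTHETICAL)):
        print(label, lint_workflow(text) or ["no findings"])
```

    The same function accepts any workflow file read from disk, so it also covers the two workflows earlier in the thread; it does not know the engine's runtime semantics, only which names exist, which is enough to catch the mismatch between the declared `api_key` and the `${/access_token}` the bearer header asks for.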



  • 6.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon January 27, 2025 10:09 AM

    The workflow looks fine, other than the hardcoded bookmark I don't see anything that raises an eyebrow. Plus, you see events in the tests.

    Any chance you've run the debug classpath on the target EC? com.q1labs.semsources.sources.universalcloudrestapi

    This will help you see where it's getting in the process. It's possible it is posting the events, look for something like com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.PostEventsAction: [DEBUG] Posting 15 events


    If the events are being posted, there might be a FormatException further along. I've seen a lot of dates cause issues. Check for something like this (or just FormatException) in qradar.error on the EC:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-2633018] java.lang.NumberFormatException: For input string: "2024-07-05T20:27:25.702Z"



    ------------------------------
    Joseph Gilbrook
    ------------------------------



  • 7.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon January 27, 2025 10:10 AM

    The workflow looks fine as far as I can tell, plus you see the events in the tests alright.

    Any chance you're getting any kind of "java.lang.NumberFormatException" or other FormatException errors on the target EC? 
    And, have you given the debug classpath a shot? com.q1labs.semsources.sources.universalcloudrestapi

    Debug classpath will help you see if they're being Posted (look for something like com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.PostEventsAction: [DEBUG] Posting 15 events), which might help pinpoint a problem further along the line (like format exceptions).



    ------------------------------
    Joseph Gilbrook
    ------------------------------



  • 8.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon January 27, 2025 12:02 PM

    Thanks! Those are good debug tips. I looked into the qradar.error and qradar.java.debug logs. No errors showed up when I filter by the keyword "sources.universalcloudrestapi".

    To check my understanding, are the debug errors logged by default? Do I need to enable the debug in the workflow?



    ------------------------------
    Raymond Tam
    ------------------------------



  • 9.  RE: Universal Cloud REST API - troubleshooting help

    Posted Mon January 27, 2025 12:06 PM

    Didn't mean to double post - sorry!

    Debug should not be enabled by default for protocols, you will need to run the mod_log4j.pl script to enable it. For URest, it would be:
    /opt/qradar/support/mod_log4j.pl -al com.q1labs.semsources.sources.universalcloudrestapi -w <user>

    Then when you're done, it will either turn itself off in 1 hour or you can turn it off with -r:
    /opt/qradar/support/mod_log4j.pl -r -w <user>



    ------------------------------
    Joseph Gilbrook
    ------------------------------
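    The replies above describe a three-step check: enable debug for the com.q1labs.semsources.sources.universalcloudrestapi class with mod_log4j.pl, confirm that PostEventsAction lines report events being posted, then look in qradar.error for a FormatException that could be dropping them after the post. The Python below is an added example (not IBM tooling) that scans log lines for those two signals and maps the counts onto the outcomes the thread distinguishes: nothing posted, posted but failing on a format error, or posted cleanly (in which case the log source identifier is the next thing to compare, as the accepted answer says). The two regexes are built from the fragments quoted in the replies; the sample lines are constructed, with an invented timestamp and host prefix, so real qradar.java.debug and qradar.error lines may carry a different prefix.

```python
"""Scan EC log lines for Universal Cloud REST API post counts and format errors.

Added example, not IBM tooling. Regexes follow the two line fragments quoted
in the thread; the sample lines are constructed (timestamp/host prefix invented).
"""
import re
import sys

# "...PostEventsAction: [DEBUG] Posting 15 events"  (fragment quoted above)
POST_RE = re.compile(
    r"universalcloudrestapi\.v\d+\.workflow\.action\.PostEventsAction: "
    r"\[DEBUG\] Posting (\d+) events"
)
# 'java.lang.NumberFormatException: For input string: "2024-07-05T20:27:25.702Z"'  (quoted above)
FORMAT_RE = re.compile(r"(java\.lang\.\w*FormatException): For input string: \"([^\"]*)\"")

PREFIX = "Jan 27 10:05:12 ec01 [ecs-ec-ingress.ecs-ec-ingress] [Thread-2633018] "   # constructed
CLASS = "com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action."

# Constructed sample of what one poll might leave in qradar.java.debug / qradar.error
SAMPLE_LINES = [
    PREFIX + CLASS + "CallEndpointAction: [DEBUG] constructed unrelated line",
    PREFIX + CLASS + "PostEventsAction: [DEBUG] Posting 15 events",
    PREFIX + 'java.lang.NumberFormatException: For input string: "2024-07-05T20:27:25.702Z"',
    PREFIX + CLASS + "PostEventsAction: [DEBUG] Posting 3 events",
]


def summarize(lines):
    """Count PostEvents batches and events, and collect (exception, offending value) pairs."""
    summary = {"batches": 0, "events_posted": 0, "format_exceptions": []}
    for line in lines:
        m = POST_RE.search(line)
        if m:
            summary["batches"] += 1
            summary["events_posted"] += int(m.group(1))
            continue
        m = FORMAT_RE.search(line)
        if m:
            summary["format_exceptions"].append((m.group(1), m.group(2)))
    return summary


def diagnose(summary):
    """Map the counts onto the three outcomes discussed in the thread."""
    if summary["batches"] == 0:
        return "workflow never reached PostEvents: check the workflow run and poll itself"
    if summary["format_exceptions"]:
        values = ", ".join(v for _, v in summary["format_exceptions"])
        return f"events were posted but a FormatException hit downstream on: {values}"
    return "events were posted cleanly: compare the log source identifier with the PostEvents source value"


if __name__ == "__main__":
    # Pipe real lines in, e.g.:  grep universalcloudrestapi /var/log/qradar.java.debug | python3 scan.py
    lines = [ln.rstrip("\n") for ln in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LINES
    result = summarize(lines)
    print(result)
    print(diagnose(result))
```

    On the constructed sample it reports two batches totalling 18 events and one NumberFormatException on an ISO-8601 timestamp, the situation the reply describes where events are posted but a date field fails to parse further along.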