Add a Workflow for FireEye HX #87 #91
…Groups-Workflow.xml
…orkflow-Parameter-Value.xml
correcting Offset to offset (caused infinite loop)
Thanks for the submission. Overall it's very detailed and looks great.
I've added a few questions and things that I think need addressing, so if you could have a look at those that would be great.
Thanks for the submission!
<!-- Authenticate and request API Token --> | ||
<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/get_feapi_token" > | ||
<SSLConfiguration allowUntrustedServerCertificate="true" /> |
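Review bot: `allowUntrustedServerCertificate="true"` on the token request turns off server certificate verification for every deployment, so the API token retrieved here could be intercepted on a cloud controller where a CA-issued certificate is expected. Tie the attribute to a workflow parameter (a boolean such as the `ignore_selfsigned_certificate` parameter the later commits add, defaulting to false) and apply the same `SSLConfiguration` to every `CallEndpoint`, not only the token call.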
This parameter is usually used when the API endpoint may be located on-premises and may have a self-signed or otherwise unverifiable certificate.
FireEye HX looks to be a SaaS solution, so I would expect the API endpoint hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com
to have a proper certificate on it issued by a known CA and shouldn't need this parameter (or it should be false).
If it will always have a proper certificate this parameter should be removed, and if it's possibly SaaS OR an on-prem solution this should be linked to a configurable value instead rather than always implicitly allowing untrusted certificates.
HX is offered in 2 flavors: On-prem Controller and Cloud Controller.
So this will depend on deployment type.
<Workflow name="FireEye HX" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1"> | ||
<Parameters> | ||
<Parameter name="host" label="Host" required="true" /> | ||
<Parameter name="hx_port" label="Port" value="443" required="true" /> |
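Review bot: `hx_port` carries `value="443"` but is also `required="true"`, so the default can never take effect. Since the on-prem controller listens on 3000 and the cloud controller on 443 (per the discussion), make the parameter optional with 443 as the default and document the 3000 case in the README, or keep it required and drop the misleading default.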
This should probably be optional, and you can default it to 443 in the workflow if it's not set.
HX is offered in 2 flavors: On-prem Controller and Cloud Controller.
On-prem uses port 3000.
Cloud uses port 443.
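As an added example (not the PR's workflow or IBM's code), a small Python lint over a Universal Cloud REST API workflow that flags the two points raised in the review above: an unconditional `allowUntrustedServerCertificate="true"` and a required port parameter that carries a default. The sample XML is constructed to mirror the reviewed fragment; the `<Actions>` element and the `ignore_selfsigned_certificate` parameter name are assumptions taken from the UCRA schema and this PR's later commits.

```python
import re
import xml.etree.ElementTree as ET

NS = {"w": "http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1"}
PARAM_REF = re.compile(r"^\$\{/([A-Za-z0-9_]+)\}$")  # a ${/name} workflow reference

# Constructed sample mirroring the reviewed fragment (the weak setting).
WEAK = """<Workflow name="FireEye HX" version="1.0"
  xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
  <Parameters>
    <Parameter name="host" label="Host" required="true" />
    <Parameter name="hx_port" label="Port" value="443" required="true" />
  </Parameters>
  <Actions>
    <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token"
                  method="GET" savePath="/get_feapi_token">
      <SSLConfiguration allowUntrustedServerCertificate="true" />
    </CallEndpoint>
  </Actions>
</Workflow>"""

# Corrected form: the flag follows a declared boolean parameter (name assumed
# from the PR's later commits) and the port becomes optional with its default.
HARDENED = WEAK.replace(
    'allowUntrustedServerCertificate="true"',
    'allowUntrustedServerCertificate="${/ignore_selfsigned_certificate}"',
).replace(
    'value="443" required="true" />',
    'value="443" required="false" />\n    <Parameter name="ignore_selfsigned_certificate" '
    'label="Ignore self-signed certificate" value="false" />',
)

def lint_workflow(xml_text):
    """Return a list of findings; an empty list means the workflow is clean."""
    root = ET.fromstring(xml_text)
    params = {p.get("name") for p in root.iterfind(".//w:Parameter", NS)}
    findings = []
    for call in root.iterfind(".//w:CallEndpoint", NS):
        url = call.get("url", "?")
        for ssl in call.iterfind("w:SSLConfiguration", NS):
            value = ssl.get("allowUntrustedServerCertificate", "false")
            ref = PARAM_REF.match(value)
            if value.lower() == "true":  # hard-coded: validation off for every deployment
                findings.append(f"{url}: certificate validation disabled unconditionally")
            elif ref and ref.group(1) not in params:  # dangling ${/param} reference
                findings.append(f"{url}: references undeclared parameter {ref.group(1)}")
    for p in root.iterfind(".//w:Parameter", NS):
        if p.get("required") == "true" and p.get("value") is not None:
            findings.append(f"{p.get('name')}: required parameter with a default; make it optional")
    return findings
```

Running `lint_workflow` over `WEAK` reports both issues, while `HARDENED` comes back clean.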
FireEye HX/README.md
## Event Types Currently Supported by the workflow: | ||
- - Alerts: Gets a list of non-suppressed alerts known to the system | ||
- - Alert Groups: Lists all alert_groups |
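Review bot: the list items use a doubled marker (`- - Alerts`), which renders as a nested bullet under an empty parent; use a single `-`. The heading also ends in a colon. Since the README is the only place that explains why two workflows exist, add a line per entry stating which HX API endpoint each workflow queries (alerts vs alert_groups) and that Alert Groups returns alerts aggregated by a grouping field.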
Can you provide some context on what the second set of workflow files is for?
Without knowing the product it's unclear where there's an "Alerts" workflow and an "Alert Groups" workflow.
The HX API contains 2 endpoints for alerts: Alerts and Alert Groups.
The Alerts endpoint will fetch a list of alerts from the systems based on a search query.
Alert Groups will fetch aggregated alerts based on grouping field criteria and a search query.
Co-authored-by: Chris Collins <[email protected]>
Moving to new folder structure
Move to new folder structure
…l to Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml Move to new folder structure
…eveloped/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml Move to new folder structure
…ommunity Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml Move to new folder structure
…ed/FireEye HX/FireEye-HX-Alerts-Workflow.xml Move to new folder structure
Adding Insecure parameter to all Endpoint calls to control allowUntrustedServerCertificate
Added ignore_selfsigned_certificate parameter
Update version
Update version information
Indentation and adding allowUntrustedServerCertificate control
Added ignore_selfsigned_certificate parameter
Changes have been requested prior to merging this workflow; please let me know if you have any questions or require any assistance. Thanks!
Closing due to inactivity.
No description provided.