Conversation
Signed-off-by: suraj-metron <suraj@metronlabs.com>
suraj-metron
force-pushed
the
add-wiz-detection
branch
from
aca1703 to
8dacdad
Compare
|
Hi @ChrisCollinsIBM , Thanks |
|
Hi @ChrisCollinsIBM , Thanks |
There was a problem hiding this comment.
Thanks for the submission and my apologies for the delay. We can merge this as-is if you like, but I do have a few suggestions regarding the parameters and where they reside.
Please have a look and let me know and we can merge or I can wait and re-check.
Thanks!
| <Parameter name="audit_logs_gql_query" label="GraphQL Query" required="false" /> | ||
| <Parameter name="detections_gql_query" label="Detections GraphQL Query" required="false" /> |
There was a problem hiding this comment.
These 2 queries audit_logs_gql_query and detections_gql_query don't seem to be referenced in this workflow, does some validation fail if they aren't referenced?
| /> | ||
|
|
||
| <Value | ||
| name="detections_gql_query" |
There was a problem hiding this comment.
If the detections_gql_query is only used in the Detections-Workflow, would it make more sense that this query is in that workflow? Parameters are usually intended for things the customer would modify.
If you did want to keep it as a parameter still in case it requires editing, I'd suggest having a unique parameter file for each of AuditLogs and Detections so keep their required parameters isolated..
| </If> | ||
| <Else> | ||
| <!-- Set the date for 14 days before Historical Polling --> | ||
| <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${time() - 14 * 86400000}" savePath="/detection_timestamp" /> |
There was a problem hiding this comment.
I'm sure things are always coming in as 2026-01-02T03:04:05Z style format so this works, but ultimately Z in the timestamp is what denotes UTC.
The proper way to handle this style of timestamp is with a pattern of yyyy-MM-dd'T'HH:mm:ssX which uses X to interpret a variety of timezone formats rather than the current 'Z' character literal, and then you would omit the hardcoded timeZone="UTC" value. In the current setup if you ever got anything other than UTC you'd be missing the 'Z' character literal and would fail to parse anything.
You don't need to change it, but just wanted to make a note of this as I see it often.
|
|
||
| <!-- Post Events, if any --> | ||
| <If condition="count(/get_detections/body/data/detections/nodes) > 0"> | ||
| <PostEvents path="/get_detections/body/data/detections/nodes" source="${/host}__Detection" /> |
There was a problem hiding this comment.
You should consider updating your workflows to schema version 2.1 by updating the namespace from http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1 to http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1.
This would put you on the latest schema versions and allow you to omit the source value from PostEvent and PostEvents.
This makes it easier for customers to configure log sources as they can now use whatever log source identifier they like instead of having to make it ${/host}__Detection which often causes customers confusion and has logs go to SIM-Generic until they set the "correct" identifier.
Again, you don't need to do this now, but it's something you should plan for to make integrating these Workflows a little easier.
2 participants
No description provided.