Aflaviani Post Symantec Endpoint Security ICDM Connector #63
Conversation
What does it take to get an approving review?
Hi @aflaviani, could you write up a README.md to go along with this workflow? I know the Contributing.md doesn't currently ask for it but we'll be updating that soon with some more guidance. Also could you tidy up some of the XML formatting with indentation based on open/close tags? Helps a LOT for readability and troubleshooting. Thank you.
Looks like a great start, I'd just like to get some more detail on the API docs for the product as well as get some of the formatting cleaned up.
Thanks!
@@ -0,0 +1,60 @@ | |||
<?xml version="1.0" encoding="UTF-8" ?> | |||
<Workflow name="Symantec Cloud" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1"> |
Can you update the workflow name with the detailed product name?
<Actions> | ||
<Initialize path="/next" value="10000000000" /> | ||
<Initialize path="/next1" value="11111" /> |
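Review bot: the two `<Initialize>` values on these lines are unexplained magic numbers. `10000000000` is too small to be an epoch-milliseconds bookmark (it would be 26 April 1970) and too large to be epoch seconds (it would be in the year 2286), and `11111` has no obvious meaning; please add an XML comment beside each stating its unit and which request field it feeds, e.g. `<!-- /next: starting event-export bookmark, epoch <unit> -->`.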
Space indentation mixed with previous tab indentation here.
<CallEndpoint url="https://${/host}/v1/event-export" method="POST" savePath="/get_events" > | ||
<RequestHeader name="authorization" value="${/access_token}" /> |
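Review bot: `<RequestHeader name="authorization" value="${/access_token}" />` sends the token value with no scheme prefix; please confirm from the API documentation whether the event-export endpoint expects a bare token or a `Bearer ` prefix, and since this is a POST, the `<RequestBody>` that carries `/next` and `/next1` sits outside this fragment, so a comment on how those two values map to the request parameters would let the range logic be reviewed.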
Can you fix up the XML tag indentation such that elements within tags are indented as they are opened or closed?
<CallEndpoint url="https://${/host}/v1/event-export" method="POST" savePath="/get_events" >
    <RequestHeader name="authorization" value="${/access_token}" />
    ...
    ...
</CallEndpoint>
It makes overall readability much better.
<If condition="/get_events/status_code != 200"> | ||
<Abort reason="${/get_events/status_code}" /> |
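Review bot: `<Abort reason="${/get_events/status_code}" />` surfaces only the numeric status, whereas the token-request check aborts with `${/get_access_token/body/message}`; for consistent troubleshooting include both here, e.g. `reason="${/get_events/status_code} ${/get_events/body/message}"` (assuming the export endpoint returns the same error shape). Aborting on any non-200 also means a transient 429 or 5xx ends the run with no retry, which is acceptable for a first version but worth a comment.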
Formatting
<Actions> | ||
<Initialize path="/next" value="10000000000" /> |
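Review bot: in the Universal Cloud REST API workflow language `Initialize` only writes `/next` when the path is still unset in the persisted workflow state (`Set` always writes), so this literal is only the first-run bookmark and is ignored on every later poll; please add an XML comment stating the value's unit and which step advances `/next` after a successful export, otherwise the bookmark logic cannot be reviewed from this block.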
Could you add some comments or context around what the different values are used for? /next seems to be initialized as a baseline timestamp but looks to be too small to be in milliseconds and too large to be seconds. For /next1 I'm not sure what the usage is. They appear to go into a range-style parameter in the CallEndpoint but I'd like to see the API doc for the usage to better understand and review.
Could you maybe include a reference to the API documentation for the specific product in a Readme.md?
</CallEndpoint> | ||
<If condition="/get_access_token/status_code != 200"> | ||
<Abort reason="${/get_access_token/body/message}" /> |
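Review bot: `reason="${/get_access_token/body/message}"` assumes the failure body is JSON with a top-level `message` field; a non-JSON error (for example an HTML error page returned by an intermediary) leaves the abort reason blank, so include the status code as well, e.g. `reason="${/get_access_token/status_code} ${/get_access_token/body/message}"`.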
Formatting
Hi @aflaviani, just wanted to follow up on this pull request. Overall things look very good but I did have a few questions. Thanks.
This is still an open pull request awaiting changes. @aflaviani when you have a chance to review we'd love to get this merged in, thanks!
Changes have been requested prior to merging this workflow, please let me know if you have any questions or require any assistance. Thanks!
Is this in active development or does it need to be reactivated again? I need this integration.
This was initially a proof of concept using the universal collector. Since its creation we have created and posted a QRadar collector on our website that supersedes this.
*Anthony Flaviani*
Solution Engineering Management
Americas Product Specialists
Symantec Enterprise Division (SED) | *Broadcom Software*
@aflaviani Oki, I saw the announcement about ICDx which indeed does not support the SES streaming API for feeding events to any SIEM system (https://tipp-integrations.broadcom.com/icdx). However I cannot find any article which you mention above (...we have created and posted a QRadar collector on our website that supersedes this) - any clues how to find it?
Correct,
The current collector posted to https://tipp-integrations.broadcom.com/icdx uses the Universal Collector. The app uses the current public export API to pull events and incidents directly into QRadar without the need for the ICDx middleware application and pulls directly from ICDM.
We have released a streaming export API that will be able to handle the larger event volume. However, to my knowledge, the current QRadar REST API integration does not support integration with a streaming API. We have created a Feature Request with IBM to have this capability added. Once implemented we'll be able to update our app to use this method.
This is the link for the feature request: https://ibmsecurity.ideas.ibm.com/ideas/SIEMCORE-I-3382
Any updates for integrating the export stream API with the QRadar REST API?
@karimmms - We've definitely had requests to support the Symantec Streaming API, we're looking at possibly supporting it within this framework but the streaming model doesn't quite line up with the "page at a time" processing that REST calls follow. We are looking to support this streaming API from Symantec in some way, whether through this framework or a standalone connector designed to talk to the Symantec Streaming Endpoint specifically but ideally work with multiple products.
Closing this pull request due to the comment above about a superseding workflow being available from Symantec directly.