AtlassianJira Audit logs #156
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| <?xml version="1.0" encoding="UTF-8" ?> | ||
| <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1"> | ||
| <Value name="host" value="" /> | ||
| <Value name="user_id" value="" /> | ||
| <Value name="token" value="" /> | ||
| </WorkflowParameterValues> | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| <?xml version="1.0" encoding="UTF-8" ?> | ||
| <Workflow name="AtlassianJira" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1"> | ||
|
|
||
| <Parameters> | ||
| <Parameter name="host" label="host" required="true" /> | ||
| <Parameter name="token" label="token" required="true" /> | ||
| <Parameter name="user_id" label="user_id" required="true" /> | ||
|
There was a problem hiding this comment. Indentation cleanup. |
||
| </Parameters> | ||
|
|
||
| <Actions> | ||
|
|
||
| <Initialize path="/get_logs/bookmark" value="0" /> | ||
| <CallEndpoint url="https://${/host}/rest/api/3/auditing/record" method="GET" savePath="/get_logs"> | ||
|
There was a problem hiding this comment. There are no query parameters here, meaning no timestamp bounds have been applied, so this query will match EVERY record available EVERY time the workflow runs as it is written here. I see on line 30 you set the record count as the offset but I don't know if This will result in a workflow that missed data on the initial result, and then on subsequent runs queries all of time but pages to recent records. This is likely to cause performance issues on the Atlassian side. Normally a workflow will use a time bound query ( |
||
| <SSLConfiguration allowUntrustedServerCertificate="true" /> | ||
|
There was a problem hiding this comment. For security reasons this probably shouldn't be true by default as setting it true can cause extra work. If this is If using a self-signed certificate, then this must be set to You may have found during testing that it was needed based on whatever. I would make this a variable in the Parameters file, and include in the readme when it should be set to true (if using a self-signed certificate) and set it to false by default. |
||
| <BasicAuthentication username="${/user_id}" password="${/token}" /> | ||
| <QueryParameter name="offset=" value="${/get_logs/bookmark}" /> | ||
| <QueryParameter name="limit=" value="1000" /> | ||
| <RequestHeader name="Content-Type" value="application/json" /> | ||
| </CallEndpoint> | ||
|
|
||
| <!-- Handle Errors --> | ||
| <If condition="/get_logs/status_code != 200"> | ||
| <Abort reason="${/get_logs/status_code}" /> | ||
| </If> | ||
|
|
||
| <!-- Post Events --> | ||
| <PostEvents path="/get_logs/body/records" source="${/host}"/> | ||
|
|
||
| <!-- Update the bookmark --> | ||
| <Set path="/get_logs/bookmark" value="${/get_logs/body/total}" /> | ||
|
|
||
| </Actions> | ||
|
|
||
| <Tests> | ||
| <DNSResolutionTest host="${/host}" /> | ||
| </Tests> | ||
|
|
||
| </Workflow> | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # Atlassian Jira | ||
| The Jira workflow collects audit logs from audit API. | ||
|
|
||
| ## Authentication Set-Up | ||
| When setting up the workflow for Atlassian Cloud you will need to use the "Jira User Identifier" and "Jira API Token" fields in the Workflow Parameter Values file. These will allow connection to the [Atlassian Cloud REST API](https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/) via [Basic Authentication](https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/). | ||
|
|
||
| You need to uncheck Coalescing Events option during log source configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Readme should include this field along with an example, and should clearly define whether it is just the hostname or the full URL with http://, etc.
I can see from the code it's just the hostname, but providing examples in the readme help usability. Consider including how to specify an alternate port as well if not 443.