Add new workflow for Trellix HX

Community Developed/Trellix HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
+    <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
+    <Value name="username" value="api_analyst" />
+    <Value name="password" value="api_analyst" />
+    <!-- Number of alert records to fetch per request -->
+    <Value name="limit" value="100" />
+</WorkflowParameterValues>

Community Developed/Trellix HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="FireEye HX" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+	<Parameters>
+		<Parameter name="host" label="Host" required="true" />
+		<Parameter name="hx_port" label="Port" value="443" required="true" />
+		<Parameter name="username" label="Username" required="true" />
+		<Parameter name="password" label="Password" required="true" secret="true" />
+	</Parameters>
+	<Actions>
+		<!-- Initialize the Bookmark -->
+		<Initialize path="/bookmark" value="${time() - 86400000}" />
+
+		<!-- Use bookmark -10 mins as start time -->
+		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/startTime" />
+
+		<!-- Authenticate and request API Token -->
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getApiToken" >
+		<BasicAuthentication username="${/username}" password="${/password}" />
+		<RequestHeader name="Accept" value="application/json" />
+        </CallEndpoint>
+
+        <!-- Handle Errors -->
+	<If condition="/getApiToken/status_code != 204">
+		<Log type="Error" message="FE HX API: Error Authenticating to API: ${/getApiToken/body}" />
+		<Abort reason="Error login: ${/getApiToken/body}" />
+        </If>
+	<Else>
+		<!-- Extract the API Token -->
+		<Set path="/x_feapi_token" value="${/getApiToken/headers/X-FeApi-Token}" />
+		<!-- Build filterQuery -->
+		<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/startTime}"],"field":"last_event_at"}' />
+
+		<!-- Get Alerts -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alert_groups/?" method="GET" savePath="/getAlerts">
+			<QueryParameter name="offset" value="0" />
+			<QueryParameter name="limit" value="100" />
+			<QueryParameter name="sort" value="last_event_at" />
+			<!-- URL Encoded Filter for last_event_at greater than Start Time -->
+			<QueryParameter name="filterQuery" value="${/filterQuery}" />
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+
+		<!-- Handle Errors -->
+		<If condition="/getAlerts/status_code != 200">
+			<Log type="Error" message="FE HX API: Error fetching alerts ${/getAlerts/body}" />
+		</If>
+		<Else>
+			<Log type="INFO" message="FE HX API: Got ${/getAlerts/body/data/total} events" />
+
+			<!-- Alert are returned in JSON format-->
+			<!-- Extract Alerts-->
+			<If condition="${/getAlerts/body/data/total} > 0">
+				<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
+				<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
+			</If>
+			<!-- Post Alerts -->
+			<PostEvents path="/alerts" source="${/host}" />
+		</Else>
+
+		<!-- Dispose generated token to clear active session -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delApiToken" >
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+
+		<!-- Handle Errors -->
+		<If condition="/del_feapi_token/status_code != 204">
+			<Log type="Error" message="FE HX API: Error Deleting Session: ${/del_feapi_token/body/message}" />
+			<Abort reason="${/get_feapi_token/body/message}" />
+		</If>
+		</Else>
+	</Actions>
+	<Tests>
+		<DNSResolutionTest host="${/host}" />
+		<TCPConnectionTest host="${/host}" port="${/hx_port}" />
+		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
+		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
+	</Tests>
+</Workflow>

Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow-Parameter-Value.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
+    <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
+    <Value name="username" value="api_analyst" />
+    <Value name="password" value="api_analyst" />
+    <!-- Number of alert records to fetch per request -->
+    <Value name="limit" value="100" />
+</WorkflowParameterValues>

Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml

@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Trellix HX" version="1.0.4" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+	<Parameters>
+		<Parameter name="host" label="Host" required="true" />
+		<Parameter name="hx_port" label="Port" required="true" />
+		<Parameter name="username" label="Username" required="true" />
+		<Parameter name="password" label="Password" required="true" secret="true" />
+		<Parameter name="limit" label="Limit" required="true" />
+	</Parameters>
+	<Actions>
+		<!-- Initialize the Bookmark -->
+		<Initialize path="/bookmark" value="0" />
+		<!-- Authenticate and request API Token -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
+			<BasicAuthentication username="${/username}" password="${/password}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/getFeApiToken/status_code != 204">
+			<Log type="Error" message="Trellix HX API: API Authentication Error: ${/getFeApiToken/body}" />
+			<Abort reason="Trellix HX API: API Authentication Error: ${/getFeApiToken/body}" />
+		</If>
+		<Else>
+			<!-- Extract the API Token -->
+			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
+		</Else>
+		<!-- Get First Alert -->
+		<Set path="/offset" value="0" />
+		<Set path="limit" value="1" />
+
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getFirstAlert">
+			<QueryParameter name="offset" value="${/offset}" />
+			<QueryParameter name="limit" value="${/limit}" />
+			<QueryParameter name="sort" value="_id" />
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/getFirstAlert/status_code != 200">
+			<Log type="Error" message="Trellix HX API: Error fetching first alert ${/getFirstAlert/body}" />
+			<Abort reason="Trellix HX API: API Authentication Error: ${/getFirstAlert/body}">
+		</If>
+		<Else>
+		<Set path="/firstAlertId" value="${/getFirstAlert/body/data/entries[0]/_id}" />
+			<Log type="INFO" message="Trellix HX API: Got ${/getFirstAlert/body/data/total} alerts" />
+			<If condition="${/getFirstAlert/body/data/total} > 0">
+				<set path="/entries" value="${/getAlerts/body/data/total}">
+			</If>
+			<Else>
+				<Log type="Notice" message="Trellix HX API: No Alerts to fetch" />
+				<Abort reason="Trellix HX API: No Alerts to fetch">
+			</Else>
+		</Else>
+
+		<!-- Get Last Alert -->
+		<Set path="/offset" value="${/entries -1}" />
+		<Set path="limit" value="1" />
+
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getLastAlert">
+			<QueryParameter name="offset" value="${/offset}" />
+			<QueryParameter name="limit" value="${/limit}" />
+			<QueryParameter name="sort" value="_id" />
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/getLastAlert/status_code != 200">
+			<Log type="Error" message="Trellix HX API: Error fetching last alert ${/getLastAlert/body}" />
+			<Abort reason="Trellix HX API: Error fetching last alert ${/getLastAlert/body}">
+		</If>
+		<Else>
+			<Set path="/firstAlertId" value="${/getLastAlert/body/data/entries[0]/_id}" />
+			<Log type="INFO" message="Trellix HX API: Last Alert ID: ${/getLastAlert/body/data/total}" />
+			<If condition="${/getFirstAlert/body/data/total} > 0">
+				<set path="/entries" value="${/getAlerts/body/data/total}">
+			</If>
+		</Else>
+
+		<If condition="/bookmark > 0">
+
+		</If>
+		<Else>
+
+		</Else>
+
+		<!-- Extract Alerts-->
+		<DoWhile condition="(/entries) > 0">
+			<Set path="/alerts" value="${/getAlerts/body/data/entries}" />
+			<!-- Enrich Alerts -->
+			<ForEach item="/alert" items="/alerts">
+				<Set path="/alertID" value="${/alert/_id}">
+				<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
+					<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+					<RequestHeader name="Accept" value="application/json" />
+				</CallEndpoint>
+				<If condition="/getAagent/status_code != 200">
+					<Log type="Error" message="Trellix HX API: Error fetching Agnet information: ${/getAagent/body}" />
+					<Abort reason="Error login: ${/getAagent/body}" />
+				</If>
+				<Log type="Info" message="Trellix HX API: Host found for ID: ${/alert/agent/_id}" />
+				<!-- Add host information to alert-->
+				<Set path="/alert/agent/hostname" value="${/getAagent/body/data/hostname}"  />
+				<Set path="/alert/agent/domain" value="${/getAagent/body/data/domain}"  />
+				<Set path="/alert/agent/primary_ip_address" value="${/getAagent/body/data/primary_ip_address}"  />
+				<Set path="/alert/agent/last_poll_ip" value="${/getAagent/body/data/last_poll_ip}"  />
+				<PostEvent path="/alert" source="${/host}" />
+			</ForEach>
+			<!-- Update bookmark -->
+			<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/bookmark" />
+			<Log type="Info" message="Trellix HX API: Last Alert Time set to: ${/bookmark}" />
+
+			<!-- Next Page -->
+			<Set path="/offset" value="${/offset + /limit - 1}" />
+			<!-- Get next page of alerts -->
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
+				<QueryParameter name="offset" value="${/offset}" />
+				<QueryParameter name="limit" value="${/limit}" />
+				<QueryParameter name="sort" value="_id" />
+				<QueryParameter name="filterQuery" value="${/filterQuery}" />
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+			<If condition="/getAlerts/status_code != 200">
+				<Log type="Error" message="Trellix HX API: Error getting alerts: ${/getAlerts/body}" />
+				<Abort reason="Error login: ${/getAlerts/body}" />
+			</If>
+		</DoWhile>
+
+		<!-- Dispose generated token to clear active session -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
+			<If condition="/ignore_selfsigned_certificate == 1">
+				<SSLConfiguration allowUntrustedServerCertificate="true" />
+			</If>
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/delFeApiToken/status_code != 204">
+			<Log type="Error" message="Trellix HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
+			<Abort reason="${/delFeApiToken/body}" />
+		</If>
+	</Actions>
+
+	<Tests>
+		<DNSResolutionTest host="${/host}" />
+		<TCPConnectionTest host="${/host}" port="${/hx_port}" />
+		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
+		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
+	</Tests>
+</Workflow>

Community Developed/Trellix HX/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Mohamed Al-Shabrawy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
+    <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
+    <Value name="username" value="api_analyst" />
+    <Value name="password" value="api_analyst" />
+</WorkflowParameterValues>