From bed60edc92257f21581159d4e834246b989f68cc Mon Sep 17 00:00:00 2001
From: ibm-app-crest <ibm-app-upload@crestdata.ai>
Date: Wed, 8 Jan 2025 15:45:17 +0530
Subject: [PATCH 1/9] Uploading Netskope workflows with ReadMe

Signed-off-by: ibm-app-crest <ibm-app-upload@crestdata.ai>
Signed-off-by: ebasso <ebasso@ebasso.net>
---
 .../Netskope-Alert-Event-Workflow.xml         | 130 +++++++++++++++++
 .../Netskope-Application-Event-Workflow.xml   | 130 +++++++++++++++++
 .../Netskope-Audit-Event-Workflow.xml         | 131 +++++++++++++++++
 .../Netskope/Netskope-CTEP-Alert-Workflow.xml | 130 +++++++++++++++++
 ...-Compromised-Credential-Alert-Workflow.xml | 130 +++++++++++++++++
 .../Netskope-Connection-Event-Workflow.xml    | 130 +++++++++++++++++
 .../Netskope-Content-Alert-Workflow.xml       | 130 +++++++++++++++++
 .../Netskope/Netskope-DLP-Alert-Workflow.xml  | 130 +++++++++++++++++
 .../Netskope-Device-Alert-Workflow.xml        | 130 +++++++++++++++++
 .../Netskope-Endpoint-Event-Workflow.xml      | 130 +++++++++++++++++
 .../Netskope-Incident-Event-Workflow.xml      | 135 ++++++++++++++++++
 ...Netskope-Infrastructure-Event-Workflow.xml | 135 ++++++++++++++++++
 .../Netskope-Malsite-Alert-Workflow.xml       | 130 +++++++++++++++++
 .../Netskope-Malware-Alert-Workflow.xml       | 130 +++++++++++++++++
 .../Netskope-Network-Event-Workflow.xml       | 130 +++++++++++++++++
 .../Netskope/Netskope-Page-Event-Workflow.xml | 130 +++++++++++++++++
 .../Netskope-Policy-Alert-Workflow.xml        | 130 +++++++++++++++++
 .../Netskope-Quarantine-Alert-Workflow.xml    | 130 +++++++++++++++++
 .../Netskope-Remediation-Alert-Workflow.xml   | 130 +++++++++++++++++
 ...ope-Security-Assessment-Alert-Workflow.xml | 130 +++++++++++++++++
 .../Netskope/Netskope-UBA-Alert-Workflow.xml  | 130 +++++++++++++++++
 .../Netskope-Watchlist-Alert-Workflow.xml     | 130 +++++++++++++++++
 .../Netskope-Workflow-Parameter-Values.xml    |  22 +++
 Community Developed/Netskope/README.md        |  92 ++++++++++++
 24 files changed, 2985 insertions(+)
 create mode 100644 Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Application-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Network-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Page-Event-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml
 create mode 100644 Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml
 create mode 100644 Community Developed/Netskope/README.md

diff --git a/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml
new file mode 100644
index 0000000..bc4c805
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Alert Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Alert_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/alertEventEndpoint" value="/api/v2/events/dataexport/events/alert" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_alert_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Alert Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/alertEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/alertEventEndpoint}" method="GET" savePath="/alertEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/alertEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/alertEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/alertEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/alertEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/alertEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/alertEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/alertEvent/response/status_code = 200">
+                <!-- Ingest Alert Events into QRadar -->
+                <PostEvents path="/alertEvent/response/body/result" source="netskope_alert_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/alertEvent/response/body/result)} Alert Events ingested in QRadar." />
+
+                <If condition="${count(/alertEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Alert Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/alertEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/alertEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/alertEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Alert Events with status code - ${/alertEvent/response/status_code}, Body - ${/alertEvent/response/body}" />
+                <Abort reason="API call failed for collecting Alert Events with status code - ${/alertEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml
new file mode 100644
index 0000000..dd72be0
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Application Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Application_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/applicationEventEndpoint" value="/api/v2/events/dataexport/events/application" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_application_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Application Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/applicationEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+                
+                <CallEndpoint url="${/netskopeUrl}${/applicationEventEndpoint}" method="GET" savePath="/applicationEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/applicationEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/applicationEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/applicationEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/applicationEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/applicationEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/applicationEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/applicationEvent/response/status_code = 200">
+                <!-- Ingest Application Events into QRadar -->
+                <PostEvents path="/applicationEvent/response/body/result" source="netskope_application_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/applicationEvent/response/body/result)} Application Events ingested in QRadar." />
+
+                <If condition="${count(/applicationEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Application Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/applicationEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/applicationEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/applicationEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Application Events with status code - ${/applicationEvent/response/status_code}, Body - ${/applicationEvent/response/body}" />
+                <Abort reason="API call failed for collecting Application Events with status code - ${/applicationEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml
new file mode 100644
index 0000000..a6b02ff
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml	
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Audit Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Audit_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/auditEventEndpoint" value="/api/v2/events/dataexport/events/audit" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_audit_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Audit Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/auditEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+
+                <CallEndpoint url="${/netskopeUrl}${/auditEventEndpoint}" method="GET" savePath="/auditEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/auditEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/auditEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/auditEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/auditEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/auditEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/auditEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/auditEvent/response/status_code = 200">
+                <!-- Ingest Audit Events into QRadar -->
+                <PostEvents path="/auditEvent/response/body/result" source="netskope_audit_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/auditEvent/response/body/result)} Audit Events ingested in QRadar." />
+
+                <If condition="${count(/auditEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Audit Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/auditEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/auditEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/auditEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Audit Events with status code - ${/auditEvent/response/status_code}, Body - ${/auditEvent/response/body}" />
+                <Abort reason="API call failed for collecting Audit Events with status code - ${/auditEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml
new file mode 100644
index 0000000..f662319
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope CTEP Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][CTEP_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/ctepAlertEndpoint" value="/api/v2/events/dataexport/alerts/ctep" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_ctep_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - CTEP Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/ctepAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/ctepAlertEndpoint}" method="GET" savePath="/ctepAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/ctepAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/ctepAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/ctepAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/ctepAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/ctepAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/ctepAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/ctepAlert/response/status_code = 200">
+                <!-- Ingest CTEP Alerts into QRadar -->
+                <PostEvents path="/ctepAlert/response/body/result" source="netskope_ctep_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/ctepAlert/response/body/result)} CTEP Alerts ingested in QRadar." />
+
+                <If condition="${count(/ctepAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - CTEP Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/ctepAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/ctepAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/ctepAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting CTEP Alerts with status code - ${/ctepAlert/response/status_code}, Body - ${/ctepAlert/response/body}" />
+                <Abort reason="API call failed for collecting CTEP Alerts with status code - ${/ctepAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml
new file mode 100644
index 0000000..0d5fbd2
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Compromised Credential Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Compromised_Credential_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/compromisedcredentialAlertEndpoint" value="/api/v2/events/dataexport/alerts/compromisedcredential" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_compromisedcredential_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Compromised Credential Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/compromisedcredentialAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/compromisedcredentialAlertEndpoint}" method="GET" savePath="/compromisedcredentialAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/compromisedcredentialAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/compromisedcredentialAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/compromisedcredentialAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/compromisedcredentialAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/compromisedcredentialAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/compromisedcredentialAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/compromisedcredentialAlert/response/status_code = 200">
+                <!-- Ingest Compromised Credential Alerts into QRadar -->
+                <PostEvents path="/compromisedcredentialAlert/response/body/result" source="netskope_compromisedcredential_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/compromisedcredentialAlert/response/body/result)} Compromised Credential Alerts ingested in QRadar." />
+
+                <If condition="${count(/compromisedcredentialAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Compromised Credential Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/compromisedcredentialAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/compromisedcredentialAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/compromisedcredentialAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Compromised Credential Alerts with status code - ${/compromisedcredentialAlert/response/status_code}, Body - ${/compromisedcredentialAlert/response/body}" />
+                <Abort reason="API call failed for collecting Compromised Credential Alerts with status code - ${/compromisedcredentialAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml
new file mode 100644
index 0000000..bce8824
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Connection Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Connection_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/connectionEventEndpoint" value="/api/v2/events/dataexport/events/connection" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_connection_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Connection Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/connectionEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/connectionEventEndpoint}" method="GET" savePath="/connectionEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/connectionEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/connectionEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/connectionEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/connectionEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/connectionEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/connectionEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/connectionEvent/response/status_code = 200">
+                <!-- Ingest Connection Events into QRadar -->
+                <PostEvents path="/connectionEvent/response/body/result" source="netskope_connection_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/connectionEvent/response/body/result)} Connection Events ingested in QRadar." />
+
+                <If condition="${count(/connectionEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Connection Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/connectionEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/connectionEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/connectionEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Connection Events with status code - ${/connectionEvent/response/status_code}, Body - ${/connectionEvent/response/body}" />
+                <Abort reason="API call failed for collecting Connection Events with status code - ${/connectionEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml
new file mode 100644
index 0000000..8f12e23
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Content Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Content_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/contentAlertEndpoint" value="/api/v2/events/dataexport/alerts/content" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_content_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Content Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/contentAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/contentAlertEndpoint}" method="GET" savePath="/contentAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/contentAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/contentAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/contentAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/contentAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/contentAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/contentAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/contentAlert/response/status_code = 200">
+                <!-- Ingest Content Alerts into QRadar -->
+                <PostEvents path="/contentAlert/response/body/result" source="netskope_content_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/contentAlert/response/body/result)} Content Alerts ingested in QRadar." />
+
+                <If condition="${count(/contentAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Content Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/contentAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/contentAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/contentAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Content Alerts with status code - ${/contentAlert/response/status_code}, Body - ${/contentAlert/response/body}" />
+                <Abort reason="API call failed for collecting Content Alerts with status code - ${/contentAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml
new file mode 100644
index 0000000..0369de3
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope DLP Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][DLP_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/dlpAlertEndpoint" value="/api/v2/events/dataexport/alerts/dlp" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_dlp_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - DLP Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/dlpAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/dlpAlertEndpoint}" method="GET" savePath="/dlpAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/dlpAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/dlpAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/dlpAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/dlpAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/dlpAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/dlpAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/dlpAlert/response/status_code = 200">
+                <!-- Ingest DLP Alerts into QRadar -->
+                <PostEvents path="/dlpAlert/response/body/result" source="netskope_dlp_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/dlpAlert/response/body/result)} DLP Alerts ingested in QRadar." />
+
+                <If condition="${count(/dlpAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - DLP Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/dlpAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/dlpAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/dlpAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting DLP Alerts with status code - ${/dlpAlert/response/status_code}, Body - ${/dlpAlert/response/body}" />
+                <Abort reason="API call failed for collecting DLP Alerts with status code - ${/dlpAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml
new file mode 100644
index 0000000..38e882e
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Device Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Device_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/deviceAlertEndpoint" value="/api/v2/events/dataexport/alerts/device" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_device_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Device Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/deviceAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/deviceAlertEndpoint}" method="GET" savePath="/deviceAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/deviceAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/deviceAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/deviceAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/deviceAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/deviceAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/deviceAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/deviceAlert/response/status_code = 200">
+                <!-- Ingest Device Alerts into QRadar -->
+                <PostEvents path="/deviceAlert/response/body/result" source="netskope_device_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/deviceAlert/response/body/result)} Device Alerts ingested in QRadar." />
+
+                <If condition="${count(/deviceAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Device Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/deviceAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/deviceAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/deviceAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Device Alerts with status code - ${/deviceAlert/response/status_code}, Body - ${/deviceAlert/response/body}" />
+                <Abort reason="API call failed for collecting Device Alerts with status code - ${/deviceAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml
new file mode 100644
index 0000000..5b2b804
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Endpoint Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Endpoint_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/endpointEventEndpoint" value="/api/v2/events/dataexport/events/endpoint" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_endpoint_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Endpoint Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/endpointEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/endpointEventEndpoint}" method="GET" savePath="/endpointEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/endpointEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/endpointEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/endpointEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/endpointEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/endpointEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/endpointEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/endpointEvent/response/status_code = 200">
+                <!-- Ingest Endpoint Events into QRadar -->
+                <PostEvents path="/endpointEvent/response/body/result" source="netskope_endpoint_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/endpointEvent/response/body/result)} Endpoint Events ingested in QRadar." />
+
+                <If condition="${count(/endpointEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Endpoint Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/endpointEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/endpointEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/endpointEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Endpoint Events with status code - ${/endpointEvent/response/status_code}, Body - ${/endpointEvent/response/body}" />
+                <Abort reason="API call failed for collecting Endpoint Events with status code - ${/endpointEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml
new file mode 100644
index 0000000..7b6834d
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml	
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Incident Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+    
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Incident_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/incidentEventEndpoint" value="/api/v2/events/dataexport/events/incident" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_incident_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Incident Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/incidentEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/incidentEventEndpoint}" method="GET" savePath="/incidentEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/incidentEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/incidentEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/incidentEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/incidentEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/incidentEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/incidentEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/incidentEvent/response/status_code = 200">
+                <!-- Process and ingest collected Incident events, Add type as incident-->
+                
+                <ForEach item="/current_event" items="/incidentEvent/response/body/result">
+                    <Set path="/current_event/type" value="incident" />
+                    <PostEvent path="/current_event" source="netskope_incident_event" />
+                </ForEach>
+
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/incidentEvent/response/body/result)} Incident Events ingested in QRadar." />
+
+                <If condition="${count(/incidentEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Incident Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/incidentEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/incidentEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/incidentEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Incident Events with status code - ${/incidentEvent/response/status_code}, Body - ${/incidentEvent/response/body}" />
+                <Abort reason="API call failed for collecting Incident Events with status code - ${/incidentEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml
new file mode 100644
index 0000000..5107eb1
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml	
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Infrastructure Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Infrastructure_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/infrastructureEventEndpoint" value="/api/v2/events/dataexport/events/infrastructure" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_infrastructure_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Infrastructure Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/infrastructureEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/infrastructureEventEndpoint}" method="GET" savePath="/infrastructureEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/infrastructureEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/infrastructureEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/infrastructureEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/infrastructureEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/infrastructureEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/infrastructureEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/infrastructureEvent/response/status_code = 200">
+                <!-- Process and ingest collected Infrastructure events, Add type as infrastructure-->
+                
+                <ForEach item="/current_event" items="/infrastructureEvent/response/body/result">
+                    <Set path="/current_event/type" value="infrastructure" />
+                    <PostEvent path="/current_event" source="netskope_infrastructure_event" />
+                </ForEach>
+
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/infrastructureEvent/response/body/result)} Infrastructure Events ingested in QRadar." />
+
+                <If condition="${count(/infrastructureEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Infrastructure Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/infrastructureEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/infrastructureEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/infrastructureEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Infrastructure Events with status code - ${/infrastructureEvent/response/status_code}, Body - ${/infrastructureEvent/response/body}" />
+                <Abort reason="API call failed for collecting Infrastructure Events with status code - ${/infrastructureEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml
new file mode 100644
index 0000000..7220384
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Malsite Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Malsite_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/malsiteAlertEndpoint" value="/api/v2/events/dataexport/alerts/malsite" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_malsite_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Malsite Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/malsiteAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/malsiteAlertEndpoint}" method="GET" savePath="/malsiteAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/malsiteAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/malsiteAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/malsiteAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/malsiteAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/malsiteAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/malsiteAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/malsiteAlert/response/status_code = 200">
+                <!-- Ingest Malsite Alerts into QRadar -->
+                <PostEvents path="/malsiteAlert/response/body/result" source="netskope_malsite_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/malsiteAlert/response/body/result)} Malsite Alerts ingested in QRadar." />
+
+                <If condition="${count(/malsiteAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Malsite Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/malsiteAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/malsiteAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/malsiteAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Malsite Alerts with status code - ${/malsiteAlert/response/status_code}, Body - ${/malsiteAlert/response/body}" />
+                <Abort reason="API call failed for collecting Malsite Alerts with status code - ${/malsiteAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml
new file mode 100644
index 0000000..73c4f8c
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Malware Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Malware_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/malwareAlertEndpoint" value="/api/v2/events/dataexport/alerts/malware" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_malware_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Malware Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/malwareAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/malwareAlertEndpoint}" method="GET" savePath="/malwareAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/malwareAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/malwareAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/malwareAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/malwareAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/malwareAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/malwareAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/malwareAlert/response/status_code = 200">
+                <!-- Ingest Malware Alerts into QRadar -->
+                <PostEvents path="/malwareAlert/response/body/result" source="netskope_malware_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/malwareAlert/response/body/result)} Malware Alerts ingested in QRadar." />
+
+                <If condition="${count(/malwareAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Malware Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/malwareAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/malwareAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/malwareAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Malware Alerts with status code - ${/malwareAlert/response/status_code}, Body - ${/malwareAlert/response/body}" />
+                <Abort reason="API call failed for collecting Malware Alerts with status code - ${/malwareAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml
new file mode 100644
index 0000000..7359940
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Network Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Network_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/networkEventEndpoint" value="/api/v2/events/dataexport/events/network" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_network_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Network Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/networkEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/networkEventEndpoint}" method="GET" savePath="/networkEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/networkEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/networkEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/networkEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/networkEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/networkEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/networkEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/networkEvent/response/status_code = 200">
+                <!-- Ingest Network Events into QRadar -->
+                <PostEvents path="/networkEvent/response/body/result" source="netskope_network_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/networkEvent/response/body/result)} Network Events ingested in QRadar." />
+
+                <If condition="${count(/networkEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Network Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/networkEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/networkEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/networkEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Network Events with status code - ${/networkEvent/response/status_code}, Body - ${/networkEvent/response/body}" />
+                <Abort reason="API call failed for collecting Network Events with status code - ${/networkEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml
new file mode 100644
index 0000000..7a3198b
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Page Event" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Page_Event][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/pageEventEndpoint" value="/api/v2/events/dataexport/events/page" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_page_event" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Page Event collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/pageEventEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/pageEventEndpoint}" method="GET" savePath="/pageEvent/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/pageEvent/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/pageEvent/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/pageEvent/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/pageEvent/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/pageEvent/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/pageEvent/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/pageEvent/response/status_code = 200">
+                <!-- Ingest Page Events into QRadar -->
+                <PostEvents path="/pageEvent/response/body/result" source="netskope_page_event" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/pageEvent/response/body/result)} Page Events ingested in QRadar." />
+
+                <If condition="${count(/pageEvent/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Page Event collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/pageEvent/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/pageEvent/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/pageEvent/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Page Events with status code - ${/pageEvent/response/status_code}, Body - ${/pageEvent/response/body}" />
+                <Abort reason="API call failed for collecting Page Events with status code - ${/pageEvent/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml
new file mode 100644
index 0000000..e291f0c
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Policy Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Policy_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/policyAlertEndpoint" value="/api/v2/events/dataexport/alerts/policy" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_policy_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Policy Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/policyAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/policyAlertEndpoint}" method="GET" savePath="/policyAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/policyAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/policyAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/policyAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/policyAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/policyAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/policyAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/policyAlert/response/status_code = 200">
+                <!-- Ingest Policy Alerts into QRadar -->
+                <PostEvents path="/policyAlert/response/body/result" source="netskope_policy_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/policyAlert/response/body/result)} Policy Alerts ingested in QRadar." />
+
+                <If condition="${count(/policyAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Policy Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/policyAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/policyAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/policyAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Policy Alerts with status code - ${/policyAlert/response/status_code}, Body - ${/policyAlert/response/body}" />
+                <Abort reason="API call failed for collecting Policy Alerts with status code - ${/policyAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml
new file mode 100644
index 0000000..c4e6b02
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Quarantine Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Quarantine_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/quarantineAlertEndpoint" value="/api/v2/events/dataexport/alerts/quarantine" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_quarantine_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Quarantine Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/quarantineAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/quarantineAlertEndpoint}" method="GET" savePath="/quarantineAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/quarantineAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/quarantineAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/quarantineAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/quarantineAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/quarantineAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/quarantineAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/quarantineAlert/response/status_code = 200">
+                <!-- Ingest Quarantine Alerts into QRadar -->
+                <PostEvents path="/quarantineAlert/response/body/result" source="netskope_quarantine_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/quarantineAlert/response/body/result)} Quarantine Alerts ingested in QRadar." />
+
+                <If condition="${count(/quarantineAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Quarantine Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/quarantineAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/quarantineAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/quarantineAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Quarantine Alerts with status code - ${/quarantineAlert/response/status_code}, Body - ${/quarantineAlert/response/body}" />
+                <Abort reason="API call failed for collecting Quarantine Alerts with status code - ${/quarantineAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml
new file mode 100644
index 0000000..785ebcf
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Remediation Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Remediation_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/remediationAlertEndpoint" value="/api/v2/events/dataexport/alerts/remediation" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_remediation_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Remediation Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/remediationAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/remediationAlertEndpoint}" method="GET" savePath="/remediationAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/remediationAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/remediationAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/remediationAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/remediationAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/remediationAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/remediationAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/remediationAlert/response/status_code = 200">
+                <!-- Ingest Remediation Alerts into QRadar -->
+                <PostEvents path="/remediationAlert/response/body/result" source="netskope_remediation_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/remediationAlert/response/body/result)} Remediation Alerts ingested in QRadar." />
+
+                <If condition="${count(/remediationAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Remediation Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/remediationAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/remediationAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/remediationAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Remediation Alerts with status code - ${/remediationAlert/response/status_code}, Body - ${/remediationAlert/response/body}" />
+                <Abort reason="API call failed for collecting Remediation Alerts with status code - ${/remediationAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml
new file mode 100644
index 0000000..f38ec23
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Security Assessment Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Security_Assessment_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/securityAssessmentAlertEndpoint" value="/api/v2/events/dataexport/alerts/securityassessment" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_security_assessment_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Security Assessment Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/securityAssessmentAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/securityAssessmentAlertEndpoint}" method="GET" savePath="/securityAssessmentAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/securityAssessmentAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/securityAssessmentAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/securityAssessmentAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/securityAssessmentAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/securityAssessmentAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/securityAssessmentAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/securityAssessmentAlert/response/status_code = 200">
+                <!-- Ingest Security Assessment Alerts into QRadar -->
+                <PostEvents path="/securityAssessmentAlert/response/body/result" source="netskope_security_assessment_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/securityAssessmentAlert/response/body/result)} Security Assessment Alerts ingested in QRadar." />
+
+                <If condition="${count(/securityAssessmentAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Security Assessment Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/securityAssessmentAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/securityAssessmentAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/securityAssessmentAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Security Assessment Alerts with status code - ${/securityAssessmentAlert/response/status_code}, Body - ${/securityAssessmentAlert/response/body}" />
+                <Abort reason="API call failed for collecting Security Assessment Alerts with status code - ${/securityAssessmentAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml
new file mode 100644
index 0000000..e7cf53a
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope UBA Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][UBA_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/ubaAlertEndpoint" value="/api/v2/events/dataexport/alerts/uba" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_uba_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - UBA Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/ubaAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/ubaAlertEndpoint}" method="GET" savePath="/ubaAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/ubaAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/ubaAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/ubaAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/ubaAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/ubaAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/ubaAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/ubaAlert/response/status_code = 200">
+                <!-- Ingest UBA Alerts into QRadar -->
+                <PostEvents path="/ubaAlert/response/body/result" source="netskope_uba_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/ubaAlert/response/body/result)} UBA Alerts ingested in QRadar." />
+
+                <If condition="${count(/ubaAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - UBA Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/ubaAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/ubaAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/ubaAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting UBA Alerts with status code - ${/ubaAlert/response/status_code}, Body - ${/ubaAlert/response/body}" />
+                <Abort reason="API call failed for collecting UBA Alerts with status code - ${/ubaAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml
new file mode 100644
index 0000000..2415fd9
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml	
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Netskope Watchlist Alert" version="1.0"
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+
+    <!-- Collect configurations from workflow parameter file -->
+    <Parameters>
+        <Parameter name="tenantHostName" label="Tenant Hostname" required="true"/>
+        <Parameter name="apiToken" label="API Token" secret="true" required="true" />
+        <Parameter name="operationIndex" label="Operation Index" required="true" />
+        <Parameter name="indexParam" label="Index" required="true" />
+    </Parameters>
+
+    <Actions>
+
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Defining variables for running workflow -->
+        <Set path="/netskopeUrl" value="https://${/tenantHostName}"/>
+        <Set path="/logPrefix" value="[Netskope_App_for_QRadar][Watchlist_Alert][${/netskopeUrl}]" />
+        <Initialize path="/maxRetry" value="3" />
+        <Initialize path="/watchlistAlertEndpoint" value="/api/v2/events/dataexport/alerts/watchlist" />
+        <Initialize path="/defaultSleepTime" value="30" />
+        <Initialize path="/defaultWaitTime" value="5" />
+        <Initialize path="/appVersion" value="4.0.0" />
+        <Initialize path="/userAgentHeader" value="Netskope-QRadar-${/appVersion}" />
+        <Initialize path="/index" value="${/indexParam}_watchlist_alert" />
+
+        <!-- Operation  -->
+        <Initialize path="/operation" value="${/operationIndex}" />
+
+        <!-- Print log in the /var/log/qradar.log file with info log level -->
+        <Log type="INFO" message="${/logPrefix} - Watchlist Alert collection started." />
+
+        <Set path="/loopBreaker" value="false" />
+
+        <!-- Perform data collection continuously in case of no error -->
+        <While condition="${/loopBreaker} = false">
+
+            <Set path="/retryCount" value="0" />
+            <While condition="${/retryCount != ${/maxRetry}}">
+                <Log type="INFO" message="${/logPrefix} - Requesting URL ${/netskopeUrl}${/watchlistAlertEndpoint} with query parameters operation=${/operation}, index=${/index}." />
+
+                <CallEndpoint url="${/netskopeUrl}${/watchlistAlertEndpoint}" method="GET" savePath="/watchlistAlert/response">
+                    <QueryParameter name="operation" value="${/operation}" />
+                    <QueryParameter name="index" value="${/index}" />
+
+                    <!-- Request header -->
+                    <RequestHeader name="User-Agent" value="${/userAgentHeader}" />
+                    <RequestHeader name="Netskope-Api-Token" value="${/apiToken}" />
+                </CallEndpoint>
+
+                <!-- Retry 3 times if the status code is 429. i.e API Rate limit exceeded. -->
+                <If condition="${/watchlistAlert/response/status_code} = 429">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - API Rate limit exceeded. Status Code: 429." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code 429 exceeded." />
+                        <Abort reason="Number of retries exceeded for status code 429." />
+                    </If>
+
+                    <!-- Calculating back off time, if it is not present in header take default time -->
+                    <Set path="/sleepTime" value="${/watchlistAlert/response/headers/ratelimit-reset}" />
+                    <If condition="${/sleepTime = ''}">
+                        <Set path="/sleepTime" value="${/defaultSleepTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/sleepTime} seconds." />
+                    <Sleep duration="${/sleepTime * 1000}" />
+                </If>
+                
+                <!-- Retry 3 times if the status code is 5xx. i.e internal server error. -->
+                <ElseIf condition="${/watchlistAlert/response/status_code} >= 500">
+                    <Set path="/retryCount" value="${/retryCount + 1}" />
+                    <Log type="INFO" message="${/logPrefix} - Internal server Error. Status Code: ${/watchlistAlert/response/status_code}." />
+
+                    <If condition="${/retryCount = ${/maxRetry}}">
+                        <Log type="INFO" message="${/logPrefix} Abort - Number of retry attempts for status code ${/watchlistAlert/response/status_code} exceeded." />
+                        <Abort reason="Number of retries exceeded for status code ${/watchlistAlert/response/status_code}." />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/defaultWaitTime} seconds." />
+                    <Sleep duration="${/defaultWaitTime * 1000}" />
+                </ElseIf>
+
+                <Else>
+                    <Set path="/retryCount" value="${/maxRetry}" />
+                </Else>
+
+            </While>
+            <If condition="/watchlistAlert/response/status_code = 200">
+                <!-- Ingest Watchlist Alerts into QRadar -->
+                <PostEvents path="/watchlistAlert/response/body/result" source="netskope_watchlist_alert" />
+                <Log type="INFO" message="${/logPrefix} - Total ${count(/watchlistAlert/response/body/result)} Watchlist Alerts ingested in QRadar." />
+
+                <If condition="${count(/watchlistAlert/response/body/result) = 0}">
+                    <Log type="INFO" message="${/logPrefix} - Watchlist Alert collection completed."/>
+                    <Set path="/loopBreaker" value="true"/>
+                </If>
+                <Else>
+                    
+                    <Set path="/waitTime" value="${/watchlistAlert/response/body/wait_time}" />
+                    
+                    <If condition="${/waitTime = ''}">
+                        <Set path="/waitTime" value="${/defaultWaitTime}" />
+                    </If>
+                    <Log type="INFO" message="${/logPrefix} - Sleeping for ${/waitTime} seconds." />
+                    <Sleep duration="${/waitTime * 1000}" />
+                </Else>
+                <Set path="/operation" value="next" />
+                
+            </If>
+            <ElseIf condition="/watchlistAlert/response/status_code = 401">
+                <Log type="INFO" message="${/logPrefix} Abort - Invalid API token is provided. status code - 401, Body - ${/watchlistAlert/response/body}" />
+                <Abort reason="Invalid API token is provided. status code - 401." />
+            </ElseIf>
+            <Else>
+                <Log type="INFO" message="${/logPrefix} Abort - API call failed for collecting Watchlist Alerts with status code - ${/watchlistAlert/response/status_code}, Body - ${/watchlistAlert/response/body}" />
+                <Abort reason="API call failed for collecting Watchlist Alerts with status code - ${/watchlistAlert/response/status_code}" />
+            </Else>
+        </While>
+    </Actions>
+
+    <!-- Performing some connectivity tests -->
+    <Tests>
+        <DNSResolutionTest host="${/tenantHostName}" />
+        <TCPConnectionTest host="${/tenantHostName}" />
+        <SSLHandshakeTest host="${/tenantHostName}" />
+        <HTTPConnectionThroughProxyTest url="https://${/tenantHostName}" />
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml b/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml
new file mode 100644
index 0000000..9f53384
--- /dev/null
+++ b/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml	
@@ -0,0 +1,22 @@
+<?xml version="1.0" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
+
+    <!-- Do not add http or https in the below value of Tenant Hostname-->
+    <Value name="tenantHostName" value=""/>
+
+    <!-- API token for authentication. -->
+    <Value name="apiToken" value=""/>
+
+    <!-- 
+        Accepted values for 'operationIndex' are ["head","tail",<epoch timestamp>]
+        - "head": Retrieve logs from the beginning.
+        - "tail": Retrieve logs from the current timestamp.
+        - <epoch timestamp>: Retrieve logs from the specified timestamp (e.g., "1609459200").
+        
+        Note: The parameter ‘operationIndex’ is only used during the initial configuration of the workflow. Once data collection begins, the API will only use the value 'next'.
+    -->
+    <Value name="operationIndex" value=""/>
+
+    <!-- Enter a unique identifier. This will be used to create an iterator. -->
+    <Value name="indexParam" value=""/>
+</WorkflowParameterValues>
\ No newline at end of file
diff --git a/Community Developed/Netskope/README.md b/Community Developed/Netskope/README.md
new file mode 100644
index 0000000..ad22c18
--- /dev/null
+++ b/Community Developed/Netskope/README.md	
@@ -0,0 +1,92 @@
+# Collect authentication info from Netskope #
+
+To integrate with QRadar, you need to add a Netskope connector in QRadar's Universal REST connector. To do so, you'll need to first collect the following authentication information from Netskope:
+
+- Netskope Tenant Hostname
+- API Token
+
+# Netskope Tenant Hostname #
+
+To find your Netskope Tenant Hostname:
+
+1. Log in to Netskope portal, then take the hostname from the URL.
+2. Copy the Netskope URL and remove “https://” if it is there at the start of URL.
+
+# API Token #
+
+To create an API Token, Follow the steps from the documentation of Netskope - <https://docs.netskope.com/en/rest-api-v2-overview-312207>
+Make sure to add required endpoints while creating API Token. Supported Endpoints are listed [here](#supported-events-and-alerts-types)
+
+# QRadar Log Source Configuration #
+
+If you want to ingest data from an endpoint using Universal Rest API Protocol, configure a log source on the QRadar® Console using the Workflow field so that the defined endpoint can communicate with QRadar by using the Universal Rest API protocol.
+
+1. Log in to QRadar.
+2. Click the *Admin* tab.
+3. To open the app, click the *QRadar Log Source Management* app icon.
+4. Click *New Log Source* > Single Log Source.
+
+
+## 1. Select Log Source Type ##
+1. Select *Netskope* log source type. 
+2. Click *Select Protocol Type* to go to the next section.
+
+## 2. Select Protocol Type ##
+1. Select *Universal Cloud Rest API* protocol type. 
+2. Click *Configure Log Source Parameters* to go to the next section.
+3. If option "Universal Cloud Rest API" is not available in protocol type, then uninstall the Netskope app from extensions management, install the Universal Cloud Rest API Protocol and then install the Netskope app.
+
+## 3. Configure Log Source Parameters ##
+1. Name is the name of the Log Source and it can be kept anything based on the user's choice.
+2. Select "NetskopeCustom_ext" Extension. It is used for post processing of events.
+3. Disable *Coalescing Events* to avoid grouping of the events on the basis of Source and Destination IP. 
+4. Except for the above fields everything can be kept as their default values or if needed can be changed by the QRadar admin.
+5. Click *Configure Protocol Parameters* to go to the next section. 
+
+## 4. Configure Protocol Parameters ##
+1.  **Add "Log Source Identifier" from the list [here](#supported-events-and-alerts-types) for the respective data type.**
+2.  Copy the content of the any workflow file in "Workflow". List of the workflow files can be found [here](#supported-events-and-alerts-types).
+3.  Modify the content as per user specification in the file Netskope-Workflow-Parameter-Values.xml and add in "Workflow Parameter Values".
+4.  Create new log sources and repeat **QRadar Log Source Configuration** steps to collect other data and use the files as Workflow listed [here](#supported-events-and-alerts-types).
+5.  Recurrence is the time interval between each execution of the workflow. It can be modified according the user's requirement, default value would be 10 minutes. Recommended value is 1 minutes.
+6.  Except for the above fields everything can be kept as their default values or if needed can be changed by the QRadar admin.
+7.  Click *Test Protocol Parameters* to test the entered workflow files.
+
+## 5. Test Protocol Parameters ##
+1.  Click *Start Test* to start the testing of the entered workflows, once it is finished click *Finish*.
+2.  Deploy the configuration from admin panel.
+
+# Workflow Parameter Description #
+1. tenantHostName: The Netskope Tenant Hostname to fetch the events from Netskope. If your URL is https://example.com/accounts then enter example.com
+2. apiToken: The API Token obtained from Netskope portal.
+3. operationIndex: Enter the value of operationIndex. Accepted values are ["head","tail",epoch timestamp]. **Note**: The parameter ‘operationIndex’ is only used during the initial configuration of the workflow. Once data collection begins, the API will only use the value 'next'.
+4. indexParam: A unique identifier. This will be used to create an iterator.
+
+# Supported Events and Alerts Types #
+
+| Workflow Name | Events/Alerts will be collected | API Endpoint | Log Source Identifier |
+| --- | --- | --- | --- |
+| Netskope-Compromised-Credential-Alert-Workflow.xml | Compromised Credential Alert | /api/v2/events/dataexport/alerts/compromisedcredential | netskope_compromisedcredential_alert |
+| Netskope-Content-Alert-Workflow.xml | Content Alert | /api/v2/events/dataexport/alerts/content | netskope_content_alert |
+| Netskope-CTEP-Alert-Workflow.xml | CTEP Alert | /api/v2/events/dataexport/alerts/ctep | netskope_ctep_alert |
+| Netskope-Device-Alert-Workflow.xml | Device Alert | /api/v2/events/dataexport/alerts/device | netskope_device_alert |
+| Netskope-DLP-Alert-Workflow.xml | DLP Alert | /api/v2/events/dataexport/alerts/dlp | netskope_dlp_alert |
+| Netskope-Malsite-Alert-Workflow.xml | Malsite Alert | /api/v2/events/dataexport/alerts/malsite | netskope_malsite_alert |
+| Netskope-Malware-Alert-Workflow.xml | Malware Alert | /api/v2/events/dataexport/alerts/malware | netskope_malware_alert |
+| Netskope-Policy-Alert-Workflow.xml | Policy Alert | /api/v2/events/dataexport/alerts/policy | netskope_policy_alert |
+| Netskope-Quarantine-Alert-Workflow.xml | Quarantine Alert | /api/v2/events/dataexport/alerts/quarantine | netskope_quarantine_alert |
+| Netskope-Remediation-Alert-Workflow.xml | Remediation Alert | /api/v2/events/dataexport/alerts/remediation | netskope_remediation_alert |
+| Netskope-Security-Assessment-Alert-Workflow.xml | Security Assessment Alert | /api/v2/events/dataexport/alerts/securityassessment | netskope_security_assessment_alert |
+| Netskope-UBA-Alert-Workflow.xml | UBA Alert | /api/v2/events/dataexport/alerts/uba | netskope_uba_alert |
+| Netskope-Watchlist-Alert-Workflow.xml | Watchlist Alert | /api/v2/events/dataexport/alerts/watchlist | netskope_watchlist_alert |
+| Netskope-Alert-Event-Workflow.xml | Alert Event | /api/v2/events/dataexport/events/alert | netskope_alert_event |
+| Netskope-Application-Event-Workflow.xml | Application Event | /api/v2/events/dataexport/events/application | netskope_application_event |
+| Netskope-Audit-Event-Workflow.xml | Audit Event | /api/v2/events/dataexport/events/audit | netskope_audit_event |
+| Netskope-Connection-Event-Workflow.xml | Connection Event | /api/v2/events/dataexport/alerts/connection | netskope_connection_event |
+| Netskope-Endpoint-Event-Workflow.xml | Endpoint Event | /api/v2/events/dataexport/events/endpoint | netskope_endpoint_event |
+| Netskope-Incident-Event-Workflow.xml | Incident Event | /api/v2/events/dataexport/events/incident | netskope_incident_event |
+| Netskope-Infrastructure-Event-Workflow.xml | Infrastructure Event | /api/v2/events/dataexport/events/infrastructure | netskope_infrastructure_event |
+| Netskope-Network-Event-Workflow.xml | Network Event | /api/v2/events/dataexport/events/network | netskope_network_event |
+| Netskope-Page-Event-Workflow.xml | Page Event | /api/v2/events/dataexport/events/page | netskope_page_event |
+
+**Note**: The Log Source Identifier value must be the same from the above table.
\ No newline at end of file

From 42094436ccd5480ca8217e97d1d93cd2ae67626c Mon Sep 17 00:00:00 2001
From: ibm-app-crest <ibm-app-upload@crestdata.ai>
Date: Mon, 13 Jan 2025 20:24:23 +0530
Subject: [PATCH 2/9] Updated the workflow verion to 2_1

Signed-off-by: ibm-app-crest <ibm-app-upload@crestdata.ai>
Signed-off-by: ebasso <ebasso@ebasso.net>
---
 .../Netskope-Alert-Event-Workflow.xml         |  4 +-
 .../Netskope-Application-Event-Workflow.xml   |  4 +-
 .../Netskope-Audit-Event-Workflow.xml         |  4 +-
 .../Netskope/Netskope-CTEP-Alert-Workflow.xml |  4 +-
 ...-Compromised-Credential-Alert-Workflow.xml |  4 +-
 .../Netskope-Connection-Event-Workflow.xml    |  4 +-
 .../Netskope-Content-Alert-Workflow.xml       |  4 +-
 .../Netskope/Netskope-DLP-Alert-Workflow.xml  |  4 +-
 .../Netskope-Device-Alert-Workflow.xml        |  4 +-
 .../Netskope-Endpoint-Event-Workflow.xml      |  4 +-
 .../Netskope-Incident-Event-Workflow.xml      |  4 +-
 ...Netskope-Infrastructure-Event-Workflow.xml |  4 +-
 .../Netskope-Malsite-Alert-Workflow.xml       |  4 +-
 .../Netskope-Malware-Alert-Workflow.xml       |  4 +-
 .../Netskope-Network-Event-Workflow.xml       |  4 +-
 .../Netskope/Netskope-Page-Event-Workflow.xml |  4 +-
 .../Netskope-Policy-Alert-Workflow.xml        |  4 +-
 .../Netskope-Quarantine-Alert-Workflow.xml    |  4 +-
 .../Netskope-Remediation-Alert-Workflow.xml   |  4 +-
 ...ope-Security-Assessment-Alert-Workflow.xml |  4 +-
 .../Netskope/Netskope-UBA-Alert-Workflow.xml  |  4 +-
 .../Netskope-Watchlist-Alert-Workflow.xml     |  4 +-
 .../Netskope-Workflow-Parameter-Values.xml    |  2 +-
 Community Developed/Netskope/README.md        | 52 +++++++++----------
 24 files changed, 70 insertions(+), 72 deletions(-)

diff --git a/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml
index bc4c805..9dad407 100644
--- a/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Alert-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Alert Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/alertEvent/response/status_code = 200">
                 <!-- Ingest Alert Events into QRadar -->
-                <PostEvents path="/alertEvent/response/body/result" source="netskope_alert_event" />
+                <PostEvents path="/alertEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/alertEvent/response/body/result)} Alert Events ingested in QRadar." />
 
                 <If condition="${count(/alertEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml
index dd72be0..5531e55 100644
--- a/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Application-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Application Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/applicationEvent/response/status_code = 200">
                 <!-- Ingest Application Events into QRadar -->
-                <PostEvents path="/applicationEvent/response/body/result" source="netskope_application_event" />
+                <PostEvents path="/applicationEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/applicationEvent/response/body/result)} Application Events ingested in QRadar." />
 
                 <If condition="${count(/applicationEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml
index a6b02ff..d1a82ae 100644
--- a/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Audit-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Audit Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -90,7 +90,7 @@
             </While>
             <If condition="/auditEvent/response/status_code = 200">
                 <!-- Ingest Audit Events into QRadar -->
-                <PostEvents path="/auditEvent/response/body/result" source="netskope_audit_event" />
+                <PostEvents path="/auditEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/auditEvent/response/body/result)} Audit Events ingested in QRadar." />
 
                 <If condition="${count(/auditEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml
index f662319..fa1565e 100644
--- a/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-CTEP-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope CTEP Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/ctepAlert/response/status_code = 200">
                 <!-- Ingest CTEP Alerts into QRadar -->
-                <PostEvents path="/ctepAlert/response/body/result" source="netskope_ctep_alert" />
+                <PostEvents path="/ctepAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/ctepAlert/response/body/result)} CTEP Alerts ingested in QRadar." />
 
                 <If condition="${count(/ctepAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml
index 0d5fbd2..2602532 100644
--- a/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Compromised-Credential-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Compromised Credential Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/compromisedcredentialAlert/response/status_code = 200">
                 <!-- Ingest Compromised Credential Alerts into QRadar -->
-                <PostEvents path="/compromisedcredentialAlert/response/body/result" source="netskope_compromisedcredential_alert" />
+                <PostEvents path="/compromisedcredentialAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/compromisedcredentialAlert/response/body/result)} Compromised Credential Alerts ingested in QRadar." />
 
                 <If condition="${count(/compromisedcredentialAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml
index bce8824..8042a10 100644
--- a/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Connection-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Connection Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/connectionEvent/response/status_code = 200">
                 <!-- Ingest Connection Events into QRadar -->
-                <PostEvents path="/connectionEvent/response/body/result" source="netskope_connection_event" />
+                <PostEvents path="/connectionEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/connectionEvent/response/body/result)} Connection Events ingested in QRadar." />
 
                 <If condition="${count(/connectionEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml
index 8f12e23..873543f 100644
--- a/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Content-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Content Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/contentAlert/response/status_code = 200">
                 <!-- Ingest Content Alerts into QRadar -->
-                <PostEvents path="/contentAlert/response/body/result" source="netskope_content_alert" />
+                <PostEvents path="/contentAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/contentAlert/response/body/result)} Content Alerts ingested in QRadar." />
 
                 <If condition="${count(/contentAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml
index 0369de3..0c13ceb 100644
--- a/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-DLP-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope DLP Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/dlpAlert/response/status_code = 200">
                 <!-- Ingest DLP Alerts into QRadar -->
-                <PostEvents path="/dlpAlert/response/body/result" source="netskope_dlp_alert" />
+                <PostEvents path="/dlpAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/dlpAlert/response/body/result)} DLP Alerts ingested in QRadar." />
 
                 <If condition="${count(/dlpAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml
index 38e882e..43fbdd9 100644
--- a/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Device-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Device Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/deviceAlert/response/status_code = 200">
                 <!-- Ingest Device Alerts into QRadar -->
-                <PostEvents path="/deviceAlert/response/body/result" source="netskope_device_alert" />
+                <PostEvents path="/deviceAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/deviceAlert/response/body/result)} Device Alerts ingested in QRadar." />
 
                 <If condition="${count(/deviceAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml
index 5b2b804..3c9f09a 100644
--- a/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Endpoint-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Endpoint Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/endpointEvent/response/status_code = 200">
                 <!-- Ingest Endpoint Events into QRadar -->
-                <PostEvents path="/endpointEvent/response/body/result" source="netskope_endpoint_event" />
+                <PostEvents path="/endpointEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/endpointEvent/response/body/result)} Endpoint Events ingested in QRadar." />
 
                 <If condition="${count(/endpointEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml
index 7b6834d..3a5699d 100644
--- a/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Incident-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Incident Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -92,7 +92,7 @@
                 
                 <ForEach item="/current_event" items="/incidentEvent/response/body/result">
                     <Set path="/current_event/type" value="incident" />
-                    <PostEvent path="/current_event" source="netskope_incident_event" />
+                    <PostEvent path="/current_event" />
                 </ForEach>
 
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/incidentEvent/response/body/result)} Incident Events ingested in QRadar." />
diff --git a/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml
index 5107eb1..c074a1a 100644
--- a/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Infrastructure-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Infrastructure Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -92,7 +92,7 @@
                 
                 <ForEach item="/current_event" items="/infrastructureEvent/response/body/result">
                     <Set path="/current_event/type" value="infrastructure" />
-                    <PostEvent path="/current_event" source="netskope_infrastructure_event" />
+                    <PostEvent path="/current_event" />
                 </ForEach>
 
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/infrastructureEvent/response/body/result)} Infrastructure Events ingested in QRadar." />
diff --git a/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml
index 7220384..2c64101 100644
--- a/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Malsite-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Malsite Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/malsiteAlert/response/status_code = 200">
                 <!-- Ingest Malsite Alerts into QRadar -->
-                <PostEvents path="/malsiteAlert/response/body/result" source="netskope_malsite_alert" />
+                <PostEvents path="/malsiteAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/malsiteAlert/response/body/result)} Malsite Alerts ingested in QRadar." />
 
                 <If condition="${count(/malsiteAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml
index 73c4f8c..817dd64 100644
--- a/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Malware-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Malware Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/malwareAlert/response/status_code = 200">
                 <!-- Ingest Malware Alerts into QRadar -->
-                <PostEvents path="/malwareAlert/response/body/result" source="netskope_malware_alert" />
+                <PostEvents path="/malwareAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/malwareAlert/response/body/result)} Malware Alerts ingested in QRadar." />
 
                 <If condition="${count(/malwareAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml
index 7359940..b10b62d 100644
--- a/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Network-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Network Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/networkEvent/response/status_code = 200">
                 <!-- Ingest Network Events into QRadar -->
-                <PostEvents path="/networkEvent/response/body/result" source="netskope_network_event" />
+                <PostEvents path="/networkEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/networkEvent/response/body/result)} Network Events ingested in QRadar." />
 
                 <If condition="${count(/networkEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml b/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml
index 7a3198b..a409094 100644
--- a/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Page-Event-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Page Event" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/pageEvent/response/status_code = 200">
                 <!-- Ingest Page Events into QRadar -->
-                <PostEvents path="/pageEvent/response/body/result" source="netskope_page_event" />
+                <PostEvents path="/pageEvent/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/pageEvent/response/body/result)} Page Events ingested in QRadar." />
 
                 <If condition="${count(/pageEvent/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml
index e291f0c..979bd4c 100644
--- a/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Policy-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Policy Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/policyAlert/response/status_code = 200">
                 <!-- Ingest Policy Alerts into QRadar -->
-                <PostEvents path="/policyAlert/response/body/result" source="netskope_policy_alert" />
+                <PostEvents path="/policyAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/policyAlert/response/body/result)} Policy Alerts ingested in QRadar." />
 
                 <If condition="${count(/policyAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml
index c4e6b02..2d6b447 100644
--- a/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Quarantine-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Quarantine Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/quarantineAlert/response/status_code = 200">
                 <!-- Ingest Quarantine Alerts into QRadar -->
-                <PostEvents path="/quarantineAlert/response/body/result" source="netskope_quarantine_alert" />
+                <PostEvents path="/quarantineAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/quarantineAlert/response/body/result)} Quarantine Alerts ingested in QRadar." />
 
                 <If condition="${count(/quarantineAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml
index 785ebcf..df97290 100644
--- a/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Remediation-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Remediation Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/remediationAlert/response/status_code = 200">
                 <!-- Ingest Remediation Alerts into QRadar -->
-                <PostEvents path="/remediationAlert/response/body/result" source="netskope_remediation_alert" />
+                <PostEvents path="/remediationAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/remediationAlert/response/body/result)} Remediation Alerts ingested in QRadar." />
 
                 <If condition="${count(/remediationAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml
index f38ec23..32e15bf 100644
--- a/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Security-Assessment-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Security Assessment Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/securityAssessmentAlert/response/status_code = 200">
                 <!-- Ingest Security Assessment Alerts into QRadar -->
-                <PostEvents path="/securityAssessmentAlert/response/body/result" source="netskope_security_assessment_alert" />
+                <PostEvents path="/securityAssessmentAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/securityAssessmentAlert/response/body/result)} Security Assessment Alerts ingested in QRadar." />
 
                 <If condition="${count(/securityAssessmentAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml
index e7cf53a..a05911c 100644
--- a/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-UBA-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope UBA Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/ubaAlert/response/status_code = 200">
                 <!-- Ingest UBA Alerts into QRadar -->
-                <PostEvents path="/ubaAlert/response/body/result" source="netskope_uba_alert" />
+                <PostEvents path="/ubaAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/ubaAlert/response/body/result)} UBA Alerts ingested in QRadar." />
 
                 <If condition="${count(/ubaAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml b/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml
index 2415fd9..2d0813f 100644
--- a/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml	
+++ b/Community Developed/Netskope/Netskope-Watchlist-Alert-Workflow.xml	
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <Workflow name="Netskope Watchlist Alert" version="1.0"
-    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">
 
     <!-- Collect configurations from workflow parameter file -->
     <Parameters>
@@ -89,7 +89,7 @@
             </While>
             <If condition="/watchlistAlert/response/status_code = 200">
                 <!-- Ingest Watchlist Alerts into QRadar -->
-                <PostEvents path="/watchlistAlert/response/body/result" source="netskope_watchlist_alert" />
+                <PostEvents path="/watchlistAlert/response/body/result" />
                 <Log type="INFO" message="${/logPrefix} - Total ${count(/watchlistAlert/response/body/result)} Watchlist Alerts ingested in QRadar." />
 
                 <If condition="${count(/watchlistAlert/response/body/result) = 0}">
diff --git a/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml b/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml
index 9f53384..4c0bd80 100644
--- a/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml	
+++ b/Community Developed/Netskope/Netskope-Workflow-Parameter-Values.xml	
@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2_1">
 
     <!-- Do not add http or https in the below value of Tenant Hostname-->
     <Value name="tenantHostName" value=""/>
diff --git a/Community Developed/Netskope/README.md b/Community Developed/Netskope/README.md
index ad22c18..b7155d3 100644
--- a/Community Developed/Netskope/README.md	
+++ b/Community Developed/Netskope/README.md	
@@ -44,7 +44,7 @@ If you want to ingest data from an endpoint using Universal Rest API Protocol, c
 5. Click *Configure Protocol Parameters* to go to the next section. 
 
 ## 4. Configure Protocol Parameters ##
-1.  **Add "Log Source Identifier" from the list [here](#supported-events-and-alerts-types) for the respective data type.**
+1.  Add "Log Source Identifier" of your choice.
 2.  Copy the content of the any workflow file in "Workflow". List of the workflow files can be found [here](#supported-events-and-alerts-types).
 3.  Modify the content as per user specification in the file Netskope-Workflow-Parameter-Values.xml and add in "Workflow Parameter Values".
 4.  Create new log sources and repeat **QRadar Log Source Configuration** steps to collect other data and use the files as Workflow listed [here](#supported-events-and-alerts-types).
@@ -64,29 +64,27 @@ If you want to ingest data from an endpoint using Universal Rest API Protocol, c
 
 # Supported Events and Alerts Types #
 
-| Workflow Name | Events/Alerts will be collected | API Endpoint | Log Source Identifier |
-| --- | --- | --- | --- |
-| Netskope-Compromised-Credential-Alert-Workflow.xml | Compromised Credential Alert | /api/v2/events/dataexport/alerts/compromisedcredential | netskope_compromisedcredential_alert |
-| Netskope-Content-Alert-Workflow.xml | Content Alert | /api/v2/events/dataexport/alerts/content | netskope_content_alert |
-| Netskope-CTEP-Alert-Workflow.xml | CTEP Alert | /api/v2/events/dataexport/alerts/ctep | netskope_ctep_alert |
-| Netskope-Device-Alert-Workflow.xml | Device Alert | /api/v2/events/dataexport/alerts/device | netskope_device_alert |
-| Netskope-DLP-Alert-Workflow.xml | DLP Alert | /api/v2/events/dataexport/alerts/dlp | netskope_dlp_alert |
-| Netskope-Malsite-Alert-Workflow.xml | Malsite Alert | /api/v2/events/dataexport/alerts/malsite | netskope_malsite_alert |
-| Netskope-Malware-Alert-Workflow.xml | Malware Alert | /api/v2/events/dataexport/alerts/malware | netskope_malware_alert |
-| Netskope-Policy-Alert-Workflow.xml | Policy Alert | /api/v2/events/dataexport/alerts/policy | netskope_policy_alert |
-| Netskope-Quarantine-Alert-Workflow.xml | Quarantine Alert | /api/v2/events/dataexport/alerts/quarantine | netskope_quarantine_alert |
-| Netskope-Remediation-Alert-Workflow.xml | Remediation Alert | /api/v2/events/dataexport/alerts/remediation | netskope_remediation_alert |
-| Netskope-Security-Assessment-Alert-Workflow.xml | Security Assessment Alert | /api/v2/events/dataexport/alerts/securityassessment | netskope_security_assessment_alert |
-| Netskope-UBA-Alert-Workflow.xml | UBA Alert | /api/v2/events/dataexport/alerts/uba | netskope_uba_alert |
-| Netskope-Watchlist-Alert-Workflow.xml | Watchlist Alert | /api/v2/events/dataexport/alerts/watchlist | netskope_watchlist_alert |
-| Netskope-Alert-Event-Workflow.xml | Alert Event | /api/v2/events/dataexport/events/alert | netskope_alert_event |
-| Netskope-Application-Event-Workflow.xml | Application Event | /api/v2/events/dataexport/events/application | netskope_application_event |
-| Netskope-Audit-Event-Workflow.xml | Audit Event | /api/v2/events/dataexport/events/audit | netskope_audit_event |
-| Netskope-Connection-Event-Workflow.xml | Connection Event | /api/v2/events/dataexport/alerts/connection | netskope_connection_event |
-| Netskope-Endpoint-Event-Workflow.xml | Endpoint Event | /api/v2/events/dataexport/events/endpoint | netskope_endpoint_event |
-| Netskope-Incident-Event-Workflow.xml | Incident Event | /api/v2/events/dataexport/events/incident | netskope_incident_event |
-| Netskope-Infrastructure-Event-Workflow.xml | Infrastructure Event | /api/v2/events/dataexport/events/infrastructure | netskope_infrastructure_event |
-| Netskope-Network-Event-Workflow.xml | Network Event | /api/v2/events/dataexport/events/network | netskope_network_event |
-| Netskope-Page-Event-Workflow.xml | Page Event | /api/v2/events/dataexport/events/page | netskope_page_event |
-
-**Note**: The Log Source Identifier value must be the same from the above table.
\ No newline at end of file
+| Workflow Name | Events/Alerts will be collected | API Endpoint |
+| --- | --- | --- |
+| Netskope-Compromised-Credential-Alert-Workflow.xml | Compromised Credential Alert | /api/v2/events/dataexport/alerts/compromisedcredential |
+| Netskope-Content-Alert-Workflow.xml | Content Alert | /api/v2/events/dataexport/alerts/content |
+| Netskope-CTEP-Alert-Workflow.xml | CTEP Alert | /api/v2/events/dataexport/alerts/ctep |
+| Netskope-Device-Alert-Workflow.xml | Device Alert | /api/v2/events/dataexport/alerts/device |
+| Netskope-DLP-Alert-Workflow.xml | DLP Alert | /api/v2/events/dataexport/alerts/dlp |
+| Netskope-Malsite-Alert-Workflow.xml | Malsite Alert | /api/v2/events/dataexport/alerts/malsite |
+| Netskope-Malware-Alert-Workflow.xml | Malware Alert | /api/v2/events/dataexport/alerts/malware |
+| Netskope-Policy-Alert-Workflow.xml | Policy Alert | /api/v2/events/dataexport/alerts/policy |
+| Netskope-Quarantine-Alert-Workflow.xml | Quarantine Alert | /api/v2/events/dataexport/alerts/quarantine |
+| Netskope-Remediation-Alert-Workflow.xml | Remediation Alert | /api/v2/events/dataexport/alerts/remediation |
+| Netskope-Security-Assessment-Alert-Workflow.xml | Security Assessment Alert | /api/v2/events/dataexport/alerts/securityassessment |
+| Netskope-UBA-Alert-Workflow.xml | UBA Alert | /api/v2/events/dataexport/alerts/uba |
+| Netskope-Watchlist-Alert-Workflow.xml | Watchlist Alert | /api/v2/events/dataexport/alerts/watchlist | 
+| Netskope-Alert-Event-Workflow.xml | Alert Event | /api/v2/events/dataexport/events/alert |
+| Netskope-Application-Event-Workflow.xml | Application Event | /api/v2/events/dataexport/events/application |
+| Netskope-Audit-Event-Workflow.xml | Audit Event | /api/v2/events/dataexport/events/audit |
+| Netskope-Connection-Event-Workflow.xml | Connection Event | /api/v2/events/dataexport/alerts/connection | 
+| Netskope-Endpoint-Event-Workflow.xml | Endpoint Event | /api/v2/events/dataexport/events/endpoint | 
+| Netskope-Incident-Event-Workflow.xml | Incident Event | /api/v2/events/dataexport/events/incident | 
+| Netskope-Infrastructure-Event-Workflow.xml | Infrastructure Event | /api/v2/events/dataexport/events/infrastructure | 
+| Netskope-Network-Event-Workflow.xml | Network Event | /api/v2/events/dataexport/events/network |
+| Netskope-Page-Event-Workflow.xml | Page Event | /api/v2/events/dataexport/events/page |

From 67353f7aa183f13ac4e86b7ce7753a9f9d7aa638 Mon Sep 17 00:00:00 2001
From: Bahdan Bakunovich <bahdan.bakunovich@orca.security>
Date: Thu, 5 Dec 2024 15:34:41 +0100
Subject: [PATCH 3/9] Added diff pulling capabilities for Orca workflow

Signed-off-by: Bahdan Bakunovich <bahdan.bakunovich@orca.security>
Signed-off-by: ebasso <ebasso@ebasso.net>
---
 .../Orca Security/Orca-Security-Workflow.xml  | 47 ++++++++++++++-----
 1 file changed, 36 insertions(+), 11 deletions(-)

diff --git a/Community Developed/Orca Security/Orca-Security-Workflow.xml b/Community Developed/Orca Security/Orca-Security-Workflow.xml
index 3abc848..a124869 100644
--- a/Community Developed/Orca Security/Orca-Security-Workflow.xml	
+++ b/Community Developed/Orca Security/Orca-Security-Workflow.xml	
@@ -4,7 +4,7 @@
 The Workflow is used to get Orca Alerts via REST API.
 
 Instructions:
-https://orcasecurity.zendesk.com/hc/en-us/articles/4401950668180
+https://docs.orcasecurity.io/docs/integrating-ibm-qradar
 
 Parameters:
 - "api_host" - Orca API host (required, default="api.orcasecurity.io")
@@ -22,13 +22,29 @@ Parameters:
         <!-- Clear the log source status before a new workflow run starts -->
         <ClearStatus />
 
+        <Set path="/event_start_time" value="${time()}" />
+
+        <If condition="/successful_event_start_time != null">
+            <Set path="/last_updated" value="${/successful_event_start_time}" />
+        </If>
+        <Else>
+            <Set path="/last_updated" value="0" />
+        </Else>
+
         <CallEndpoint url="https://${/api_host}/api/rules/query/alerts" method="POST" savePath="/get_alerts">
             <RequestHeader name="authorization" value="Token ${/api_token}" />
-            <UrlEncodedFormRequestBody>
-                <!-- keep this parameter at 100 to avoid request timeouts and large response payload size -->
-                <Parameter name="limit" value="100" />
-                <Parameter name="next_page_token" value="${/get_alerts/body/next_page_token}" />
-            </UrlEncodedFormRequestBody>
+            <RequestBody type="application/json" encoding="UTF-8">
+                {
+                    "limit": "100",
+                    "next_page_token":"${/get_alerts/body/next_page_token}",
+                    "dsl_filter": [
+                        {
+                            "field": "state.last_updated",
+                            "range": {"gte": "${/last_updated}"}
+                        }
+                    ]
+                }
+            </RequestBody>
         </CallEndpoint>
 
         <If condition="/get_alerts/status_code = 403">
@@ -51,11 +67,18 @@ Parameters:
         <While condition="/get_alerts/body/has_next_page_token">
             <CallEndpoint url="https://${/api_host}/api/rules/query/alerts" method="POST" savePath="/get_alerts">
                 <RequestHeader name="authorization" value="Token ${/api_token}" />
-                <UrlEncodedFormRequestBody>
-                    <!-- keep this parameter at 100 to avoid request timeouts and large response payload size -->
-                    <Parameter name="limit" value="100" />
-                    <Parameter name="next_page_token" value="${/get_alerts/body/next_page_token}" />
-                </UrlEncodedFormRequestBody>
+                <RequestBody type="application/json" encoding="UTF-8">
+                    {
+                        "limit": "100",
+                        "next_page_token":"${/get_alerts/body/next_page_token}",
+                        "dsl_filter": [
+                            {
+                                "field": "state.last_updated",
+                                "range": {"gte": "${/last_updated}"}
+                            }
+                        ]
+                    }
+                </RequestBody>
             </CallEndpoint>
 
             <!-- Handle Errors -->
@@ -80,6 +103,8 @@ Parameters:
 
         </While>
 
+        <Set path="/successful_event_start_time" value="${/event_start_time}" />
+
     </Actions>
 
     <Tests>

From 826427fd68ed11dbae7d5effb3165322afc78f18 Mon Sep 17 00:00:00 2001
From: Bahdan Bakunovich <bahdan.bakunovich@orca.security>
Date: Fri, 6 Dec 2024 10:37:40 +0100
Subject: [PATCH 4/9] 123

Signed-off-by: Bahdan Bakunovich <bahdan.bakunovich@orca.security>
Signed-off-by: ebasso <ebasso@ebasso.net>

From c35df37ea03e29157dcf00a770ae1ef23fcbdf79 Mon Sep 17 00:00:00 2001
From: ebasso <ebasso@ebasso.net>
Date: Fri, 24 Jan 2025 13:57:33 -0300
Subject: [PATCH 5/9] New Dynatrace Workflow

Signed-off-by: ebasso <ebasso@ebasso.net>
---
 ...atrace-Audit-Workflow-Parameter-Values.xml |  6 ++
 .../Dynatrace-Audit-Workflow.xml              | 63 +++++++++++++++++
 Community Developed/Dynatrace Audit/README.md | 70 +++++++++++++++++++
 3 files changed, 139 insertions(+)
 create mode 100644 Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow-Parameter-Values.xml
 create mode 100644 Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow.xml
 create mode 100644 Community Developed/Dynatrace Audit/README.md

diff --git a/Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow-Parameter-Values.xml b/Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow-Parameter-Values.xml
new file mode 100644
index 0000000..7b8b9cd
--- /dev/null
+++ b/Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow-Parameter-Values.xml	
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="dynlocal.company.com/e/XXXXX-XXXXX-XXXXX-XXXX" />
+    <Value name="apiToken" value="dt0c01.XXXXXX.XXXXXXXXXXXXXXXXXXXX" />    
+    <Value name="fromTime" value="now-1d" />
+</WorkflowParameterValues>
diff --git a/Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow.xml b/Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow.xml
new file mode 100644
index 0000000..568d3d5
--- /dev/null
+++ b/Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow.xml	
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Dynatrace Audit Logs API - QRadar Integration (Universal Cloud REST API)
+-->
+<Workflow name="DynatraceAuditLogs" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+
+    <Parameters>
+        <Parameter name="host" label="Dynatrace API URL" required="true" />
+        <Parameter name="apiToken" label="API Token" required="true" secret="true" />
+        <!-- Look parameter from for possible values of fromTime
+            https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log 
+        -->
+        <Parameter name="fromTime" label="From Time" required="false" default="now-2w"/>
+    </Parameters>
+
+    <Actions>
+        <!-- Clear status of log source -->
+        <ClearStatus />
+                
+        <!-- Set max retry to 3 in case of API rate limit error and timeout for 60 secs -->
+        <Initialize path="/dynatrace_audit/maxRetry" value="3" />
+        
+        <Initialize path="/dynatrace_audit/logPrefix" value="Dynatrace::AuditLogs" />
+        
+        <!-- Set limit for max fetch to now -->
+        <Set path="/dynatrace_audit/max_created" value="${time()}" />
+        
+        <!-- Fetch the audit logs from Dynatrace -->
+        <CallEndpoint url="https://${/host}/api/v2/auditlogs" method="GET" savePath="/get_audit_logs">
+            <QueryParameter name="from" value="${fromTime}" />
+            <RequestHeader name="Accept" value="application/json" />
+            <RequestHeader name="Authorization" value="Api-Token ${/apiToken}" />
+        </CallEndpoint>
+
+        <!-- Check for errors during log fetch -->
+        <If condition="/get_audit_logs/status_code != 200">
+            <Log type="INFO" message="${/dynatrace_audit/logPrefix} - Abort - Fetch logs failed ${/get_audit_logs/status_code} : ${/get_audit_logs/status_message}" />
+            <Abort reason="${/get_audit_logs/status_message}" />
+        </If>
+        
+        <!-- Log the status of the API call -->
+        <Log type="INFO" message="${/dynatrace_audit/logPrefix} - ${/get_audit_logs/status_code} : ${/get_audit_logs/status_message}" />
+        <Log type="INFO" message="${/dynatrace_audit/logPrefix} - ${/get_audit_logs/total_count} : ${/get_audit_logs/totalCount}" />
+        <Log type="INFO" message="${/dynatrace_audit/logPrefix} - ${/get_audit_logs/page_size} : ${/get_audit_logs/pageSize}" />
+ 
+        <!-- Loop through each audit log entry -->
+        <ForEach item="/current_audit_log" items="/get_audit_logs/body/auditLogs">
+            <!-- Process each audit log entry -->
+            <Log type="INFO" message="${/dynatrace_audit/logPrefix} - Processing audit log entry with ID: ${/current_audit_log/id}" />
+            <!-- Post each audit log entry to QRadar -->
+            <PostEvent path="/current_audit_log" source="${/host}" />
+        </ForEach>
+        
+        <!-- Update bookmark to last running max time (start from this next time) -->
+        <Set path="/dynatrace_audit/bookmark" value="${/dynatrace_audit/max_created}" />
+        
+    </Actions>
+    
+    <Tests>
+        <DNSResolutionTest host="${/host}"/>
+        <TCPConnectionTest host="${/host}"/>
+    </Tests>
+</Workflow>
\ No newline at end of file
diff --git a/Community Developed/Dynatrace Audit/README.md b/Community Developed/Dynatrace Audit/README.md
new file mode 100644
index 0000000..ad63de2
--- /dev/null
+++ b/Community Developed/Dynatrace Audit/README.md	
@@ -0,0 +1,70 @@
+Dynatrace Audit Configuration
+-----------------
+
+1). Steps to obtain an integration with QRadar:
+
+Easily check configuration changes or environment sign ins with the new Audit logs API
+https://www.dynatrace.com/news/blog/easily-check-configuration-changes-or-environment-sign-ins-with-the-new-audit-logs-api/
+
+2). There are the following source type:
+
+Audit logs API - GET audit log
+https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log
+
+
+QRadar Log Source Configuration
+--------------------------------
+Please follow the root ReadMe for configuring within QRadar.
+
+
+Workflow parameters
+--------------------------------
+
+```xml
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="dynlocal.company.com/e/XXXXX-XXXXX-XXXXX-XXXX" />
+    <Value name="apiToken" value="dt0c01.XXXXXX.XXXXXXXXXXXXXXXXXXXX" />    
+    <Value name="fromTime" value="now-1d" />
+</WorkflowParameterValues>
+```
+
+where:
+
+- `host`: hostname of your Dynatrace instance
+- `apiToken`: Access Token with admin privileges
+- `fromTime`: The start of the requested timeframe. Default value: `now-2w`, the last 2 weeks.
+
+
+In `host`, depends on your environment. For:
+
+- SaaS	{your-environment-id}.live.dynatrace.com/api/v2/auditlogs
+- Environment ActiveGateCluster ActiveGate	{your-activegate-domain}:9999/e/{your-environment-id}
+
+In `fromTime`. You can use multiple formats, but my sugestion is to use Relative timeframe, back from now. Example: `now-5m`, the last 5 minutes.
+
+Supported time units for the relative timeframe are:
+
+- `m`: minutes
+- `h`: hours
+- `d`: days
+- `w`: weeks
+- `M`: months
+- `y`: years
+
+Troubleshooting 
+-------------------
+You can extract the debug run of the workflow from /var/log/qradar.log into a file and share the file with Cyberark support. Each workflow has 
+a specific prefix for logging.
+
+For Dynatrace Audit Logs workflow:
+
+```bash
+grep "Dynatrace::AuditLogs" /var/log/qradar.log  > dynaudit.log
+```
+
+You can also grep on the “Dynatrace:: prefix to capture logs workflows. Here is a sample where the password was changed in EPM but not 
+reflected in the workflow parameter xml file in Qradar.
+
+```bash
+[root@host-1 log]# grep "Dynatrace::" /var/log/qradar.log
+```

From a0816b1ce842fcec44ea9bae5fa9b31673ee8297 Mon Sep 17 00:00:00 2001
From: ebasso <ebasso@ebasso.net>
Date: Fri, 24 Jan 2025 14:05:11 -0300
Subject: [PATCH 6/9] New Dynatrace audit

Signed-off-by: ebasso <ebasso@ebasso.net>
---
 Community Developed/Dynatrace Audit/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Community Developed/Dynatrace Audit/README.md b/Community Developed/Dynatrace Audit/README.md
index ad63de2..728b8e3 100644
--- a/Community Developed/Dynatrace Audit/README.md	
+++ b/Community Developed/Dynatrace Audit/README.md	
@@ -37,8 +37,8 @@ where:
 
 In `host`, depends on your environment. For:
 
-- SaaS	{your-environment-id}.live.dynatrace.com/api/v2/auditlogs
-- Environment ActiveGateCluster ActiveGate	{your-activegate-domain}:9999/e/{your-environment-id}
+- SaaS:	{your-environment-id}.live.dynatrace.com/api/v2/auditlogs
+- Environment ActiveGateCluster ActiveGate:	{your-activegate-domain}:9999/e/{your-environment-id}
 
 In `fromTime`. You can use multiple formats, but my sugestion is to use Relative timeframe, back from now. Example: `now-5m`, the last 5 minutes.
 

From 96790df0e642b62afcf4fee2d840b8cae5583c16 Mon Sep 17 00:00:00 2001
From: Enio Basso <ebasso@ebasso.net>
Date: Fri, 24 Jan 2025 14:22:36 -0300
Subject: [PATCH 7/9] Update README.md

Signed-off-by: ebasso <ebasso@ebasso.net>
---
 Community Developed/Dynatrace Audit/README.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Community Developed/Dynatrace Audit/README.md b/Community Developed/Dynatrace Audit/README.md
index 728b8e3..05ac13a 100644
--- a/Community Developed/Dynatrace Audit/README.md	
+++ b/Community Developed/Dynatrace Audit/README.md	
@@ -1,12 +1,12 @@
 Dynatrace Audit Configuration
 -----------------
 
-1). Steps to obtain an integration with QRadar:
+1) Steps to obtain an integration with QRadar:
 
 Easily check configuration changes or environment sign ins with the new Audit logs API
 https://www.dynatrace.com/news/blog/easily-check-configuration-changes-or-environment-sign-ins-with-the-new-audit-logs-api/
 
-2). There are the following source type:
+2) There are the following source type:
 
 Audit logs API - GET audit log
 https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log
@@ -68,3 +68,10 @@ reflected in the workflow parameter xml file in Qradar.
 ```bash
 [root@host-1 log]# grep "Dynatrace::" /var/log/qradar.log
 ```
+
+About
+---------------
+Author Name: Enio Basso
+Maintainer Name: @ebasso
+Version Number: 1
+Event type: Audit trail events from Dynatrace.

From ecec5f3013ec170cb074b94a912debfdc52ced2a Mon Sep 17 00:00:00 2001
From: Enio Basso <ebasso@ebasso.net>
Date: Fri, 24 Jan 2025 14:23:07 -0300
Subject: [PATCH 8/9] Update README.md

Signed-off-by: ebasso <ebasso@ebasso.net>
---
 Community Developed/Dynatrace Audit/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Community Developed/Dynatrace Audit/README.md b/Community Developed/Dynatrace Audit/README.md
index 05ac13a..f949dae 100644
--- a/Community Developed/Dynatrace Audit/README.md	
+++ b/Community Developed/Dynatrace Audit/README.md	
@@ -72,6 +72,9 @@ reflected in the workflow parameter xml file in Qradar.
 About
 ---------------
 Author Name: Enio Basso
+
 Maintainer Name: @ebasso
+
 Version Number: 1
+
 Event type: Audit trail events from Dynatrace.

From f989ec00fb0f5830faccee605556858cf72fffc6 Mon Sep 17 00:00:00 2001
From: Enio Basso <ebasso@ebasso.net>
Date: Fri, 24 Jan 2025 14:30:11 -0300
Subject: [PATCH 9/9] Update README.md

Signed-off-by: ebasso <ebasso@ebasso.net>
---
 Community Developed/Dynatrace Audit/README.md | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/Community Developed/Dynatrace Audit/README.md b/Community Developed/Dynatrace Audit/README.md
index f949dae..4aff452 100644
--- a/Community Developed/Dynatrace Audit/README.md	
+++ b/Community Developed/Dynatrace Audit/README.md	
@@ -3,13 +3,11 @@ Dynatrace Audit Configuration
 
 1) Steps to obtain an integration with QRadar:
 
-Easily check configuration changes or environment sign ins with the new Audit logs API
-https://www.dynatrace.com/news/blog/easily-check-configuration-changes-or-environment-sign-ins-with-the-new-audit-logs-api/
+- [Easily check configuration changes or environment sign ins with the new Audit logs API](https://www.dynatrace.com/news/blog/easily-check-configuration-changes-or-environment-sign-ins-with-the-new-audit-logs-api/)
 
 2) There are the following source type:
 
-Audit logs API - GET audit log
-https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log
+- [Audit logs API - GET audit log](https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log)
 
 
 QRadar Log Source Configuration
@@ -71,10 +69,9 @@ reflected in the workflow parameter xml file in Qradar.
 
 About
 ---------------
-Author Name: Enio Basso
+- Author Name: Enio Basso
+- Maintainer Name: @ebasso
+- Version Number: 1
+- Event Types Currently Supported by the workflow: Audit events from Dynatrace.
+- Endpoint Documentation: https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log
 
-Maintainer Name: @ebasso
-
-Version Number: 1
-
-Event type: Audit trail events from Dynatrace.