Worfklow for Dynatrace

Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow-Parameter-Values.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="dynlocal.company.com/e/XXXXX-XXXXX-XXXXX-XXXX" />
+    <Value name="apiToken" value="dt0c01.XXXXXX.XXXXXXXXXXXXXXXXXXXX" />    
+    <Value name="fromTime" value="now-1d" />
+</WorkflowParameterValues>

Community Developed/Dynatrace Audit/Dynatrace-Audit-Workflow.xml

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Dynatrace Audit Logs API - QRadar Integration (Universal Cloud REST API)
+-->
+<Workflow name="DynatraceAuditLogs" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+
+    <Parameters>
+        <Parameter name="host" label="Dynatrace API URL" required="true" />
+        <Parameter name="apiToken" label="API Token" required="true" secret="true" />
+        <!-- Look parameter from for possible values of fromTime
+            https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log 
+        -->
+        <Parameter name="fromTime" label="From Time" required="false" default="now-2w"/>
+    </Parameters>
+
+    <Actions>
+        <!-- Clear status of log source -->
+        <ClearStatus />
+
+        <!-- Set max retry to 3 in case of API rate limit error and timeout for 60 secs -->
+        <Initialize path="/dynatrace_audit/maxRetry" value="3" />
+
+        <Initialize path="/dynatrace_audit/logPrefix" value="Dynatrace::AuditLogs" />
+
+        <!-- Set limit for max fetch to now -->
+        <Set path="/dynatrace_audit/max_created" value="${time()}" />
+
+        <!-- Fetch the audit logs from Dynatrace -->
+        <CallEndpoint url="https://${/host}/api/v2/auditlogs" method="GET" savePath="/get_audit_logs">
+            <QueryParameter name="from" value="${fromTime}" />
+            <RequestHeader name="Accept" value="application/json" />
+            <RequestHeader name="Authorization" value="Api-Token ${/apiToken}" />
+        </CallEndpoint>
+
+        <!-- Check for errors during log fetch -->
+        <If condition="/get_audit_logs/status_code != 200">
+            <Log type="INFO" message="${/dynatrace_audit/logPrefix} - Abort - Fetch logs failed ${/get_audit_logs/status_code} : ${/get_audit_logs/status_message}" />
+            <Abort reason="${/get_audit_logs/status_message}" />
+        </If>
+
+        <!-- Log the status of the API call -->
+        <Log type="INFO" message="${/dynatrace_audit/logPrefix} - ${/get_audit_logs/status_code} : ${/get_audit_logs/status_message}" />
+        <Log type="INFO" message="${/dynatrace_audit/logPrefix} - ${/get_audit_logs/total_count} : ${/get_audit_logs/totalCount}" />
+        <Log type="INFO" message="${/dynatrace_audit/logPrefix} - ${/get_audit_logs/page_size} : ${/get_audit_logs/pageSize}" />
+
+        <!-- Loop through each audit log entry -->
+        <ForEach item="/current_audit_log" items="/get_audit_logs/body/auditLogs">
+            <!-- Process each audit log entry -->
+            <Log type="INFO" message="${/dynatrace_audit/logPrefix} - Processing audit log entry with ID: ${/current_audit_log/id}" />
+            <!-- Post each audit log entry to QRadar -->
+            <PostEvent path="/current_audit_log" source="${/host}" />
+        </ForEach>
+
+        <!-- Update bookmark to last running max time (start from this next time) -->
+        <Set path="/dynatrace_audit/bookmark" value="${/dynatrace_audit/max_created}" />
+
+    </Actions>
+
+    <Tests>
+        <DNSResolutionTest host="${/host}"/>
+        <TCPConnectionTest host="${/host}"/>
+    </Tests>
+</Workflow>

Community Developed/Dynatrace Audit/README.md

@@ -0,0 +1,77 @@
+Dynatrace Audit Configuration
+-----------------
+
+1) Steps to obtain an integration with QRadar:
+
+- [Easily check configuration changes or environment sign ins with the new Audit logs API](https://www.dynatrace.com/news/blog/easily-check-configuration-changes-or-environment-sign-ins-with-the-new-audit-logs-api/)
+
+2) There are the following source type:
+
+- [Audit logs API - GET audit log](https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log)
+
+
+QRadar Log Source Configuration
+--------------------------------
+Please follow the root ReadMe for configuring within QRadar.
+
+
+Workflow parameters
+--------------------------------
+
+```xml
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="dynlocal.company.com/e/XXXXX-XXXXX-XXXXX-XXXX" />
+    <Value name="apiToken" value="dt0c01.XXXXXX.XXXXXXXXXXXXXXXXXXXX" />    
+    <Value name="fromTime" value="now-1d" />
+</WorkflowParameterValues>
+```
+
+where:
+
+- `host`: hostname of your Dynatrace instance
+- `apiToken`: Access Token with admin privileges
+- `fromTime`: The start of the requested timeframe. Default value: `now-2w`, the last 2 weeks.
+
+
+In `host`, depends on your environment. For:
+
+- SaaS:	{your-environment-id}.live.dynatrace.com/api/v2/auditlogs
+- Environment ActiveGateCluster ActiveGate:	{your-activegate-domain}:9999/e/{your-environment-id}
+
+In `fromTime`. You can use multiple formats, but my sugestion is to use Relative timeframe, back from now. Example: `now-5m`, the last 5 minutes.
+
+Supported time units for the relative timeframe are:
+
+- `m`: minutes
+- `h`: hours
+- `d`: days
+- `w`: weeks
+- `M`: months
+- `y`: years
+
+Troubleshooting 
+-------------------
+You can extract the debug run of the workflow from /var/log/qradar.log into a file and share the file with Cyberark support. Each workflow has 
+a specific prefix for logging.
+
+For Dynatrace Audit Logs workflow:
+
+```bash
+grep "Dynatrace::AuditLogs" /var/log/qradar.log  > dynaudit.log
+```
+
+You can also grep on the “Dynatrace:: prefix to capture logs workflows. Here is a sample where the password was changed in EPM but not 
+reflected in the workflow parameter xml file in Qradar.
+
+```bash
+[root@host-1 log]# grep "Dynatrace::" /var/log/qradar.log
+```
+
+About
+---------------
+- Author Name: Enio Basso
+- Maintainer Name: @ebasso
+- Version Number: 1
+- Event Types Currently Supported by the workflow: Audit events from Dynatrace.
+- Endpoint Documentation: https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log
+