From ad4533a39545b54e9169430834912fa58fd2aef8 Mon Sep 17 00:00:00 2001 From: Daniel Wendler Date: Mon, 28 Mar 2022 13:01:30 +0200 Subject: [PATCH 01/11] init commit --- .../spp-Workflow-Parameter-Values.xml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml diff --git a/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml b/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml new file mode 100644 index 00000000..519e7fb0 --- /dev/null +++ b/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file From a5a4bfc9d748b6409570c7065493d83070bf83a0 Mon Sep 17 00:00:00 2001 From: Daniel Wendler Date: Mon, 28 Mar 2022 13:09:16 +0200 Subject: [PATCH 02/11] modified: spp-Workflow-Parameter-Values.xml --- .../spp-Workflow-Parameter-Values.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml b/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml index 519e7fb0..66e38eb5 100644 --- a/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml +++ b/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml @@ -1,7 +1,7 @@ - - - - + + + + \ No newline at end of file From 57e8fd8c68a857b0562ed913109834950010bd9a Mon Sep 17 00:00:00 2001 From: Daniel Wendler Date: Mon, 28 Mar 2022 16:02:16 +0200 Subject: [PATCH 03/11] workflow added --- .../spp-Workflow-Parameter-Values.xml | 3 +- .../spp-Workflow.xml | 135 ++++++++++++++++++ 2 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml diff --git a/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml b/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml index 66e38eb5..8ab20253 100644 
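Review bot: The values in spp-Workflow-Parameter-Values.xml cannot be checked here because the element content was stripped in this rendering, but per the README added later in this series the workflow takes `#username#` and `#password#`, this file is where such values are supplied, and the README's test command reads it from `/tmp/spp/`. If the committed copy carries anything other than placeholders, the SPP credential is now in repository history; the file should ship with placeholders only and a header comment such as `<!-- values are supplied through the QRadar log source; never commit a real #password#, and do not leave copies used with test-workflow.sh in world-readable paths such as /tmp -->`. The account named next to `#username#` (the README suggests `monitorUser`) presumably needs only audit-log read rights in SPP, which is worth stating alongside the parameter so nobody reuses an admin login.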
--- a/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml +++ b/IBM Spectrum Protect Plus Auditlog/spp-Workflow-Parameter-Values.xml @@ -1,6 +1,7 @@ - + + diff --git a/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml b/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml new file mode 100644 index 00000000..4c95691e --- /dev/null +++ b/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml @@ -0,0 +1,135 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 650d2772b68b24bf5670df51927cddb71803a738 Mon Sep 17 00:00:00 2001 From: Daniel Wendler Date: Mon, 28 Mar 2022 16:11:47 +0200 Subject: [PATCH 04/11] workflow modified --- .../spp-Workflow.xml | 150 +++++++++--------- 1 file changed, 73 insertions(+), 77 deletions(-) diff --git a/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml b/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml index 4c95691e..b620c94d 100644 --- a/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml +++ b/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml @@ -7,13 +7,14 @@ - + - + + @@ -26,17 +27,15 @@ - + - - - - + + - - - - - + + - + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + @@ -105,31 +102,30 @@ - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + - \ No newline at end of file From 37c6e32244fc10c4b0e35b711b1c4e98cf3d6b3d Mon Sep 17 00:00:00 2001 From: Daniel Wendler Date: Mon, 28 Mar 2022 16:37:34 +0200 Subject: [PATCH 05/11] readme added --- IBM Spectrum Protect Plus Auditlog/README.md | 74 ++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 IBM Spectrum Protect Plus Auditlog/README.md 
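Review bot: The bookmark scheme this workflow appears to use can re-deliver the last audit entry on every poll, and the new spp-Workflow.xml should state how that case is handled; the XML tags were stripped in this rendering, so this is inferred from the README's debug output later in the series, where the query is filtered with `"op": ">="` on `accessTime` against the bookmark and the bookmark is then advanced to the `accessTime` of the last event returned (`bookmark (final): 1648477857858`). Unless the workflow discards events whose `accessTime` equals the incoming bookmark (possibly what the `counter` value is for), the last record of poll N comes back as the first record of poll N+1, and with Coalescing Events disabled as the README instructs it lands in QRadar twice; switching to `>` is not a fix on its own either, because SPP timestamps are milliseconds and several audit entries can share one. A comment next to the query element such as `<!-- filter: accessTime >= bookmark; entries equal to the bookmark are de-duplicated by ... (fill in) -->` would let the next maintainer confirm the intent. Also worth a header note: per the README samples, `debug` true makes LogAction copy every fetched audit record, user names and requester IPs included, into qradar.log.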
diff --git a/IBM Spectrum Protect Plus Auditlog/README.md b/IBM Spectrum Protect Plus Auditlog/README.md
new file mode 100644
index 00000000..ccbb23a9
--- /dev/null
+++ b/IBM Spectrum Protect Plus Auditlog/README.md
@@ -0,0 +1,74 @@
+### IBM Spectrum Protect Plus REST API:
+* [SPP landing page](https://www.ibm.com/docs/en/spp/10.1.10)
+* [SPP REST API Doc](https://www.ibm.com/docs/en/SSNQFQ_10.1.10/pdf/restapi.pdf)
+
+### tested Spectrum Protect Plus versions:
+This Workflow has been tested against SPP version 10.1.9 and 10.1.10.
+The API in versions 10.1.8 and earlier do not provide the required
+information and functionalities required by this Workflow
+
+
+### sample API response of an audit log entry
+
+```
+{
+ "accessTime": 1648475990938,
+ "serverTime": 1648475990938,
+ "user": "monitorUser",
+ "groups": "",
+ "operation": "Login",
+ "description": "Login failed for user monitorUser.",
+ "requesterIp": "AAA.BBB.CCC.100",
+ "sppserver": "AAA.BBB.CCC.120"
+}
+```
+
+
+### conversion from epoch time to date and vice versa
+
+**Note:** SPP utilizes epoch timestamp in milliseconds -> multiply / device by 1000 may be required
+
+```
+date +%s # converts local time to epoch time in seconds (not MS)
+date -d @1648466798 # convert epoch timestamp in seconds (not MS) to local date
+```
+
+
+### sample test tool execution and debug logs - sanitized
+
+> time /opt/qradar/bin/test-workflow.sh -u -w /tmp/spp/spp-Workflow.xml -wp /tmp/spp/spp-Workflow-Parameter-Values.xml
+
+```
+SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> debug: true
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (start): 1648461176749
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> counter (start): 0
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100:443/api/endeavour/log/audit
+2022-03-28 16:30:59 [INFO ][UniversalCloudRESTAPITest] Received 1 events from AAA.BBB.CCC.100
+2022-03-28 16:30:59 [INFO 
][UniversalCloudRESTAPITest] {"accessTime":1648461176749,"serverTime":1648461176749,"user":"restapiuser","groups":"","operation":"Login","description":"Login failed for user restapiuser (request originated from IP address: AAA.BBB.CCC.120).","requesterIp":"AAA.BBB.CCC.120","sppserver":"AAA.BBB.CCC.100"}
+
+...
+
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (queryPage): 1648475895751
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100/api/endeavour/log/audit?sort=%5B%7B%22property%22%3A+%22accessTime%22%2C+%22direction%22%3A+%22ASC%22%7D%5D&filter=%5B%7B%22property%22%3A+%22accessTime%22%2C+%22op%22%3A+%22%3E%3D%22%2C+%22value%22%3A+%221648461176749%22%7D%5D&pageSize=100&pageStartIndex=100
+
+...
+
+2022-03-28 16:31:01 [INFO ][UniversalCloudRESTAPITest] Received 1 events from AAA.BBB.CCC.100
+2022-03-28 16:31:01 [INFO ][UniversalCloudRESTAPITest] {"accessTime":1648477857858,"serverTime":1648477857858,"user":"monitorUser","groups":"","operation":"Login","description":"Login successful for user monitorUser.","requesterIp":"9.155.126.100","sppserver":"AAA.BBB.CCC.100"}
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (queryPage): 1648477857858
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (final): 1648477857858
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> collected events: 114
+```
+
+
+### sample QRadar log output
+
+>tail -f /var/log/qradar.log | grep SPP
+
+```
+Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> debug: true
+Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] 
[Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (start): 1648461176749
+Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> counter (start): 0
+Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100:443/api/endeavour/log/audit
+```
From 236a823ca1f174394a75ad0985102522142c86d7 Mon Sep 17 00:00:00 2001
From: Daniel Wendler
Date: Mon, 28 Mar 2022 16:44:15 +0200
Subject: [PATCH 06/11] t deleted: README.md
---
 IBM Spectrum Protect Plus Auditlog/README.md | 74 --------------------
 1 file changed, 74 deletions(-)
 delete mode 100644 IBM Spectrum Protect Plus Auditlog/README.md
diff --git a/IBM Spectrum Protect Plus Auditlog/README.md b/IBM Spectrum Protect Plus Auditlog/README.md
deleted file mode 100644
index ccbb23a9..00000000
--- a/IBM Spectrum Protect Plus Auditlog/README.md
+++ /dev/null
@@ -1,74 +0,0 @@
-### IBM Spectrum Protect Plus REST API:
-* [SPP landing page](https://www.ibm.com/docs/en/spp/10.1.10)
-* [SPP REST API Doc](https://www.ibm.com/docs/en/SSNQFQ_10.1.10/pdf/restapi.pdf)
-
-### tested Spectrum Protect Plus versions:
-This Workflow has been tested against SPP version 10.1.9 and 10.1.10.
-The API in versions 10.1.8 and earlier do not provide the required
-information and functionalities required by this Workflow
-
-
-### sample API response of an audit log entry
-
-```
-{
- "accessTime": 1648475990938,
- "serverTime": 1648475990938,
- "user": "monitorUser",
- "groups": "",
- "operation": "Login",
- "description": "Login failed for user monitorUser.",
- "requesterIp": "AAA.BBB.CCC.100",
- "sppserver": "AAA.BBB.CCC.120"
-}
-```
-
-
-### conversion from epoch time to date and vice versa
-
-**Note:** SPP utilizes epoch timestamp in milliseconds -> multiply / device by 1000 may be required
-
-```
-date +%s # converts local time to epoch time in seconds (not MS)
-date -d @1648466798 # convert epoch timestamp in seconds (not MS) to local date
-```
-
-
-### sample test tool execution and debug logs - sanitized
-
-> time /opt/qradar/bin/test-workflow.sh -u -w /tmp/spp/spp-Workflow.xml -wp /tmp/spp/spp-Workflow-Parameter-Values.xml
-
-```
-SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
-2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> debug: true
-2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (start): 1648461176749
-2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> counter (start): 0
-2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100:443/api/endeavour/log/audit
-2022-03-28 16:30:59 [INFO ][UniversalCloudRESTAPITest] Received 1 events from AAA.BBB.CCC.100
-2022-03-28 16:30:59 [INFO 
][UniversalCloudRESTAPITest] {"accessTime":1648461176749,"serverTime":1648461176749,"user":"restapiuser","groups":"","operation":"Login","description":"Login failed for user restapiuser (request originated from IP address: AAA.BBB.CCC.120).","requesterIp":"AAA.BBB.CCC.120","sppserver":"AAA.BBB.CCC.100"}
-
-...
-
-2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (queryPage): 1648475895751
-2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100/api/endeavour/log/audit?sort=%5B%7B%22property%22%3A+%22accessTime%22%2C+%22direction%22%3A+%22ASC%22%7D%5D&filter=%5B%7B%22property%22%3A+%22accessTime%22%2C+%22op%22%3A+%22%3E%3D%22%2C+%22value%22%3A+%221648461176749%22%7D%5D&pageSize=100&pageStartIndex=100
-
-...
-
-2022-03-28 16:31:01 [INFO ][UniversalCloudRESTAPITest] Received 1 events from AAA.BBB.CCC.100
-2022-03-28 16:31:01 [INFO ][UniversalCloudRESTAPITest] {"accessTime":1648477857858,"serverTime":1648477857858,"user":"monitorUser","groups":"","operation":"Login","description":"Login successful for user monitorUser.","requesterIp":"9.155.126.100","sppserver":"AAA.BBB.CCC.100"}
-2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (queryPage): 1648477857858
-2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (final): 1648477857858
-2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> collected events: 114
-```
-
-
-### sample QRadar log output
-
->tail -f /var/log/qradar.log | grep SPP
-
-```
-Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> debug: true
-Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] 
[Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> bookmark (start): 1648461176749
-Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> counter (start): 0
-Mar 28 16:13:19 ::ffff:9.155.126.100 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][9.155.126.100/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100:443/api/endeavour/log/audit
-```
From 7045075e5c42173541efb704bd58e87fd6ea2f60 Mon Sep 17 00:00:00 2001
From: Daniel Wendler
Date: Mon, 28 Mar 2022 16:45:36 +0200
Subject: [PATCH 07/11] readme added
---
 IBM Spectrum Protect Plus Auditlog/README.md | 73 ++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 IBM Spectrum Protect Plus Auditlog/README.md
diff --git a/IBM Spectrum Protect Plus Auditlog/README.md b/IBM Spectrum Protect Plus Auditlog/README.md
new file mode 100644
index 00000000..5aace760
--- /dev/null
+++ b/IBM Spectrum Protect Plus Auditlog/README.md
@@ -0,0 +1,73 @@
+### IBM Spectrum Protect Plus REST API:
+* [SPP landing page](https://www.ibm.com/docs/en/spp/10.1.10)
+* [SPP REST API Doc](https://www.ibm.com/docs/en/SSNQFQ_10.1.10/pdf/restapi.pdf)
+
+### tested Spectrum Protect Plus versions:
+This Workflow has been tested with SPP version 10.1.9 and 10.1.10.
+The SPP REST API in versions 10.1.8 and earlier do not provide the required
+information and functionalities required by this workflow.
+
+
+### sample API response of an audit log entry
+
+```
+{
+ "accessTime": 1648475990938,
+ "serverTime": 1648475990938,
+ "user": "monitorUser",
+ "groups": "",
+ "operation": "Login",
+ "description": "Login failed for user monitorUser.",
+ "requesterIp": "AAA.BBB.CCC.100",
+ "sppserver": "AAA.BBB.CCC.120"
+}
+```
+
+
+### conversion from epoch time to date and vice versa
+
+**Note:** SPP utilizes epoch timestamp in milliseconds -> multiply / devide with 1000 may be required
+
+```
+date +%s # converts local time to epoch time in seconds (not MS)
+date -d @1648466798 # convert epoch timestamp in seconds (not MS) to local date
+```
+
+
+### sample test tool execution and debug logs - sanitized
+
+> time /opt/qradar/bin/test-workflow.sh -u -w /tmp/spp/spp-Workflow.xml -wp /tmp/spp/spp-Workflow-Parameter-Values.xml
+```
+SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> debug: true
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> bookmark (start): 1648461176749
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> counter (start): 0
+2022-03-28 16:30:59 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100:443/api/endeavour/log/audit
+2022-03-28 16:30:59 [INFO ][UniversalCloudRESTAPITest] Received 1 events from AAA.BBB.CCC.100
+2022-03-28 16:30:59 [INFO 
][UniversalCloudRESTAPITest] {"accessTime":1648461176749,"serverTime":1648461176749,"user":"restapiuser","groups":"","operation":"Login","description":"Login failed for user restapiuser (request originated from IP address: AAA.BBB.CCC.120).","requesterIp":"AAA.BBB.CCC.120","sppserver":"AAA.BBB.CCC.100"}
+
+...
+
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> bookmark (queryPage): 1648475895751
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100/api/endeavour/log/audit?sort=%5B%7B%22property%22%3A+%22accessTime%22%2C+%22direction%22%3A+%22ASC%22%7D%5D&filter=%5B%7B%22property%22%3A+%22accessTime%22%2C+%22op%22%3A+%22%3E%3D%22%2C+%22value%22%3A+%221648461176749%22%7D%5D&pageSize=100&pageStartIndex=100
+
+...
+
+2022-03-28 16:31:01 [INFO ][UniversalCloudRESTAPITest] Received 1 events from AAA.BBB.CCC.100
+2022-03-28 16:31:01 [INFO ][UniversalCloudRESTAPITest] {"accessTime":1648477857858,"serverTime":1648477857858,"user":"monitorUser","groups":"","operation":"Login","description":"Login successful for user monitorUser.","requesterIp":"QRadarInstance1","sppserver":"AAA.BBB.CCC.100"}
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> bookmark (queryPage): 1648477857858
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> bookmark (final): 1648477857858
+2022-03-28 16:31:01 [INFO ][LogAction] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> collected events: 114
+```
+
+
+### sample QRadar log output
+
+>tail -f /var/log/qradar.log | grep SPP
+
+```
+Mar 28 16:13:19 ::ffff:QRadarInstance1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> debug: true
+Mar 28 16:13:19 ::ffff:QRadarInstance1 
[ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> bookmark (start): 1648461176749
+Mar 28 16:13:19 ::ffff:QRadarInstance1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> counter (start): 0
+Mar 28 16:13:19 ::ffff:QRadarInstance1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-7638764] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][QRadarInstance1/- -] [-/- -]SPP IQUCRA> URL: https://AAA.BBB.CCC.100:443/api/endeavour/log/audit
+```
\ No newline at end of file
From 404cef09110f83d4f62789368c47f2bce08f5870 Mon Sep 17 00:00:00 2001
From: Daniel Wendler
Date: Mon, 28 Mar 2022 20:27:18 +0200
Subject: [PATCH 08/11] README update
---
 IBM Spectrum Protect Plus Auditlog/README.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/IBM Spectrum Protect Plus Auditlog/README.md b/IBM Spectrum Protect Plus Auditlog/README.md
index 5aace760..2a6d393d 100644
--- a/IBM Spectrum Protect Plus Auditlog/README.md
+++ b/IBM Spectrum Protect Plus Auditlog/README.md
@@ -1,8 +1,13 @@
-### IBM Spectrum Protect Plus REST API:
+### Workflow basic information:
+
+* Author: Daniel Wendler
+* Maintainer: dwendler
+* Workflow Version Number: 1.0
+* [Endpoint Documentation of Spectrum Protect Plus REST API](https://www.ibm.com/docs/en/SSNQFQ_10.1.10/pdf/restapi.pdf)
 * [SPP landing page](https://www.ibm.com/docs/en/spp/10.1.10)
-* [SPP REST API Doc](https://www.ibm.com/docs/en/SSNQFQ_10.1.10/pdf/restapi.pdf)
+* supported endpoints: Audit Logs via api/endeavour/log/audit
-### tested Spectrum Protect Plus versions:
+### tested REST API of IBM Spectrum Protect Plus versions:
 This Workflow has been tested with SPP version 10.1.9 and 10.1.10.
 The SPP REST API in versions 10.1.8 and earlier do not provide the required
 information and functionalities required by this workflow.
From bc6884258fe9039a1dec27381889e33a6076dc29 Mon Sep 17 00:00:00 2001
From: Daniel Wendler
Date: Mon, 28 Mar 2022 20:50:02 +0200
Subject: [PATCH 09/11] README update
---
 IBM Spectrum Protect Plus Auditlog/README.md | 30 +++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/IBM Spectrum Protect Plus Auditlog/README.md b/IBM Spectrum Protect Plus Auditlog/README.md
index 2a6d393d..f0a9ad48 100644
--- a/IBM Spectrum Protect Plus Auditlog/README.md
+++ b/IBM Spectrum Protect Plus Auditlog/README.md
@@ -1,17 +1,45 @@
 ### Workflow basic information:
 * Author: Daniel Wendler
-* Maintainer: dwendler
+* Maintainer: dwendler, dwendler(at)de(dot)ibm(dot)com
 * Workflow Version Number: 1.0
 * [Endpoint Documentation of Spectrum Protect Plus REST API](https://www.ibm.com/docs/en/SSNQFQ_10.1.10/pdf/restapi.pdf)
 * [SPP landing page](https://www.ibm.com/docs/en/spp/10.1.10)
 * supported endpoints: Audit Logs via api/endeavour/log/audit
+
+### Workflow parameters
+
+* #host# (required): IP_Address or Hostname, no protocol prefix, e.g. "mySppHost.myCompany.com" will be assebled to https://mySppHost.myCompany.com:443
+* #port# (not required, default is 443): 443
+* #username# (required): e.g. monitorUser, this user needs the correct RBAC within SPP to query the SPP audit logs
+* #password# (required): password of above user
+* #pageSize# (not required, leave default): number of audit log entries to retrieve with a single REST API get operation, the workflow will use pagination until no new events exist in the audit log queue. default = 100 is suggested by the API for this endpoint
+
+
+### tested REST API of IBM Spectrum Protect Plus versions:
 This Workflow has been tested with SPP version 10.1.9 and 10.1.10.
 The SPP REST API in versions 10.1.8 and earlier do not provide the required
 information and functionalities required by this workflow.
+### QRadar Log Source Configuration
+
+If you want to ingest data from an endpoint using Universal Rest API Protocol, configure a log source on the QRadar® Console using the Workflow field so that the defined endpoint can communicate with QRadar by using the Universal Rest API protocol.
+
+1. Log in to QRadar.
+2. Click the _Admin_ tab.
+3. To open the app, click the _Log Sources_ app icon and _launch_ the app to select _Log Sources - Manage Log Sources_
+4. Click _New Log Source_ > _Single Log Source_.
+5. 
On the _Select a Log Source Type_ page, Select the Log Source Type _Universal DSM_ and click _Select Protocol Type_ > _Universal Cloud REST API_.
+6. *Important:* disable the function _Coalescing Events_, otherwise, similar Audit Logs may be interpreted as a single event.
+7. On the Select a Protocol Type page, select a protocol and click _Configure Log Source Parameters_.
+8. On the Configure the Log Source parameters page, configure the log source parameters and click _Configure Protocol
+Parameters_.
+9. On the Configure the Protocol Parameters page, configure the protocol-specific parameters (Workflow and Workflow
+Parameter Values).
+10. In the Test protocol parameters window, click _Start Test_.
+11. To fix any errors, click _Configure Protocol Parameters_. Configure the parameters and click Test Protocol Parameters.
+12. Click _Finish_
 ### sample API response of an audit log entry
From 4b7b1c0237262f121adbef9c267cbab96f9e92b0 Mon Sep 17 00:00:00 2001
From: Daniel Wendler
Date: Mon, 28 Mar 2022 20:51:22 +0200
Subject: [PATCH 10/11] README update
---
 IBM Spectrum Protect Plus Auditlog/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/IBM Spectrum Protect Plus Auditlog/README.md b/IBM Spectrum Protect Plus Auditlog/README.md
index f0a9ad48..8e77fab4 100644
--- a/IBM Spectrum Protect Plus Auditlog/README.md
+++ b/IBM Spectrum Protect Plus Auditlog/README.md
@@ -1,4 +1,4 @@
-### Workflow basic information:
+# Workflow basic information:
 * Author: Daniel Wendler
 * Maintainer: dwendler, dwendler(at)de(dot)ibm(dot)com
@@ -8,7 +8,7 @@
 * supported endpoints: Audit Logs via api/endeavour/log/audit
-### Workflow parameters
+# Workflow parameters
 * #host# (required): IP_Address or Hostname, no protocol prefix, e.g. "mySppHost.myCompany.com" will be assebled to https://mySppHost.myCompany.com:443
 * #port# (not required, default is 443): 443
@@ -17,12 +17,12 @@
 * #pageSize# (not required, leave default): number of audit log entries to retrieve with a single REST API get operation, the workflow will use pagination until no new events exist in the audit log queue. default = 100 is suggested by the API for this endpoint
-### tested REST API of IBM Spectrum Protect Plus versions:
+# tested REST API of IBM Spectrum Protect Plus versions:
 This Workflow has been tested with SPP version 10.1.9 and 10.1.10.
 The SPP REST API in versions 10.1.8 and earlier do not provide the required
 information and functionalities required by this workflow.
-### QRadar Log Source Configuration
+# QRadar Log Source Configuration
 If you want to ingest data from an endpoint using Universal Rest API Protocol, configure a log source on the QRadar® Console using the Workflow field so that the defined endpoint can communicate with QRadar by using the Universal Rest API protocol.
@@ -41,7 +41,7 @@ Parameter Values).
 11. To fix any errors, click _Configure Protocol Parameters_. Configure the parameters and click Test Protocol Parameters.
 12. Click _Finish_
-### sample API response of an audit log entry
+# sample API response of an audit log entry
 ```
 {
@@ -57,7 +57,7 @@ Parameter Values).
 ```
-### conversion from epoch time to date and vice versa
+# conversion from epoch time to date and vice versa
 **Note:** SPP utilizes epoch timestamp in milliseconds -> multiply / devide with 1000 may be required
@@ -67,7 +67,7 @@ date -d @1648466798 # convert epoch timestamp in seconds (not MS) to local da
 ```
-### sample test tool execution and debug logs - sanitized
+# sample test tool execution and debug logs - sanitized
 > time /opt/qradar/bin/test-workflow.sh -u -w /tmp/spp/spp-Workflow.xml -wp /tmp/spp/spp-Workflow-Parameter-Values.xml
 ```
@@ -94,7 +94,7 @@ SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
 ```
-### sample QRadar log output
+# sample QRadar log output
 >tail -f /var/log/qradar.log | grep SPP
From c0e97ec1a83800578e6e59e066bdbd00d630ca61 Mon Sep 17 00:00:00 2001 From: Daniel Wendler Date: Mon, 28 Mar 2022 20:57:06 +0200 Subject: [PATCH 11/11] changed debug mode in Workflow --- IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml b/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml index b620c94d..2e998702 100644 --- a/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml +++ b/IBM Spectrum Protect Plus Auditlog/spp-Workflow.xml @@ -11,7 +11,7 @@ - +