From 3960efad277dcfd3afeae964ad50e1181bc9a3fd Mon Sep 17 00:00:00 2001
From: Benimanela <benim@qmasters.co>
Date: Wed, 1 Mar 2023 12:50:05 +0200
Subject: [PATCH] Added Rapid7 ThreatCommand workflow Signed-off-by: Benimanela
 benim@qmasters.co

---
 .../Rapid7-ThreatCommand/README.md            |  8 ++
 .../ThreatCommand_parameters.xml              | 15 ++++
 .../ThreatCommand_workflow.xml                | 77 +++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 Community Developed/Rapid7-ThreatCommand/README.md
 create mode 100644 Community Developed/Rapid7-ThreatCommand/ThreatCommand_parameters.xml
 create mode 100644 Community Developed/Rapid7-ThreatCommand/ThreatCommand_workflow.xml

diff --git a/Community Developed/Rapid7-ThreatCommand/README.md b/Community Developed/Rapid7-ThreatCommand/README.md
new file mode 100644
index 00000000..910bb0ad
--- /dev/null
+++ b/Community Developed/Rapid7-ThreatCommand/README.md	
@@ -0,0 +1,8 @@
+# Rapid& ThreatCommand Parameters Configuration
+Parameter                           | Name | Default Value | Type | Required (True/False) | Description
+---                                 | --- | --- | --- |--- |---
+hostname                            | Host Name | https://api.ti.insight.rapid7.com | String | True | IP or URL for the instance.
+account_id                          | Account ID | False | Authentication | True | 
+api_key                             | API Key | False | Authentication | True | 
+severity                            | Severity | "High", "Medium", "Low" | String | False | you can specify the alert severity to pull
+is_closed                           | Is Closed | True | Bool | False | Change to folse for ignoring closed alerts
diff --git a/Community Developed/Rapid7-ThreatCommand/ThreatCommand_parameters.xml b/Community Developed/Rapid7-ThreatCommand/ThreatCommand_parameters.xml
new file mode 100644
index 00000000..1005a4f3
--- /dev/null
+++ b/Community Developed/Rapid7-ThreatCommand/ThreatCommand_parameters.xml	
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
+
+	<!-- "hostname" - ThreatCommand API host (default="https://api.ti.insight.rapid7.com")-->
+	<Value name="hostname" value="https://api.ti.insight.rapid7.com"/>
+	<!-- "account_id" - ThreatCommand Account id for QRadar (required) -->
+	<Value name="account_id" value=""/>
+	<!-- "api_secert" - ThreatCommand API key for QRadar (required) -->
+	<Value name="api_key" value=""/>
+
+	<!-- "severity" - ThreatCommand alert severity, can be multiple separated by commas, allowed values: "High", "Medium", "Low". (optional) -->
+	<Value name="severity" value="High, Medium, Low"/>
+	<!-- "is_closed" - Show closed/open alerts, default value: true. (optional) -->
+	<Value name="is_closed" value="true"/>
+</WorkflowParameterValues>
diff --git a/Community Developed/Rapid7-ThreatCommand/ThreatCommand_workflow.xml b/Community Developed/Rapid7-ThreatCommand/ThreatCommand_workflow.xml
new file mode 100644
index 00000000..95a1d8d6
--- /dev/null
+++ b/Community Developed/Rapid7-ThreatCommand/ThreatCommand_workflow.xml	
@@ -0,0 +1,77 @@
+<Workflow name="Qmasters Rapid7 ThreatCommand workflow for QRadar" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
+    <Parameters>
+		<Parameter name="hostname" label="Host Name" required="true" />
+		<Parameter name="account_id" label="Account ID" required="true" secret="true" />
+		<Parameter name="api_key" label="API Key" required="true" secret="true" />
+        <Parameter name="severity" label="Severity" required="false" />
+        <Parameter name="is_closed" label="Is Cloased" required="false" default="false" />
+    </Parameters>
+	
+    <Actions>
+		<!-- Clear the log source status before a new workflow run starts -->
+        <ClearStatus />
+		
+        <!-- Prepare the start date filter, based on the current bookmark -->
+		<Initialize path="/bookmark" value="${time() - 604800000}" />
+        
+		<!-- Get Alert List -->				
+		<CallEndpoint url="${/hostname}/public/v2/data/alerts/alerts-list" method="GET" savePath="/get_alert_list" >
+			<BasicAuthentication username="${/account_id}" password="${/api_key}" />
+            <QueryParameter name="isClosed" value="${/is_closed}" />
+            <QueryParameter name="severity" value="${/severity}" />
+            <QueryParameter name="foundDateFrom" value="${/bookmark}" />
+		</CallEndpoint>
+
+        <!-- Handle Errors -->
+	    <If condition="/get_alert_list/status_code != 200">
+		    <If condition="/get_alert_list/status_code = 403" >
+			    <Abort reason="Invalid ThreatCommand API Key" />
+		    </If>
+
+            <If condition="/get_alert_list/status_code >= 500" >
+			    <Abort reason="ThreatCommand API is not available" />
+		    </If>
+
+		    <Abort reason="ThreatCommand abort reason:  ${/get_alert_list}" />
+	    </If>
+
+        <!-- Initialize a list to contain all alerts -->
+	    <Set path="/alerts" value="[]" />
+
+        <!-- Get Alerts -->	
+        <ForEach item="/alert_id" items="/get_alert_list/body">
+		    <CallEndpoint url="${/hostname}/public/v1/data/alerts/get-complete-alert/${/alert_id}" method="GET" savePath="/get_alert_${/alert_id}" >
+		    	<BasicAuthentication username="${/account_id}" password="${/api_key}" />
+		    </CallEndpoint>
+
+            <!-- Handle Errors -->
+            <If condition="/get_alert_${/alert_id}/status_code != 200">
+                <If condition="/get_alert_${/alert_id}/status_code = 404">
+                    <Abort reason="ThreatCommand abort reason:  ${/get_alert_${/alert_id}}"/>
+                </If>
+                
+                <Abort reason="ThreatCommand abort reason:  ${/get_alert_${/alert_id}}" />
+            </If>
+            
+            <Add path="/alerts" value="${/get_alert_${/alert_id}/body}" />
+        </ForEach>
+
+            <!-- Post Event, if any -->
+            <If condition="count(/alerts) > 0">
+                <PostEvents path="/alerts" source="${/hostname}" />
+
+                <!-- Update the bookmark -->
+                <ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss[.SSS]'Z'" timeZone="UTC" date="${max(/alerts/FoundDate)}" savePath="/last_event_time" />
+                <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" time="${/last_event_time + 1}" savePath="/bookmark" />
+                <ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss[.SSS]'Z'" timeZone="UTC" date="${/bookmark}" savePath="/bookmark" />
+            </If>
+    
+	</Actions>
+	
+    <Tests>
+        <DNSResolutionTest host="${/hostname}" />
+        <TCPConnectionTest host="${/hostname}" />
+        <SSLHandshakeTest host="${/hostname}" />
+        <HTTPConnectionThroughProxyTest url="${/hostname}" expectedResponseStatus="404" />
+    </Tests>
+</Workflow>