From 9ba2005ba71e5087874bf629c680d3df6a2409f7 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 00:44:16 +0300
Subject: [PATCH 01/55] Add Parameters file

---
 FireEye-HX-Workflow-Parameter-Value.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 FireEye-HX-Workflow-Parameter-Value.xml

diff --git a/FireEye-HX-Workflow-Parameter-Value.xml b/FireEye-HX-Workflow-Parameter-Value.xml
new file mode 100644
index 00000000..b04e2a39
--- /dev/null
+++ b/FireEye-HX-Workflow-Parameter-Value.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
+    <Value name="hx_port" value="443" />
+    <Value name="username" value="api_analyst" />
+    <Value name="password" value="api_analyst" />
+    <!-- Number of alert records to fetch per request -->
+    <Value name="limit" value="100" />
+</WorkflowParameterValues>
\ No newline at end of file

From 3f09db3ab5ce1a27f15c2d66d6eb279f3b7f1e9a Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 00:45:06 +0300
Subject: [PATCH 02/55] Move into "FireEye HX" folder

---
 .../FireEye-HX-Workflow-Parameter-Value.xml                     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename FireEye-HX-Workflow-Parameter-Value.xml => FireEye HX/FireEye-HX-Workflow-Parameter-Value.xml (94%)

diff --git a/FireEye-HX-Workflow-Parameter-Value.xml b/FireEye HX/FireEye-HX-Workflow-Parameter-Value.xml
similarity index 94%
rename from FireEye-HX-Workflow-Parameter-Value.xml
rename to FireEye HX/FireEye-HX-Workflow-Parameter-Value.xml
index b04e2a39..ba7a2578 100644
--- a/FireEye-HX-Workflow-Parameter-Value.xml
+++ b/FireEye HX/FireEye-HX-Workflow-Parameter-Value.xml	
@@ -6,4 +6,4 @@
     <Value name="password" value="api_analyst" />
     <!-- Number of alert records to fetch per request -->
     <Value name="limit" value="100" />
-</WorkflowParameterValues>
\ No newline at end of file
+</WorkflowParameterValues>

From 9e5415345cc633f1dc880fd3447f4ccdc24080d4 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 00:46:44 +0300
Subject: [PATCH 03/55] Files uploaded

---
 .../FireEye-HX-Alert_Groups-Workflow copy.xml |  82 +++++++++++++
 FireEye HX/FireEye-HX-Alerts-Workflow.xml     | 112 ++++++++++++++++++
 FireEye HX/LICENSE                            |  21 ++++
 FireEye HX/README.md                          |   2 +
 4 files changed, 217 insertions(+)
 create mode 100644 FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml
 create mode 100644 FireEye HX/FireEye-HX-Alerts-Workflow.xml
 create mode 100644 FireEye HX/LICENSE
 create mode 100644 FireEye HX/README.md

diff --git a/FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml b/FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml
new file mode 100644
index 00000000..cf4fb4ee
--- /dev/null
+++ b/FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml	
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="FireEye HX" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+	<Parameters>
+		<Parameter name="host" label="Host" required="true" />
+		<Parameter name="hx_port" label="Port" value="443" required="true" />
+		<Parameter name="username" label="Username" required="true" />
+		<Parameter name="password" label="Password" required="true" secret="true" />
+	</Parameters>
+	<Actions>
+		<!-- Initialize the Bookmark -->
+		<Initialize path="/bookmark" value="${time() - 86400000}" />
+	
+		<!-- Use bookmark -10 mins as start time -->
+		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/start_time" />
+
+		<!-- Authenticate and request API Token -->
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/get_feapi_token" >
+            <SSLConfiguration allowUntrustedServerCertificate="true" />
+            <BasicAuthentication username="${/username}" password="${/password}" />
+            <RequestHeader name="Accept" value="application/json" />
+        </CallEndpoint>
+
+        <!-- Handle Errors -->
+        <If condition="/get_feapi_token/status_code != 204">
+			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
+            <Abort reason="Error login: ${/get_feapi_token/body}" />
+        </If>
+		<Else>
+			<!-- Extract the API Token -->
+			<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
+			<!-- Build filterQuery -->
+			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"last_event_at"}' />
+
+			<!-- Get Alerts -->
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alert_groups/?" method="GET" savePath="/get_alerts">
+				<QueryParameter name="offset" value="0" />
+				<QueryParameter name="limit" value="100" />
+				<QueryParameter name="sort" value="last_event_at" />
+				<!-- URL Encoded Filter for last_event_at greater than Start Time -->
+				<QueryParameter name="filterQuery" value="${/filterQuery}" />
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+			
+			<!-- Handle Errors -->
+			<If condition="/get_alerts/status_code != 200">
+				<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
+			</If>
+			<Else>
+				<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
+
+				<!-- Alert are returned in JSON format-->
+				<!-- Extract Alerts-->
+				<If condition="${/get_alerts/body/data/total} > 0">
+					<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
+					<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
+				</If>
+				<!-- Post Alerts -->
+				<PostEvents path="/alerts" source="${/host}" />
+			</Else>
+
+			<!-- Dispose generated token to clear active session -->
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
+				<SSLConfiguration allowUntrustedServerCertificate="true" />
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+
+			<!-- Handle Errors -->
+			<If condition="/del_feapi_token/status_code != 204">
+				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/del_feapi_token/body/message}" />
+				<Abort reason="${/get_feapi_token/body/message}" />
+			</If>
+		</Else>
+	</Actions>
+	<Tests>
+		<DNSResolutionTest host="${/host}" />
+		<TCPConnectionTest host="${/host}" port="${/hx_port}" />
+		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
+		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
+	</Tests>
+</Workflow>
\ No newline at end of file
diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/FireEye HX/FireEye-HX-Alerts-Workflow.xml
new file mode 100644
index 00000000..866906ee
--- /dev/null
+++ b/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="FireEye HX" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+	<Parameters>
+		<Parameter name="host" label="Host" required="true" />
+		<Parameter name="hx_port" label="Port" required="true" />
+		<Parameter name="username" label="Username" required="true" />
+		<Parameter name="password" label="Password" required="true" secret="true" />
+		<Parameter name="limit" label="Limit" required="true" />
+	</Parameters>
+	<Actions>
+		<!-- Initialize the Bookmark -->
+		<Initialize path="/bookmark" value="${time() - 60000 * 60 * 24}" />
+
+		<!-- Use bookmark -10 mins as start time -->
+		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/start_time" />
+
+		<!-- Authenticate and request API Token -->
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/get_feapi_token" >
+            <SSLConfiguration allowUntrustedServerCertificate="true" />
+            <BasicAuthentication username="${/username}" password="${/password}" />
+            <RequestHeader name="Accept" value="application/json" />
+        </CallEndpoint>
+
+        <!-- Handle Errors -->
+        <If condition="/get_feapi_token/status_code != 204">
+			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
+            <Abort reason="Error login: ${/get_feapi_token/body}" />
+        </If>
+		<Else>
+			<!-- Extract the API Token -->
+			<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
+			<!-- Build filterQuery -->
+			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"reported_at"}' />
+
+			<!-- Get Alerts -->
+			<Set path="/offset" value="0" />
+
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/get_alerts">
+				<QueryParameter name="offset" value="${/offset}" />
+				<QueryParameter name="limit" value="${/limit}" />
+				<QueryParameter name="sort" value="_id" />
+				<!-- URL Encoded Filter for last_event_at greater than Start Time -->
+				<QueryParameter name="filterQuery" value="${/filterQuery}" />
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+			
+			<!-- Handle Errors -->
+			<If condition="/get_alerts/status_code != 200">
+				<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
+			</If>
+			<Else>
+				<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
+
+				<!-- Alert are returned in JSON format-->
+				<!-- Extract Alerts-->
+				<If condition="${/get_alerts/body/data/total} > 0">
+					 <DoWhile condition="count(/get_alerts/body/data/entries) > 0">
+						<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
+						<!-- Enrich Alerts -->
+						<ForEach item="alert" items="/alerts">
+							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/agent">
+								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+								<RequestHeader name="Accept" value="application/json" />
+							</CallEndpoint>
+							<!-- Add host information to alert-->
+							<Merge sourcePath="/agent/body/data/hostname" targetPath="/alert/agent" />
+							<Merge sourcePath="/agent/body/data/domain" targetPath="/alert/agent" />
+							<Merge sourcePath="/agent/body/data/primary_ip_address" targetPath="/alert/agent" />
+							<Merge sourcePath="/agent/body/data/last_poll_ip" targetPath="/alert/agent" />
+							<!-- Post Alert -->
+							<PostEvent path="/alert" source="${/host}" />
+						</ForEach>
+						<!-- Update bookmark -->
+						<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
+						<!-- Next Page -->
+						<Set path="/Offset" value="${/offset + /limit - 1}" />
+						<!-- Get next page of alerts -->
+						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/get_alerts">
+							<QueryParameter name="offset" value="${/offset}" />
+							<QueryParameter name="limit" value="${/limit}" />
+							<QueryParameter name="sort" value="_id" />
+							<QueryParameter name="filterQuery" value="${/filterQuery}" />
+							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+							<RequestHeader name="Accept" value="application/json" />
+						</CallEndpoint>
+
+					</DoWhile>
+				</If>
+			</Else>
+
+			<!-- Dispose generated token to clear active session -->
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
+				<SSLConfiguration allowUntrustedServerCertificate="true" />
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+
+			<!-- Handle Errors -->
+			<If condition="/del_feapi_token/status_code != 204">
+				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/del_feapi_token/body/message}" />
+				<Abort reason="${/get_feapi_token/body/message}" />
+			</If>
+		</Else>
+	</Actions>
+	<Tests>
+		<DNSResolutionTest host="${/host}" />
+		<TCPConnectionTest host="${/host}" port="${/hx_port}" />
+		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
+		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
+	</Tests>
+</Workflow>
\ No newline at end of file
diff --git a/FireEye HX/LICENSE b/FireEye HX/LICENSE
new file mode 100644
index 00000000..35589ce6
--- /dev/null
+++ b/FireEye HX/LICENSE	
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Mohamed Al-Shabrawy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/FireEye HX/README.md b/FireEye HX/README.md
new file mode 100644
index 00000000..3eb243c7
--- /dev/null
+++ b/FireEye HX/README.md	
@@ -0,0 +1,2 @@
+# FireEye-HX-QRadar-Workflow
+IBM QRadar Universal Cloud Connector Workflow for FireEye HX

From 5f27e672245135caedc0bff368630fa511ecdf14 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 00:47:07 +0300
Subject: [PATCH 04/55] Rename FireEye-HX-Alert_Groups-Workflow copy.xml to
 FireEye-HX-Alert_Groups-Workflow.xml

---
 ...s-Workflow copy.xml => FireEye-HX-Alert_Groups-Workflow.xml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename FireEye HX/{FireEye-HX-Alert_Groups-Workflow copy.xml => FireEye-HX-Alert_Groups-Workflow.xml} (99%)

diff --git a/FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml b/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
similarity index 99%
rename from FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml
rename to FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
index cf4fb4ee..2955827a 100644
--- a/FireEye HX/FireEye-HX-Alert_Groups-Workflow copy.xml	
+++ b/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml	
@@ -79,4 +79,4 @@
 		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
 		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
 	</Tests>
-</Workflow>
\ No newline at end of file
+</Workflow>

From f4cfdaa6a71d24e7c367958873ac48de010cd508 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 00:48:37 +0300
Subject: [PATCH 05/55] Update README.md

---
 FireEye HX/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/FireEye HX/README.md b/FireEye HX/README.md
index 3eb243c7..5559fd18 100644
--- a/FireEye HX/README.md	
+++ b/FireEye HX/README.md	
@@ -1,2 +1,2 @@
-# FireEye-HX-QRadar-Workflow
-IBM QRadar Universal Cloud Connector Workflow for FireEye HX
+# QRadar Workflow for FireEye HX
+IBM QRadar Universal Cloud Connector Workflow for reading FireEye HX alerts through REST API

From 7df22e82ca1e1a0e182b307acef94abf6f26f902 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 01:01:47 +0300
Subject: [PATCH 06/55] Update README.md

---
 FireEye HX/README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/FireEye HX/README.md b/FireEye HX/README.md
index 5559fd18..ef14275e 100644
--- a/FireEye HX/README.md	
+++ b/FireEye HX/README.md	
@@ -1,2 +1,13 @@
 # QRadar Workflow for FireEye HX
 IBM QRadar Universal Cloud Connector Workflow for reading FireEye HX alerts through REST API
+
+- Author Name: Mohamed Al-Shabrawy
+- Maintainer Name: @M-Shabrawy
+- Version: 1.0.2
+- Endpoint Documentation:
+  - - https://fireeye.dev/
+  - - https://fireeye.dev/apis/lighthouse/
+  
+- Event Types Currently Supported by the workflow:
+-   -  Alerts: Gets a list of non-suppressed alerts known to the system
+-   -  Alert Groups: Lists all alert_groups 

From fa6eb99a18731789623aab3f1f3c85cc60081779 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 07:37:19 +0300
Subject: [PATCH 07/55] Rename FireEye-HX-Workflow-Parameter-Value.xml to
 FireEye-HX-Alerts-Workflow-Parameter-Value.xml

---
 ...r-Value.xml => FireEye-HX-Alerts-Workflow-Parameter-Value.xml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename FireEye HX/{FireEye-HX-Workflow-Parameter-Value.xml => FireEye-HX-Alerts-Workflow-Parameter-Value.xml} (100%)

diff --git a/FireEye HX/FireEye-HX-Workflow-Parameter-Value.xml b/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml
similarity index 100%
rename from FireEye HX/FireEye-HX-Workflow-Parameter-Value.xml
rename to FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml

From e219484bb9de23e354f0cf792f217da77a844bf9 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 07:37:53 +0300
Subject: [PATCH 08/55] Add files via upload

---
 .../FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml

diff --git a/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml b/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml
new file mode 100644
index 00000000..b04e2a39
--- /dev/null
+++ b/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml	
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
+    <Value name="hx_port" value="443" />
+    <Value name="username" value="api_analyst" />
+    <Value name="password" value="api_analyst" />
+    <!-- Number of alert records to fetch per request -->
+    <Value name="limit" value="100" />
+</WorkflowParameterValues>
\ No newline at end of file

From 5a42d88d2d96217d3adaa03f493327bc47e4dfdd Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 18:38:58 +0300
Subject: [PATCH 09/55] Increase intial pull to 30 day and replace Merge with
 Set

---
 FireEye HX/FireEye-HX-Alerts-Workflow.xml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index 866906ee..ee3d6c6a 100644
--- a/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -9,7 +9,7 @@
 	</Parameters>
 	<Actions>
 		<!-- Initialize the Bookmark -->
-		<Initialize path="/bookmark" value="${time() - 60000 * 60 * 24}" />
+		<Initialize path="/bookmark" value="${time() - 60000 * 60 * 24 * 30}" />
 
 		<!-- Use bookmark -10 mins as start time -->
 		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/start_time" />
@@ -58,17 +58,16 @@
 					 <DoWhile condition="count(/get_alerts/body/data/entries) > 0">
 						<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
 						<!-- Enrich Alerts -->
-						<ForEach item="alert" items="/alerts">
+						<ForEach item="/alert" items="/alerts">
 							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/agent">
 								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 								<RequestHeader name="Accept" value="application/json" />
 							</CallEndpoint>
 							<!-- Add host information to alert-->
-							<Merge sourcePath="/agent/body/data/hostname" targetPath="/alert/agent" />
-							<Merge sourcePath="/agent/body/data/domain" targetPath="/alert/agent" />
-							<Merge sourcePath="/agent/body/data/primary_ip_address" targetPath="/alert/agent" />
-							<Merge sourcePath="/agent/body/data/last_poll_ip" targetPath="/alert/agent" />
-							<!-- Post Alert -->
+							<Set path="/alert/agent/hostname" value="${/agent/body/data/hostname}"  />
+							<Set path="/alert/agent/domain" value="${/agent/body/data/domain}"  />
+							<Set path="/alert/agent/primary_ip_address" value="${/agent/body/data/primary_ip_address}"  />
+							<Set path="/alert/agent/last_poll_ip" value="${/agent/body/data/last_poll_ip}"  />
 							<PostEvent path="/alert" source="${/host}" />
 						</ForEach>
 						<!-- Update bookmark -->
@@ -109,4 +108,4 @@
 		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
 		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
 	</Tests>
-</Workflow>
\ No newline at end of file
+</Workflow>

From a2ea0ff206e35049de4eba869a784bbf4a73831a Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 10 Feb 2022 23:20:03 +0300
Subject: [PATCH 10/55] Update FireEye-HX-Alerts-Workflow.xml

---
 FireEye HX/FireEye-HX-Alerts-Workflow.xml | 45 +++++++++++++----------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index ee3d6c6a..907271b1 100644
--- a/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -7,6 +7,7 @@
 		<Parameter name="password" label="Password" required="true" secret="true" />
 		<Parameter name="limit" label="Limit" required="true" />
 	</Parameters>
+	
 	<Actions>
 		<!-- Initialize the Bookmark -->
 		<Initialize path="/bookmark" value="${time() - 60000 * 60 * 24 * 30}" />
@@ -14,24 +15,23 @@
 		<!-- Use bookmark -10 mins as start time -->
 		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/start_time" />
 
-		<!-- Authenticate and request API Token -->
-        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/get_feapi_token" >
-            <SSLConfiguration allowUntrustedServerCertificate="true" />
-            <BasicAuthentication username="${/username}" password="${/password}" />
-            <RequestHeader name="Accept" value="application/json" />
-        </CallEndpoint>
+			<!-- Authenticate and request API Token -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
+			<SSLConfiguration allowUntrustedServerCertificate="true" />
+			<BasicAuthentication username="${/username}" password="${/password}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
 
-        <!-- Handle Errors -->
-        <If condition="/get_feapi_token/status_code != 204">
-			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
-            <Abort reason="Error login: ${/get_feapi_token/body}" />
-        </If>
+		<!-- Handle Errors -->
+		<If condition="/get_feapi_token/status_code != 204">
+			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
+			<Abort reason="Error login: ${/get_feapi_token/body}" />
+		</If>
 		<Else>
 			<!-- Extract the API Token -->
 			<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
 			<!-- Build filterQuery -->
 			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"reported_at"}' />
-
 			<!-- Get Alerts -->
 			<Set path="/offset" value="0" />
 
@@ -39,30 +39,33 @@
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
 				<QueryParameter name="sort" value="_id" />
-				<!-- URL Encoded Filter for last_event_at greater than Start Time -->
 				<QueryParameter name="filterQuery" value="${/filterQuery}" />
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
-			
+
 			<!-- Handle Errors -->
 			<If condition="/get_alerts/status_code != 200">
 				<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
 			</If>
 			<Else>
 				<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
-
 				<!-- Alert are returned in JSON format-->
 				<!-- Extract Alerts-->
 				<If condition="${/get_alerts/body/data/total} > 0">
-					 <DoWhile condition="count(/get_alerts/body/data/entries) > 0">
+					<DoWhile condition="count(/get_alerts/body/data/entries) > 0">
 						<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
 						<!-- Enrich Alerts -->
 						<ForEach item="/alert" items="/alerts">
-							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/agent">
+							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
 								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 								<RequestHeader name="Accept" value="application/json" />
 							</CallEndpoint>
+							<If condition="/agent/status_code != 204">
+								<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
+								<Abort reason="Error login: ${/get_feapi_token/body}" />
+							</If>
+							<Log type="Info" message="FE HX API: Host found for ID: ${/alert/agent/_id}" />
 							<!-- Add host information to alert-->
 							<Set path="/alert/agent/hostname" value="${/agent/body/data/hostname}"  />
 							<Set path="/alert/agent/domain" value="${/agent/body/data/domain}"  />
@@ -83,18 +86,19 @@
 							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 							<RequestHeader name="Accept" value="application/json" />
 						</CallEndpoint>
-
+						
 					</DoWhile>
 				</If>
+				<Else>
+					<Log type="Notice" message="FE HX API: No Alerts to Pull." />
+				</Else>
 			</Else>
-
 			<!-- Dispose generated token to clear active session -->
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
 				<SSLConfiguration allowUntrustedServerCertificate="true" />
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
-
 			<!-- Handle Errors -->
 			<If condition="/del_feapi_token/status_code != 204">
 				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/del_feapi_token/body/message}" />
@@ -102,6 +106,7 @@
 			</If>
 		</Else>
 	</Actions>
+	
 	<Tests>
 		<DNSResolutionTest host="${/host}" />
 		<TCPConnectionTest host="${/host}" port="${/hx_port}" />

From 22b0b924bf76c05c8a1f7561a08e6d0a8a6a1e49 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 13 Feb 2022 11:54:18 +0200
Subject: [PATCH 11/55] Update FireEye-HX-Alerts-Workflow.xml

---
 FireEye HX/FireEye-HX-Alerts-Workflow.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index 907271b1..5578eb79 100644
--- a/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -61,9 +61,9 @@
 								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 								<RequestHeader name="Accept" value="application/json" />
 							</CallEndpoint>
-							<If condition="/agent/status_code != 204">
-								<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
-								<Abort reason="Error login: ${/get_feapi_token/body}" />
+							<If condition="/getAagent/status_code != 200">
+								<Log type="Error" message="FE HX API: Error fetching Agnet information: ${/getAagent/body}" />
+								<Abort reason="Error login: ${/getAagent/body}" />
 							</If>
 							<Log type="Info" message="FE HX API: Host found for ID: ${/alert/agent/_id}" />
 							<!-- Add host information to alert-->

From 9303cd7a0c055d67e000d7d09f96fa1c5f15a818 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 13 Feb 2022 12:05:13 +0200
Subject: [PATCH 12/55] change variable naming style

---
 FireEye HX/FireEye-HX-Alerts-Workflow.xml | 31 +++++++++++++----------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index 5578eb79..dae9213c 100644
--- a/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -13,7 +13,7 @@
 		<Initialize path="/bookmark" value="${time() - 60000 * 60 * 24 * 30}" />
 
 		<!-- Use bookmark -10 mins as start time -->
-		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/start_time" />
+		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/startTime" />
 
 			<!-- Authenticate and request API Token -->
 		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
@@ -31,11 +31,11 @@
 			<!-- Extract the API Token -->
 			<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
 			<!-- Build filterQuery -->
-			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"reported_at"}' />
+			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/starTime}"],"field":"reported_at"}' />
 			<!-- Get Alerts -->
 			<Set path="/offset" value="0" />
 
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/get_alerts">
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
 				<QueryParameter name="sort" value="_id" />
@@ -46,15 +46,15 @@
 
 			<!-- Handle Errors -->
 			<If condition="/get_alerts/status_code != 200">
-				<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
+				<Log type="Error" message="FE HX API: Error fetching alerts ${/getAlerts/body}" />
 			</If>
 			<Else>
-				<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
+				<Log type="INFO" message="FE HX API: Got ${/getAlerts/body/data/total} events" />
 				<!-- Alert are returned in JSON format-->
 				<!-- Extract Alerts-->
-				<If condition="${/get_alerts/body/data/total} > 0">
-					<DoWhile condition="count(/get_alerts/body/data/entries) > 0">
-						<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
+				<If condition="${/getAlerts/body/data/total} > 0">
+					<DoWhile condition="count(/getAlerts/body/data/entries) > 0">
+						<Set path="/alerts" value="${/getAlerts/body/data/entries}" />
 						<!-- Enrich Alerts -->
 						<ForEach item="/alert" items="/alerts">
 							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
@@ -78,7 +78,7 @@
 						<!-- Next Page -->
 						<Set path="/Offset" value="${/offset + /limit - 1}" />
 						<!-- Get next page of alerts -->
-						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/get_alerts">
+						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
 							<QueryParameter name="offset" value="${/offset}" />
 							<QueryParameter name="limit" value="${/limit}" />
 							<QueryParameter name="sort" value="_id" />
@@ -86,7 +86,10 @@
 							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 							<RequestHeader name="Accept" value="application/json" />
 						</CallEndpoint>
-						
+						<If condition="/getAlerts/status_code != 200">
+							<Log type="Error" message="FE HX API: Error getting alerts: ${/getAlerts/body}" />
+							<Abort reason="Error login: ${/getAlerts/body}" />
+						</If>
 					</DoWhile>
 				</If>
 				<Else>
@@ -94,15 +97,15 @@
 				</Else>
 			</Else>
 			<!-- Dispose generated token to clear active session -->
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
 				<SSLConfiguration allowUntrustedServerCertificate="true" />
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
 			<!-- Handle Errors -->
-			<If condition="/del_feapi_token/status_code != 204">
-				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/del_feapi_token/body/message}" />
-				<Abort reason="${/get_feapi_token/body/message}" />
+			<If condition="/delFeApiToken/status_code != 204">
+				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/delFeApiToken/body/message}" />
+				<Abort reason="${/delFeApiToken/body/message}" />
 			</If>
 		</Else>
 	</Actions>

From a4a65d55ba6657e602be20e5219864f03a6ef414 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 24 Feb 2022 10:36:44 +0300
Subject: [PATCH 13/55] Update FireEye-HX-Alerts-Workflow.xml

correcting Offset to offset (caused infinite loop)
---
 FireEye HX/FireEye-HX-Alerts-Workflow.xml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index dae9213c..d775f756 100644
--- a/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -74,9 +74,11 @@
 							<PostEvent path="/alert" source="${/host}" />
 						</ForEach>
 						<!-- Update bookmark -->
-						<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
+						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/last_alert_time" />
+            					<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" time="${/last_alert_time + 1}" savePath="/bookmark" />
+						
 						<!-- Next Page -->
-						<Set path="/Offset" value="${/offset + /limit - 1}" />
+						<Set path="/offset" value="${/offset + /limit - 1}" />
 						<!-- Get next page of alerts -->
 						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
 							<QueryParameter name="offset" value="${/offset}" />
@@ -104,8 +106,8 @@
 			</CallEndpoint>
 			<!-- Handle Errors -->
 			<If condition="/delFeApiToken/status_code != 204">
-				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/delFeApiToken/body/message}" />
-				<Abort reason="${/delFeApiToken/body/message}" />
+				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
+				<Abort reason="${/delFeApiToken/body}" />
 			</If>
 		</Else>
 	</Actions>

From cbbd6f17fb8a197fac173eec863e65f2762630bb Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 24 Feb 2022 13:02:57 +0300
Subject: [PATCH 14/55] Update README.md

---
 FireEye HX/README.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/FireEye HX/README.md b/FireEye HX/README.md
index ef14275e..36c0aab1 100644
--- a/FireEye HX/README.md	
+++ b/FireEye HX/README.md	
@@ -1,6 +1,10 @@
 # QRadar Workflow for FireEye HX
 IBM QRadar Universal Cloud Connector Workflow for reading FireEye HX alerts through REST API
 
+## Requirements:
+User account to access FireEye HX Controller with api_analyst role
+
+## Workflow information
 - Author Name: Mohamed Al-Shabrawy
 - Maintainer Name: @M-Shabrawy
 - Version: 1.0.2
@@ -8,6 +12,6 @@ IBM QRadar Universal Cloud Connector Workflow for reading FireEye HX alerts thro
   - - https://fireeye.dev/
   - - https://fireeye.dev/apis/lighthouse/
   
-- Event Types Currently Supported by the workflow:
+## Event Types Currently Supported by the workflow:
 -   -  Alerts: Gets a list of non-suppressed alerts known to the system
--   -  Alert Groups: Lists all alert_groups 
+-   -  Alert Groups: Lists all alert_groups

From 9ab5e4729c61fad4ad0e4fda0b32eef5caf09953 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:29:22 +0300
Subject: [PATCH 15/55] Update FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml

Co-authored-by: Chris Collins <christopher.ian.collins@gmail.com>
---
 FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml b/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
index 2955827a..d864cc08 100644
--- a/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml	
+++ b/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml	
@@ -68,7 +68,7 @@
 
 			<!-- Handle Errors -->
 			<If condition="/del_feapi_token/status_code != 204">
-				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/del_feapi_token/body/message}" />
+				<Log type="Error" message="FE HX API: Error Deleting Session: ${/del_feapi_token/body/message}" />
 				<Abort reason="${/get_feapi_token/body/message}" />
 			</If>
 		</Else>

From 0b63501996a9d332bb6e849cbf72518826268018 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:34:36 +0300
Subject: [PATCH 16/55] Rename FireEye HX/README.md to Community
 Developed/FireEye HX/README.md

Moving to new folder structure
---
 {FireEye HX => Community Developed/FireEye HX}/README.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {FireEye HX => Community Developed/FireEye HX}/README.md (100%)

diff --git a/FireEye HX/README.md b/Community Developed/FireEye HX/README.md
similarity index 100%
rename from FireEye HX/README.md
rename to Community Developed/FireEye HX/README.md

From 55bce66350ee1bb18ceb742205d5c2f63f4d94a6 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:35:40 +0300
Subject: [PATCH 17/55] Rename FireEye HX/LICENSE to Community
 Developed/FireEye HX/LICENSE

Move to new folder structure
---
 {FireEye HX => Community Developed/FireEye HX}/LICENSE | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {FireEye HX => Community Developed/FireEye HX}/LICENSE (100%)

diff --git a/FireEye HX/LICENSE b/Community Developed/FireEye HX/LICENSE
similarity index 100%
rename from FireEye HX/LICENSE
rename to Community Developed/FireEye HX/LICENSE

From 1ea7d008a0bb61fbcba1b8722f6269a04e7aeaa1 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:36:19 +0300
Subject: [PATCH 18/55] Rename FireEye
 HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml to Community
 Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml

Move to new folder structure
---
 .../FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename {FireEye HX => Community Developed/FireEye HX}/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml (94%)

diff --git a/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml
similarity index 94%
rename from FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml
rename to Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml
index b04e2a39..ba7a2578 100644
--- a/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml	
+++ b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml	
@@ -6,4 +6,4 @@
     <Value name="password" value="api_analyst" />
     <!-- Number of alert records to fetch per request -->
     <Value name="limit" value="100" />
-</WorkflowParameterValues>
\ No newline at end of file
+</WorkflowParameterValues>

From 61fb663ed5ba727a51316b1ee48f872ec90c42ef Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:36:53 +0300
Subject: [PATCH 19/55] Rename FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
 to Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml

Move to new folder structure
---
 .../FireEye HX}/FireEye-HX-Alert_Groups-Workflow.xml              | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {FireEye HX => Community Developed/FireEye HX}/FireEye-HX-Alert_Groups-Workflow.xml (100%)

diff --git a/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
similarity index 100%
rename from FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
rename to Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml

From 8213986390aba2e22b2ccc494ada0073d4fe0853 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:37:38 +0300
Subject: [PATCH 20/55] Rename FireEye
 HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml to Community
 Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml

Move to new folder structure
---
 .../FireEye HX}/FireEye-HX-Alerts-Workflow-Parameter-Value.xml    | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {FireEye HX => Community Developed/FireEye HX}/FireEye-HX-Alerts-Workflow-Parameter-Value.xml (100%)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml
similarity index 100%
rename from FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml
rename to Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml

From d26059b17b9cb5d6d3659956843fa8ab1827f1ba Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:38:02 +0300
Subject: [PATCH 21/55] Rename FireEye HX/FireEye-HX-Alerts-Workflow.xml to
 Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml

Move to new folder structure
---
 .../FireEye HX}/FireEye-HX-Alerts-Workflow.xml                    | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {FireEye HX => Community Developed/FireEye HX}/FireEye-HX-Alerts-Workflow.xml (100%)

diff --git a/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml
similarity index 100%
rename from FireEye HX/FireEye-HX-Alerts-Workflow.xml
rename to Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml

From 5254d5613ceb2ca634c623247529954e6b0350b5 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:44:15 +0300
Subject: [PATCH 22/55] Update FireEye-HX-Alerts-Workflow.xml

Adding Insecure parameter to all Endpoint calls to control allowUntrustedServerCertificate
---
 .../FireEye HX/FireEye-HX-Alerts-Workflow.xml  | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index d775f756..3cb8a662 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -6,6 +6,7 @@
 		<Parameter name="username" label="Username" required="true" />
 		<Parameter name="password" label="Password" required="true" secret="true" />
 		<Parameter name="limit" label="Limit" required="true" />
+		<Parameter name="ignore_selfsigned_certificate" label="Insecure" required="false" />
 	</Parameters>
 	
 	<Actions>
@@ -17,7 +18,9 @@
 
 			<!-- Authenticate and request API Token -->
 		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
-			<SSLConfiguration allowUntrustedServerCertificate="true" />
+			<If condition="/ignore_selfsigned_certificate == 1">
+				<SSLConfiguration allowUntrustedServerCertificate="true" />
+			</If>
 			<BasicAuthentication username="${/username}" password="${/password}" />
 			<RequestHeader name="Accept" value="application/json" />
 		</CallEndpoint>
@@ -36,6 +39,9 @@
 			<Set path="/offset" value="0" />
 
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
+				<If condition="/ignore_selfsigned_certificate == 1">
+					<SSLConfiguration allowUntrustedServerCertificate="true" />
+				</If>
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
 				<QueryParameter name="sort" value="_id" />
@@ -58,6 +64,9 @@
 						<!-- Enrich Alerts -->
 						<ForEach item="/alert" items="/alerts">
 							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
+								<If condition="/ignore_selfsigned_certificate == 1">
+									<SSLConfiguration allowUntrustedServerCertificate="true" />
+								</If>
 								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 								<RequestHeader name="Accept" value="application/json" />
 							</CallEndpoint>
@@ -81,6 +90,9 @@
 						<Set path="/offset" value="${/offset + /limit - 1}" />
 						<!-- Get next page of alerts -->
 						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
+							<If condition="/ignore_selfsigned_certificate == 1">
+								<SSLConfiguration allowUntrustedServerCertificate="true" />
+							</If>
 							<QueryParameter name="offset" value="${/offset}" />
 							<QueryParameter name="limit" value="${/limit}" />
 							<QueryParameter name="sort" value="_id" />
@@ -100,7 +112,9 @@
 			</Else>
 			<!-- Dispose generated token to clear active session -->
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
-				<SSLConfiguration allowUntrustedServerCertificate="true" />
+				<If condition="/ignore_selfsigned_certificate == 1">
+					<SSLConfiguration allowUntrustedServerCertificate="true" />
+				</If>
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>

From 05c7f226c8b6184032b6d3a560385063eb92bb03 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:46:02 +0300
Subject: [PATCH 23/55] Update FireEye-HX-Alerts-Workflow-Parameter-Value.xml

Added ignore_selfsigned_certificate parameter
---
 .../FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml
index ba7a2578..3c519f5a 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml	
+++ b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml	
@@ -6,4 +6,5 @@
     <Value name="password" value="api_analyst" />
     <!-- Number of alert records to fetch per request -->
     <Value name="limit" value="100" />
+    <Value name="ignore_selfsigned_certificate" value="0" />
 </WorkflowParameterValues>

From fcf186083a4ac8bb2cd2c43d86f13402828bbb30 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:46:29 +0300
Subject: [PATCH 24/55] Update README.md

---
 Community Developed/FireEye HX/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Community Developed/FireEye HX/README.md b/Community Developed/FireEye HX/README.md
index 36c0aab1..55347f9a 100644
--- a/Community Developed/FireEye HX/README.md	
+++ b/Community Developed/FireEye HX/README.md	
@@ -7,7 +7,7 @@ User account to access FireEye HX Controller with api_analyst role
 ## Workflow information
 - Author Name: Mohamed Al-Shabrawy
 - Maintainer Name: @M-Shabrawy
-- Version: 1.0.2
+- Version: 1.0.3
 - Endpoint Documentation:
   - - https://fireeye.dev/
   - - https://fireeye.dev/apis/lighthouse/

From 39cee4dea540ca3713d1fbbf47955b9c021ec431 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:48:48 +0300
Subject: [PATCH 25/55] Update README.md

Update version
---
 Community Developed/FireEye HX/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Community Developed/FireEye HX/README.md b/Community Developed/FireEye HX/README.md
index 55347f9a..cddbf7c4 100644
--- a/Community Developed/FireEye HX/README.md	
+++ b/Community Developed/FireEye HX/README.md	
@@ -1,5 +1,5 @@
 # QRadar Workflow for FireEye HX
-IBM QRadar Universal Cloud Connector Workflow for reading FireEye HX alerts through REST API
+IBM QRadar Universal Cloud Connector Workflow for reading Trellix/FireEye HX alerts through REST API
 
 ## Requirements:
 User account to access FireEye HX Controller with api_analyst role

From d57c70b3f5ef78ae769230d6a18271c383f338db Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:49:25 +0300
Subject: [PATCH 26/55] Update FireEye-HX-Alerts-Workflow.xml

Update version information
---
 Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml
index 3cb8a662..11109345 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<Workflow name="FireEye HX" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+<Workflow name="FireEye HX" version="1.0.3" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
 	<Parameters>
 		<Parameter name="host" label="Host" required="true" />
 		<Parameter name="hx_port" label="Port" required="true" />

From b294e3d73042bd66c03c9fbc168615c8587e0797 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:58:10 +0300
Subject: [PATCH 27/55] Update FireEye-HX-Alert_Groups-Workflow.xml

Indentation and adding allowUntrustedServerCertificate control
---
 .../FireEye-HX-Alert_Groups-Workflow.xml      | 100 ++++++++++--------
 1 file changed, 54 insertions(+), 46 deletions(-)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
index d864cc08..69d3f5ed 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml	
+++ b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml	
@@ -5,6 +5,7 @@
 		<Parameter name="hx_port" label="Port" value="443" required="true" />
 		<Parameter name="username" label="Username" required="true" />
 		<Parameter name="password" label="Password" required="true" secret="true" />
+		<Parameter name="ignore_selfsigned_certificate" label="Insecure" required="false" />
 	</Parameters>
 	<Actions>
 		<!-- Initialize the Bookmark -->
@@ -15,62 +16,69 @@
 
 		<!-- Authenticate and request API Token -->
         <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/get_feapi_token" >
-            <SSLConfiguration allowUntrustedServerCertificate="true" />
-            <BasicAuthentication username="${/username}" password="${/password}" />
-            <RequestHeader name="Accept" value="application/json" />
+		<If condition="/ignore_selfsigned_certificate == 1">
+			<SSLConfiguration allowUntrustedServerCertificate="true" />
+		</If>
+		<BasicAuthentication username="${/username}" password="${/password}" />
+		<RequestHeader name="Accept" value="application/json" />
         </CallEndpoint>
 
         <!-- Handle Errors -->
-        <If condition="/get_feapi_token/status_code != 204">
-			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
-            <Abort reason="Error login: ${/get_feapi_token/body}" />
+	<If condition="/get_feapi_token/status_code != 204">
+		<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
+		<Abort reason="Error login: ${/get_feapi_token/body}" />
         </If>
-		<Else>
-			<!-- Extract the API Token -->
-			<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
-			<!-- Build filterQuery -->
-			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"last_event_at"}' />
+	<Else>
+		<!-- Extract the API Token -->
+		<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
+		<!-- Build filterQuery -->
+		<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"last_event_at"}' />
 
-			<!-- Get Alerts -->
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alert_groups/?" method="GET" savePath="/get_alerts">
-				<QueryParameter name="offset" value="0" />
-				<QueryParameter name="limit" value="100" />
-				<QueryParameter name="sort" value="last_event_at" />
-				<!-- URL Encoded Filter for last_event_at greater than Start Time -->
-				<QueryParameter name="filterQuery" value="${/filterQuery}" />
-				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-				<RequestHeader name="Accept" value="application/json" />
-			</CallEndpoint>
-			
-			<!-- Handle Errors -->
-			<If condition="/get_alerts/status_code != 200">
-				<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
+		<!-- Get Alerts -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alert_groups/?" method="GET" savePath="/get_alerts">
+			<If condition="/ignore_selfsigned_certificate == 1">
+				<SSLConfiguration allowUntrustedServerCertificate="true" />
 			</If>
-			<Else>
-				<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
+			<QueryParameter name="offset" value="0" />
+			<QueryParameter name="limit" value="100" />
+			<QueryParameter name="sort" value="last_event_at" />
+			<!-- URL Encoded Filter for last_event_at greater than Start Time -->
+			<QueryParameter name="filterQuery" value="${/filterQuery}" />
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+			
+		<!-- Handle Errors -->
+		<If condition="/get_alerts/status_code != 200">
+			<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
+		</If>
+		<Else>
+			<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
 
-				<!-- Alert are returned in JSON format-->
-				<!-- Extract Alerts-->
-				<If condition="${/get_alerts/body/data/total} > 0">
-					<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
-					<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
-				</If>
-				<!-- Post Alerts -->
-				<PostEvents path="/alerts" source="${/host}" />
-			</Else>
+			<!-- Alert are returned in JSON format-->
+			<!-- Extract Alerts-->
+			<If condition="${/get_alerts/body/data/total} > 0">
+				<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
+				<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
+			</If>
+			<!-- Post Alerts -->
+			<PostEvents path="/alerts" source="${/host}" />
+		</Else>
 
-			<!-- Dispose generated token to clear active session -->
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
+		<!-- Dispose generated token to clear active session -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
+			<If condition="/ignore_selfsigned_certificate == 1">
 				<SSLConfiguration allowUntrustedServerCertificate="true" />
-				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-				<RequestHeader name="Accept" value="application/json" />
-			</CallEndpoint>
-
-			<!-- Handle Errors -->
-			<If condition="/del_feapi_token/status_code != 204">
-				<Log type="Error" message="FE HX API: Error Deleting Session: ${/del_feapi_token/body/message}" />
-				<Abort reason="${/get_feapi_token/body/message}" />
 			</If>
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+
+		<!-- Handle Errors -->
+		<If condition="/del_feapi_token/status_code != 204">
+			<Log type="Error" message="FE HX API: Error Deleting Session: ${/del_feapi_token/body/message}" />
+			<Abort reason="${/get_feapi_token/body/message}" />
+		</If>
 		</Else>
 	</Actions>
 	<Tests>

From 27f067e9089c69bbaaf1448f9f739e94ad0d981e Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Tue, 23 Aug 2022 08:59:06 +0300
Subject: [PATCH 28/55] Update
 FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml

Added ignore_selfsigned_certificate parameter
---
 .../FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml         | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml
index ba7a2578..3c519f5a 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml	
+++ b/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml	
@@ -6,4 +6,5 @@
     <Value name="password" value="api_analyst" />
     <!-- Number of alert records to fetch per request -->
     <Value name="limit" value="100" />
+    <Value name="ignore_selfsigned_certificate" value="0" />
 </WorkflowParameterValues>

From 49ad1b4b9d6751ac756aa9754e4030f41620746b Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:10:19 +0200
Subject: [PATCH 29/55] Update README.md

Update brand name to Trellix
---
 Community Developed/FireEye HX/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Community Developed/FireEye HX/README.md b/Community Developed/FireEye HX/README.md
index cddbf7c4..99b605b2 100644
--- a/Community Developed/FireEye HX/README.md	
+++ b/Community Developed/FireEye HX/README.md	
@@ -1,4 +1,4 @@
-# QRadar Workflow for FireEye HX
+# QRadar Workflow for Trellix HX Alerts
 IBM QRadar Universal Cloud Connector Workflow for reading Trellix/FireEye HX alerts through REST API
 
 ## Requirements:
@@ -7,7 +7,7 @@ User account to access FireEye HX Controller with api_analyst role
 ## Workflow information
 - Author Name: Mohamed Al-Shabrawy
 - Maintainer Name: @M-Shabrawy
-- Version: 1.0.3
+- Version: 1.0.4
 - Endpoint Documentation:
   - - https://fireeye.dev/
   - - https://fireeye.dev/apis/lighthouse/

From c52b7091022660442b61b2c8b854bf1d50de349c Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:22:34 +0200
Subject: [PATCH 30/55] Update and rename FireEye-HX-Alerts-Workflow.xml to
 Trellix-HX-Alerts-Workflow.xml

- Updated file name to reflect brand name change.
- Remove the use of Bypass SSL, as it's now part of DSM configuration.
- Update variable names
---
 .../Trellix-HX-Alerts-Workflow.xml}           | 35 ++++++-------------
 1 file changed, 11 insertions(+), 24 deletions(-)
 rename Community Developed/{FireEye HX/FireEye-HX-Alerts-Workflow.xml => Trellix HX/Trellix-HX-Alerts-Workflow.xml} (78%)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml
similarity index 78%
rename from Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml
rename to Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml
index 11109345..5a6526cb 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
@@ -1,12 +1,11 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<Workflow name="FireEye HX" version="1.0.3" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+<Workflow name="Trellix HX" version="1.0.4" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
 	<Parameters>
 		<Parameter name="host" label="Host" required="true" />
 		<Parameter name="hx_port" label="Port" required="true" />
 		<Parameter name="username" label="Username" required="true" />
 		<Parameter name="password" label="Password" required="true" secret="true" />
 		<Parameter name="limit" label="Limit" required="true" />
-		<Parameter name="ignore_selfsigned_certificate" label="Insecure" required="false" />
 	</Parameters>
 	
 	<Actions>
@@ -18,30 +17,24 @@
 
 			<!-- Authenticate and request API Token -->
 		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
-			<If condition="/ignore_selfsigned_certificate == 1">
-				<SSLConfiguration allowUntrustedServerCertificate="true" />
-			</If>
 			<BasicAuthentication username="${/username}" password="${/password}" />
 			<RequestHeader name="Accept" value="application/json" />
 		</CallEndpoint>
 
 		<!-- Handle Errors -->
-		<If condition="/get_feapi_token/status_code != 204">
+		<If condition="/getFeApiToken/status_code != 204">
 			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
-			<Abort reason="Error login: ${/get_feapi_token/body}" />
+			<Abort reason="Error login: ${/getFeApiToken/body}" />
 		</If>
 		<Else>
 			<!-- Extract the API Token -->
-			<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
+			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
 			<!-- Build filterQuery -->
 			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/starTime}"],"field":"reported_at"}' />
 			<!-- Get Alerts -->
 			<Set path="/offset" value="0" />
 
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
-				<If condition="/ignore_selfsigned_certificate == 1">
-					<SSLConfiguration allowUntrustedServerCertificate="true" />
-				</If>
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
 				<QueryParameter name="sort" value="_id" />
@@ -51,7 +44,7 @@
 			</CallEndpoint>
 
 			<!-- Handle Errors -->
-			<If condition="/get_alerts/status_code != 200">
+			<If condition="/getAlerts/status_code != 200">
 				<Log type="Error" message="FE HX API: Error fetching alerts ${/getAlerts/body}" />
 			</If>
 			<Else>
@@ -64,9 +57,6 @@
 						<!-- Enrich Alerts -->
 						<ForEach item="/alert" items="/alerts">
 							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
-								<If condition="/ignore_selfsigned_certificate == 1">
-									<SSLConfiguration allowUntrustedServerCertificate="true" />
-								</If>
 								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 								<RequestHeader name="Accept" value="application/json" />
 							</CallEndpoint>
@@ -76,23 +66,20 @@
 							</If>
 							<Log type="Info" message="FE HX API: Host found for ID: ${/alert/agent/_id}" />
 							<!-- Add host information to alert-->
-							<Set path="/alert/agent/hostname" value="${/agent/body/data/hostname}"  />
-							<Set path="/alert/agent/domain" value="${/agent/body/data/domain}"  />
-							<Set path="/alert/agent/primary_ip_address" value="${/agent/body/data/primary_ip_address}"  />
-							<Set path="/alert/agent/last_poll_ip" value="${/agent/body/data/last_poll_ip}"  />
+							<Set path="/alert/agent/hostname" value="${/getAagent/body/data/hostname}"  />
+							<Set path="/alert/agent/domain" value="${/getAagent/body/data/domain}"  />
+							<Set path="/alert/agent/primary_ip_address" value="${/getAagent/body/data/primary_ip_address}"  />
+							<Set path="/alert/agent/last_poll_ip" value="${/getAagent/body/data/last_poll_ip}"  />
 							<PostEvent path="/alert" source="${/host}" />
 						</ForEach>
 						<!-- Update bookmark -->
-						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/last_alert_time" />
-            					<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" time="${/last_alert_time + 1}" savePath="/bookmark" />
+						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/LastAlertTime" />
+            					<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" time="${/LastAlertTime + 1}" savePath="/bookmark" />
 						
 						<!-- Next Page -->
 						<Set path="/offset" value="${/offset + /limit - 1}" />
 						<!-- Get next page of alerts -->
 						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
-							<If condition="/ignore_selfsigned_certificate == 1">
-								<SSLConfiguration allowUntrustedServerCertificate="true" />
-							</If>
 							<QueryParameter name="offset" value="${/offset}" />
 							<QueryParameter name="limit" value="${/limit}" />
 							<QueryParameter name="sort" value="_id" />

From 4109bf4afc431104e11d8829d4ec17b1f8a19416 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:23:31 +0200
Subject: [PATCH 31/55] Rename README.md to README.md

---
 Community Developed/{FireEye HX => Trellix HX}/README.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/{FireEye HX => Trellix HX}/README.md (100%)

diff --git a/Community Developed/FireEye HX/README.md b/Community Developed/Trellix HX/README.md
similarity index 100%
rename from Community Developed/FireEye HX/README.md
rename to Community Developed/Trellix HX/README.md

From a4091a03174a26d08edde75d32abe88c6fbef296 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:24:22 +0200
Subject: [PATCH 32/55] Rename FireEye-HX-Alerts-Workflow-Parameter-Value.xml
 to Trellix-HX-Alerts-Workflow-Parameter-Value.xml

---
 .../Trellix-HX-Alerts-Workflow-Parameter-Value.xml}               | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/{FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml => Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml} (100%)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml
similarity index 100%
rename from Community Developed/FireEye HX/FireEye-HX-Alerts-Workflow-Parameter-Value.xml
rename to Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml

From 2318b8709445abe63ca192e3670c0eeec7578008 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:26:37 +0200
Subject: [PATCH 33/55] Update Trellix-HX-Alerts-Workflow-Parameter-Value.xml

Removed Ignore Self-Signed Certificate parameter
---
 .../Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml  | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml
index 3c519f5a..f3a8c00c 100644
--- a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml	
@@ -1,10 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
     <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
-    <Value name="hx_port" value="443" />
+    <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
     <Value name="username" value="api_analyst" />
     <Value name="password" value="api_analyst" />
     <!-- Number of alert records to fetch per request -->
     <Value name="limit" value="100" />
-    <Value name="ignore_selfsigned_certificate" value="0" />
 </WorkflowParameterValues>

From 100f3353fc3155201f6452db91e07e0f0908fae8 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 10:59:49 +0200
Subject: [PATCH 34/55] Update and rename
 FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml to
 FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml

Updated to use the new brand name and removed ignore self-signed certificate
---
 ...reEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml} | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename Community Developed/{FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml => Trellix HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml} (81%)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml
similarity index 81%
rename from Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml
rename to Community Developed/Trellix HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml
index 3c519f5a..f3a8c00c 100644
--- a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow-Parameter-Value.xml	
+++ b/Community Developed/Trellix HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml	
@@ -1,10 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
     <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
-    <Value name="hx_port" value="443" />
+    <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
     <Value name="username" value="api_analyst" />
     <Value name="password" value="api_analyst" />
     <!-- Number of alert records to fetch per request -->
     <Value name="limit" value="100" />
-    <Value name="ignore_selfsigned_certificate" value="0" />
 </WorkflowParameterValues>

From 6471a0fda7ddd1076164e75683ba765754e31c83 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 11:01:00 +0200
Subject: [PATCH 35/55] Rename FireEye-HX-Alert_Groups-Workflow.xml to
 Trellix-HX-Alert_Groups-Workflow.xml

Updated to reflect new brand name
---
 .../Trellix-HX-Alert_Groups-Workflow.xml}                         | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/{FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml => Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml} (100%)

diff --git a/Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml
similarity index 100%
rename from Community Developed/FireEye HX/FireEye-HX-Alert_Groups-Workflow.xml
rename to Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml

From 672717293d7e07eb2f3f533fb08acc4c8c711fc7 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 11:05:49 +0200
Subject: [PATCH 36/55] Update Trellix-HX-Alert_Groups-Workflow.xml

Removed ignore self-signed certificate, and update variable naming style
---
 .../Trellix-HX-Alert_Groups-Workflow.xml      | 36 +++++++------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml
index 69d3f5ed..81e7b6f8 100644
--- a/Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml	
@@ -5,40 +5,33 @@
 		<Parameter name="hx_port" label="Port" value="443" required="true" />
 		<Parameter name="username" label="Username" required="true" />
 		<Parameter name="password" label="Password" required="true" secret="true" />
-		<Parameter name="ignore_selfsigned_certificate" label="Insecure" required="false" />
 	</Parameters>
 	<Actions>
 		<!-- Initialize the Bookmark -->
 		<Initialize path="/bookmark" value="${time() - 86400000}" />
 	
 		<!-- Use bookmark -10 mins as start time -->
-		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/start_time" />
+		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/startTime" />
 
 		<!-- Authenticate and request API Token -->
-        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/get_feapi_token" >
-		<If condition="/ignore_selfsigned_certificate == 1">
-			<SSLConfiguration allowUntrustedServerCertificate="true" />
-		</If>
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getApiToken" >
 		<BasicAuthentication username="${/username}" password="${/password}" />
 		<RequestHeader name="Accept" value="application/json" />
         </CallEndpoint>
 
         <!-- Handle Errors -->
-	<If condition="/get_feapi_token/status_code != 204">
-		<Log type="Error" message="FE HX API: Error Authenticating to API: ${/get_feapi_token/body}" />
-		<Abort reason="Error login: ${/get_feapi_token/body}" />
+	<If condition="/getApiToken/status_code != 204">
+		<Log type="Error" message="FE HX API: Error Authenticating to API: ${/getApiToken/body}" />
+		<Abort reason="Error login: ${/getApiToken/body}" />
         </If>
 	<Else>
 		<!-- Extract the API Token -->
-		<Set path="/x_feapi_token" value="${/get_feapi_token/headers/X-FeApi-Token}" />
+		<Set path="/x_feapi_token" value="${/getApiToken/headers/X-FeApi-Token}" />
 		<!-- Build filterQuery -->
-		<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/start_time}"],"field":"last_event_at"}' />
+		<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/startTime}"],"field":"last_event_at"}' />
 
 		<!-- Get Alerts -->
-		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alert_groups/?" method="GET" savePath="/get_alerts">
-			<If condition="/ignore_selfsigned_certificate == 1">
-				<SSLConfiguration allowUntrustedServerCertificate="true" />
-			</If>
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alert_groups/?" method="GET" savePath="/getAlerts">
 			<QueryParameter name="offset" value="0" />
 			<QueryParameter name="limit" value="100" />
 			<QueryParameter name="sort" value="last_event_at" />
@@ -49,15 +42,15 @@
 		</CallEndpoint>
 			
 		<!-- Handle Errors -->
-		<If condition="/get_alerts/status_code != 200">
-			<Log type="Error" message="FE HX API: Error fetching alerts ${/get_alerts/body}" />
+		<If condition="/getAlerts/status_code != 200">
+			<Log type="Error" message="FE HX API: Error fetching alerts ${/getAlerts/body}" />
 		</If>
 		<Else>
-			<Log type="INFO" message="FE HX API: Got ${/get_alerts/body/data/total} events" />
+			<Log type="INFO" message="FE HX API: Got ${/getAlerts/body/data/total} events" />
 
 			<!-- Alert are returned in JSON format-->
 			<!-- Extract Alerts-->
-			<If condition="${/get_alerts/body/data/total} > 0">
+			<If condition="${/getAlerts/body/data/total} > 0">
 				<Set path="/alerts" value="${/get_alerts/body/data/entries}" />
 				<Set path="/bookmark" value="${max(/alerts/reported_at)}" />
 			</If>
@@ -66,10 +59,7 @@
 		</Else>
 
 		<!-- Dispose generated token to clear active session -->
-		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/del_feapi_token" >
-			<If condition="/ignore_selfsigned_certificate == 1">
-				<SSLConfiguration allowUntrustedServerCertificate="true" />
-			</If>
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delApiToken" >
 			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 			<RequestHeader name="Accept" value="application/json" />
 		</CallEndpoint>

From 557bc6b5ec26ebb40058c390167e4e538ee51c20 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 11:06:37 +0200
Subject: [PATCH 37/55] Update and rename LICENSE to LICENSE

---
 Community Developed/{FireEye HX => Trellix HX}/LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename Community Developed/{FireEye HX => Trellix HX}/LICENSE (96%)

diff --git a/Community Developed/FireEye HX/LICENSE b/Community Developed/Trellix HX/LICENSE
similarity index 96%
rename from Community Developed/FireEye HX/LICENSE
rename to Community Developed/Trellix HX/LICENSE
index 35589ce6..15286d7a 100644
--- a/Community Developed/FireEye HX/LICENSE	
+++ b/Community Developed/Trellix HX/LICENSE	
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Mohamed Al-Shabrawy
+Copyright (c) 2024 Mohamed Al-Shabrawy
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

From f4eba812293bfa4f92150d5396b58319b115c3a6 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 11:15:01 +0200
Subject: [PATCH 38/55] Update Trellix-HX-Alerts-Workflow.xml

Updated bookmark update section
---
 Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml
index 5a6526cb..26573a02 100644
--- a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
@@ -73,8 +73,7 @@
 							<PostEvent path="/alert" source="${/host}" />
 						</ForEach>
 						<!-- Update bookmark -->
-						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/LastAlertTime" />
-            					<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" time="${/LastAlertTime + 1}" savePath="/bookmark" />
+						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/bookmark" />
 						
 						<!-- Next Page -->
 						<Set path="/offset" value="${/offset + /limit - 1}" />

From db82bf2099c2e23fae302de0b12b862856d4314e Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 11:18:09 +0200
Subject: [PATCH 39/55] Update Trellix-HX-Alerts-Workflow.xml

Changing FE to Trellix and added logging
---
 .../Trellix HX/Trellix-HX-Alerts-Workflow.xml   | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml
index 26573a02..9da4efcf 100644
--- a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
@@ -23,7 +23,7 @@
 
 		<!-- Handle Errors -->
 		<If condition="/getFeApiToken/status_code != 204">
-			<Log type="Error" message="FE HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
+			<Log type="Error" message="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
 			<Abort reason="Error login: ${/getFeApiToken/body}" />
 		</If>
 		<Else>
@@ -45,10 +45,10 @@
 
 			<!-- Handle Errors -->
 			<If condition="/getAlerts/status_code != 200">
-				<Log type="Error" message="FE HX API: Error fetching alerts ${/getAlerts/body}" />
+				<Log type="Error" message="Trellix HX API: Error fetching alerts ${/getAlerts/body}" />
 			</If>
 			<Else>
-				<Log type="INFO" message="FE HX API: Got ${/getAlerts/body/data/total} events" />
+				<Log type="INFO" message="Trellix HX API: Got ${/getAlerts/body/data/total} events" />
 				<!-- Alert are returned in JSON format-->
 				<!-- Extract Alerts-->
 				<If condition="${/getAlerts/body/data/total} > 0">
@@ -61,10 +61,10 @@
 								<RequestHeader name="Accept" value="application/json" />
 							</CallEndpoint>
 							<If condition="/getAagent/status_code != 200">
-								<Log type="Error" message="FE HX API: Error fetching Agnet information: ${/getAagent/body}" />
+								<Log type="Error" message="Trellix HX API: Error fetching Agnet information: ${/getAagent/body}" />
 								<Abort reason="Error login: ${/getAagent/body}" />
 							</If>
-							<Log type="Info" message="FE HX API: Host found for ID: ${/alert/agent/_id}" />
+							<Log type="Info" message="Trellix HX API: Host found for ID: ${/alert/agent/_id}" />
 							<!-- Add host information to alert-->
 							<Set path="/alert/agent/hostname" value="${/getAagent/body/data/hostname}"  />
 							<Set path="/alert/agent/domain" value="${/getAagent/body/data/domain}"  />
@@ -74,6 +74,7 @@
 						</ForEach>
 						<!-- Update bookmark -->
 						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/bookmark" />
+						<Log type="Info" message="Trellix HX API: Last Alert Time set to: ${/bookmark}" />
 						
 						<!-- Next Page -->
 						<Set path="/offset" value="${/offset + /limit - 1}" />
@@ -87,13 +88,13 @@
 							<RequestHeader name="Accept" value="application/json" />
 						</CallEndpoint>
 						<If condition="/getAlerts/status_code != 200">
-							<Log type="Error" message="FE HX API: Error getting alerts: ${/getAlerts/body}" />
+							<Log type="Error" message="Trellix HX API: Error getting alerts: ${/getAlerts/body}" />
 							<Abort reason="Error login: ${/getAlerts/body}" />
 						</If>
 					</DoWhile>
 				</If>
 				<Else>
-					<Log type="Notice" message="FE HX API: No Alerts to Pull." />
+					<Log type="Notice" message="Trellix HX API: No Alerts to Pull." />
 				</Else>
 			</Else>
 			<!-- Dispose generated token to clear active session -->
@@ -106,7 +107,7 @@
 			</CallEndpoint>
 			<!-- Handle Errors -->
 			<If condition="/delFeApiToken/status_code != 204">
-				<Log type="Error" message="FE HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
+				<Log type="Error" message="Trellix HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
 				<Abort reason="${/delFeApiToken/body}" />
 			</If>
 		</Else>

From 8a48d19b605a6792c0071b785a6310a037f5514a Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 11:21:36 +0200
Subject: [PATCH 40/55] Create
 Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml

---
 ...rellix-HX-ProcessTracker-Workflow-Parameter-Value.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml
new file mode 100644
index 00000000..f3a8c00c
--- /dev/null
+++ b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml	
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+    <Value name="host" value="hexXXXXXX-hx-webui-1.hex03.helix.apps.fireeye.com" />
+    <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
+    <Value name="username" value="api_analyst" />
+    <Value name="password" value="api_analyst" />
+    <!-- Number of alert records to fetch per request -->
+    <Value name="limit" value="100" />
+</WorkflowParameterValues>

From b426fa3984983f849125b49b6132bfe7c298e17b Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Sun, 22 Dec 2024 12:13:23 +0200
Subject: [PATCH 41/55] Create Trellix-HX-ProcessTracker-Workflow.xml

Initial version
---
 .../Trellix-HX-ProcessTracker-Workflow.xml    | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml
new file mode 100644
index 00000000..470173cd
--- /dev/null
+++ b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml	
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Trellix HX" version="1.0.4" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+	<Parameters>
+		<Parameter name="host" label="Host" required="true" />
+		<Parameter name="hx_port" label="Port" required="true" />
+		<Parameter name="username" label="Username" required="true" />
+		<Parameter name="password" label="Password" required="true" secret="true" />
+    <Parameter name="limit" label="Limit" required="true"/>
+	</Parameters>
+	
+	<Actions>
+		<!-- Initialize the Bookmark -->
+		<Initialize path="/bookmark" value="0" />
+
+			<!-- Authenticate and request API Token -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
+			<BasicAuthentication username="${/username}" password="${/password}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+
+		<!-- Handle Errors -->
+		<If condition="/getFeApiToken/status_code != 204">
+			<Log type="Error" message="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
+			<Abort reason="Error login: ${/getFeApiToken/body}" />
+		</If>
+		<Else>
+			<!-- Extract the API Token -->
+			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
+      
+			<!-- Get PT Events -->
+			<Set path="/offset" value="${/bookmark}" />
+      <Set path="/limit" value="${/limit}" />
+
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getPTEvents">
+				<QueryParameter name="offset" value="${/offset}" />
+				<QueryParameter name="limit" value="${/limit}" />
+				<QueryParameter name="sort" value="created_at:asc" />
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+
+			<!-- Handle Errors -->
+			<If condition="/getAlerts/status_code != 200">
+				<Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getPTEvents/body}" />
+			</If>
+			<Else>
+				<Log type="INFO" message="Trellix HX API: Got ${/getPTEvents/body/total} events" />
+				<!-- Events are returned in JSON format-->
+				<!-- Extract Alerts-->
+				<If condition="${/getPTEvents/body/total} > 0">
+          <Set path="entries" value="${/getPTEvents/body/total}">
+					<DoWhile condition="/entries > 0">
+						<Set path="/events" value="${/getPTEvents/body/data}" />
+						<ForEach item="/event" items="/events"
+							<PostEvent path="/event" source="${/host}" />
+              <!-- Update bookmark -->
+              <Set path="/bookmark" value="${/event/_id}" />
+						</ForEach>
+						<Set path="/offset" value="${/event/_id + 1}" />
+						<!-- Get next page of alerts -->
+						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getPTEvents">
+							<QueryParameter name="offset" value="${/offset}" />
+							<QueryParameter name="limit" value="${/limit}" />
+							<QueryParameter name="sort" value="_id" />
+							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+							<RequestHeader name="Accept" value="application/json" />
+						</CallEndpoint>
+						<If condition="/getAlerts/status_code != 200">
+							<Log type="Error" message="Trellix HX API: Error getting alerts: ${/getPTEvents/body}" />
+							<Abort reason="Error login: ${/getAlerts/body}" />
+						</If>
+            <Else>
+              <Set path="entries" value="${/getPTEvents/body/total}">
+            </Else>
+					</DoWhile>
+				</If>
+				<Else>
+					<Log type="Notice" message="Trellix HX API: No Alerts to Pull." />
+				</Else>
+			</Else>
+			<!-- Dispose generated token to clear active session -->
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
+				<If condition="/ignore_selfsigned_certificate == 1">
+					<SSLConfiguration allowUntrustedServerCertificate="true" />
+				</If>
+				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+				<RequestHeader name="Accept" value="application/json" />
+			</CallEndpoint>
+			<!-- Handle Errors -->
+			<If condition="/delFeApiToken/status_code != 204">
+				<Log type="Error" message="Trellix HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
+				<Abort reason="${/delFeApiToken/body}" />
+			</If>
+		</Else>
+	</Actions>
+	
+	<Tests>
+		<DNSResolutionTest host="${/host}" />
+		<TCPConnectionTest host="${/host}" port="${/hx_port}" />
+		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
+		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
+	</Tests>
+</Workflow>

From 8f66a7871f82b6cf52cb5201f2fd022ab643343e Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Mon, 23 Dec 2024 16:15:06 +0200
Subject: [PATCH 42/55] Update Trellix-HX-Alerts-Workflow.xml

---
 .../Trellix HX/Trellix-HX-Alerts-Workflow.xml   | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml
index 9da4efcf..59ca5f9e 100644
--- a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml	
@@ -10,12 +10,9 @@
 	
 	<Actions>
 		<!-- Initialize the Bookmark -->
-		<Initialize path="/bookmark" value="${time() - 60000 * 60 * 24 * 30}" />
+		<Initialize path="/bookmark" value="0" />
 
-		<!-- Use bookmark -10 mins as start time -->
-		<FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/bookmark}" savePath="/startTime" />
-
-			<!-- Authenticate and request API Token -->
+		<!-- Authenticate and request API Token -->
 		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
 			<BasicAuthentication username="${/username}" password="${/password}" />
 			<RequestHeader name="Accept" value="application/json" />
@@ -29,16 +26,14 @@
 		<Else>
 			<!-- Extract the API Token -->
 			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
-			<!-- Build filterQuery -->
-			<Set path="/filterQuery" value='{"operator":"gt","arg": ["${/starTime}"],"field":"reported_at"}' />
 			<!-- Get Alerts -->
 			<Set path="/offset" value="0" />
+			<Set path="limit" value="1" />
 
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
 				<QueryParameter name="sort" value="_id" />
-				<QueryParameter name="filterQuery" value="${/filterQuery}" />
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
@@ -48,14 +43,16 @@
 				<Log type="Error" message="Trellix HX API: Error fetching alerts ${/getAlerts/body}" />
 			</If>
 			<Else>
-				<Log type="INFO" message="Trellix HX API: Got ${/getAlerts/body/data/total} events" />
+				<Log type="INFO" message="Trellix HX API: Got ${/getAlerts/body/data/total} alerts" />
 				<!-- Alert are returned in JSON format-->
 				<!-- Extract Alerts-->
 				<If condition="${/getAlerts/body/data/total} > 0">
-					<DoWhile condition="count(/getAlerts/body/data/entries) > 0">
+					<set path="entries" value="${/getAlerts/body/data/total}">
+					<DoWhile condition="(/getAlerts/body/data/entries) > 0">
 						<Set path="/alerts" value="${/getAlerts/body/data/entries}" />
 						<!-- Enrich Alerts -->
 						<ForEach item="/alert" items="/alerts">
+							<Set path="/alertID" value="${/alert/_id}">
 							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
 								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 								<RequestHeader name="Accept" value="application/json" />

From d8d1900d69635e2e1ea57bdc9a292d27114c0369 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Mon, 23 Dec 2024 21:32:18 +0200
Subject: [PATCH 43/55] Update
 Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml

Removed Limit parameter
---
 .../Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml      | 2 --
 1 file changed, 2 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml
index f3a8c00c..ac21019f 100644
--- a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml	
@@ -4,6 +4,4 @@
     <Value name="hx_port" value="443" /> <!-- 443 for CLoud and 3000 for On-Prem -->
     <Value name="username" value="api_analyst" />
     <Value name="password" value="api_analyst" />
-    <!-- Number of alert records to fetch per request -->
-    <Value name="limit" value="100" />
 </WorkflowParameterValues>

From 547b8737886b18258f30152b5c8bff43b819c8f6 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Mon, 23 Dec 2024 21:34:23 +0200
Subject: [PATCH 44/55] Update Trellix-HX-ProcessTracker-Workflow.xml

First working version
---
 .../Trellix-HX-ProcessTracker-Workflow.xml    | 76 ++++++++++---------
 1 file changed, 41 insertions(+), 35 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml
index 470173cd..47e81d69 100644
--- a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml	
@@ -5,7 +5,6 @@
 		<Parameter name="hx_port" label="Port" required="true" />
 		<Parameter name="username" label="Username" required="true" />
 		<Parameter name="password" label="Password" required="true" secret="true" />
-    <Parameter name="limit" label="Limit" required="true"/>
 	</Parameters>
 	
 	<Actions>
@@ -21,68 +20,75 @@
 		<!-- Handle Errors -->
 		<If condition="/getFeApiToken/status_code != 204">
 			<Log type="Error" message="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
-			<Abort reason="Error login: ${/getFeApiToken/body}" />
+			<Abort reason="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
 		</If>
 		<Else>
 			<!-- Extract the API Token -->
 			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
       
 			<!-- Get PT Events -->
-			<Set path="/offset" value="${/bookmark}" />
-      <Set path="/limit" value="${/limit}" />
-
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getPTEvents">
+			<Set path="/offset" value="0" />
+			<Set path="/limit" value="1" />
+			<!-- Get the first event on the system to get the start ID-->
+           
+			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events?" method="GET" savePath="/getPTEvents">
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
-				<QueryParameter name="sort" value="created_at:asc" />
+				<QueryParameter name="sort" value="id:asc" />
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
 
 			<!-- Handle Errors -->
-			<If condition="/getAlerts/status_code != 200">
+			<If condition="/getPTEvents/status_code != 200">
 				<Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getPTEvents/body}" />
 			</If>
 			<Else>
-				<Log type="INFO" message="Trellix HX API: Got ${/getPTEvents/body/total} events" />
+				<Log type="INFO" message="Trellix HX API: Got ${/getPTEvents/body/total} PT events" />
+				
+				<!-- HX API ill return a new token as part of response headers when nearing exipry-->
+				<If condition="/getPTEvents/headers/X-FeApi-Token != null">
+					<Set path="/x_feapi_token" value="${/getPTEvents/headers/X-FeApi-Token}" />
+				</If>
 				<!-- Events are returned in JSON format-->
-				<!-- Extract Alerts-->
+				<!-- Extract Events-->
 				<If condition="${/getPTEvents/body/total} > 0">
-          <Set path="entries" value="${/getPTEvents/body/total}">
-					<DoWhile condition="/entries > 0">
-						<Set path="/events" value="${/getPTEvents/body/data}" />
-						<ForEach item="/event" items="/events"
-							<PostEvent path="/event" source="${/host}" />
-              <!-- Update bookmark -->
-              <Set path="/bookmark" value="${/event/_id}" />
-						</ForEach>
-						<Set path="/offset" value="${/event/_id + 1}" />
-						<!-- Get next page of alerts -->
-						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getPTEvents">
-							<QueryParameter name="offset" value="${/offset}" />
-							<QueryParameter name="limit" value="${/limit}" />
-							<QueryParameter name="sort" value="_id" />
+					<Set path="/entries" value="${/getPTEvents/body/total}" />
+					<Set path="/bookmark" value="${/getPTEvents/body/data[0]/id}" />
+					<DoWhile condition="${/entries} > 0">
+						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events/${/bookmark}" method="GET" savePath="/getPTEvent">
 							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 							<RequestHeader name="Accept" value="application/json" />
 						</CallEndpoint>
-						<If condition="/getAlerts/status_code != 200">
-							<Log type="Error" message="Trellix HX API: Error getting alerts: ${/getPTEvents/body}" />
-							<Abort reason="Error login: ${/getAlerts/body}" />
+						<!-- HX API ill return a new token as part of response headers when nearing exipry-->
+						<If condition="/getPTEvents/headers/X-FeApi-Token != null">
+							<Set path="/x_feapi_token" value="${/getPTEvent/headers/X-FeApi-Token}" />
 						</If>
-            <Else>
-              <Set path="entries" value="${/getPTEvents/body/total}">
-            </Else>
+						<If condition="/getPTEvent/status_code = 404">
+                            				<Set path="/bookmark" value="${/bookmark  + 1}" />
+							<Set path="/entries" value="${/entries - 1}" />
+							<Log type="INFO" message="Trellix HX API: Next PT Even ID ${/bookmark}" />
+		                    			<Log type="Error" message="Trellix HX API: Error PT event ${/bookmark} not found: ${/getPTEvent/body}" />
+						</If>
+						<ElseIf condition="/getPTEvent/status_code = 200">
+							<Set path="/event" value="${/getPTEvent/body/data[0]}" />
+							<PostEvent path="/event" source="${/host}" />
+							<!-- Update bookmark -->
+							<Set path="/bookmark" value="${/event/id + 1}" />
+							<Set path="/entries" value="${/entries - 1}" />
+							<Log type="INFO" message="Trellix HX API: Next PT Even ID ${/bookmark}" />
+						</ElseIf>
+						<Else>
+							<Log type="Error" message="Trellix HX API: Error getting PT Events: ${/getPTEvent/body}" />
+						</Else>
 					</DoWhile>
 				</If>
 				<Else>
-					<Log type="Notice" message="Trellix HX API: No Alerts to Pull." />
+					<Log type="Notice" message="Trellix HX API: No PT Events to Pull." />
 				</Else>
 			</Else>
 			<!-- Dispose generated token to clear active session -->
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
-				<If condition="/ignore_selfsigned_certificate == 1">
-					<SSLConfiguration allowUntrustedServerCertificate="true" />
-				</If>
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
@@ -97,7 +103,7 @@
 	<Tests>
 		<DNSResolutionTest host="${/host}" />
 		<TCPConnectionTest host="${/host}" port="${/hx_port}" />
-		<SSLHandshakeTest host="${/host}" port="${/hx_port}"/>
+		<!--SSLHandshakeTest host="${/host}" port="${/hx_port}"/-->
 		<HTTPConnectionThroughProxyTest url="https://${/host}:${/hx_port}" />
 	</Tests>
 </Workflow>

From f3e23bb741654bd97429c125b25e337d38b4b40c Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Mon, 23 Dec 2024 21:37:09 +0200
Subject: [PATCH 45/55] Update README.md

Added Process Tracker workflow information
---
 Community Developed/Trellix HX/README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Community Developed/Trellix HX/README.md b/Community Developed/Trellix HX/README.md
index 99b605b2..d844f0a0 100644
--- a/Community Developed/Trellix HX/README.md	
+++ b/Community Developed/Trellix HX/README.md	
@@ -1,5 +1,5 @@
 # QRadar Workflow for Trellix HX Alerts
-IBM QRadar Universal Cloud Connector Workflow for reading Trellix/FireEye HX alerts through REST API
+IBM QRadar Universal Cloud Connector Workflows for reading Trellix/FireEye HX Alerts and Events through REST API
 
 ## Requirements:
 User account to access FireEye HX Controller with api_analyst role
@@ -7,7 +7,7 @@ User account to access FireEye HX Controller with api_analyst role
 ## Workflow information
 - Author Name: Mohamed Al-Shabrawy
 - Maintainer Name: @M-Shabrawy
-- Version: 1.0.4
+- Version: 1.0.5
 - Endpoint Documentation:
   - - https://fireeye.dev/
   - - https://fireeye.dev/apis/lighthouse/
@@ -15,3 +15,4 @@ User account to access FireEye HX Controller with api_analyst role
 ## Event Types Currently Supported by the workflow:
 -   -  Alerts: Gets a list of non-suppressed alerts known to the system
 -   -  Alert Groups: Lists all alert_groups
+-   -  Process Tracker Module events

From 5b71d649a65d71ebed1aecf07662552660934d58 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Mon, 23 Dec 2024 21:37:36 +0200
Subject: [PATCH 46/55] Update README.md

---
 Community Developed/Trellix HX/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Community Developed/Trellix HX/README.md b/Community Developed/Trellix HX/README.md
index d844f0a0..82ed0549 100644
--- a/Community Developed/Trellix HX/README.md	
+++ b/Community Developed/Trellix HX/README.md	
@@ -13,6 +13,6 @@ User account to access FireEye HX Controller with api_analyst role
   - - https://fireeye.dev/apis/lighthouse/
   
 ## Event Types Currently Supported by the workflow:
--   -  Alerts: Gets a list of non-suppressed alerts known to the system
--   -  Alert Groups: Lists all alert_groups
--   -  Process Tracker Module events
+-   Alerts: Gets a list of non-suppressed alerts known to the system
+-   Alert Groups: Lists all alert_groups
+-   Process Tracker Module events

From 6658de3946428a52c8c41439f66d86ed3274fe18 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:47:02 +0200
Subject: [PATCH 47/55] Update Trellix-HX-ProcessTracker-Workflow.xml

Update workflow logic to count for non-linear Event IDs
---
 .../Trellix-HX-ProcessTracker-Workflow.xml    | 189 +++++++++++-------
 1 file changed, 112 insertions(+), 77 deletions(-)

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml
index 47e81d69..896bb695 100644
--- a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml	
+++ b/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml	
@@ -1,17 +1,17 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<Workflow name="Trellix HX" version="1.0.4" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+<Workflow name="Trellix HX Process Tracker Events" version="1.0.1" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
 	<Parameters>
 		<Parameter name="host" label="Host" required="true" />
 		<Parameter name="hx_port" label="Port" required="true" />
 		<Parameter name="username" label="Username" required="true" />
 		<Parameter name="password" label="Password" required="true" secret="true" />
 	</Parameters>
-	
 	<Actions>
 		<!-- Initialize the Bookmark -->
 		<Initialize path="/bookmark" value="0" />
+		<Initialize path="/totalEventCount" value="0" />
 
-			<!-- Authenticate and request API Token -->
+		<!-- Authenticate and request API Token -->
 		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
 			<BasicAuthentication username="${/username}" password="${/password}" />
 			<RequestHeader name="Accept" value="application/json" />
@@ -20,85 +20,120 @@
 		<!-- Handle Errors -->
 		<If condition="/getFeApiToken/status_code != 204">
 			<Log type="Error" message="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
-			<Abort reason="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
+			<Abort reason="Trellix HX API: API Authentication Error: ${/getFeApiToken/body}" />
 		</If>
 		<Else>
 			<!-- Extract the API Token -->
 			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
-      
-			<!-- Get PT Events -->
-			<Set path="/offset" value="0" />
-			<Set path="/limit" value="1" />
-			<!-- Get the first event on the system to get the start ID-->
-           
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events?" method="GET" savePath="/getPTEvents">
-				<QueryParameter name="offset" value="${/offset}" />
-				<QueryParameter name="limit" value="${/limit}" />
-				<QueryParameter name="sort" value="id:asc" />
-				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-				<RequestHeader name="Accept" value="application/json" />
-			</CallEndpoint>
+        </Else>
+        <!-- Get PT Events -->
+        <!-- Get First Event -->
+        <Set path="/offset" value="0" />
+        <Set path="/limit" value="1" />
+        
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events?" method="GET" savePath="/getFirstPTEvent">
+            <QueryParameter name="offset" value="${/offset}" />
+            <QueryParameter name="limit" value="${/limit}" />
+            <QueryParameter name="sort" value="id:asc" />
+            <RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+            <RequestHeader name="Accept" value="application/json" />
+        </CallEndpoint>
+        <!-- Handle Errors -->
+        <If condition="/getFirstPTEvent/status_code != 200">
+            <Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getFirstPTEvent/body}" />
+            <Abort reason="Trellix HX API: Error pulling ProcessTracker Events: ${/getFirstPTEvent/body}" />
+        </If>
+        <Else>
+            <Set path="/totalEventCount" value="${/getFirstPTEvent/body/total}" />
+            <Log type="INFO" message="Trellix HX API: Got ${/totalEventCount} PT events" />
+            <!-- Check for events -->
+            <If condition="${/totalEventCount} > 0">
+                <!-- Set first event ID -->
+                <Set path="/firstEventId" value="${/getFirstPTEvent/body/data[0]/id}" />
+            </If>
+            <Else>
+                <!-- Dispose generated token to clear active session -->
+                <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
+                    <RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+                    <RequestHeader name="Accept" value="application/json" />
+                </CallEndpoint>
+                <Log type="Notice" message="Trellix HX API: no PT Events available" />
+                <Abort reason="Trellix HX API: no PT Events available" />
+            </Else>
+        </Else>
+
+        <!-- Get last Event on the system
+            Events might not have sequential IDs and offest doesn’t match event ID -->
+        <Set path="/offset" value="${/totalEventCount - 1}" />
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events?" method="GET" savePath="/getPTLastEvent">
+            <QueryParameter name="offset" value="${/offset}" />
+            <QueryParameter name="limit" value="${/limit}" />
+            <QueryParameter name="sort" value="id:asc" />
+            <RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+            <RequestHeader name="Accept" value="application/json" />
+        </CallEndpoint>
+        <!-- Handle Errors -->
+        <If condition="/getPTLastEvent/status_code != 200">
+            <Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getPTLastEvent/body}" />
+            <Abort reason="Trellix HX API: Error pulling ProcessTracker Events: ${/getPTLastEvent/body}" />
+        </If>
+        <Else>
+            <!-- HX API ill return a new token as part of response headers when nearing exipry-->
+            <If condition="/getPTLastEvent/headers/X-FeApi-Token != null">
+                <Set path="/x_feapi_token" value="${/getPTEvents/headers/X-FeApi-Token}" />
+            </If>
+            
+            <!-- Set last Event ID-->
+            <Set path="/lastEventId" value="${/getPTLastEvent/body/data[0]/id}" />
+            <!-- Check for bookmark-->
+            <If condition="/bookmark > 0">
+                <If condition="/firstEventId > /bookmark">
+                    <Set path="/bookmark" value="${/firstEventId}"/>
+                </If>
+                <ElseIf condition="/lastEventId <= /bookmark">
+                    <Set path="/bookmark" value="${/lastEventId}"/>
+                    <Log type="Notice" message="Trellix HX API: no more PT Events " />
+                    <Abort reason="Trellix HX API: no more PT Events" />
+                </ElseIf>
+            </If>
+            
+            <Set path="/entries" value="${/lastEventId - /firstEventId + 1}" />
+        
+            <DoWhile condition="${/entries} > 0">
+                <!-- Loop through event using IDs -->
+                <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events/${/bookmark}" method="GET" savePath="/getPTEvent">
+                    <RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+                    <RequestHeader name="Accept" value="application/json" />
+                </CallEndpoint>
+                <!-- HX API ill return a new token as part of response headers when nearing exipry-->
+                <If condition="/getPTEvents/headers/X-FeApi-Token != null">
+                    <Set path="/x_feapi_token" value="${/getPTEvent/headers/X-FeApi-Token}" />
+                </If>
+                <If condition="/getPTEvent/status_code = 404">
+                    <!-- Update bookmark -->
+                    <Set path="/bookmark" value="${/bookmark  + 1}" />
+                    <Log type="Notice" message="Trellix HX API: Error PT event ${/bookmark} not found: ${/getPTEvent/body}" />
+                </If>
+                <ElseIf condition="/getPTEvent/status_code = 200">
+                    <Set path="/event" value="${/getPTEvent/body/data[0]}" />
+                    <PostEvent path="/event" source="${/host}" />
+                    <!-- Update bookmark -->
+                    <Set path="/bookmark" value="${/bookmark + 1}" />
+                    <Set path="/entries" value="${/entries - 1}" />
+                    <Log type="INFO" message="Trellix HX API: Next PT Even ID ${/bookmark}" />
+                </ElseIf>
+                <Else>
+                    <Log type="Error" message="Trellix HX API: Error getting PT Events: ${/getPTEvent/body}" />
+                </Else>
+            </DoWhile>
+        </Else>
 
-			<!-- Handle Errors -->
-			<If condition="/getPTEvents/status_code != 200">
-				<Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getPTEvents/body}" />
-			</If>
-			<Else>
-				<Log type="INFO" message="Trellix HX API: Got ${/getPTEvents/body/total} PT events" />
-				
-				<!-- HX API ill return a new token as part of response headers when nearing exipry-->
-				<If condition="/getPTEvents/headers/X-FeApi-Token != null">
-					<Set path="/x_feapi_token" value="${/getPTEvents/headers/X-FeApi-Token}" />
-				</If>
-				<!-- Events are returned in JSON format-->
-				<!-- Extract Events-->
-				<If condition="${/getPTEvents/body/total} > 0">
-					<Set path="/entries" value="${/getPTEvents/body/total}" />
-					<Set path="/bookmark" value="${/getPTEvents/body/data[0]/id}" />
-					<DoWhile condition="${/entries} > 0">
-						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/plugins/process-tracker/v1/events/${/bookmark}" method="GET" savePath="/getPTEvent">
-							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-							<RequestHeader name="Accept" value="application/json" />
-						</CallEndpoint>
-						<!-- HX API ill return a new token as part of response headers when nearing exipry-->
-						<If condition="/getPTEvents/headers/X-FeApi-Token != null">
-							<Set path="/x_feapi_token" value="${/getPTEvent/headers/X-FeApi-Token}" />
-						</If>
-						<If condition="/getPTEvent/status_code = 404">
-                            				<Set path="/bookmark" value="${/bookmark  + 1}" />
-							<Set path="/entries" value="${/entries - 1}" />
-							<Log type="INFO" message="Trellix HX API: Next PT Even ID ${/bookmark}" />
-		                    			<Log type="Error" message="Trellix HX API: Error PT event ${/bookmark} not found: ${/getPTEvent/body}" />
-						</If>
-						<ElseIf condition="/getPTEvent/status_code = 200">
-							<Set path="/event" value="${/getPTEvent/body/data[0]}" />
-							<PostEvent path="/event" source="${/host}" />
-							<!-- Update bookmark -->
-							<Set path="/bookmark" value="${/event/id + 1}" />
-							<Set path="/entries" value="${/entries - 1}" />
-							<Log type="INFO" message="Trellix HX API: Next PT Even ID ${/bookmark}" />
-						</ElseIf>
-						<Else>
-							<Log type="Error" message="Trellix HX API: Error getting PT Events: ${/getPTEvent/body}" />
-						</Else>
-					</DoWhile>
-				</If>
-				<Else>
-					<Log type="Notice" message="Trellix HX API: No PT Events to Pull." />
-				</Else>
-			</Else>
-			<!-- Dispose generated token to clear active session -->
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
-				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-				<RequestHeader name="Accept" value="application/json" />
-			</CallEndpoint>
-			<!-- Handle Errors -->
-			<If condition="/delFeApiToken/status_code != 204">
-				<Log type="Error" message="Trellix HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
-				<Abort reason="${/delFeApiToken/body}" />
-			</If>
-		</Else>
-	</Actions>
+        <!-- Dispose generated token to clear active session -->
+        <CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
+            <RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+            <RequestHeader name="Accept" value="application/json" />
+        </CallEndpoint>
+    </Actions>
 	
 	<Tests>
 		<DNSResolutionTest host="${/host}" />

From 3c95ec88099465708030d56b1e1a9cf1dcfc9354 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:52:27 +0200
Subject: [PATCH 48/55] Rename Community Developed/Trellix
 HX/Trellix-HX-ProcessTracker-Workflow.xml to Community Developed/Trellix
 HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml

Reorganization
---
 .../{ => Process Tracker}/Trellix-HX-ProcessTracker-Workflow.xml  | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/Trellix HX/{ => Process Tracker}/Trellix-HX-ProcessTracker-Workflow.xml (100%)

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml b/Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml
similarity index 100%
rename from Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow.xml
rename to Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml

From 72cff029550cf2e2a77dd488ad3e6b00b03bcf84 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:52:59 +0200
Subject: [PATCH 49/55] Rename Community Developed/Trellix
 HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml to Community
 Developed/Trellix HX/Process
 Tracker/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml

Reorganization
---
 .../Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml        | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/Trellix HX/{ => Process Tracker}/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml (100%)

diff --git a/Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml
similarity index 100%
rename from Community Developed/Trellix HX/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml
rename to Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow-Parameter-Value.xml

From cda8eaea37e5177f4f1e36c449fa8872f7cdfd20 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:53:25 +0200
Subject: [PATCH 50/55] Rename Community Developed/Trellix
 HX/Trellix-HX-Alerts-Workflow.xml to Community Developed/Trellix
 HX/Alerts/Trellix-HX-Alerts-Workflow.xml

Reorganization
---
 .../Trellix HX/{ => Alerts}/Trellix-HX-Alerts-Workflow.xml        | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/Trellix HX/{ => Alerts}/Trellix-HX-Alerts-Workflow.xml (100%)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml b/Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml
similarity index 100%
rename from Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow.xml
rename to Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml

From 18ed4ca164dbc126908cf51f841bfb0ef7782f4a Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:53:52 +0200
Subject: [PATCH 51/55] Rename Community Developed/Trellix
 HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml to Community
 Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow-Parameter-Value.xml

Reorganization
---
 .../{ => Alerts}/Trellix-HX-Alerts-Workflow-Parameter-Value.xml   | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/Trellix HX/{ => Alerts}/Trellix-HX-Alerts-Workflow-Parameter-Value.xml (100%)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow-Parameter-Value.xml
similarity index 100%
rename from Community Developed/Trellix HX/Trellix-HX-Alerts-Workflow-Parameter-Value.xml
rename to Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow-Parameter-Value.xml

From 35d3f562185e92234bd0da37b3dcfeb7e3983328 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:54:30 +0200
Subject: [PATCH 52/55] Rename Community Developed/Trellix
 HX/Trellix-HX-Alert_Groups-Workflow.xml to Community Developed/Trellix
 HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow.xml

Reorganization
---
 .../{ => Alert Groups}/Trellix-HX-Alert_Groups-Workflow.xml       | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/Trellix HX/{ => Alert Groups}/Trellix-HX-Alert_Groups-Workflow.xml (100%)

diff --git a/Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml b/Community Developed/Trellix HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow.xml
similarity index 100%
rename from Community Developed/Trellix HX/Trellix-HX-Alert_Groups-Workflow.xml
rename to Community Developed/Trellix HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow.xml

From 746b04b52023d6148a4edb0ee5161ce8f9309745 Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:55:11 +0200
Subject: [PATCH 53/55] Rename Community Developed/Trellix
 HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml to Community
 Developed/Trellix HX/Alert
 Groups/Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml

Reorganization
---
 .../Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml}         | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Community Developed/Trellix HX/{FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml => Alert Groups/Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml} (100%)

diff --git a/Community Developed/Trellix HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml b/Community Developed/Trellix HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml
similarity index 100%
rename from Community Developed/Trellix HX/FireEye-Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml
rename to Community Developed/Trellix HX/Alert Groups/Trellix-HX-Alert_Groups-Workflow-Parameter-Value.xml

From 0bec7679c6b4ca878c977e86f01b0e6c61accb7a Mon Sep 17 00:00:00 2001
From: Mohamed Al-Shabrawy <12400622+M-Shabrawy@users.noreply.github.com>
Date: Wed, 25 Dec 2024 18:58:01 +0200
Subject: [PATCH 54/55] Update README.md

Updated descriptions
---
 Community Developed/Trellix HX/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Community Developed/Trellix HX/README.md b/Community Developed/Trellix HX/README.md
index 82ed0549..2f0be395 100644
--- a/Community Developed/Trellix HX/README.md	
+++ b/Community Developed/Trellix HX/README.md	
@@ -1,4 +1,4 @@
-# QRadar Workflow for Trellix HX Alerts
+# QRadar Workflows for Trellix HX
 IBM QRadar Universal Cloud Connector Workflows for reading Trellix/FireEye HX Alerts and Events through REST API
 
 ## Requirements:
@@ -13,6 +13,6 @@ User account to access FireEye HX Controller with api_analyst role
   - - https://fireeye.dev/apis/lighthouse/
   
 ## Event Types Currently Supported by the workflow:
--   Alerts: Gets a list of non-suppressed alerts known to the system
--   Alert Groups: Lists all alert_groups
--   Process Tracker Module events
+-   Alerts: Collects non-suppressed alerts known to the system.
+-   Alert Groups: Collects alert_groups.
+-   Process Tracker: Collects Process Tracker module events.

From 5900a194edba4a7da85ebc7757a4e6ba7d6050b8 Mon Sep 17 00:00:00 2001
From: Mohamed AlShabrawy <m.s.elshabrawy@gmail.com>
Date: Thu, 26 Dec 2024 15:55:40 +0300
Subject: [PATCH 55/55] - Updated missing first event ID logic - minor bugs
 Signed-off-by: Mohamed Al-Shabrawy <@M-Shabrawy>

---
 .../Alerts/Trellix-HX-Alerts-Workflow.xml     | 183 ++++++++++--------
 .../Trellix-HX-ProcessTracker-Workflow.xml    |  21 +-
 2 files changed, 119 insertions(+), 85 deletions(-)

diff --git a/Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml b/Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml
index 59ca5f9e..f5c9fe5c 100644
--- a/Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml	
+++ b/Community Developed/Trellix HX/Alerts/Trellix-HX-Alerts-Workflow.xml	
@@ -7,107 +7,138 @@
 		<Parameter name="password" label="Password" required="true" secret="true" />
 		<Parameter name="limit" label="Limit" required="true" />
 	</Parameters>
-	
 	<Actions>
 		<!-- Initialize the Bookmark -->
 		<Initialize path="/bookmark" value="0" />
-
 		<!-- Authenticate and request API Token -->
 		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="GET" savePath="/getFeApiToken" >
 			<BasicAuthentication username="${/username}" password="${/password}" />
 			<RequestHeader name="Accept" value="application/json" />
 		</CallEndpoint>
-
 		<!-- Handle Errors -->
 		<If condition="/getFeApiToken/status_code != 204">
-			<Log type="Error" message="Trellix HX API: Error Authenticating to API: ${/getFeApiToken/body}" />
-			<Abort reason="Error login: ${/getFeApiToken/body}" />
+			<Log type="Error" message="Trellix HX API: API Authentication Error: ${/getFeApiToken/body}" />
+			<Abort reason="Trellix HX API: API Authentication Error: ${/getFeApiToken/body}" />
 		</If>
 		<Else>
 			<!-- Extract the API Token -->
 			<Set path="/x_feapi_token" value="${/getFeApiToken/headers/X-FeApi-Token}" />
-			<!-- Get Alerts -->
-			<Set path="/offset" value="0" />
-			<Set path="limit" value="1" />
+		</Else>
+		<!-- Get First Alert -->
+		<Set path="/offset" value="0" />
+		<Set path="limit" value="1" />
+		
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getFirstAlert">
+			<QueryParameter name="offset" value="${/offset}" />
+			<QueryParameter name="limit" value="${/limit}" />
+			<QueryParameter name="sort" value="_id" />
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/getFirstAlert/status_code != 200">
+			<Log type="Error" message="Trellix HX API: Error fetching first alert ${/getFirstAlert/body}" />
+			<Abort reason="Trellix HX API: API Authentication Error: ${/getFirstAlert/body}">
+		</If>
+		<Else>
+		<Set path="/firstAlertId" value="${/getFirstAlert/body/data/entries[0]/_id}" />
+			<Log type="INFO" message="Trellix HX API: Got ${/getFirstAlert/body/data/total} alerts" />
+			<If condition="${/getFirstAlert/body/data/total} > 0">
+				<set path="/entries" value="${/getAlerts/body/data/total}">
+			</If>
+			<Else>
+				<Log type="Notice" message="Trellix HX API: No Alerts to fetch" />
+				<Abort reason="Trellix HX API: No Alerts to fetch">
+			</Else>
+		</Else>
+		
+		<!-- Get Last Alert -->
+		<Set path="/offset" value="${/entries -1}" />
+		<Set path="limit" value="1" />
+		
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getLastAlert">
+			<QueryParameter name="offset" value="${/offset}" />
+			<QueryParameter name="limit" value="${/limit}" />
+			<QueryParameter name="sort" value="_id" />
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/getLastAlert/status_code != 200">
+			<Log type="Error" message="Trellix HX API: Error fetching last alert ${/getLastAlert/body}" />
+			<Abort reason="Trellix HX API: Error fetching last alert ${/getLastAlert/body}">
+		</If>
+		<Else>
+			<Set path="/firstAlertId" value="${/getLastAlert/body/data/entries[0]/_id}" />
+			<Log type="INFO" message="Trellix HX API: Last Alert ID: ${/getLastAlert/body/data/total}" />
+			<If condition="${/getFirstAlert/body/data/total} > 0">
+				<set path="/entries" value="${/getAlerts/body/data/total}">
+			</If>
+		</Else>
 
+		<If condition="/bookmark > 0">
+			
+		</If>
+		<Else>
+
+		</Else>
+		
+		<!-- Extract Alerts-->
+		<DoWhile condition="(/entries) > 0">
+			<Set path="/alerts" value="${/getAlerts/body/data/entries}" />
+			<!-- Enrich Alerts -->
+			<ForEach item="/alert" items="/alerts">
+				<Set path="/alertID" value="${/alert/_id}">
+				<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
+					<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+					<RequestHeader name="Accept" value="application/json" />
+				</CallEndpoint>
+				<If condition="/getAagent/status_code != 200">
+					<Log type="Error" message="Trellix HX API: Error fetching Agnet information: ${/getAagent/body}" />
+					<Abort reason="Error login: ${/getAagent/body}" />
+				</If>
+				<Log type="Info" message="Trellix HX API: Host found for ID: ${/alert/agent/_id}" />
+				<!-- Add host information to alert-->
+				<Set path="/alert/agent/hostname" value="${/getAagent/body/data/hostname}"  />
+				<Set path="/alert/agent/domain" value="${/getAagent/body/data/domain}"  />
+				<Set path="/alert/agent/primary_ip_address" value="${/getAagent/body/data/primary_ip_address}"  />
+				<Set path="/alert/agent/last_poll_ip" value="${/getAagent/body/data/last_poll_ip}"  />
+				<PostEvent path="/alert" source="${/host}" />
+			</ForEach>
+			<!-- Update bookmark -->
+			<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/bookmark" />
+			<Log type="Info" message="Trellix HX API: Last Alert Time set to: ${/bookmark}" />
+			
+			<!-- Next Page -->
+			<Set path="/offset" value="${/offset + /limit - 1}" />
+			<!-- Get next page of alerts -->
 			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
 				<QueryParameter name="offset" value="${/offset}" />
 				<QueryParameter name="limit" value="${/limit}" />
 				<QueryParameter name="sort" value="_id" />
+				<QueryParameter name="filterQuery" value="${/filterQuery}" />
 				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
 				<RequestHeader name="Accept" value="application/json" />
 			</CallEndpoint>
-
-			<!-- Handle Errors -->
 			<If condition="/getAlerts/status_code != 200">
-				<Log type="Error" message="Trellix HX API: Error fetching alerts ${/getAlerts/body}" />
+				<Log type="Error" message="Trellix HX API: Error getting alerts: ${/getAlerts/body}" />
+				<Abort reason="Error login: ${/getAlerts/body}" />
 			</If>
-			<Else>
-				<Log type="INFO" message="Trellix HX API: Got ${/getAlerts/body/data/total} alerts" />
-				<!-- Alert are returned in JSON format-->
-				<!-- Extract Alerts-->
-				<If condition="${/getAlerts/body/data/total} > 0">
-					<set path="entries" value="${/getAlerts/body/data/total}">
-					<DoWhile condition="(/getAlerts/body/data/entries) > 0">
-						<Set path="/alerts" value="${/getAlerts/body/data/entries}" />
-						<!-- Enrich Alerts -->
-						<ForEach item="/alert" items="/alerts">
-							<Set path="/alertID" value="${/alert/_id}">
-							<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/hosts/${/alert/agent/_id}" method="GET" savePath="/getAagent">
-								<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-								<RequestHeader name="Accept" value="application/json" />
-							</CallEndpoint>
-							<If condition="/getAagent/status_code != 200">
-								<Log type="Error" message="Trellix HX API: Error fetching Agnet information: ${/getAagent/body}" />
-								<Abort reason="Error login: ${/getAagent/body}" />
-							</If>
-							<Log type="Info" message="Trellix HX API: Host found for ID: ${/alert/agent/_id}" />
-							<!-- Add host information to alert-->
-							<Set path="/alert/agent/hostname" value="${/getAagent/body/data/hostname}"  />
-							<Set path="/alert/agent/domain" value="${/getAagent/body/data/domain}"  />
-							<Set path="/alert/agent/primary_ip_address" value="${/getAagent/body/data/primary_ip_address}"  />
-							<Set path="/alert/agent/last_poll_ip" value="${/getAagent/body/data/last_poll_ip}"  />
-							<PostEvent path="/alert" source="${/host}" />
-						</ForEach>
-						<!-- Update bookmark -->
-						<ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" timeZone="UTC" date="${max(/alerts/reported_at)}" savePath="/bookmark" />
-						<Log type="Info" message="Trellix HX API: Last Alert Time set to: ${/bookmark}" />
-						
-						<!-- Next Page -->
-						<Set path="/offset" value="${/offset + /limit - 1}" />
-						<!-- Get next page of alerts -->
-						<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/alerts/?" method="GET" savePath="/getAlerts">
-							<QueryParameter name="offset" value="${/offset}" />
-							<QueryParameter name="limit" value="${/limit}" />
-							<QueryParameter name="sort" value="_id" />
-							<QueryParameter name="filterQuery" value="${/filterQuery}" />
-							<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-							<RequestHeader name="Accept" value="application/json" />
-						</CallEndpoint>
-						<If condition="/getAlerts/status_code != 200">
-							<Log type="Error" message="Trellix HX API: Error getting alerts: ${/getAlerts/body}" />
-							<Abort reason="Error login: ${/getAlerts/body}" />
-						</If>
-					</DoWhile>
-				</If>
-				<Else>
-					<Log type="Notice" message="Trellix HX API: No Alerts to Pull." />
-				</Else>
-			</Else>
-			<!-- Dispose generated token to clear active session -->
-			<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
-				<If condition="/ignore_selfsigned_certificate == 1">
-					<SSLConfiguration allowUntrustedServerCertificate="true" />
-				</If>
-				<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
-				<RequestHeader name="Accept" value="application/json" />
-			</CallEndpoint>
-			<!-- Handle Errors -->
-			<If condition="/delFeApiToken/status_code != 204">
-				<Log type="Error" message="Trellix HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
-				<Abort reason="${/delFeApiToken/body}" />
+		</DoWhile>
+
+		<!-- Dispose generated token to clear active session -->
+		<CallEndpoint url="https://${/host}:${/hx_port}/hx/api/v3/token" method="DELETE" savePath="/delFeApiToken" >
+			<If condition="/ignore_selfsigned_certificate == 1">
+				<SSLConfiguration allowUntrustedServerCertificate="true" />
 			</If>
-		</Else>
+			<RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
+			<RequestHeader name="Accept" value="application/json" />
+		</CallEndpoint>
+		<!-- Handle Errors -->
+		<If condition="/delFeApiToken/status_code != 204">
+			<Log type="Error" message="Trellix HX API: Error Deleteing Session: ${/delFeApiToken/body}" />
+			<Abort reason="${/delFeApiToken/body}" />
+		</If>
 	</Actions>
 	
 	<Tests>
diff --git a/Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml b/Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml
index 896bb695..d67517e1 100644
--- a/Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml	
+++ b/Community Developed/Trellix HX/Process Tracker/Trellix-HX-ProcessTracker-Workflow.xml	
@@ -40,8 +40,8 @@
         </CallEndpoint>
         <!-- Handle Errors -->
         <If condition="/getFirstPTEvent/status_code != 200">
-            <Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getFirstPTEvent/body}" />
-            <Abort reason="Trellix HX API: Error pulling ProcessTracker Events: ${/getFirstPTEvent/body}" />
+            <Log type="Error" message="Trellix HX API: Error fetching first PT Event ${/getFirstPTEvent/body}" />
+            <Abort reason="Trellix HX API: Error pulling ProcessTracker first Event: ${/getFirstPTEvent/body}" />
         </If>
         <Else>
             <Set path="/totalEventCount" value="${/getFirstPTEvent/body/total}" />
@@ -57,7 +57,7 @@
                     <RequestHeader name="X-FeApi-Token" value="${/x_feapi_token}" />
                     <RequestHeader name="Accept" value="application/json" />
                 </CallEndpoint>
-                <Log type="Notice" message="Trellix HX API: no PT Events available" />
+                <Log type="INFO" message="Trellix HX API: no PT Events available" />
                 <Abort reason="Trellix HX API: no PT Events available" />
             </Else>
         </Else>
@@ -74,8 +74,8 @@
         </CallEndpoint>
         <!-- Handle Errors -->
         <If condition="/getPTLastEvent/status_code != 200">
-            <Log type="Error" message="Trellix HX API: Error fetching PT Events ${/getPTLastEvent/body}" />
-            <Abort reason="Trellix HX API: Error pulling ProcessTracker Events: ${/getPTLastEvent/body}" />
+            <Log type="Error" message="Trellix HX API: Error fetching last PT Event: ${/getPTLastEvent/body}" />
+            <Abort reason="Trellix HX API: Error pulling ProcessTracker Last Event: ${/getPTLastEvent/body}" />
         </If>
         <Else>
             <!-- HX API ill return a new token as part of response headers when nearing exipry-->
@@ -90,12 +90,15 @@
                 <If condition="/firstEventId > /bookmark">
                     <Set path="/bookmark" value="${/firstEventId}"/>
                 </If>
-                <ElseIf condition="/lastEventId <= /bookmark">
+                <ElseIf condition="/bookmark >= /lastEventId">
                     <Set path="/bookmark" value="${/lastEventId}"/>
-                    <Log type="Notice" message="Trellix HX API: no more PT Events " />
+                    <Log type="INFO" message="Trellix HX API: no more PT Events " />
                     <Abort reason="Trellix HX API: no more PT Events" />
                 </ElseIf>
             </If>
+            <Else>
+                <Set path="/bookmark" value="${/firstEventId}"/>
+            </Else>
             
             <Set path="/entries" value="${/lastEventId - /firstEventId + 1}" />
         
@@ -112,7 +115,7 @@
                 <If condition="/getPTEvent/status_code = 404">
                     <!-- Update bookmark -->
                     <Set path="/bookmark" value="${/bookmark  + 1}" />
-                    <Log type="Notice" message="Trellix HX API: Error PT event ${/bookmark} not found: ${/getPTEvent/body}" />
+                    <Log type="INFO" message="Trellix HX API: Error PT event ${/bookmark} not found: ${/getPTEvent/body}" />
                 </If>
                 <ElseIf condition="/getPTEvent/status_code = 200">
                     <Set path="/event" value="${/getPTEvent/body/data[0]}" />
@@ -123,7 +126,7 @@
                     <Log type="INFO" message="Trellix HX API: Next PT Even ID ${/bookmark}" />
                 </ElseIf>
                 <Else>
-                    <Log type="Error" message="Trellix HX API: Error getting PT Events: ${/getPTEvent/body}" />
+                    <Log type="ERROR" message="Trellix HX API: Error getting PT Events: ${/getPTEvent/body}" />
                 </Else>
             </DoWhile>
         </Else>