Use V2 API handler for auth logs

stevenncap · Sep 16, 2021 · f35386c · f35386c
1 parent 88eb184
commit f35386c
Showing 1 changed file with 29 additions and 20 deletions.
diff --git a/Duo/Duo-Security-Workflow.xml b/Duo/Duo-Security-Workflow.xml
@@ -1,26 +1,21 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!--
-
 Duo Admin API
 https://duo.com/docs/adminapi
-
 Duo Admin Panel
 https://admin.duosecurity.com/
-
 To obtain an 'Integration Key' and 'Secret Key':
 - Log on to the Duo Admin Panel
 - Navigate to "Applications"
 - Select the application to be monitored.
 - The "Integration Key" and "Secret Key" should be visible on the application page.
-
 Note:
 The Duo log APIs have rate limits where they can only be called every 5 minutes otherwise the API will
 return a "42901: Too Many Requests" error.  For this reason, this workflow uses the `minimumRecurrence`
 to ensure that we don't poll faster than allowed (set to a 6 minutes to avoid edge cases).  See the
 following Duo issue for details: https://github.com/duosecurity/duo_client_python/issues/101
-
 -->
-<Workflow name="Duo" version="1.0" minimumRecurrence="360" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+<Workflow name="Duo" version="1.0" minimumRecurrence="120" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
 
     <Parameters>
         <Parameter name="host" label="Host" required="true" />
@@ -31,22 +26,33 @@ following Duo issue for details: https://github.com/duosecurity/duo_client_pytho
     <Actions>
 
         <!--
-        /////////////////////////
-        // Authentication Logs //
-        /////////////////////////
+        ////////////////////////////
+        // v2 Authentication Logs //
+        ////////////////////////////
         -->
-
+
+
         <!-- Initialize the Bookmark -->
-        <Initialize path="/auth_logs/bookmark" value="1" />
+        <!-- Starting Bookmark is T-1hour in ms (3600000) -->
+        <Initialize path="/auth_logs/bookmark" value="${time() - 3600000}" />
+
+        <!-- Initialize the Maxtime and Limit -->
+        <Initialize path="/auth_logs/maxtime" value="${time()}" />
+        <Initialize path="/auth_logs/limit" value="1000" />
 
+        <!-- Always use up to date Maxtime -->
+        <Set path="/auth_logs/maxtime" value="${time()}" />
+
         <!-- Generate an Access Token -->
         <FormatDate pattern="EEE, dd MMM yyyy HH:mm:ss Z" timeZone="UTC" savePath="/auth_logs/date" />
-        <Set path="/value" value="${/auth_logs/date}&#xA;GET&#xA;${/host}&#xA;/admin/v1/logs/authentication&#xA;mintime=${/auth_logs/bookmark}" />
+        <Set path="/value" value="${/auth_logs/date}&#xA;GET&#xA;${/host}&#xA;/admin/v2/logs/authentication&#xA;limit=${/auth_logs/limit}&amp;maxtime=${/auth_logs/maxtime}&amp;mintime=${/auth_logs/bookmark}" />
         <GenerateHMAC algorithm="SHA1" secretKey="${/secret_key}" message="${/value}" saveFormat="HEX" savePath="/signature" />
 
         <!-- Fetch the Events -->
-        <CallEndpoint url="https://${/host}/admin/v1/logs/authentication" method="GET" savePath="/auth_logs/response">
+        <CallEndpoint url="https://${/host}/admin/v2/logs/authentication" method="GET" savePath="/auth_logs/response">
             <BasicAuthentication username="${/integration_key}" password="${/signature}" />
+            <QueryParameter name="limit" value="${/auth_logs/limit}" omitIfEmpty="true" />
+            <QueryParameter name="maxtime" value="${/auth_logs/maxtime}" omitIfEmpty="true" />
             <QueryParameter name="mintime" value="${/auth_logs/bookmark}" omitIfEmpty="true" />
             <RequestHeader name="Date" value="${/auth_logs/date}" />
         </CallEndpoint>
@@ -57,14 +63,17 @@ following Duo issue for details: https://github.com/duosecurity/duo_client_pytho
         </If>
 
         <!-- Post the Events -->
-        <PostEvents path="/auth_logs/response/body/response" source="${/host}" />
-
-        <!-- Update the Bookmark for the next iteration -->
-        <If condition="count(/auth_logs/response/body/response) > 0" >
-            <Set path="/auth_logs/bookmark" value="${max(/auth_logs/response/body/response/timestamp) + 1}" />
+        <If condition="/auth_logs/response/body/response/metadata != null" >
+            <PostEvents path="/auth_logs/response/body/response/authlogs" source="${/host}" />
+
+            <!-- Update the Bookmark for the next iteration -->
+            <!-- Converted to 13 character Unix timestamp in milliseconds + 1 -->
+
+            <If condition="count(/auth_logs/response/body/response) > 0" >
+                <Set path="/auth_logs/bookmark" value="${(max(/auth_logs/response/body/response/authlogs/timestamp) * 1000 ) + 1}" />
+            </If>
         </If>
 
-
         <!--
         ////////////////////////
         // Administrator Logs //
@@ -108,4 +117,4 @@ following Duo issue for details: https://github.com/duosecurity/duo_client_pytho
         <HTTPConnectionThroughProxyTest url="https://${/host}" />
     </Tests>
 
-</Workflow>
+</Workflow>