Worfklow for Dynatrace #278

ChrisCollinsIBM · 2026-04-16T18:05:36Z

Suggested change

<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">

<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2_1">

Explained in more detail below: https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/pull/278/changes#r3095346056

ChrisCollinsIBM · 2026-04-16T18:04:27Z

Suggested change

<Workflow name="DynatraceAuditLogs" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">

<Workflow name="DynatraceAuditLogs" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1">

Updating this and the parameters file to V2_1 instead of V1 will bring you up-to-date on the latest schema, and allow to to omit the source tag in the PostEvent call later so that end users can use whatever Log Source Identifier they like instead of having to use the ${host} value as currently configured.

ChrisCollinsIBM · 2026-04-16T18:02:29Z

This style of fixed interval time querying (last hour, last minute, last day, etc) is great for a POC of getting data but generally isn't suitable for production ingestion of data.

If the system doing the polling is ever down (patching, outage, etc) then you will definitely end up missing records even if polling every 5 minutes.

We can still merge this into the repo as an example of how you can get data in though, but it would need some refining into a sliding window for the time query, likely with the "from" time being a value that is greater than the timestamp of the last event retrieved (possible plus one millisecond, or one second depending on the API granularity).

ChrisCollinsIBM · 2026-04-16T18:05:02Z

Updating to the V2_1 schema will allow you to drop the source tag below making end user configuration easier.

Suggested change

<PostEvent path="/current_audit_log" source="${/host}" />

<PostEvent path="/current_audit_log" />

-Original file line number
+Diff line change
@@ -0,0 +1,77 @@
+    Dynatrace Audit Configuration
+    -----------------
+) Steps to obtain an integration with QRadar:
+    - [Easily check configuration changes or environment sign ins with the new Audit logs API](https://www.dynatrace.com/news/blog/easily-check-configuration-changes-or-environment-sign-ins-with-the-new-audit-logs-api/)
+) There are the following source type:
+    - [Audit logs API - GET audit log](https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log)
+    QRadar Log Source Configuration
+    --------------------------------
+    Please follow the root ReadMe for configuring within QRadar.
+    Workflow parameters
+    --------------------------------
+    ```xml
+    <WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
+        <Value name="host" value="dynlocal.company.com/e/XXXXX-XXXXX-XXXXX-XXXX" />
+        <Value name="apiToken" value="dt0c01.XXXXXX.XXXXXXXXXXXXXXXXXXXX" />
+        <Value name="fromTime" value="now-1d" />
+    </WorkflowParameterValues>
+    ```
+    where:
+    - `host`: hostname of your Dynatrace instance
+    - `apiToken`: Access Token with admin privileges
+    - `fromTime`: The start of the requested timeframe. Default value: `now-2w`, the last 2 weeks.
+    In `host`, depends on your environment. For:
+    - SaaS:	{your-environment-id}.live.dynatrace.com/api/v2/auditlogs
+    - Environment ActiveGateCluster ActiveGate:	{your-activegate-domain}:9999/e/{your-environment-id}
+    In `fromTime`. You can use multiple formats, but my sugestion is to use Relative timeframe, back from now. Example: `now-5m`, the last 5 minutes.
+    Supported time units for the relative timeframe are:
+    - `m`: minutes
+    - `h`: hours
+    - `d`: days
+    - `w`: weeks
+    - `M`: months
+    - `y`: years
+    Troubleshooting
+    -------------------
+    You can extract the debug run of the workflow from /var/log/qradar.log into a file and share the file with Cyberark support. Each workflow has
+    a specific prefix for logging.
+    For Dynatrace Audit Logs workflow:
+    ```bash
+    grep "Dynatrace::AuditLogs" /var/log/qradar.log  > dynaudit.log
+    ```
+    You can also grep on the “Dynatrace:: prefix to capture logs workflows. Here is a sample where the password was changed in EPM but not
+    reflected in the workflow parameter xml file in Qradar.
+    ```bash
+    [root@host-1 log]# grep "Dynatrace::" /var/log/qradar.log
+    ```
+    About
+    ---------------
+    - Author Name: Enio Basso
+    - Maintainer Name: @ebasso
+    - Version Number: 1
+    - Event Types Currently Supported by the workflow: Audit events from Dynatrace.
+    - Endpoint Documentation: https://docs.dynatrace.com/docs/discover-dynatrace/references/dynatrace-api/environment-api/audit-logs/get-log

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Worfklow for Dynatrace #278

Diff view

Diff view

There are no files selected for viewing

ChrisCollinsIBM Apr 16, 2026

Uh oh!

ChrisCollinsIBM Apr 16, 2026

Uh oh!

ChrisCollinsIBM Apr 16, 2026

Uh oh!

ChrisCollinsIBM Apr 16, 2026

Uh oh!

Worfklow for Dynatrace #278

Are you sure you want to change the base?

Worfklow for Dynatrace #278

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

ChrisCollinsIBM Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

ChrisCollinsIBM Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

ChrisCollinsIBM Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

ChrisCollinsIBM Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!