From ac9cb7ddc6b3d0930faa5644e0405726935359ac Mon Sep 17 00:00:00 2001 From: Jarod Amos <79214602+jamos-bt@users.noreply.github.com> Date: Tue, 29 Aug 2023 15:01:17 -0500 Subject: [PATCH 1/2] added workflows, parameters, and a read-me for the two PM Cloud event feeds Signed-off-by: Jarod Amos <79214602+jamos-bt@users.noreply.github.com> --- ...tivityAudits-Workflow-Parameter-Values.xml | 13 ++ ...dTrust-PMCloud-ActivityAudits-Workflow.xml | 138 ++++++++++++++++++ ...ClientEvents-Workflow-Parameter-Values.xml | 13 ++ ...ondTrust-PMCloud-ClientEvents-Workflow.xml | 130 +++++++++++++++++ .../BeyondTrust/PM Cloud/README.md | 97 ++++++++++++ 5 files changed, 391 insertions(+) create mode 100644 Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow-Parameter-Values.xml create mode 100644 Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow.xml create mode 100644 Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow-Parameter-Values.xml create mode 100644 Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow.xml create mode 100644 Community Developed/BeyondTrust/PM Cloud/README.md diff --git a/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow-Parameter-Values.xml b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow-Parameter-Values.xml new file mode 100644 index 00000000..77585327 --- /dev/null +++ b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow-Parameter-Values.xml @@ -0,0 +1,13 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow.xml b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow.xml new file mode 100644 index 00000000..38c6ed88 --- /dev/null 
+++ b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ActivityAudits-Workflow.xml @@ -0,0 +1,138 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow-Parameter-Values.xml b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow-Parameter-Values.xml new file mode 100644 index 00000000..84d6f62a --- /dev/null +++ b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow-Parameter-Values.xml @@ -0,0 +1,13 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow.xml b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow.xml new file mode 100644 index 00000000..c68e5c15 --- /dev/null +++ b/Community Developed/BeyondTrust/PM Cloud/BeyondTrust-PMCloud-ClientEvents-Workflow.xml @@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Community Developed/BeyondTrust/PM Cloud/README.md b/Community Developed/BeyondTrust/PM Cloud/README.md new file mode 100644 index 00000000..d2a6791c --- /dev/null +++ b/Community Developed/BeyondTrust/PM Cloud/README.md 
@@ -0,0 +1,97 @@ +# BeyondTrust PM Cloud + IBM QRadar Integration + +***Written and maintained by:** BeyondTrust Corporation* +***Version:** 23.1.1* + +This document describes the installation and configuration of the integration between BeyondTrust Privilege Management Cloud and IBM QRadar. + +The integration consists of: +- a pair of workflow definitions that are leveraged by IBM's Universal Cloud REST API Protocol +- corresponding workflow parameters files +- an extension package which provides Log Source Categories, Log Source Extensions, Event Mappings, QID Records, and other components + +--- + +# Prerequisites + +Before proceeding with the installation and configuration of the integration with PM Cloud, it's important to ensure a few things are in place. + +### Network Considerations + +Your QRadar instance will need the ability to connect to various REST API endpoints provided by your PM Cloud site. Communication is in the form of **secure HTTP traffic on TCP port 443** The purpose of this connectivity is to query the PM Cloud site for event information which can be ingested by QRadar. + +### Create a PM Cloud API Account + +The API account is used from within QRadar to make API calls to PM cloud. This process is covered in the [PM Cloud Admin Guide](https://www.beyondtrust.com/docs/privilege-management/console/pm-cloud/configuration/configure-api-settings.htm). + +--- + +# Installation and Configuration + +Once the prerequisites have been satisfied, you can move on to the installation and configuration of the integration. + +### Install Extension Package + +The extension package is currently available via the downloads section of the BeyondTrust Support portal. Once you have acquired the package, to install the extension: +1. Authenticate to your QRadar instance as an administrator +2. Navigate to **Admin > System Configuration > Extensions Management** +3. 
In the Extensions Management window, click the **Add** button to begin the process of adding a new extension +4. Browse to and select the ZIP archive containing the extension and click **Add** to begin installation +5. Proceed through the subsequent dialogs to complete the installation process + +### Download and Configure Workflows + +After the extension is installed, the other primary component of the integration is the pair of workflow definitions and parameters. The two definitions files provide the logic to make the PM Cloud API calls to retrieve event data while the parameters files provide the necessary configuration for those workflows. + +These files are all published to IBM's Universal Cloud REST API connector library, available here: [https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/tree/master/Community%20Developed/BeyondTrust](https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/tree/master/Community%20Developed/BeyondTrust) +1. From the link above, download all 4 XML files. These should include: + - BeyondTrust-PMCloud-ActivityAudits-Workflow.xml + - BeyondTrust-PMCloud-ActivityAudits-Workflow-Parameter-Values.xml + - BeyondTrust-PMCloud-ClientEvents-Workflow.xml + - BeyondTrust-PMCloud-ClientEvents-Workflow-Parameter-Values.xml +2. Open each of the parameters files (BeyondTrust-PMCloud-xxxxx-Workflow-Parameter-Values.xml) in a text editor +3. Supply values for each of the following parameters in these two files: + - **hostname** - PM Cloud Services Hostname - Be sure to include the '-services' portion of the hostname (ex: if you access the web site at 'mysite.example.com' then the value to enter here would be 'mysite-services.example.com') + - **client_id** - PM Cloud API Account Client ID + - **client_secret** - PM Cloud API Account Client Secret +4. You may also modify the **page_size** or **batch_size** values if desired. 
There are corresponding notes in each file which describe the purpose of these files, their default values, as well as the maximum values for each +5. Save your changes to each parameters file + +### Create Log Sources + +Once the extension is installed and you have downloaded and configured the workflows, the next step is to create Log Sources for the two event data feeds supported by the integration. + +The two basic categories of events that can be consumed by the application are: +1. **Client Events** - These events originate from the individual systems being managed by BeyondTrust Endpoint Privilege Management. The flow back to the PM Cloud site, and are retrievable via the API. Examples include: user logon, a process started, a process blocked, etc. +2. **Activity Audits** - These events represent activities that occur within the PM Cloud web interface. Examples include: user role changes, editing or committing a policy draft, assigning a computer to a group, etc. + +The following steps describe how to add a Log Source for either of the two data feeds: +1. Authenticate to your QRadar instance as an administrator +2. Navigate to **Admin > Data Sources > Events > Log Sources** +3. In the **Log Source Management** window, click the arrow next to the **+ New Log Source** button to expand additional options +4. From the expanded options, select **+ Quick Log Source** +5. On the **Overview** tab, enter the appropriate values in each of the configuration fields: + - **Name** - Give the log source a unique name + - **Log Source Type** - Select one of the two ***BeyondTrust PM Cloud - xxxxx*** types + - **Protocol Type** - Select ***Universal Cloud REST API*** + - **Extension** - Select the ***BeyondTrustPMCloudxxxxxCustom_ext*** corresponding to the selected Log Source Type + - *(Supply or modify other fields as needed)* +6. Click the **Protocol** tab to proceed to the next configuration section +7. 
On the **Protocol** tab, enter the appropriate values in each of the configuration fields: + - **Log Source Identifier** - Provide a value to describe the source of these events; IBM suggests the name / hostname of the system generating the events + - **Workflow** - Copy and paste the contents of the appropriate workflow XML file here + - **Workflow Parameters** - Copy and paste the contents of the appropriate workflow parameters XML file here + - *(Supply or modify other fields as needed)* +8. Click the **Test** tab and then **Start Test** to verify your configuration +9. If the test was successful, click **Create** to save the new Log Source +10. Repeat the steps above to add a second Log Source for the other type of events + +--- + +# Troubleshooting and Support + +Should you encounter issues with event ingestion, the application does write to the standard QRadar log and error log. Review these logs first to determine if an issue has occurred. + +You can find more information on QRadar logs, including how to access them, here: [https://www.ibm.com/docs/en/qsip/7.5?topic=problems-qradar-log-files](https://www.ibm.com/docs/en/qsip/7.5?topic=problems-qradar-log-files) + +For any issues which require additional assistance, please contact BeyondTrust Support at [mysupport@beyondtrust.com](mailto:mysupport@beyondtrust.com) or through the Customer Support Portal. \ No newline at end of file From d2f309924df11ac2cc5ca6df3a6b736ed6726c66 Mon Sep 17 00:00:00 2001 From: Jarod Amos <79214602+jamos-bt@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:11:51 -0600 Subject: [PATCH 2/2] Update README.md Updated version, instructions for acquiring the associated extension from the App Exchange, location of these workflow files, and the guidance on setting the Log Source Identifier ... all with guidance from the QRadar App Validation team --- .../BeyondTrust/PM Cloud/README.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) 
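Review bot: the README hunk has the operator write the API account's **client_secret** in plaintext into BeyondTrust-PMCloud-xxxxx-Workflow-Parameter-Values.xml and then paste that file's contents into the Log Source, but nothing tells them to treat the populated file as a secret (restrict or delete the local copy once the Log Source is created, never commit it back to this repository, rotate the secret if the file leaks); step 5 "Save your changes to each parameters file" is the natural place for that sentence. Three smaller fixes in the same hunk: under Network Considerations, "secure HTTP traffic on TCP port 443** The purpose" is missing the period after 443; under Client Events, "The flow back to the PM Cloud site" should read "They flow back to the PM Cloud site"; and step 4 under Download and Configure Workflows says the notes "describe the purpose of these files" when it means "these parameters", since the notes describe page_size and batch_size.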
diff --git a/Community Developed/BeyondTrust/PM Cloud/README.md b/Community Developed/BeyondTrust/PM Cloud/README.md index d2a6791c..6eb1d543 100644 --- a/Community Developed/BeyondTrust/PM Cloud/README.md +++ b/Community Developed/BeyondTrust/PM Cloud/README.md @@ -1,7 +1,7 @@ # BeyondTrust PM Cloud + IBM QRadar Integration ***Written and maintained by:** BeyondTrust Corporation* -***Version:** 23.1.1* +***Version:** 24.1.1* This document describes the installation and configuration of the integration between BeyondTrust Privilege Management Cloud and IBM QRadar. 
@@ -32,18 +32,19 @@ Once the prerequisites have been satisfied, you can move on to the installation ### Install Extension Package -The extension package is currently available via the downloads section of the BeyondTrust Support portal. Once you have acquired the package, to install the extension: -1. Authenticate to your QRadar instance as an administrator -2. Navigate to **Admin > System Configuration > Extensions Management** -3. In the Extensions Management window, click the **Add** button to begin the process of adding a new extension -4. Browse to and select the ZIP archive containing the extension and click **Add** to begin installation -5. Proceed through the subsequent dialogs to complete the installation process +The extension package is available via the IBM Security App Exchange: +1. Go to the App Exchange at: https://exchange.xforce.ibmcloud.com/hub +2. Search for **BeyondTrust**; select and then download the app for PM Cloud then download +3. Navigate to **Admin > System Configuration > Extensions Management** +4. In the Extensions Management window, click the **Add** button to begin the process of adding a new extension +5. Browse to and select the extension file downloaded from the App Exchange and click **Add** to begin installation +6. Proceed through the subsequent dialogs to complete the installation process ### Download and Configure Workflows After the extension is installed, the other primary component of the integration is the pair of workflow definitions and parameters. The two definitions files provide the logic to make the PM Cloud API calls to retrieve event data while the parameters files provide the necessary configuration for those workflows. 
-These files are all published to IBM's Universal Cloud REST API connector library, available here: [https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/tree/master/Community%20Developed/BeyondTrust](https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/tree/master/Community%20Developed/BeyondTrust) +These files are all published to IBM's Universal Cloud REST API connector library, available here: [https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/tree/master/Community%20Developed/BeyondTrust/PM%20Cloud](https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/tree/master/Community%20Developed/BeyondTrust/PM%20Cloud) 1. From the link above, download all 4 XML files. These should include: - BeyondTrust-PMCloud-ActivityAudits-Workflow.xml - BeyondTrust-PMCloud-ActivityAudits-Workflow-Parameter-Values.xml @@ -78,7 +79,7 @@ The following steps describe how to add a Log Source for either of the two data - *(Supply or modify other fields as needed)* 6. Click the **Protocol** tab to proceed to the next configuration section 7. On the **Protocol** tab, enter the appropriate values in each of the configuration fields: - - **Log Source Identifier** - Provide a value to describe the source of these events; IBM suggests the name / hostname of the system generating the events + - **Log Source Identifier** - It is suggested to initially use a dummy value, then once all configuration is entered and you reach the **Test** step below, the test should return the correct identifier. Use that value to replace the dummy value. - **Workflow** - Copy and paste the contents of the appropriate workflow XML file here - **Workflow Parameters** - Copy and paste the contents of the appropriate workflow parameters XML file here - *(Supply or modify other fields as needed)* 
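Review bot: the rewritten **Log Source Identifier** guidance in the @@ -78,7 hunk leaves the reader guessing where the "correct identifier" appears; say explicitly that it is shown in the **Test** tab output after **Start Test**, otherwise "the test should return the correct identifier" reads as if the field fills itself in. The procedure is run twice (step 10 adds a second Log Source for the other feed), so also state whether the Client Events and Activity Audits log sources should end up with different identifiers or the same one.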
@@ -94,4 +95,4 @@ Should you encounter issues with event ingestion, the application does write to You can find more information on QRadar logs, including how to access them, here: [https://www.ibm.com/docs/en/qsip/7.5?topic=problems-qradar-log-files](https://www.ibm.com/docs/en/qsip/7.5?topic=problems-qradar-log-files) -For any issues which require additional assistance, please contact BeyondTrust Support at [mysupport@beyondtrust.com](mailto:mysupport@beyondtrust.com) or through the Customer Support Portal. \ No newline at end of file +For any issues which require additional assistance, please contact BeyondTrust Support at [mysupport@beyondtrust.com](mailto:mysupport@beyondtrust.com) or through the Customer Support Portal.
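Review bot: in the @@ -32,18 hunk (Install Extension Package), step 2 reads "select and then download the app for PM Cloud then download", a duplicated "then download"; suggest "2. Search for **BeyondTrust**; select the app for PM Cloud and download it". The rewritten list also dropped the old step 1 "Authenticate to your QRadar instance as an administrator", so step 3 "Navigate to **Admin > System Configuration > Extensions Management**" now starts without saying to sign in to QRadar; reinstate that step before the Admin navigation. The old step 4 named the file type ("the ZIP archive containing the extension") while the new step 5 only says "the extension file downloaded from the App Exchange"; keep the file type if it is still a ZIP.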