PLGN-251-Increasing the maximum results per call from 50 to 500 and a…

…dding in log if there is more than 500 (#2104) (#2105)
rapid7 · Nov 9, 2023 · 84ea3a3 · 84ea3a3
1 parent 1711779
commit 84ea3a3
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 11 deletions.
diff --git a/plugins/rapid7_insightidr/.CHECKSUM b/plugins/rapid7_insightidr/.CHECKSUM
@@ -1,15 +1,15 @@
 {
-	"spec": "7334b6d77f442d36280bd35d6ce3f34e",
-	"manifest": "0e896c3b72ca96d223dc521c31eef7b2",
-	"setup": "72ec0955651aa66bca8b39549acc1411",
+	"spec": "e88e03be591a773f6f06ab8f8ff72d75",
+	"manifest": "fcaf023d3d8e468094348803d3ecc5eb",
+	"setup": "3b83b99c77061338b639889ef7848b9b",
 	"schemas": [
 		{
 			"identifier": "add_indicators_to_a_threat/schema.py",
 			"hash": "ae591f6016d3c55c7d02f6ccbff1ace5"
 		},
 		{
 			"identifier": "advanced_query_on_log/schema.py",
-			"hash": "218cf52cbd4460b58be9610d7cc34556"
+			"hash": "8eee4540d5732fa2be2f9a5c4cc603e0"
 		},
 		{
 			"identifier": "advanced_query_on_log_set/schema.py",

diff --git a/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr b/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr
@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Rapid7 InsightIDR"
 Vendor = "rapid7"
-Version = "6.0.0"
+Version = "6.0.1"
 Description = "This plugin allows you to add indicators to a threat and see the status of investigations"
 
 

diff --git a/plugins/rapid7_insightidr/help.md b/plugins/rapid7_insightidr/help.md
@@ -110,7 +110,7 @@ Example output:
 
 #### Advanced Query on Log
 
-Realtime query an InsightIDR log. This will query individual logs for results
+Realtime query an InsightIDR log. This will query individual logs for results. Note only 500 results will be returned from a single call, if all results are required for this query please use smaller timeranges 
 
 ##### Input
 
@@ -2024,6 +2024,7 @@ Example output:
 
 # Version History
 
+* 6.0.1 - Action: `Advanced Query On Log Set` - Up the maximium events returned from 50 to 500
 * 6.0.0 - Action: `Advanced Query On Log Set` - Add new output type for statistical queries.
 * 5.1.2 - Action: `Advanced Query on Log Set` - Fix JSONDecoderError | Action: `Query` - Update spec and help.md to show it queries log IDs, not query IDs
 * 5.1.1 - Action: `List Investigations` - Now receiving size input | Actions: `Advanced Query On Log` & `Advanced Query On Log Set` - Acronym LQL has been updated to LEQL

diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/action.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/action.py
@@ -88,6 +88,10 @@ def repeat_requests_on_timeout(self, callback_url: str, timeout: int, results_ob
                     self.logger.info("No results were found, returning an empty list")
                     return []
             else:
+                if results_object.get("links", [{}])[0].get("rel") == "Next":
+                    self.logger.info(
+                        "Over 500 results are available for this query, but only 500 will be returned, please use a more specific query to get all results"
+                    )
                 return log_entries
 
     def get_results_from_callback(self, callback_url: str, timeout: int) -> [object]:
@@ -137,7 +141,7 @@ def maybe_get_log_entries(self, log_id: str, query: str, time_from: int, time_to
         @return: (callback url, list of log entries)
         """
         endpoint = f"{self.connection.url}log_search/query/logs/{log_id}"
-        params = {"query": query, "from": time_from, "to": time_to}
+        params = {"query": query, "from": time_from, "to": time_to, "per_page": 500}
 
         self.logger.info(f"Getting logs from: {endpoint}")
         self.logger.info(f"Using parameters: {params}")
@@ -155,6 +159,11 @@ def maybe_get_log_entries(self, log_id: str, query: str, time_from: int, time_to
         potential_results = results_object.get("events", [])
         if potential_results:
             self.logger.info("Got results immediately, returning.")
+            self.logger.info("results_object.get('links', [{}])")
+            if results_object.get("links", [{}])[0].get("rel") == "Next":
+                self.logger.info(
+                    "Over 500 results are available for this query, but only 500 will be returned, please use a more specific query to get all results"
+                )
             return None, potential_results
         else:
             self.logger.info("Got a callback url. Polling results...")

diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
@@ -4,7 +4,7 @@
 
 
 class Component:
-    DESCRIPTION = "Realtime query an InsightIDR log. This will query individual logs for results"
+    DESCRIPTION = "Realtime query an InsightIDR log. This will query individual logs for results. Note only 500 results will be returned from a single call, if all results are required for this query please use smaller timeranges"
 
 
 class Input:

diff --git a/plugins/rapid7_insightidr/plugin.spec.yaml b/plugins/rapid7_insightidr/plugin.spec.yaml
@@ -4,7 +4,7 @@ products: [insightconnect]
 name: rapid7_insightidr
 title: "Rapid7 InsightIDR"
 description: "This plugin allows you to add indicators to a threat and see the status of investigations"
-version: 6.0.0
+version: 6.0.1
 connection_version: 5
 supported_versions: ["Latest release successfully tested on 2022-07-20."]
 vendor: rapid7
@@ -1242,7 +1242,7 @@ actions:
         example: {"log": {"id": "0b9a242d-d2fb-4e42-8656-eb5ff64d652f","name": "Windows Defender","tokens": ["bc38a911-65f1-4755-cca3-a330a6336b3a"],"structures": ["1238a911-65f1-4755-cca3-a330a6336b3a"],"user_data": {"platform_managed": "true"},"source_type": "token","token_seed": null,"retention_period": "default","links": [{"rel": "Related","href": "https://example.com"}],"rrn": "rrn:logsearch:us:bc38a911-65f1-4755-cca3-a330a6336b3a:log:bc38a911-65f1-4755-cca3-a330a6336b3a","logsets_info": [{"id": "bc38a911-65f1-4755-cca3-a330a6336b3a","name": "Unparsed Data","rrn": "rrn:logsearch:us:bc38a911-65f1-4755-cca3-a330a6336b3a:logset:bc38a911-65f1-4755-cca3-a330a6336b3a","links": [{"rel": "Self","href": "https://example.com/3e966a63-bf3a-4a3c-8903-979c7e90ce85"}]}]}}
   advanced_query_on_log:
     title: Advanced Query on Log
-    description: Realtime query an InsightIDR log. This will query individual logs for results
+    description: Realtime query an InsightIDR log. This will query individual logs for results. Note only 500 results will be returned from a single call, if all results are required for this query please use smaller timeranges
     input:
       query:
         title: Query

diff --git a/plugins/rapid7_insightidr/setup.py b/plugins/rapid7_insightidr/setup.py
@@ -3,7 +3,7 @@
 
 
 setup(name="rapid7_insightidr-rapid7-plugin",
-      version="6.0.0",
+      version="6.0.1",
       description="This plugin allows you to add indicators to a threat and see the status of investigations",
       author="rapid7",
       author_email="",