Schema update

rapid7 · Dec 16, 2024 · 994e104 · 994e104
1 parent 50ded62
commit 994e104
Show file tree

Hide file tree

Showing 8 changed files with 211 additions and 15 deletions.
diff --git a/plugins/rapid7_insightidr/.CHECKSUM b/plugins/rapid7_insightidr/.CHECKSUM
@@ -1,19 +1,19 @@
 {
-	"spec": "ef55d0eaab88354037eb0e7a0c1d5ca0",
-	"manifest": "a9dc8b0c15952a931013e92670cdf86b",
-	"setup": "8b4da6c79f36dd56dfc82e26d0009a8b",
+	"spec": "1731102995c13b9e66eb3d167cc3b36e",
+	"manifest": "bf5b8c1274de589f792fc43909fcb102",
+	"setup": "1964faaf291c2cbe3485c2bfd7ae7231",
 	"schemas": [
 		{
 			"identifier": "add_indicators_to_a_threat/schema.py",
 			"hash": "95108ef162aa99c34e0d20ba2fd3035e"
 		},
 		{
 			"identifier": "advanced_query_on_log/schema.py",
-			"hash": "c25673288c3406030e64dc6f3451821d"
+			"hash": "1f0d2740af4d48b6d202f8fe82bac40e"
 		},
 		{
 			"identifier": "advanced_query_on_log_set/schema.py",
-			"hash": "ff689fccb0ed297d1c5f7f45877fd138"
+			"hash": "b5b2c8b6a3b884b33241f87004815459"
 		},
 		{
 			"identifier": "assign_user_to_investigation/schema.py",
@@ -113,7 +113,7 @@
 		},
 		{
 			"identifier": "query/schema.py",
-			"hash": "ec57e897be9e044c6607e33ab15020b0"
+			"hash": "440b96851f6c0090adde3f3709aa6259"
 		},
 		{
 			"identifier": "replace_indicators/schema.py",

diff --git a/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr b/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr
@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Rapid7 InsightIDR"
 Vendor = "rapid7"
-Version = "10.3.4"
+Version = "10.3.5"
 Description = "This plugin allows you to add indicators to a threat and see the status of investigations"
 
 

diff --git a/plugins/rapid7_insightidr/help.md b/plugins/rapid7_insightidr/help.md
@@ -146,7 +146,7 @@ Example input:
 | :--- | :--- | :--- | :--- | :--- |
 |count|integer|True|Number of log entries found|10|
 |results_events|[]events|False|Query Results|[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","user@example.com","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]|
-|results_statistical|statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
+|results_statistical|results_statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
 
 Example output:
 
@@ -3087,6 +3087,16 @@ Example output:
 |Sequence Number|integer|None|None|Sequence number|None|
 |Timestamp|integer|None|None|Timestamp|None|
 
+**results_statistics**
+
+|Name|Type|Default|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- | :--- |
+|leql|object|None|False|The LEQL 'WHERE' clause to match against|None|
+|logs|array|None|False|Holds the Log ID of the matching log entry|None|
+|search_stats|object|None|False|Holds data regarding the query execution|None|
+|statement|object|None|False|Query command/operation executed|None|
+|statistics|statistics|None|False|Holds the overall statistical results|None|
+
 **statistics**
 
 |Name|Type|Default|Required|Description|Example|
@@ -3401,6 +3411,7 @@ Example output:
 
 # Version History
 
+* 10.3.5 - Updating schema for 'advanced_query_on_log' action to account for missing keys
 * 10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2
 * 10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0
 * 10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version

diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
@@ -122,7 +122,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
       "order": 1
     },
     "results_statistical": {
-      "$ref": "#/definitions/statistics",
+      "$ref": "#/definitions/results_statistics",
       "title": "Query Results (Statistical)",
       "description": "Query Results",
       "order": 2
@@ -164,7 +164,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
           "order": 4
         },
         "message": {
-          "type": ["object", "string"],
+          "$ref": "#/definitions/message",
           "title": "Message",
           "description": "Message",
           "order": 5
@@ -180,6 +180,47 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
         }
       }
     },
+    "message": {
+      "type": "object",
+      "title": "message",
+      "properties": {
+        "sourceName": {
+          "type": "string",
+          "title": "Source Name",
+          "order": 1
+        },
+        "eventCode": {
+          "type": "integer",
+          "title": "Event Code",
+          "order": 2
+        },
+        "computerName": {
+          "type": "string",
+          "title": "Computer Name",
+          "order": 3
+        },
+        "sid": {
+          "type": "string",
+          "title": "SID",
+          "order": 4
+        },
+        "isDomainController": {
+          "type": "boolean",
+          "title": "Is Domain Controller",
+          "order": 5
+        },
+        "eventData": {
+          "$ref": "#/definitions/eventData",
+          "title": "Event Data",
+          "order": 6
+        },
+        "timeWritten": {
+          "type": "string",
+          "title": "Time Written",
+          "order": 7
+        }
+      }
+    },
     "eventData": {
       "type": "object",
       "title": "eventData",
@@ -357,6 +398,41 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
         }
       }
     },
+    "results_statistics": {
+      "type": "object",
+      "title": "results_statistics",
+      "properties": {
+        "statistics": {
+          "$ref": "#/definitions/statistics",
+          "title": "statistics",
+          "description": "Holds the overall statistical results",
+          "order": 1
+        },
+        "leql": {
+          "type": "object",
+          "title": "leql",
+          "description": "The LEQL 'WHERE' clause to match against",
+          "order": 2
+        },
+        "logs": {
+          "title": "logs",
+          "description": "Holds the Log ID of the matching log entry",
+          "order": 3
+        },
+        "search_stats": {
+          "type": "object",
+          "title": "search_stats",
+          "description": "Holds data regarding the query execution",
+          "order": 4
+        },
+        "statement": {
+          "type": "object",
+          "title": "statement",
+          "description": "Query command/operation executed",
+          "order": 5
+        }
+      }
+    },
     "statistics": {
       "type": "object",
       "title": "statistics",

diff --git a/...ns/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py b/...ns/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
@@ -182,7 +182,7 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
           "order": 4
         },
         "message": {
-          "type": ["object", "string"],
+          "$ref": "#/definitions/message",
           "title": "Message",
           "description": "Message",
           "order": 5
@@ -198,6 +198,47 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
         }
       }
     },
+    "message": {
+      "type": "object",
+      "title": "message",
+      "properties": {
+        "sourceName": {
+          "type": "string",
+          "title": "Source Name",
+          "order": 1
+        },
+        "eventCode": {
+          "type": "integer",
+          "title": "Event Code",
+          "order": 2
+        },
+        "computerName": {
+          "type": "string",
+          "title": "Computer Name",
+          "order": 3
+        },
+        "sid": {
+          "type": "string",
+          "title": "SID",
+          "order": 4
+        },
+        "isDomainController": {
+          "type": "boolean",
+          "title": "Is Domain Controller",
+          "order": 5
+        },
+        "eventData": {
+          "$ref": "#/definitions/eventData",
+          "title": "Event Data",
+          "order": 6
+        },
+        "timeWritten": {
+          "type": "string",
+          "title": "Time Written",
+          "order": 7
+        }
+      }
+    },
     "eventData": {
       "type": "object",
       "title": "eventData",

diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
@@ -98,7 +98,7 @@ class QueryOutput(insightconnect_plugin_runtime.Output):
           "order": 4
         },
         "message": {
-          "type": ["object", "string"],
+          "$ref": "#/definitions/message",
           "title": "Message",
           "description": "Message",
           "order": 5
@@ -114,6 +114,47 @@ class QueryOutput(insightconnect_plugin_runtime.Output):
         }
       }
     },
+    "message": {
+      "type": "object",
+      "title": "message",
+      "properties": {
+        "sourceName": {
+          "type": "string",
+          "title": "Source Name",
+          "order": 1
+        },
+        "eventCode": {
+          "type": "integer",
+          "title": "Event Code",
+          "order": 2
+        },
+        "computerName": {
+          "type": "string",
+          "title": "Computer Name",
+          "order": 3
+        },
+        "sid": {
+          "type": "string",
+          "title": "SID",
+          "order": 4
+        },
+        "isDomainController": {
+          "type": "boolean",
+          "title": "Is Domain Controller",
+          "order": 5
+        },
+        "eventData": {
+          "$ref": "#/definitions/eventData",
+          "title": "Event Data",
+          "order": 6
+        },
+        "timeWritten": {
+          "type": "string",
+          "title": "Time Written",
+          "order": 7
+        }
+      }
+    },
     "eventData": {
       "type": "object",
       "title": "eventData",

diff --git a/plugins/rapid7_insightidr/plugin.spec.yaml b/plugins/rapid7_insightidr/plugin.spec.yaml
@@ -4,7 +4,7 @@ products: [insightconnect]
 name: rapid7_insightidr
 title: "Rapid7 InsightIDR"
 description: "This plugin allows you to add indicators to a threat and see the status of investigations"
-version: 10.3.4
+version: 10.3.5
 connection_version: 5
 supported_versions: ["Latest release successfully tested on 2024-09-10."]
 vendor: rapid7
@@ -36,6 +36,7 @@ sdk:
   version: 6.2.2
   user: nobody
 version_history:
+  - "10.3.5 - Updating schema for 'advanced_query_on_log' action to account for missing keys"
   - "10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2"
   - "10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0"
   - "10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version"
@@ -448,6 +449,32 @@ types:
       title: Links
       description: Links
       type: "[]link"
+  results_statistics:
+    statistics:
+      title: statistics
+      description: Holds the overall statistical results
+      type: statistics
+      required: false
+    leql:
+      title: leql
+      description: The LEQL 'WHERE' clause to match against
+      type: object
+      required: false
+    logs:
+      title: logs
+      description: Holds the Log ID of the matching log entry
+      type: array
+      required: false
+    search_stats:
+      title: search_stats
+      description: Holds data regarding the query execution
+      type: object
+      required: false
+    statement:
+      title: statement
+      description: Query command/operation executed
+      type: object
+      required: false
   statistics:
     stats:
       title: Stats
@@ -1979,7 +2006,7 @@ actions:
       results_statistical:
         title: Query Results (Statistical)
         description: Query Results
-        type: statistics
+        type: results_statistics
         required: false
         example: '{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}'
       count:

diff --git a/plugins/rapid7_insightidr/setup.py b/plugins/rapid7_insightidr/setup.py
@@ -3,7 +3,7 @@
 
 
 setup(name="rapid7_insightidr-rapid7-plugin",
-      version="10.3.4",
+      version="10.3.5",
       description="This plugin allows you to add indicators to a threat and see the status of investigations",
       author="rapid7",
       author_email="",