diff --git a/plugins/rapid7_insightidr/.CHECKSUM b/plugins/rapid7_insightidr/.CHECKSUM index 23b35d73f9..f74cabc66e 100644 --- a/plugins/rapid7_insightidr/.CHECKSUM +++ b/plugins/rapid7_insightidr/.CHECKSUM @@ -1,7 +1,7 @@ { - "spec": "ef55d0eaab88354037eb0e7a0c1d5ca0", - "manifest": "a9dc8b0c15952a931013e92670cdf86b", - "setup": "8b4da6c79f36dd56dfc82e26d0009a8b", + "spec": "1731102995c13b9e66eb3d167cc3b36e", + "manifest": "bf5b8c1274de589f792fc43909fcb102", + "setup": "1964faaf291c2cbe3485c2bfd7ae7231", "schemas": [ { "identifier": "add_indicators_to_a_threat/schema.py", @@ -9,11 +9,11 @@ }, { "identifier": "advanced_query_on_log/schema.py", - "hash": "c25673288c3406030e64dc6f3451821d" + "hash": "1f0d2740af4d48b6d202f8fe82bac40e" }, { "identifier": "advanced_query_on_log_set/schema.py", - "hash": "ff689fccb0ed297d1c5f7f45877fd138" + "hash": "b5b2c8b6a3b884b33241f87004815459" }, { "identifier": "assign_user_to_investigation/schema.py", @@ -113,7 +113,7 @@ }, { "identifier": "query/schema.py", - "hash": "ec57e897be9e044c6607e33ab15020b0" + "hash": "440b96851f6c0090adde3f3709aa6259" }, { "identifier": "replace_indicators/schema.py", diff --git a/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr b/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr index 49786697c9..41e4449756 100755 --- a/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr +++ b/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr @@ -6,7 +6,7 @@ from sys import argv Name = "Rapid7 InsightIDR" Vendor = "rapid7" -Version = "10.3.4" +Version = "10.3.5" Description = "This plugin allows you to add indicators to a threat and see the status of investigations" diff --git a/plugins/rapid7_insightidr/help.md b/plugins/rapid7_insightidr/help.md index feef85fbaa..221b67b5ac 100644 --- a/plugins/rapid7_insightidr/help.md +++ b/plugins/rapid7_insightidr/help.md 
@@ -146,7 +146,7 @@ Example input: | :--- | :--- | :--- | :--- | :--- | |count|integer|True|Number of log entries found|10| |results_events|[]events|False|Query Results|[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","user@example.com","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]| -|results_statistical|statistics|False|Query 
Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}| +|results_statistical|results_statistics|False|Query 
Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}| Example output: @@ -3087,6 +3087,16 @@ Example output: |Sequence Number|integer|None|None|Sequence number|None| |Timestamp|integer|None|None|Timestamp|None| +**results_statistics** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|leql|object|None|False|The LEQL 'WHERE' clause to match against|None| +|logs|array|None|False|Holds the Log ID of the matching log entry|None| +|search_stats|object|None|False|Holds data regarding the query execution|None| +|statement|object|None|False|Query command/operation executed|None| +|statistics|statistics|None|False|Holds the overall statistical results|None| + **statistics** |Name|Type|Default|Required|Description|Example| 
@@ -3401,6 +3411,7 @@ Example output:
 # Version History
+* 10.3.5 - Updating schema for 'advanced_query_on_log' action to account for missing keys
 * 10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2
 * 10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0
 * 10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
index b7a20a379f..771cacef31 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
@@ -122,7 +122,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 "order": 1
 },
 "results_statistical": {
- "$ref": "#/definitions/statistics",
+ "$ref": "#/definitions/results_statistics",
 "title": "Query Results (Statistical)",
 "description": "Query Results",
 "order": 2
@@ -164,7 +164,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 "order": 4
 },
 "message": {
- "type": ["object", "string"],
+ "$ref": "#/definitions/message",
 "title": "Message",
 "description": "Message",
 "order": 5
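Review bot: Replacing `"type": ["object", "string"]` with `"$ref": "#/definitions/message"` drops the string form the previous schema accepted for `message`, so an event whose message is a raw log line rather than a parsed object will now fail output validation instead of being returned; the same change is made in the advanced_query_on_log_set and query hunks below. The new `message` definition also pins `eventCode` to integer and `isDomainController` to boolean with no union, so a source that emits those as strings is rejected as well, and the help.md example on this page nests those keys under `source_json` rather than directly in `message`, so it is worth confirming against a live response which shapes the API actually returns. If both shapes occur, keep a union on the property, e.g. `"oneOf": [{"$ref": "#/definitions/message"}, {"type": "string"}]`, and since schema.py looks generated, make that change in plugin.spec.yaml rather than here. The enclosing class continues outside the hunk.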
@@ -180,6 +180,47 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 }
 }
 },
+ "message": {
+ "type": "object",
+ "title": "message",
+ "properties": {
+ "sourceName": {
+ "type": "string",
+ "title": "Source Name",
+ "order": 1
+ },
+ "eventCode": {
+ "type": "integer",
+ "title": "Event Code",
+ "order": 2
+ },
+ "computerName": {
+ "type": "string",
+ "title": "Computer Name",
+ "order": 3
+ },
+ "sid": {
+ "type": "string",
+ "title": "SID",
+ "order": 4
+ },
+ "isDomainController": {
+ "type": "boolean",
+ "title": "Is Domain Controller",
+ "order": 5
+ },
+ "eventData": {
+ "$ref": "#/definitions/eventData",
+ "title": "Event Data",
+ "order": 6
+ },
+ "timeWritten": {
+ "type": "string",
+ "title": "Time Written",
+ "order": 7
+ }
+ }
+ },
 "eventData": {
 "type": "object",
 "title": "eventData",
@@ -357,6 +398,41 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 }
 }
 },
+ "results_statistics": {
+ "type": "object",
+ "title": "results_statistics",
+ "properties": {
+ "statistics": {
+ "$ref": "#/definitions/statistics",
+ "title": "statistics",
+ "description": "Holds the overall statistical results",
+ "order": 1
+ },
+ "leql": {
+ "type": "object",
+ "title": "leql",
+ "description": "The LEQL 'WHERE' clause to match against",
+ "order": 2
+ },
+ "logs": {
+ "title": "logs",
+ "description": "Holds the Log ID of the matching log entry",
+ "order": 3
+ },
+ "search_stats": {
+ "type": "object",
+ "title": "search_stats",
+ "description": "Holds data regarding the query execution",
+ "order": 4
+ },
+ "statement": {
+ "type": "object",
+ "title": "statement",
+ "description": "Query command/operation executed",
+ "order": 5
+ }
+ }
+ },
 "statistics": {
 "type": "object",
 "title": "statistics",
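Review bot: In the new `results_statistics` definition the `logs` property carries only `title`, `description` and `order` and no `"type"`, while every sibling property is typed and the plugin.spec.yaml hunk on this page declares it as `type: array`; as written nothing constrains `logs`, and the generated schema disagrees with its spec. If the generator drops a bare `array` type, declaring it in the spec with the element type, e.g. `type: "[]string"` as the page already does for `"[]link"`, should yield `"type": "array"` with an `items` schema here, which also matches the example value `["123456-abcd-1234-abcd-123456abc"]`. The enclosing class continues outside the hunk.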
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
index 2c8c1b6f07..2a351021a7 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
@@ -182,7 +182,7 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 "order": 4
 },
 "message": {
- "type": ["object", "string"],
+ "$ref": "#/definitions/message",
 "title": "Message",
 "description": "Message",
 "order": 5
@@ -198,6 +198,47 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 }
 }
 },
+ "message": {
+ "type": "object",
+ "title": "message",
+ "properties": {
+ "sourceName": {
+ "type": "string",
+ "title": "Source Name",
+ "order": 1
+ },
+ "eventCode": {
+ "type": "integer",
+ "title": "Event Code",
+ "order": 2
+ },
+ "computerName": {
+ "type": "string",
+ "title": "Computer Name",
+ "order": 3
+ },
+ "sid": {
+ "type": "string",
+ "title": "SID",
+ "order": 4
+ },
+ "isDomainController": {
+ "type": "boolean",
+ "title": "Is Domain Controller",
+ "order": 5
+ },
+ "eventData": {
+ "$ref": "#/definitions/eventData",
+ "title": "Event Data",
+ "order": 6
+ },
+ "timeWritten": {
+ "type": "string",
+ "title": "Time Written",
+ "order": 7
+ }
+ }
+ },
 "eventData": {
 "type": "object",
 "title": "eventData",
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
index dbe5687da6..bcc0c26a70 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
@@ -98,7 +98,7 @@ class QueryOutput(insightconnect_plugin_runtime.Output):
 "order": 4
 },
 "message": {
- "type": ["object", "string"],
+ "$ref": "#/definitions/message",
 "title": "Message",
 "description": "Message",
 "order": 5
@@ -114,6 +114,47 @@ class QueryOutput(insightconnect_plugin_runtime.Output):
 }
 }
 },
+ "message": {
+ "type": "object",
+ "title": "message",
+ "properties": {
+ "sourceName": {
+ "type": "string",
+ "title": "Source Name",
+ "order": 1
+ },
+ "eventCode": {
+ "type": "integer",
+ "title": "Event Code",
+ "order": 2
+ },
+ "computerName": {
+ "type": "string",
+ "title": "Computer Name",
+ "order": 3
+ },
+ "sid": {
+ "type": "string",
+ "title": "SID",
+ "order": 4
+ },
+ "isDomainController": {
+ "type": "boolean",
+ "title": "Is Domain Controller",
+ "order": 5
+ },
+ "eventData": {
+ "$ref": "#/definitions/eventData",
+ "title": "Event Data",
+ "order": 6
+ },
+ "timeWritten": {
+ "type": "string",
+ "title": "Time Written",
+ "order": 7
+ }
+ }
+ },
 "eventData": {
 "type": "object",
 "title": "eventData",
diff --git a/plugins/rapid7_insightidr/plugin.spec.yaml b/plugins/rapid7_insightidr/plugin.spec.yaml
index 293e2a8c4e..9db42e4399 100644
--- a/plugins/rapid7_insightidr/plugin.spec.yaml
+++ b/plugins/rapid7_insightidr/plugin.spec.yaml
@@ -4,7 +4,7 @@ products: [insightconnect]
 name: rapid7_insightidr
 title: "Rapid7 InsightIDR"
 description: "This plugin allows you to add indicators to a threat and see the status of investigations"
-version: 10.3.4
+version: 10.3.5
 connection_version: 5
 supported_versions: ["Latest release successfully tested on 2024-09-10."]
 vendor: rapid7
@@ -36,6 +36,7 @@ sdk:
 version: 6.2.2
 user: nobody
 version_history:
+ - "10.3.5 - Updating schema for 'advanced_query_on_log' action to account for missing keys"
 - "10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2"
 - "10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0"
 - "10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version"
@@ -448,6 +449,32 @@ types:
 title: Links
 description: Links
 type: "[]link"
+ results_statistics:
+ statistics:
+ title: statistics
+ description: Holds the overall statistical results
+ type: statistics
+ required: false
+ leql:
+ title: leql
+ description: The LEQL 'WHERE' clause to match against
+ type: object
+ required: false
+ logs:
+ title: logs
+ description: Holds the Log ID of the matching log entry
+ type: array
+ required: false
+ search_stats:
+ title: search_stats
+ description: Holds data regarding the query execution
+ type: object
+ required: false
+ statement:
+ title: statement
+ description: Query command/operation executed
+ type: object
+ required: false
 statistics:
 stats:
 title: Stats
@@ -1979,7 +2006,7 @@ actions:
 results_statistical:
 title: Query Results (Statistical)
 description: Query Results
- type: statistics
+ type: results_statistics
 required: false
 example: '{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}'
 count:
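Review bot: The new `results_statistics` type declares `statement` as a top-level property of `type: object`, but the example in the second hunk on this page has no top-level `statement` at all; the only `statement` there is nested inside `leql` and is a string (`"statement":"groupby(r7_context.asset.name)"`). Because the property is `required: false` a missing key is fine, but if the API does return `statement` at the top level as a string the object type will reject the whole response, and as documentation the entry describes a shape the example does not show. Either drop the property or type it to match what a live response contains, and document that `leql` carries the statement and time range, e.g. `description: The LEQL query object, including the 'statement' and 'during' range that were executed`.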
diff --git a/plugins/rapid7_insightidr/setup.py b/plugins/rapid7_insightidr/setup.py
index 2077db7975..7e5c5ab5ee 100755
--- a/plugins/rapid7_insightidr/setup.py
+++ b/plugins/rapid7_insightidr/setup.py
@@ -3,7 +3,7 @@ setup(name="rapid7_insightidr-rapid7-plugin",
- version="10.3.4",
+ version="10.3.5",
 description="This plugin allows you to add indicators to a threat and see the status of investigations",
 author="rapid7",
 author_email="",