diff --git a/plugins/rapid7_insightidr/.CHECKSUM b/plugins/rapid7_insightidr/.CHECKSUM
index 8d0f4bc003..d6645dc493 100644
--- a/plugins/rapid7_insightidr/.CHECKSUM
+++ b/plugins/rapid7_insightidr/.CHECKSUM
@@ -1,5 +1,5 @@
 {
- "spec": "fd4a1ba356fb9c3b51b5058cf8bee435",
+ "spec": "ed557ded0b51e5458aefc217bdfde130",
 "manifest": "bf5b8c1274de589f792fc43909fcb102",
 "setup": "1964faaf291c2cbe3485c2bfd7ae7231",
 "schemas": [
@@ -9,11 +9,11 @@
 },
 {
 "identifier": "advanced_query_on_log/schema.py",
- "hash": "c29d038d9e7020d8e1327a8c6ad4e3d5"
+ "hash": "5095f41c5b730886b330614a79dc0551"
 },
 {
 "identifier": "advanced_query_on_log_set/schema.py",
- "hash": "6ecdb6192aa5e8c99cafc712a6c9d6fb"
+ "hash": "b5b2c8b6a3b884b33241f87004815459"
 },
 {
 "identifier": "assign_user_to_investigation/schema.py",
diff --git a/plugins/rapid7_insightidr/help.md b/plugins/rapid7_insightidr/help.md
index 1c89a9301f..765445e303 100644
--- a/plugins/rapid7_insightidr/help.md
+++ b/plugins/rapid7_insightidr/help.md
@@ -3094,7 +3094,7 @@ Example output:
 |LEQL|object|None|False|The LEQL 'WHERE' clause to match against|None|
 |Logs|array|None|False|Holds the Log ID of the matching log entry|None|
 |Search Stats|object|None|False|Holds data regarding the query execution|None|
-|Statement|object|None|False|Query command/operation executed|None|
+|statistics|statistics|None|False|Holds the overall statistical results|None|
 
 **statistics**
 
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
index 5cd8ec4a12..30c02f90a5 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
@@ -114,7 +114,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 },
 "results_events": {
 "type": "array",
- "title": "Results Events",
+ "title": "Query Results (Events)",
 "description": "Query Results",
 "items": {
 "$ref": "#/definitions/events"
@@ -123,7 +123,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 },
 "results_statistical": {
 "$ref": "#/definitions/results_statistics",
- "title": "Results Statistical",
+ "title": "Query Results (Statistical)",
 "description": "Query Results",
 "order": 2
 }
@@ -402,28 +402,118 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 "type": "object",
 "title": "results_statistics",
 "properties": {
+ "statistics": {
+ "$ref": "#/definitions/statistics",
+ "title": "statistics",
+ "description": "Holds the overall statistical results",
+ "order": 1
+ },
 "leql": {
 "type": "object",
 "title": "LEQL",
 "description": "The LEQL 'WHERE' clause to match against",
- "order": 1
+ "order": 2
 },
 "logs": {
 "title": "Logs",
 "description": "Holds the Log ID of the matching log entry",
- "order": 2
+ "order": 3
 },
 "search_stats": {
 "type": "object",
 "title": "Search Stats",
 "description": "Holds data regarding the query execution",
+ "order": 4
+ }
+ }
+ },
+ "statistics": {
+ "type": "object",
+ "title": "statistics",
+ "properties": {
+ "stats": {
+ "type": "object",
+ "title": "Stats",
+ "description": "Holds the overall result when query does not contain a 'groupby' clause",
+ "order": 1
+ },
+ "groups": {
+ "type": "array",
+ "title": "Groups",
+ "description": "Holds the overall result for each group in a 'groupby' query",
+ "items": {
+ "type": "object"
+ },
+ "order": 2
+ },
+ "granularity": {
+ "type": "integer",
+ "title": "Granularity",
+ "description": "The time window in milliseconds for each time slice in the time series",
 "order": 3
 },
- "statement": {
+ "timeseries": {
 "type": "object",
- "title": "Statement",
- "description": "Query command/operation executed",
+ "title": "Time Series",
+ "description": "Holds the query results for each timeslice (each partition of the time_range), for non-'groupby' queries",
 "order": 4
+ },
+ "groups_timeseries": {
+ "type": "array",
+ "title": "Groups Time Series",
+ "description": "For 'groupby' queries, holds the timeseries object for each group",
+ "items": {
+ "type": "object"
+ },
+ "order": 5
+ },
+ "from": {
+ "type": "integer",
+ "title": "From",
+ "description": "The start of the time range for the query, as a UNIX timestamp in milliseconds",
+ "order": 6
+ },
+ "to": {
+ "type": "integer",
+ "title": "To",
+ "description": "The end of the time range for the query, as a UNIX timestamp in milliseconds",
+ "order": 7
+ },
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "The type of function performed, for example, \"count\", \"max\", \"average\", \"standarddeviation\"",
+ "order": 8
+ },
+ "key": {
+ "type": "string",
+ "title": "Key",
+ "description": "The key which the function of the 'calculate' clause is applied to",
+ "order": 9
+ },
+ "cardinality": {
+ "type": "integer",
+ "title": "Cardinality",
+ "description": "Always 0",
+ "order": 10
+ },
+ "others": {
+ "type": "object",
+ "title": "Others",
+ "description": "Not yet implemented",
+ "order": 11
+ },
+ "status": {
+ "type": "integer",
+ "title": "Status",
+ "description": "Holds a status code for the query, potentially different from the status code of the response",
+ "order": 12
+ },
+ "all_exact_results": {
+ "type": "boolean",
+ "title": "All Exact Results",
+ "description": "Boolean indicating whether groups are calculated approximately (approximated if a groupby query involves over 10,000 groups)",
+ "order": 13
 }
 }
 }
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
index cd6c270dbe..2a351021a7 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
@@ -132,7 +132,7 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 },
 "results_events": {
 "type": "array",
- "title": "Results Events",
+ "title": "Query Results (Events)",
 "description": "Query Results",
 "items": {
 "$ref": "#/definitions/events"
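Review bot: Dropping the `statement` property from the `results_statistics` definition is a backward-incompatible change to the Advanced Query on Log output contract: a workflow that reads `results_statistical.statement` will now find the key undocumented and, depending on how the action builds its payload (not in this diff), either absent or no longer covered by the schema. If the intent is to replace it with the nested `statistics` object, that deserves a changelog entry and a plugin version bump, neither of which is visible in the hunks shown; otherwise keep `statement` alongside `statistics`. The same removal is made in the plugin.spec.yaml hunk `@@ -465,11 +470,6 @@`, which is the source this schema is generated from, so any fix belongs there first. Separately, the description of the new `all_exact_results` boolean reads inverted relative to its name (a true value presumably means the results are exact, yet the text says it indicates whether groups are approximated); I'd reword it to `"description": "True when every group result is exact; false when results were approximated (a groupby query involving over 10,000 groups)"`. The enclosing AdvancedQueryOnLogOutput class starts before this hunk.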
@@ -141,7 +141,7 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 },
 "results_statistical": {
 "$ref": "#/definitions/statistics",
- "title": "Results Statistical",
+ "title": "Query Results (Statistical)",
 "description": "Query Results",
 "order": 2
 }
diff --git a/plugins/rapid7_insightidr/plugin.spec.yaml b/plugins/rapid7_insightidr/plugin.spec.yaml
index fc31c59f9a..3d264e6b5c 100644
--- a/plugins/rapid7_insightidr/plugin.spec.yaml
+++ b/plugins/rapid7_insightidr/plugin.spec.yaml
@@ -450,6 +450,11 @@ types:
 description: Links
 type: "[]link"
 results_statistics:
+ statistics:
+ title: statistics
+ description: Holds the overall statistical results
+ type: statistics
+ required: false
 leql:
 title: LEQL
 description: The LEQL 'WHERE' clause to match against
@@ -465,11 +470,6 @@ types:
 description: Holds data regarding the query execution
 type: object
 required: false
- statement:
- title: Statement
- description: Query command/operation executed
- type: object
- required: false
 statistics:
 stats:
 title: Stats
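Review bot: The new `statistics` property added under `results_statistics` in the `@@ -450,6 +450,11 @@` hunk uses `title: statistics`, while every sibling title in this type is capitalised (`LEQL`, `Logs`, `Search Stats`), and the generated help.md row and schema.py title in this same diff inherit the lowercase form; change it to `title: Statistics`. Judging from the context lines of the two action hunks further down, Advanced Query on Log returns `results_statistical` as type `results_statistics` (with `statistics` now nested inside it) while Advanced Query on Log Set returns `results_statistical` as the flat `statistics` type, so the two actions expose different shapes under the same output name. That pre-dates this change, but since this commit is reshaping `results_statistics` it is the moment to either align the two or state the difference in help.md.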
@@ -1993,13 +1993,13 @@ actions:
 order: 7
 output:
 results_events:
- title: Results Events
+ title: Query Results (Events)
 description: Query Results
 type: "[]events"
 required: false
 example: '[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","user@example.com","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]'
 results_statistical:
- title: Results Statistical
+ title: Query Results (Statistical)
 description: Query Results
 type: results_statistics
 required: false
@@ -2095,13 +2095,13 @@ actions:
 - Web Proxy Activity
 output:
 results_events:
- title: Results Events
+ title: Query Results (Events)
 description: Query Results
 type: "[]events"
 required: false
 example: '[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","user@example.com","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]'
 results_statistical:
- title: Results Statistical
+ title: Query Results (Statistical)
 description: Query Results
 type: statistics
 required: false