From f733b8a2f6c7965a6f389f320c43229962b237f2 Mon Sep 17 00:00:00 2001
From: rjmurray
Date: Tue, 17 Dec 2024 10:28:35 +0000
Subject: [PATCH] Refining Schema for other query actions
---
 plugins/rapid7_insightidr/.CHECKSUM | 8 +-
 plugins/rapid7_insightidr/help.md | 35 ++++--
 .../actions/advanced_query_on_log/schema.py | 84 ++++++++++++-
 .../advanced_query_on_log_set/schema.py | 115 ++++++++++++++++--
 .../actions/query/schema.py | 84 ++++++++++++-
 plugins/rapid7_insightidr/plugin.spec.yaml | 86 ++++++++++---
 6 files changed, 361 insertions(+), 51 deletions(-)
diff --git a/plugins/rapid7_insightidr/.CHECKSUM b/plugins/rapid7_insightidr/.CHECKSUM
index efe1e008c2..48db2ed745 100644
--- a/plugins/rapid7_insightidr/.CHECKSUM
+++ b/plugins/rapid7_insightidr/.CHECKSUM
@@ -1,5 +1,5 @@
 {
- "spec": "f7a752d6162db43ab5a2af23d8fdded1",
+ "spec": "696ad2ef53e23becbc514ade6b807b86",
 "manifest": "447c02c4e8eff1ffc54155a48b270af3",
 "setup": "00df4e2ab481d3954b493d8e94670fca",
 "schemas": [
@@ -9,11 +9,11 @@
 },
 {
 "identifier": "advanced_query_on_log/schema.py",
- "hash": "5095f41c5b730886b330614a79dc0551"
+ "hash": "04f457e70ed006499969f3871fd60314"
 },
 {
 "identifier": "advanced_query_on_log_set/schema.py",
- "hash": "b5b2c8b6a3b884b33241f87004815459"
+ "hash": "651d3e1a7ce2676f00851d04e596584c"
 },
 {
 "identifier": "assign_user_to_investigation/schema.py",
@@ -113,7 +113,7 @@
 },
 {
 "identifier": "query/schema.py",
- "hash": "440b96851f6c0090adde3f3709aa6259"
+ "hash": "3a8132d5735fdbb53f9f26e40cb1ada9"
 },
 {
 "identifier": "replace_indicators/schema.py",
diff --git a/plugins/rapid7_insightidr/help.md b/plugins/rapid7_insightidr/help.md
index 345fbbdabc..b17d7c52c4 100644
--- a/plugins/rapid7_insightidr/help.md
+++ b/plugins/rapid7_insightidr/help.md
@@ -377,7 +377,7 @@ Example input: | :--- | :--- | :--- | :--- | :--- | |count|integer|True|Number of log entries found|10| |results_events|[]events|False|Query Results|[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","user@example.com","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]| -|results_statistical|statistics|False|Query 
Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}| +|results_statistical|results_statistics|False|Query 
Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}| Example output: @@ -3068,13 +3068,16 @@ Example output: |Name|Type|Default|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | :--- | -|Computer Name|string|None|None|None|None| -|Event Code|integer|None|None|None|None| -|Event Data|eventData|None|None|None|None| -|Is Domain Controller|boolean|None|None|None|None| -|SID|string|None|None|None|None| -|Source Name|string|None|None|None|None| -|Time Written|string|None|None|None|None| +|Destination Asset|string|None|None|None|None| +|Destination Asset Address|string|None|None|None|None| +|Destination Local Account|string|None|None|None|None| +|Logon Type|string|None|None|None|None| +|New Authentication|string|None|None|None|None| +|Result|string|None|None|None|None| +|Service|string|None|None|None|None| +|Source Asset Address|string|None|None|None|None| +|Source JSON|source_json|None|None|None|None| +|Timestamp|string|None|None|None|None| **events** 
@@ -3085,6 +3088,7 @@ Example output: |Log ID|string|None|None|Log ID|None| |Message|message|None|None|Message|None| |Sequence Number|integer|None|None|Sequence number|None| +|Sequence Number String|string|None|None|Sequence number string|None| |Timestamp|integer|None|None|Timestamp|None| **results_statistics** @@ -3114,6 +3118,19 @@ Example output: |To|integer|None|False|The end of the time range for the query, as a UNIX timestamp in milliseconds|None| |Type|string|None|False|The type of function performed, for example, "count", "max", "average", "standarddeviation"|None| +**source_json** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|Computer Name|string|None|False|None|None| +|Event Code|integer|None|False|None|None| +|Event Data|eventData|None|False|None|None| +|Insertion Strings|[]string|None|False|Insertion Strings|None| +|Is Domain Controller|boolean|None|False|None|None| +|SID|string|None|False|None|None| +|Source Name|string|None|False|Source Name|None| +|Time Written|string|None|False|None|None| + **links** |Name|Type|Default|Required|Description|Example| @@ -3410,7 +3427,7 @@ Example output: # Version History -* 11.0.0 - Updating schema for 'advanced_query_on_log' action to account for missing keys +* 11.0.0 - Updating schema for query actions (`advanced_query_on_log`, `advanced_query_on_log_set` & `query`) to account for missing keys/invalid mapping in the schema * 10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2 * 10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0 * 10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py index 30c02f90a5..cb70564363 100755 --- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py 
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py 
@@ -177,47 +177,119 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
 "$ref": "#/definitions/link"
 },
 "order": 6
+ },
+ "sequence_number_str": {
+ "type": "string",
+ "title": "Sequence Number String",
+ "description": "Sequence number string",
+ "order": 7
 }
 }
 },
 "message": {
 "type": "object",
 "title": "message",
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "title": "Timestamp",
+ "order": 1
+ },
+ "destination_asset": {
+ "type": "string",
+ "title": "Destination Asset",
+ "order": 2
+ },
+ "source_asset_address": {
+ "type": "string",
+ "title": "Source Asset Address",
+ "order": 3
+ },
+ "destination_asset_address": {
+ "type": "string",
+ "title": "Destination Asset Address",
+ "order": 4
+ },
+ "destination_local_account": {
+ "type": "string",
+ "title": "Destination Local Account",
+ "order": 5
+ },
+ "logon_type": {
+ "type": "string",
+ "title": "Logon Type",
+ "order": 6
+ },
+ "result": {
+ "type": "string",
+ "title": "Result",
+ "order": 7
+ },
+ "new_authentication": {
+ "type": "string",
+ "title": "New Authentication",
+ "order": 8
+ },
+ "service": {
+ "type": "string",
+ "title": "Service",
+ "order": 9
+ },
+ "source_json": {
+ "$ref": "#/definitions/source_json",
+ "title": "Source JSON",
+ "order": 10
+ }
+ }
+ },
+ "source_json": {
+ "type": "object",
+ "title": "source_json",
 "properties": {
 "sourceName": {
 "type": "string",
 "title": "Source Name",
+ "description": "Source Name",
 "order": 1
 },
+ "insertionStrings": {
+ "type": "array",
+ "title": "Insertion Strings",
+ "description": "Insertion Strings",
+ "items": {
+ "type": "string"
+ },
+ "order": 2
+ },
 "eventCode": {
 "type": "integer",
 "title": "Event Code",
- "order": 2
+ "order": 3
 },
 "computerName": {
 "type": "string",
 "title": "Computer Name",
- "order": 3
+ "order": 4
 },
 "sid": {
 "type": "string",
 "title": "SID",
- "order": 4
+ "order": 5
 },
 "isDomainController": {
 "type": "boolean",
 "title": "Is Domain Controller",
- "order": 5
+ "order": 6
 },
 "eventData": {
 "$ref": "#/definitions/eventData",
 "title": "Event Data",
- "order": 6
+ "order": 7
 },
 "timeWritten": {
 "type": "string",
 "title": "Time Written",
- "order": 7
+ "order": 8
 }
 }
 },
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
index 2a351021a7..4754b20da6 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log_set/schema.py
@@ -140,7 +140,7 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 "order": 1
 },
 "results_statistical": {
- "$ref": "#/definitions/statistics",
+ "$ref": "#/definitions/results_statistics",
 "title": "Query Results (Statistical)",
 "description": "Query Results",
 "order": 2
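Review bot: The new `message` definition types the log line as one specific Windows logon event — `logon_type`, `destination_local_account`, `new_authentication`, `service` and `source_json` are the keys of the Security-Auditing 4624 sample in help.md — yet this is the output of a generic log-search action, and the same fixed shape is repeated in the `advanced_query_on_log_set` (`@@ -195`) and `query` (`@@ -111`) hunks. Nothing in the hunk marks these properties as optional or source-specific, so the generated help will present them as the contract for every log; since schema.py is generated from plugin.spec.yaml, the `message` type there (hunk `@@ -403`) should carry `required: false` and a description on each field along the lines of `description: Field of the Windows logon event shown in the example; may be absent for other log sources` so that it propagates here. The `sequence_number_str` description `"Sequence number string"` only restates the title, and the help example shows it holding the `sequence_number` value as a string, so `"description": "Sequence number as a string (same value as sequence_number)"` would tell consumers why both fields exist. AdvancedQueryOnLogOutput continues outside the hunk.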
@@ -195,47 +195,119 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 "$ref": "#/definitions/link"
 },
 "order": 6
+ },
+ "sequence_number_str": {
+ "type": "string",
+ "title": "Sequence Number String",
+ "description": "Sequence number string",
+ "order": 7
 }
 }
 },
 "message": {
 "type": "object",
 "title": "message",
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "title": "Timestamp",
+ "order": 1
+ },
+ "destination_asset": {
+ "type": "string",
+ "title": "Destination Asset",
+ "order": 2
+ },
+ "source_asset_address": {
+ "type": "string",
+ "title": "Source Asset Address",
+ "order": 3
+ },
+ "destination_asset_address": {
+ "type": "string",
+ "title": "Destination Asset Address",
+ "order": 4
+ },
+ "destination_local_account": {
+ "type": "string",
+ "title": "Destination Local Account",
+ "order": 5
+ },
+ "logon_type": {
+ "type": "string",
+ "title": "Logon Type",
+ "order": 6
+ },
+ "result": {
+ "type": "string",
+ "title": "Result",
+ "order": 7
+ },
+ "new_authentication": {
+ "type": "string",
+ "title": "New Authentication",
+ "order": 8
+ },
+ "service": {
+ "type": "string",
+ "title": "Service",
+ "order": 9
+ },
+ "source_json": {
+ "$ref": "#/definitions/source_json",
+ "title": "Source JSON",
+ "order": 10
+ }
+ }
+ },
+ "source_json": {
+ "type": "object",
+ "title": "source_json",
 "properties": {
 "sourceName": {
 "type": "string",
 "title": "Source Name",
+ "description": "Source Name",
 "order": 1
 },
+ "insertionStrings": {
+ "type": "array",
+ "title": "Insertion Strings",
+ "description": "Insertion Strings",
+ "items": {
+ "type": "string"
+ },
+ "order": 2
+ },
 "eventCode": {
 "type": "integer",
 "title": "Event Code",
- "order": 2
+ "order": 3
 },
 "computerName": {
 "type": "string",
 "title": "Computer Name",
- "order": 3
+ "order": 4
 },
 "sid": {
 "type": "string",
 "title": "SID",
- "order": 4
+ "order": 5
 },
 "isDomainController": {
 "type": "boolean",
 "title": "Is Domain Controller",
- "order": 5
+ "order": 6
 },
 "eventData": {
 "$ref": "#/definitions/eventData",
 "title": "Event Data",
- "order": 6
+ "order": 7
 },
 "timeWritten": {
 "type": "string",
 "title": "Time Written",
- "order": 7
+ "order": 8
 }
 }
 },
@@ -416,6 +488,35 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
 }
 }
 },
+ "results_statistics": {
+ "type": "object",
+ "title": "results_statistics",
+ "properties": {
+ "statistics": {
+ "$ref": "#/definitions/statistics",
+ "title": "statistics",
+ "description": "Holds the overall statistical results",
+ "order": 1
+ },
+ "leql": {
+ "type": "object",
+ "title": "LEQL",
+ "description": "The LEQL 'WHERE' clause to match against",
+ "order": 2
+ },
+ "logs": {
+ "title": "Logs",
+ "description": "Holds the Log ID of the matching log entry",
+ "order": 3
+ },
+ "search_stats": {
+ "type": "object",
+ "title": "Search Stats",
+ "description": "Holds data regarding the query execution",
+ "order": 4
+ }
+ }
+ },
 "statistics": {
 "type": "object",
 "title": "statistics",
diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
index bcc0c26a70..0fe15b9a58 100755
--- a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
+++ b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/query/schema.py
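Review bot: In the new `results_statistics` definition (hunk `@@ -416`) the `logs` property has no `"type"` and no `items`, so it validates against any JSON value, while the example in help.md and plugin.spec.yaml shows it as a list of log-ID strings; add `"type": "array", "items": {"type": "string"}` next to its `"title": "Logs"`. `leql` and `search_stats` are declared as bare `object`s although the same example fixes their shape (`during.from`/`during.to`/`statement`; `bytes_all`/`events_matched`/`index_factor` and so on), which is exactly the missing-key gap this commit sets out to close, so at minimum their descriptions could list the keys seen in the example. This definition appears to be generated from the `results_statistics` type in plugin.spec.yaml, which is only context in this diff, so the fix belongs there followed by a regeneration. AdvancedQueryOnLogSetOutput continues outside the hunk.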
@@ -111,47 +111,119 @@ class QueryOutput(insightconnect_plugin_runtime.Output):
 "$ref": "#/definitions/link"
 },
 "order": 6
+ },
+ "sequence_number_str": {
+ "type": "string",
+ "title": "Sequence Number String",
+ "description": "Sequence number string",
+ "order": 7
 }
 }
 },
 "message": {
 "type": "object",
 "title": "message",
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "title": "Timestamp",
+ "order": 1
+ },
+ "destination_asset": {
+ "type": "string",
+ "title": "Destination Asset",
+ "order": 2
+ },
+ "source_asset_address": {
+ "type": "string",
+ "title": "Source Asset Address",
+ "order": 3
+ },
+ "destination_asset_address": {
+ "type": "string",
+ "title": "Destination Asset Address",
+ "order": 4
+ },
+ "destination_local_account": {
+ "type": "string",
+ "title": "Destination Local Account",
+ "order": 5
+ },
+ "logon_type": {
+ "type": "string",
+ "title": "Logon Type",
+ "order": 6
+ },
+ "result": {
+ "type": "string",
+ "title": "Result",
+ "order": 7
+ },
+ "new_authentication": {
+ "type": "string",
+ "title": "New Authentication",
+ "order": 8
+ },
+ "service": {
+ "type": "string",
+ "title": "Service",
+ "order": 9
+ },
+ "source_json": {
+ "$ref": "#/definitions/source_json",
+ "title": "Source JSON",
+ "order": 10
+ }
+ }
+ },
+ "source_json": {
+ "type": "object",
+ "title": "source_json",
 "properties": {
 "sourceName": {
 "type": "string",
 "title": "Source Name",
+ "description": "Source Name",
 "order": 1
 },
+ "insertionStrings": {
+ "type": "array",
+ "title": "Insertion Strings",
+ "description": "Insertion Strings",
+ "items": {
+ "type": "string"
+ },
+ "order": 2
+ },
 "eventCode": {
 "type": "integer",
 "title": "Event Code",
- "order": 2
+ "order": 3
 },
 "computerName": {
 "type": "string",
 "title": "Computer Name",
- "order": 3
+ "order": 4
 },
 "sid": {
 "type": "string",
 "title": "SID",
- "order": 4
+ "order": 5
 },
 "isDomainController": {
 "type": "boolean",
 "title": "Is Domain Controller",
- "order": 5
+ "order": 6
 },
 "eventData": {
 "$ref": "#/definitions/eventData",
 "title": "Event Data",
- "order": 6
+ "order": 7
 },
 "timeWritten": {
 "type": "string",
 "title": "Time Written",
- "order": 7
+ "order": 8
 }
 }
 },
diff --git a/plugins/rapid7_insightidr/plugin.spec.yaml b/plugins/rapid7_insightidr/plugin.spec.yaml
index fd13ab83f5..edf40051c2 100644
--- a/plugins/rapid7_insightidr/plugin.spec.yaml
+++ b/plugins/rapid7_insightidr/plugin.spec.yaml
@@ -36,7 +36,7 @@ sdk:
 version: 6.2.2
 user: nobody
 version_history:
- - "11.0.0 - Updating schema for 'advanced_query_on_log' action to account for missing keys"
+ - "11.0.0 - Updating schema for query actions (`advanced_query_on_log`, `advanced_query_on_log_set` & `query`) to account for missing keys/invalid mapping in the schema"
 - "10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2"
 - "10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0"
 - "10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version"
@@ -403,27 +403,36 @@ types:
 description: Last full scan age
 required: false
 message:
- sourceName:
- title: Source Name
+ timestamp:
+ title: Timestamp
 type: string
- eventCode:
- title: Event Code
- type: integer
- computerName:
- title: Computer Name
+ destination_asset:
+ title: Destination Asset
 type: string
- sid:
- title: SID
+ source_asset_address:
+ title: Source Asset Address
 type: string
- isDomainController:
- title: Is Domain Controller
- type: boolean
- eventData:
- title: Event Data
- type: eventData
- timeWritten:
- title: Time Written
+ destination_asset_address:
+ title: Destination Asset Address
+ type: string
+ destination_local_account:
+ title: Destination Local Account
+ type: string
+ logon_type:
+ title: Logon Type
 type: string
+ result:
+ title: Result
+ type: string
+ new_authentication:
+ title: New Authentication
+ type: string
+ service:
+ title: Service
+ type: string
+ source_json:
+ title: Source JSON
+ type: source_json
 events:
 labels:
 title: Labels
@@ -449,6 +458,10 @@ types:
 title: Links
 description: Links
 type: "[]link"
+ sequence_number_str:
+ title: Sequence Number String
+ description: Sequence number string
+ type: string
 results_statistics:
 statistics:
 title: statistics
@@ -536,6 +549,41 @@ types:
 description: Boolean indicating whether groups are calculated approximately (approximated if a groupby query involves over 10,000 groups)
 type: boolean
 required: false
+ source_json:
+ sourceName:
+ title: Source Name
+ type: string
+ description: Source Name
+ required: false
+ insertionStrings:
+ title: Insertion Strings
+ type: "[]string"
+ description: Insertion Strings
+ required: false
+ eventCode:
+ title: Event Code
+ type: integer
+ required: false
+ computerName:
+ title: Computer Name
+ type: string
+ required: false
+ sid:
+ title: SID
+ type: string
+ required: false
+ isDomainController:
+ title: Is Domain Controller
+ type: boolean
+ required: false
+ eventData:
+ title: Event Data
+ type: eventData
+ required: false
+ timeWritten:
+ title: Time Written
+ type: string
+ required: false
 links:
 href:
 title: HREF
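Review bot: In the new `source_json` type (hunk `@@ -536`), `sourceName` and `insertionStrings` carry descriptions that only repeat their titles (`description: Source Name`, `description: Insertion Strings`) while the other six fields have none, so the generated help table shows a mix of tautologies and `None`. Either drop those two or write descriptions that say what the values are, which the help.md example already shows: `description: Windows event provider name, e.g. Microsoft-Windows-Security-Auditing` for `sourceName` and `description: Insertion strings of the Windows event record, as a list` for `insertionStrings`. Since the schema.py files are generated from this spec, fixing the wording here and regenerating keeps the three action schemas consistent.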
@@ -2103,7 +2151,7 @@ actions:
 results_statistical:
 title: Query Results (Statistical)
 description: Query Results
- type: statistics
+ type: results_statistics
 required: false
 example: '{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}'
 count: