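    def run(self, params=None):
        """List InsightIDR investigations, forwarding the set inputs as query parameters.

        Args:
            params: action inputs. Every key with a truthy value is passed through
                unchanged as a query parameter. ``statuses`` is required; the value
                ``EITHER`` is treated as "no status filter" and is dropped rather
                than sent.

        Returns:
            ``{Output.INVESTIGATIONS: <data list>, Output.METADATA: <metadata>}``
            taken from the decoded InsightIDR response.

        Raises:
            PluginException: ``statuses`` is blank, the response body is not JSON,
                or it lacks the ``data`` / ``metadata`` keys.
        """
        # ``None`` replaces the shared mutable ``{}`` default; callers that pass
        # a dict see no difference.
        params = {} if params is None else params

        # Drop blank / None / False inputs so they are not sent as empty filters.
        rest_params = {key: value for key, value in params.items() if value}
        if not rest_params.get('statuses'):
            raise PluginException(cause='The statuses parameter cannot be blank.',
                                  assistance='choose a statuses parameter, and please report this bug to support.')
        if rest_params.get('statuses') == 'EITHER':
            del rest_params['statuses']

        request = ResourceHelper(self.connection.session, self.logger)
        endpoint = Investigations.list_investigations(self.connection.url)
        response = request.resource_request(endpoint, 'get', params=rest_params)

        try:
            result = json.loads(response['resource'])
        except json.decoder.JSONDecodeError as error:
            # NOTE(review): this logs the whole raw response; investigation
            # payloads may hold case details, so treat these logs as sensitive.
            self.logger.error(f'InsightIDR response: {response}')
            raise PluginException(cause='The response from InsightIDR was not in the correct format.',
                                  assistance='Contact support for help. See log for more details') from error

        # TypeError covers a decoded body that is not a JSON object (e.g. a list),
        # which the original KeyError-only handler let escape.
        try:
            investigations = result['data']
            metadata = result['metadata']
        except (KeyError, TypeError) as error:
            self.logger.error(result)
            raise PluginException(cause='The response from InsightIDR was not in the correct format.',
                                  assistance='Contact support for help. See log for more details') from error
        return {Output.INVESTIGATIONS: investigations, Output.METADATA: metadata}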
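    def run(self, params=None):
        """Assign a user, identified by e-mail address, to an investigation.

        Args:
            params: action inputs; ``Input.ID`` is the investigation id and
                ``Input.USER_EMAIL_ADDRESS`` the assignee. Both are read with
                ``get``, so a missing key is sent as ``None``.

        Returns:
            ``{Output.SUCCESS: True, Output.INVESTIGATION: <decoded response>}``.

        Raises:
            PluginException: the API returned an HTTP error status, or the
                response body could not be decoded as JSON.
        """
        # ``None`` replaces the shared mutable ``{}`` default.
        params = {} if params is None else params

        investigation_id = params.get(Input.ID)
        user_email = params.get(Input.USER_EMAIL_ADDRESS)

        endpoint = Investigations.set_user_for_investigation(
            self.connection.url, investigation_id)
        payload = {"user_email_address": user_email}

        response = self.connection.session.put(endpoint, json=payload)
        try:
            response.raise_for_status()
        except Exception as error:
            # The session's concrete HTTP-error class is not in scope here, so the
            # broad catch is kept; the cause is chained instead of being dropped.
            raise PluginException(
                cause="The IDR API returned an error.",
                assistance=
                "Usually this is the result of an invalid user email or investigation ID. Please see the following for more information:\n",
                data=response.text) from error

        try:
            result = response.json()
        except json.decoder.JSONDecodeError as error:
            self.logger.error(f'InsightIDR response: {response}')
            # ``data`` now carries the body text, matching the HTTP-error branch
            # above; the original passed the response object itself.
            raise PluginException(
                cause=
                'The response from InsightIDR was not in the correct format.',
                assistance='Contact support for help. See log for more details',
                data=response.text) from error

        return {Output.SUCCESS: True, Output.INVESTIGATION: result}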
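    def run(self, params=None):
        """Set the status of an investigation.

        Args:
            params: action inputs; ``Input.ID`` is the investigation id and
                ``Input.STATUS`` the new status. Both are read with ``get``.

        Returns:
            ``{Output.INVESTIGATION: <decoded response>}``.

        Raises:
            PluginException: the response body could not be decoded as JSON.
        """
        # ``None`` replaces the shared mutable ``{}`` default.
        params = {} if params is None else params

        idr_id = params.get(Input.ID)
        status = params.get(Input.STATUS)
        request = ResourceHelper(self.connection.session, self.logger)

        endpoint = Investigations.set_the_status_of_an_investigation(
            self.connection.url, idr_id, status)
        response = request.resource_request(endpoint, "put")

        try:
            result = json.loads(response["resource"])
        except json.decoder.JSONDecodeError as error:
            self.logger.error(f"InsightIDR response: {response}")
            raise PluginException(
                cause=
                "The response from InsightIDR was not in the correct format.",
                assistance="Contact support for help. See log for more details",
            ) from error

        # The original wrapped this return in a try/except KeyError that could
        # never fire (no key lookup happens here); the dead handler is removed.
        return {Output.INVESTIGATION: result}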
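    def run(self, params=None):
        """List InsightIDR investigations within an optional time window.

        Args:
            params: action inputs. Every key with a truthy value is forwarded as a
                query parameter; ``statuses`` is required and ``EITHER`` is dropped
                ("no status filter"). ``Input.START_TIME`` / ``Input.END_TIME``,
                when set, are parsed as ISO 8601 and re-emitted in UTC as
                ``YYYY-MM-DDTHH:MM:SSZ`` under ``start_time`` / ``end_time``.

        Returns:
            ``{Output.INVESTIGATIONS: <data list>, Output.METADATA: <metadata>}``.

        Raises:
            PluginException: ``statuses`` is blank, a time bound is not a valid
                ISO 8601 string, the response body is not JSON, or it lacks the
                ``data`` / ``metadata`` keys.
        """
        # ``None`` replaces the shared mutable ``{}`` default.
        params = {} if params is None else params

        def to_utc_iso(label, value):
            """Parse an ISO 8601 string and format it as ``YYYY-MM-DDTHH:MM:SSZ``."""
            try:
                parsed = datetime.datetime.fromisoformat(value)
            except (TypeError, ValueError) as error:
                # Previously an unhandled exception from fromisoformat();
                # surface it as an actionable plugin error instead.
                raise PluginException(
                    cause=f"The {label} parameter is not a valid ISO 8601 timestamp.",
                    assistance="Provide a value such as 2020-01-01T00:00:00+00:00.",
                ) from error
            # NOTE(review): a naive value (no UTC offset) is interpreted by
            # astimezone() as the host's local time - confirm that is intended.
            return parsed.astimezone(
                datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

        # Drop blank / None / False inputs so they are not sent as empty filters.
        rest_params = {key: value for key, value in params.items() if value}
        if not rest_params.get("statuses"):
            raise PluginException(
                cause="The statuses parameter cannot be blank.",
                assistance=
                "choose a statuses parameter, and please report this bug to support.",
            )
        if rest_params.get("statuses") == "EITHER":
            del rest_params["statuses"]

        # The normalised values overwrite whatever was copied above under the same
        # keys (presumably Input.START_TIME == "start_time" - verify against Input).
        start_time = params.get(Input.START_TIME)
        if start_time:
            rest_params["start_time"] = to_utc_iso("start_time", start_time)
        end_time = params.get(Input.END_TIME)
        if end_time:
            rest_params["end_time"] = to_utc_iso("end_time", end_time)

        request = ResourceHelper(self.connection.session, self.logger)
        endpoint = Investigations.list_investigations(self.connection.url)
        response = request.resource_request(endpoint,
                                            "get",
                                            params=rest_params)

        try:
            result = json.loads(response["resource"])
        except json.decoder.JSONDecodeError as error:
            # NOTE(review): logs the whole raw response; treat as sensitive.
            self.logger.error(f"InsightIDR response: {response}")
            raise PluginException(
                cause=
                "The response from InsightIDR was not in the correct format.",
                assistance="Contact support for help. See log for more details",
            ) from error

        # TypeError covers a decoded body that is not a JSON object.
        try:
            investigations = result["data"]
            metadata = result["metadata"]
        except (KeyError, TypeError) as error:
            self.logger.error(result)
            raise PluginException(
                cause=
                "The response from InsightIDR was not in the correct format.",
                assistance="Contact support for help. See log for more details",
            ) from error
        return {
            Output.INVESTIGATIONS: investigations,
            Output.METADATA: metadata
        }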
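    def run(self, params=None):
        """Close investigations in bulk for a time window.

        Args:
            params: action inputs. ``Input.SOURCE`` defaults to ``"MANUAL"``;
                ``Input.MAX_INVESTIGATIONS_TO_CLOSE`` and ``Input.ALERT_TYPE``
                default to ``None`` and are placed in the payload as-is.
                ``Input.DATETIME_FROM`` / ``Input.DATETIME_TO`` default to the
                window from seven days ago until now, in UTC with a ``Z`` suffix.

        Returns:
            ``{Output.IDS: <ids list>, Output.NUM_CLOSED: <count>}``; ``[]`` and
            ``0`` when the response omits those keys.

        Raises:
            PluginException: the response body could not be decoded as JSON.
        """
        # Local import: the file-level import block is not visible in this view.
        from datetime import timezone

        # ``None`` replaces the shared mutable ``{}`` default.
        params = {} if params is None else params

        request = ResourceHelper(self.connection.session, self.logger)
        endpoint = Investigations.close_investigations_in_bulk(
            self.connection.url)

        source = self._get_with_default(params, Input.SOURCE, "MANUAL")
        max_investigations_to_close = self._get_with_default(
            params, Input.MAX_INVESTIGATIONS_TO_CLOSE, None)
        alert_type = self._get_with_default(params, Input.ALERT_TYPE, None)

        # The defaults carry a trailing "Z", so they must be computed in UTC: the
        # original used naive datetime.now() (host-local time) under a "Z" suffix,
        # shifting the window by the host's UTC offset. tzinfo is cleared so
        # isoformat() yields "YYYY-MM-DDTHH:MM:SS" with no offset before the "Z".
        now_utc = datetime.now(timezone.utc).replace(microsecond=0, tzinfo=None)
        timestamp_from = params.get(Input.DATETIME_FROM)
        if not timestamp_from:
            timestamp_from = f"{(now_utc - timedelta(days=7)).isoformat()}Z"
        timestamp_to = params.get(Input.DATETIME_TO)
        if not timestamp_to:
            timestamp_to = f"{now_utc.isoformat()}Z"

        response = request.resource_request(endpoint,
                                            'post',
                                            payload={
                                                "alert_type": alert_type,
                                                "from": timestamp_from,
                                                "max_investigations_to_close":
                                                max_investigations_to_close,
                                                "source": source,
                                                "to": timestamp_to,
                                            })

        try:
            # An absent "resource" entry is treated as an empty object.
            result = json.loads(response.get("resource", '{}'))
        except json.decoder.JSONDecodeError as error:
            self.logger.error(f'InsightIDR response: {response}')
            raise PluginException(
                cause=
                'The response from InsightIDR was not in the expected format.',
                assistance=
                'Contact support for help. See log for more details:',
                data=response) from error

        return {
            Output.IDS: result.get("ids", []),
            Output.NUM_CLOSED: result.get("num_closed", 0)
        }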