def run(self, params={}):
rest_params = {}
for key in params:
if params[key]:
rest_params[key] = params[key]
if not rest_params.get('statuses'):
raise PluginException(cause='The statuses parameter cannot be blank.',
assistance='choose a statues parameter, and please report this bug to support.')
if rest_params.get('statuses') == 'EITHER':
del rest_params['statuses']
request = ResourceHelper(self.connection.session, self.logger)
endpoint = Investigations.list_investigations(self.connection.url)
response = request.resource_request(endpoint, 'get', params=rest_params)
try:
result = json.loads(response['resource'])
except json.decoder.JSONDecodeError:
self.logger.error(f'InsightIDR response: {response}')
raise PluginException(cause='The response from InsightIDR was not in the correct format.',
assistance='Contact support for help. See log for more details')
try:
investigations = result['data']
metadata = result['metadata']
return {Output.INVESTIGATIONS: investigations, Output.METADATA: metadata}
except KeyError:
self.logger.error(result)
raise PluginException(cause='The response from InsightIDR was not in the correct format.',
assistance='Contact support for help. See log for more details')
def run(self, params={}):
idr_id = params.get(Input.ID)
status = params.get(Input.STATUS)
request = ResourceHelper(self.connection.session, self.logger)
endpoint = Investigations.set_the_status_of_an_investigation(
self.connection.url, idr_id, status)
response = request.resource_request(endpoint, "put")
try:
result = json.loads(response["resource"])
except json.decoder.JSONDecodeError:
self.logger.error(f"InsightIDR response: {response}")
raise PluginException(
cause=
"The response from InsightIDR was not in the correct format.",
assistance="Contact support for help. See log for more details",
)
try:
return {Output.INVESTIGATION: result}
except KeyError:
self.logger.error(result)
raise PluginException(
cause=
"The response from InsightIDR was not in the correct format.",
assistance="Contact support for help. See log for more details",
)
def run(self, params={}):
rest_params = {}
start_time = params.get(Input.START_TIME, None)
end_time = params.get(Input.END_TIME, None)
for key in params:
if params[key]:
rest_params[key] = params[key]
if not rest_params.get("statuses"):
raise PluginException(
cause="The statuses parameter cannot be blank.",
assistance=
"choose a statues parameter, and please report this bug to support.",
)
if rest_params.get("statuses") == "EITHER":
del rest_params["statuses"]
if start_time:
start_time_parsed = datetime.datetime.fromisoformat(start_time)
rest_params["start_time"] = start_time_parsed.astimezone(
datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
if end_time:
end_time_parsed = datetime.datetime.fromisoformat(end_time)
rest_params["end_time"] = end_time_parsed.astimezone(
datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
request = ResourceHelper(self.connection.session, self.logger)
endpoint = Investigations.list_investigations(self.connection.url)
response = request.resource_request(endpoint,
"get",
params=rest_params)
try:
result = json.loads(response["resource"])
except json.decoder.JSONDecodeError:
self.logger.error(f"InsightIDR response: {response}")
raise PluginException(
cause=
"The response from InsightIDR was not in the correct format.",
assistance="Contact support for help. See log for more details",
)
try:
investigations = result["data"]
metadata = result["metadata"]
return {
Output.INVESTIGATIONS: investigations,
Output.METADATA: metadata
}
except KeyError:
self.logger.error(result)
raise PluginException(
cause=
"The response from InsightIDR was not in the correct format.",
assistance="Contact support for help. See log for more details",
)
def run(self, params={}):
request = ResourceHelper(self.connection.session, self.logger)
endpoint = Threats.add_indicators_to_a_threat(self.connection.url, params.pop(Input.KEY))
response = request.resource_request(endpoint, 'post',
params={"format": "json"},
payload=params)
try:
result = json.loads(response['resource'])
except json.decoder.JSONDecodeError:
self.logger.error(f'InsightIDR response: {response}')
raise PluginException(cause='The response from InsightIDR was not in the correct format.',
assistance='Contact support for help. See log for more details',
data=response)
return {Output.REJECTED_INDICATORS: result["rejected_indicators"], Output.THREAT: result["threat"]}
def run(self, params={}):
request = ResourceHelper(self.connection.session, self.logger)
response = request.resource_request(
Logs.get_all_logs(self.connection.url), 'get')
try:
result = json.loads(response['resource'])
except (json.decoder.JSONDecodeError, IndexError, KeyError):
self.logger.error(f'InsightIDR response: {response}')
raise PluginException(
cause=
'The response from InsightIDR was not in the correct format.',
assistance='Contact support for help. See log for more details.'
)
return {Output.LOGS: result}
def run(self, params={}):
request = ResourceHelper(self.connection.session, self.logger)
endpoint = Investigations.close_investigations_in_bulk(
self.connection.url)
source = self._get_with_default(params, Input.SOURCE, "MANUAL")
max_investigations_to_close = self._get_with_default(
params, Input.MAX_INVESTIGATIONS_TO_CLOSE, None)
alert_type = self._get_with_default(params, Input.ALERT_TYPE, None)
timestamp_from = params.get(Input.DATETIME_FROM)
if not timestamp_from:
timestamp_from = (datetime.now() - timedelta(days=7)).replace(
microsecond=0).isoformat()
timestamp_from = f"{timestamp_from}Z"
timestamp_to = params.get(Input.DATETIME_TO)
if not timestamp_to:
timestamp_to = datetime.now().replace(microsecond=0).isoformat()
timestamp_to = f"{timestamp_to}Z"
response = request.resource_request(endpoint,
'post',
payload={
"alert_type": alert_type,
"from": timestamp_from,
"max_investigations_to_close":
max_investigations_to_close,
"source": source,
"to": timestamp_to,
})
try:
result = json.loads(response.get("resource", '{}'))
except json.decoder.JSONDecodeError:
self.logger.error(f'InsightIDR response: {response}')
raise PluginException(
cause=
'The response from InsightIDR was not in the expected format.',
assistance=
'Contact support for help. See log for more details:',
data=response)
return {
Output.IDS: result.get("ids", []),
Output.NUM_CLOSED: result.get("num_closed", 0)
}
def run(self, params={}):
time_now = int(time.time())
request = ResourceHelper(self.connection.session, self.logger)
# 7776000 - is for three months from now.
# It is here because InsightDR keep logs for three months in hot storage
three_months_seconds = 7776000
request_params = {
"from": (time_now - three_months_seconds) * 1000,
"to": time_now * 1000
}
response = request.resource_request(QueryLogs.get_query_logs(
self.connection.url, params.get(Input.ID)),
'get',
params=request_params)
try:
result = json.loads(response['resource'])
if response["status"] == 202:
response = request.resource_request(result["links"][0]["href"],
'get',
params=request_params)
result = json.loads(response['resource'])
except (json.decoder.JSONDecodeError, IndexError, KeyError):
self.logger.error(f'InsightIDR response: {response}')
raise PluginException(
cause=
'The response from InsightIDR was not in the correct format.',
assistance='Contact support for help. See log for more details.'
)
try:
result_response = []
events = result.get("events", [])
if events:
for event in events:
event["message"] = json.loads(event["message"].replace(
'\n', '\\n'))
result_response.append(event)
return {Output.EVENTS: result_response}
except KeyError:
self.logger.error(result)
raise PluginException(
cause=
'The response from InsightIDR was not in the correct format.',
assistance='Contact support for help. See log for more details.'
)
def run(self, params={}):
request = ResourceHelper(self.connection.session, self.logger)
response = request.resource_request(
Logs.get_a_log(self.connection.url, params.get(Input.ID)), "get")
try:
result = json.loads(response["resource"])
except (json.decoder.JSONDecodeError, IndexError, KeyError):
self.logger.error(f"InsightIDR response: {response}")
raise PluginException(
cause=
"The response from InsightIDR was not in the correct format.",
assistance=
"Contact support for help. See log for more details.",
)
return {Output.LOG: result}