[SOAR-18495] Rapid7_InsightIDR Fix Schema (advanced_query_on_log) (#2995

) (#3011) * Schema update * Removing key from schema. Keeping same naming convention (Uppercase) * Accidentally removed wrong key :/ * Major bump * Refining Schema for other query actions
rapid7 · Dec 18, 2024 · 21e7d03 · 21e7d03
1 parent d416b9e
commit 21e7d03
Show file tree

Hide file tree

Showing 8 changed files with 536 additions and 42 deletions.
diff --git a/plugins/rapid7_insightidr/.CHECKSUM b/plugins/rapid7_insightidr/.CHECKSUM
@@ -1,19 +1,19 @@
 {
-	"spec": "ef55d0eaab88354037eb0e7a0c1d5ca0",
-	"manifest": "a9dc8b0c15952a931013e92670cdf86b",
-	"setup": "8b4da6c79f36dd56dfc82e26d0009a8b",
+	"spec": "696ad2ef53e23becbc514ade6b807b86",
+	"manifest": "447c02c4e8eff1ffc54155a48b270af3",
+	"setup": "00df4e2ab481d3954b493d8e94670fca",
 	"schemas": [
 		{
 			"identifier": "add_indicators_to_a_threat/schema.py",
 			"hash": "95108ef162aa99c34e0d20ba2fd3035e"
 		},
 		{
 			"identifier": "advanced_query_on_log/schema.py",
-			"hash": "c25673288c3406030e64dc6f3451821d"
+			"hash": "04f457e70ed006499969f3871fd60314"
 		},
 		{
 			"identifier": "advanced_query_on_log_set/schema.py",
-			"hash": "ff689fccb0ed297d1c5f7f45877fd138"
+			"hash": "651d3e1a7ce2676f00851d04e596584c"
 		},
 		{
 			"identifier": "assign_user_to_investigation/schema.py",
@@ -113,7 +113,7 @@
 		},
 		{
 			"identifier": "query/schema.py",
-			"hash": "ec57e897be9e044c6607e33ab15020b0"
+			"hash": "3a8132d5735fdbb53f9f26e40cb1ada9"
 		},
 		{
 			"identifier": "replace_indicators/schema.py",

diff --git a/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr b/plugins/rapid7_insightidr/bin/komand_rapid7_insightidr
@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Rapid7 InsightIDR"
 Vendor = "rapid7"
-Version = "10.3.4"
+Version = "11.0.0"
 Description = "This plugin allows you to add indicators to a threat and see the status of investigations"
 
 

diff --git a/plugins/rapid7_insightidr/help.md b/plugins/rapid7_insightidr/help.md
@@ -146,7 +146,7 @@ Example input:
 | :--- | :--- | :--- | :--- | :--- |
 |count|integer|True|Number of log entries found|10|
 |results_events|[]events|False|Query Results|[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","[email protected]","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]|
-|results_statistical|statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
+|results_statistical|results_statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
 
 Example output:
 
@@ -377,7 +377,7 @@ Example input:
 | :--- | :--- | :--- | :--- | :--- |
 |count|integer|True|Number of log entries found|10|
 |results_events|[]events|False|Query Results|[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","[email protected]","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]|
-|results_statistical|statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
+|results_statistical|results_statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
 
 Example output:
 
@@ -3068,13 +3068,16 @@ Example output:
 
 |Name|Type|Default|Required|Description|Example|
 | :--- | :--- | :--- | :--- | :--- | :--- |
-|Computer Name|string|None|None|None|None|
-|Event Code|integer|None|None|None|None|
-|Event Data|eventData|None|None|None|None|
-|Is Domain Controller|boolean|None|None|None|None|
-|SID|string|None|None|None|None|
-|Source Name|string|None|None|None|None|
-|Time Written|string|None|None|None|None|
+|Destination Asset|string|None|None|None|None|
+|Destination Asset Address|string|None|None|None|None|
+|Destination Local Account|string|None|None|None|None|
+|Logon Type|string|None|None|None|None|
+|New Authentication|string|None|None|None|None|
+|Result|string|None|None|None|None|
+|Service|string|None|None|None|None|
+|Source Asset Address|string|None|None|None|None|
+|Source JSON|source_json|None|None|None|None|
+|Timestamp|string|None|None|None|None|
 
 **events**
 
@@ -3085,8 +3088,18 @@ Example output:
 |Log ID|string|None|None|Log ID|None|
 |Message|message|None|None|Message|None|
 |Sequence Number|integer|None|None|Sequence number|None|
+|Sequence Number String|string|None|None|Sequence number string|None|
 |Timestamp|integer|None|None|Timestamp|None|
 
+**results_statistics**
+
+|Name|Type|Default|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- | :--- |
+|LEQL|object|None|False|The LEQL 'WHERE' clause to match against|None|
+|Logs|array|None|False|Holds the Log ID of the matching log entry|None|
+|Search Stats|object|None|False|Holds data regarding the query execution|None|
+|statistics|statistics|None|False|Holds the overall statistical results|None|
+
 **statistics**
 
 |Name|Type|Default|Required|Description|Example|
@@ -3105,6 +3118,19 @@ Example output:
 |To|integer|None|False|The end of the time range for the query, as a UNIX timestamp in milliseconds|None|
 |Type|string|None|False|The type of function performed, for example, "count", "max", "average", "standarddeviation"|None|
 
+**source_json**
+
+|Name|Type|Default|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- | :--- |
+|Computer Name|string|None|False|None|None|
+|Event Code|integer|None|False|None|None|
+|Event Data|eventData|None|False|None|None|
+|Insertion Strings|[]string|None|False|Insertion Strings|None|
+|Is Domain Controller|boolean|None|False|None|None|
+|SID|string|None|False|None|None|
+|Source Name|string|None|False|Source Name|None|
+|Time Written|string|None|False|None|None|
+
 **links**
 
 |Name|Type|Default|Required|Description|Example|
@@ -3401,6 +3427,7 @@ Example output:
 
 # Version History
 
+* 11.0.0 - Updating schema for query actions (`advanced_query_on_log`, `advanced_query_on_log_set` & `query`) to account for missing keys/invalid mapping in the schema
 * 10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2
 * 10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0
 * 10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version

diff --git a/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py b/plugins/rapid7_insightidr/komand_rapid7_insightidr/actions/advanced_query_on_log/schema.py
@@ -122,7 +122,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
       "order": 1
     },
     "results_statistical": {
-      "$ref": "#/definitions/statistics",
+      "$ref": "#/definitions/results_statistics",
       "title": "Query Results (Statistical)",
       "description": "Query Results",
       "order": 2
@@ -164,7 +164,7 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
           "order": 4
         },
         "message": {
-          "type": ["object", "string"],
+          "$ref": "#/definitions/message",
           "title": "Message",
           "description": "Message",
           "order": 5
@@ -177,6 +177,119 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
             "$ref": "#/definitions/link"
           },
           "order": 6
+        },
+        "sequence_number_str": {
+          "type": "string",
+          "title": "Sequence Number String",
+          "description": "Sequence number string",
+          "order": 7
+        }
+      }
+    },
+    "message": {
+      "type": "object",
+      "title": "message",
+      "properties": {
+        "timestamp": {
+          "type": "string",
+          "title": "Timestamp",
+          "order": 1
+        },
+        "destination_asset": {
+          "type": "string",
+          "title": "Destination Asset",
+          "order": 2
+        },
+        "source_asset_address": {
+          "type": "string",
+          "title": "Source Asset Address",
+          "order": 3
+        },
+        "destination_asset_address": {
+          "type": "string",
+          "title": "Destination Asset Address",
+          "order": 4
+        },
+        "destination_local_account": {
+          "type": "string",
+          "title": "Destination Local Account",
+          "order": 5
+        },
+        "logon_type": {
+          "type": "string",
+          "title": "Logon Type",
+          "order": 6
+        },
+        "result": {
+          "type": "string",
+          "title": "Result",
+          "order": 7
+        },
+        "new_authentication": {
+          "type": "string",
+          "title": "New Authentication",
+          "order": 8
+        },
+        "service": {
+          "type": "string",
+          "title": "Service",
+          "order": 9
+        },
+        "source_json": {
+          "$ref": "#/definitions/source_json",
+          "title": "Source JSON",
+          "order": 10
+        }
+      }
+    },
+    "source_json": {
+      "type": "object",
+      "title": "source_json",
+      "properties": {
+        "sourceName": {
+          "type": "string",
+          "title": "Source Name",
+          "description": "Source Name",
+          "order": 1
+        },
+        "insertionStrings": {
+          "type": "array",
+          "title": "Insertion Strings",
+          "description": "Insertion Strings",
+          "items": {
+            "type": "string"
+          },
+          "order": 2
+        },
+        "eventCode": {
+          "type": "integer",
+          "title": "Event Code",
+          "order": 3
+        },
+        "computerName": {
+          "type": "string",
+          "title": "Computer Name",
+          "order": 4
+        },
+        "sid": {
+          "type": "string",
+          "title": "SID",
+          "order": 5
+        },
+        "isDomainController": {
+          "type": "boolean",
+          "title": "Is Domain Controller",
+          "order": 6
+        },
+        "eventData": {
+          "$ref": "#/definitions/eventData",
+          "title": "Event Data",
+          "order": 7
+        },
+        "timeWritten": {
+          "type": "string",
+          "title": "Time Written",
+          "order": 8
         }
       }
     },
@@ -357,6 +470,35 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
         }
       }
     },
+    "results_statistics": {
+      "type": "object",
+      "title": "results_statistics",
+      "properties": {
+        "statistics": {
+          "$ref": "#/definitions/statistics",
+          "title": "statistics",
+          "description": "Holds the overall statistical results",
+          "order": 1
+        },
+        "leql": {
+          "type": "object",
+          "title": "LEQL",
+          "description": "The LEQL 'WHERE' clause to match against",
+          "order": 2
+        },
+        "logs": {
+          "title": "Logs",
+          "description": "Holds the Log ID of the matching log entry",
+          "order": 3
+        },
+        "search_stats": {
+          "type": "object",
+          "title": "Search Stats",
+          "description": "Holds data regarding the query execution",
+          "order": 4
+        }
+      }
+    },
     "statistics": {
       "type": "object",
       "title": "statistics",