Rapid7 InsightIDR
App Vendor: Rapid7
App Category: Analytics & SIEM
Connector Version: 1.3.0
API Version: 1.0.0
Note
This app is currently released as a beta version.
About App
Rapid7 InsightIDR is the security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activities.
The Rapid7 InsightIDR app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Indicators to Community Threat | This action adds indicators to a community threat. |
Create Community Threat | This action creates a community threat. |
Delete Community Threat | This action deletes a community threat. |
Get Investigation | This action retrieves the details of an investigation. |
Get List of Rapid7 Product Alerts Associated with the Specified Investigation | This action retrieves a list of Rapid7 product alerts associated with an investigation. |
List Alerts Associated with the Specified Investigation | This action retrieves the alerts associated with an investigation. |
List All Endpoints | This action retrieves all the endpoints. |
List Investigations | This action retrieves all the investigations. |
Query Multiple Logs | This action queries multiple logs using the Log Entry Query Language (LEQL). |
Replace Indicators for Community Threats | This action replaces indicators for community threats. |
Set Status of Investigation | This action sets the status of an investigation. |
Update Investigation | This action updates an investigation. |
Close Investigations in Bulk | This action closes investigations in bulk. |
Search Investigations | This action searches for investigations. |
Poll an In-Progress Query | This action polls a query that is in progress. |
Create Investigation Using Alerts | This action creates investigation using matching alerts. |
Create Report for Alerts | This action creates a report with alerts that match the search criteria. |
Get Evidence for a Single Alert | This action retrieves evidence associated with a single alert. |
Retrieve Alert Action Result | This action retrieves the result of a single alert action. |
Generic Action | This is a generic action to perform any additional use case that you want on Rapid7 InsightIDR. |
Retrieve Alert Actions | This action retrieves the alert actions that occurred within a time period. |
Retrieve Alert Action Tasks | This action retrieves the tasks associated with a single alert action. |
Retrieve Alert Actors | This action retrieves actors associated with a single alert. |
Retrieve Alert Field Values | This action retrieves alert field values related to the specified field ID. |
Retrieve All Alert Fields | This action retrieves all the alert fields. |
Retrieve All Process Tree | This action retrieves all process trees for an alert. |
Retrieve Assignee for a Single Alert | This action retrieves users that are assigned to a single alert. |
Retrieve Assignee for Multiple Alerts | This action retrieves users that could be assigned to multiple alerts. |
Retrieve Multiple Alerts | This action retrieves multiple alerts related to the specified alert RRN. |
Retrieve Process Tree | This action retrieves a single process tree for an alert. |
Retrieve Single Alert | This action retrieves single alert based on the alert RRN. |
Retrieve Single Alert Field | This action returns a single field based on the field identifier. |
Search Alerts | This action returns alerts that match the search criteria. |
Update Multiple Alerts | This action asynchronously updates information for multiple alerts. |
Update Single Alert | This action asynchronously updates information for a single alert. |
Configuration Parameters
The following configuration parameters are required for the Rapid7 InsightIDR app to communicate with the Rapid7 InsightIDR enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key to authenticate. | Password | Required | |
Region | Enter the region where your InsightIDR data is stored. Examples: eu, ap | Text | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Rapid7 InsightIDR. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Verify | Choose whether to verify the server's SSL/TLS certificate when making requests. Keep this set to yes: with verification disabled, anyone in the network path can impersonate the API endpoint and capture the API key sent with every request. | Boolean | Optional | By default, verification is enabled. |
Action: Add Indicators to Community Threat
This action adds indicators to a Community Threat. The following indicator types are supported in the request body: IP addresses, process hashes, domain names, and URLs.
Note
To perform this action, you must include at least one indicator type from the available input parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Key | Enter the key of the Community Threat to add the indicators to. Example: 156c9e48-64da-4bba-939e-e1c329be591b | Text | Required | |
IPs | Enter the list of IP addresses to add to the Community Threat. Example: ["192.168.0.1"] | List | Optional | At least one indicator type (IPs, Hashes, Domain Names, or URLs) must be provided. |
Hashes | Enter the process hashes to add to the Community Threat. Example: ["b95663ec7339033cf1fde459a34b6606"] | List | Optional | At least one indicator type must be provided. |
Domain Names | Enter the domain names to add to the Community Threat. Example: ["rapid7.com", "mailxpy.com"] | List | Optional | At least one indicator type must be provided. |
URLs | Enter the URLs to add to the Community Threat. Example: ["http://example.com/index", "http://www.mailxpy.com/login/index.php"] | List | Optional | At least one indicator type must be provided. |
Example Request
[ { "key": "156c9e48-64da-4bba-939e-e1c329be591b", "ips": ["192.168.0.1"], "hashes": ["b95663ec7339033cf1fde459a34b6606"], "domain_names": ["rapid7.com", "mailxpy.com"], "urls": ["http://example.com/index", "http://www.mailxpy.com/login/index.php"] } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
threat | Object | The information about the threat. |
threat.name | String | The name of the threat. |
threat.note | String | Notes about this threat. |
threat.published | Boolean | Indicates whether this threat has been published. |
threat.indicator_count | Integer | The number of indicators in this threat. |
threat.rejected_indicators | Array of Strings | The list of indicators that have been rejected during the update. |
Action: Close Investigations in Bulk
This action closes investigations in bulk. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source | Enter the source of the investigations to close. Examples: threat intelligence, alert, hunt | Text | Required | |
To | Enter the end of the time window. Only investigations whose created_time is before this ISO 8601 timestamp will be closed. Example: 2020-01-01T00:00:00.000Z | Text | Required | |
From | Enter the start of the time window. Only investigations whose created_time is after this ISO 8601 timestamp will be closed. Example: 2020-01-01T00:00:00.000Z | Text | Required | |
Alert Type | Enter the alert type to restrict which investigations are closed. Example: threat intelligence | Text | Optional | |
Detection Rule RRN | Enter the RRN of the detection rule whose investigations should be closed. | Text | Required | |
Max Investigations to Close | Enter the maximum number of investigations to close. Example: 10 | Integer | Optional | Use this as a safety cap when the time window is wide. |
Disposition | Enter the disposition to record on the closed investigations. Example: benign | Text | Optional | Allowed values: malicious, benign, undecided, not applicable |
Action: Create Community Threat
This action creates a Community Threat in Rapid7 InsightIDR. The request body takes the threat name, an optional note, and indicators of the following types: IP addresses (non-CIDR notation), process hashes, domain names, and URLs.
Note
To perform this action, you must include at least one indicator type from the available input parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Name | Enter the name of a threat. Example: Trojan | Text | Required | |
Domain Names | Enter the domain names to add to the community threat. Example: $LIST['rapid7.com', 'mailxpy.com'] | Text | Optional | At least one indicator type (IPs, Hashes, Domain Names, or URLs) must be provided. |
Hashes | Enter the process hashes to add to the community threat. Example: $LIST['b95663ec7339033cf1fde459a34b6606'] | Text | Optional | At least one indicator type must be provided. |
IPs | Enter the list of IP addresses (non-CIDR) to add to the community threat. Example: $LIST['192.168.0.1'] | Text | Optional | At least one indicator type must be provided. |
URLs | Enter the URLs to add to the community threat. Example: $LIST['http://example.com/index', 'http://www.mailxpy.com/login/index.php'] | Text | Optional | At least one indicator type must be provided. |
Note | Enter a description of the community threat. Example: This is a sample note for this Community Threat. | Text | Optional |
Example Request
[ { "threat_name": "Trojan", "ips": ["192.168.0.1"], "hashes": ["b95663ec7339033cf1fde459a34b6606"], "domain_names": ["rapid7.com", "mailxpy.com"], "urls": ["http://example.com/index", "http://www.mailxpy.com/login/index.php"] } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
threat | Object | Contains information about the threat. |
threat.name | String | Name of the threat. Example: Threat |
threat.note | String | Additional notes regarding the threat. Example: Notes |
threat.published | Boolean | Indicates whether the threat information is published. Example: true |
threat.indicator_count | Integer | Count of indicators related to the threat. Example: 1 |
rejected_indicators | Array of Strings | List of indicators that were rejected. Example: ["blacklisted", "invalid"] |
Action: Delete Community Threat
This action deletes a community threat.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Key | Enter the key of a community threat to delete. Example: 156c9e48-64da-4bba-939e-e1c329be591b | Text | Required | |
Reason | Enter the reason for deleting the threat. Example: Threat has been neutralized. | Text | Optional | It is recommended to provide a reason while deleting a community threat |
Example Request
[ { "key": "156c9e48-64da-4bba-939e-e1c329be591b", "reason": "Threat has been neutralized." } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
name | String | The name of the threat. |
note | String | Notes about this threat. |
published | Boolean | Indicates whether this threat has been published. |
indicator_count | Integer | The number of indicators in this threat. Must be greater than or equal to 0. |
Action: Get Investigation
This action retrieves the details of an investigation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID | Enter the ID of an investigation. Example: 174e4f99-2ac7-4481-9301-4d24c34baf06 | Text | Required | |
Multi Customer | Indicates whether the requester has multi-customer access. If set to true, the investigation ID must be given in RRN format, the region of the RRN must match the region of the endpoint, and a user API key must be provided. Example: true | Boolean | Optional | Allowed values: true, false. Default value: false |
Example Request
[ { "id": "174e4f99-2ac7-4481-9301-4d24c34baf06", "multi_customer": false } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
data | Array of objects | The list of data that matches the pagination parameters. If no results match, this will be an empty list. |
data.id | String | The ID of the investigation. |
data.rrn | String | The RRN of the investigation. |
data.title | String | The investigation's title. |
data.status | String | The status of the investigation. Possible values: OPEN, INVESTIGATING, CLOSED |
data.source | String | The source of this investigation. |
data.disposition | String | The disposition of this investigation. Values are BENIGN, MALICIOUS, NOT_APPLICABLE, UNSPECIFIED |
data.assignee | Object | The user assigned to this investigation, if any. |
data.alerts | Array of objects | The alerts involved in this investigation, if any. |
data.created_time | String | The time the investigation was created, as an ISO formatted timestamp. |
metadata | Object | The pagination parameters used to generate this page result. |
metadata.index | Integer | The 0-based index of the page retrieved. |
metadata.size | Integer | The size of the page requested. |
metadata.total_pages | Integer | The total number of pages available with the given filter parameters. |
metadata.total_data | Integer | The total number of results available with the given filter parameters. |
Action: Get List of Rapid7 Product Alerts Associated With the Specified Investigation
This action retrieves a list of Rapid7 product alerts associated with an investigation. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID | Enter the ID of an investigation. Example: 174e4f99-2ac7-4481-9301-4d24c34baf06 | Text | Required | |
Multi Customer | Indicates whether the requester has multi-customer access. Example: false | Boolean | Optional | Allowed values: true, false. Default value: false |
Example Request
[ { "id": "174e4f99-2ac7-4481-9301-4d24c34baf06", "multi_customer": false } ]
Action: List Alerts Associated With the Specified Investigation
This action lists the alerts associated with the investigation with the specified ID, sorted in descending order by alert creation time. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID | Enter the ID of an investigation. Example: 174e4f99-2ac7-4481-9301-4d24c34baf06 | Text | Required | |
Index | Enter the 0-based index of the page to retrieve. Must be an integer greater than or equal to 0. Example: 0 | Text | Optional | Default is 0 |
Size | Enter the number of alerts per page. Must be an integer greater than 0 and less than or equal to 100. Example: 20 | Text | Optional | Default is 20 |
Example Request
[ { "identifier": "174e4f99-2ac7-4481-9301-4d24c34baf06", "index": "0", "size": "10" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
data.id | String | Unique identifier for the alert. |
data.title | String | Title or brief description of the alert. |
data.alert_type | String | Type of alert. |
data.alert_type_description | String | Description of the alert type. |
data.created_time | String | Timestamp when the alert was created (ISO 8601 format). |
data.first_event_time | String | Timestamp of the first event related to the alert (ISO 8601 format). |
data.latest_event_time | String | Timestamp of the latest event related to the alert (ISO 8601 format). |
data.alert_source | String | Source of the alert. |
data.detection_rule_rrn.rule_name | String | Name of the detection rule that triggered the alert. |
data.detection_rule_rrn.rule_rrn | String | Resource Reference Number (RRN) for the detection rule. |
metadata.index | Integer | Index of the current page. |
metadata.size | Integer | Number of items per page. |
metadata.total_pages | Integer | Total number of pages available. |
metadata.total_data | Integer | Total number of data items. |
Action: List All Endpoints
This action lists the available API endpoints and the HTTP verbs each accepts, which is a convenient way to discover the audit log query endpoints. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
This action does not require any input parameters.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
endpoint | Object | The endpoint itself. Example: /audit/query/logs/{log_keys} |
endpoint.path | String | The full path of the endpoint. Example: https://eu.rest.logs.insight.rapid7.com/audit/query/logs/{log_keys} |
endpoint.verbs | Array of Strings | The HTTP verbs supported by the endpoint. Example: ["GET"] |
Action: List Investigations
This action retrieves a list of investigations matching the specified action input parameters. By default, the investigations will be sorted by investigation priority in descending order.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Assignee Email | Enter the email address of the assignee. Only investigations assigned to that user will be included. Example: johndoe@exampledomain.com | Text | Optional | |
End Time | Enter the end of the created_time window. Only investigations whose created_time is before this ISO 8601 timestamp will be returned. Example: 2018-07-28T23:59:00Z | Text | Optional | Default is the current time |
Index | Enter the 0-based index of the page to retrieve. Must be an integer greater than or equal to 0. Example: 0 | Text | Optional | Default is 0 |
Size | Enter the maximum number of investigations per page. Must be an integer greater than 0 and less than or equal to 100. Example: 20 | Text | Optional | Default is 20 |
Sort | Enter a field for investigations to be sorted by and their sort direction separated by a comma. Example: priority,DESC | Text | Optional | Sortable fields are created_time, priority, rrn, alerts_most_recent_created_time, and alerts_most_recent_detection_created_time. |
Start Time | Enter the start of the created_time window. Only investigations whose created_time is after this ISO 8601 timestamp will be returned. Example: 2018-07-01T00:00:00Z | Text | Optional | Default is 28 days prior to the current time |
Statuses | Enter a comma-separated list of investigation statuses to include in the result. Example: OPEN,INVESTIGATING | Text | Optional | Possible values are OPEN, INVESTIGATING, and CLOSED |
Priorities | Enter the investigation priorities to include in the response. Example: priorities=UNSPECIFIED, LOW | Text | Optional | Possible values are UNSPECIFIED, LOW, MEDIUM, HIGH, and CRITICAL |
Extra Fields | Enter the extra fields to pass to the API. | Key value | Optional | Allowed keys: multi_customer, tags, sources |
API Version | Enter the version of the API to use for this request. Example: v2 | Text | Required | Default value: v1 |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
data | Array of objects | The list of data that matches the pagination parameters. If no results match, this will be an empty list. |
data.id | String | The ID of the investigation. |
data.rrn | String | The RRN of the investigation. |
data.title | String | The investigation's title. |
data.status | String | The status of the investigations. Possible values: "OPEN, INVESTIGATING, CLOSED". |
data.source | String | The source of this investigation. |
data.disposition | String | The disposition of this investigation. Possible values: "BENIGN, MALICIOUS, NOT_APPLICABLE, UNSPECIFIED". |
data.assignee | Object | The user assigned to this investigation, if any. |
data.alerts | Array of objects | The alerts involved in this investigation, if any. |
data.created_time | String | The time the investigation was created, as an ISO formatted timestamp. |
metadata | Object | The pagination parameters used to generate this page result. |
metadata.index | Number | The 0-based index of the page retrieved. |
metadata.size | Number | The size of the page requested. |
metadata.total_pages | Number | The total number of pages available with the given filter parameters. |
metadata.total_data | Number | The total number of results available with the given filter parameters. |
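The following is an added example, not code from the connector or from Rapid7, showing how a playbook step would validate the List Investigations filters against the allowed values above, fill the documented defaults (28-day lookback, current time, page size 20), and walk every page using `index` and `metadata.total_pages`. The HTTP call is abstracted as a `fetch_page(params)` callable; the pages at the bottom are constructed sample data, and the `priority` field on each record (implied by the `priority` sort option) is an assumption.

```python
"""Page through the List Investigations action with index/size pagination."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional, Sequence

STATUSES = {"OPEN", "INVESTIGATING", "CLOSED"}
PRIORITIES = {"UNSPECIFIED", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
SORT_FIELDS = {"created_time", "priority", "rrn", "alerts_most_recent_created_time",
               "alerts_most_recent_detection_created_time"}
MAX_PAGE_SIZE = 100
DEFAULT_LOOKBACK = timedelta(days=28)   # documented default for start_time


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def iso_utc(ts: datetime) -> str:
    """ISO 8601 in UTC with a trailing Z, the form the action's examples use."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_params(statuses: Sequence[str] = ("OPEN", "INVESTIGATING"),
                 priorities: Sequence[str] = (),
                 sort: str = "priority,DESC",
                 start_time: Optional[datetime] = None,
                 end_time: Optional[datetime] = None,
                 size: int = 20,
                 now: Optional[datetime] = None) -> Dict[str, str]:
    """Validate filters against the documented allowed values and fill the defaults."""
    unknown = set(statuses) - STATUSES
    if unknown:
        raise ValueError(f"unknown statuses: {sorted(unknown)}")
    unknown = set(priorities) - PRIORITIES
    if unknown:
        raise ValueError(f"unknown priorities: {sorted(unknown)}")
    field, _, direction = sort.partition(",")
    if field not in SORT_FIELDS or direction.upper() not in {"ASC", "DESC"}:
        raise ValueError(f"unsupported sort: {sort!r}")
    if not 0 < size <= MAX_PAGE_SIZE:
        raise ValueError(f"size must be between 1 and {MAX_PAGE_SIZE}")
    now = now or datetime.now(timezone.utc)
    start_time = start_time or now - DEFAULT_LOOKBACK
    end_time = end_time or now
    if start_time >= end_time:
        raise ValueError("start_time must be before end_time")
    params = {"statuses": ",".join(statuses), "sort": f"{field},{direction.upper()}",
              "size": str(size), "start_time": iso_utc(start_time), "end_time": iso_utc(end_time)}
    if priorities:
        params["priorities"] = ",".join(priorities)
    return params


def iter_investigations(fetch_page: Callable[[Dict[str, str]], dict],
                        params: Dict[str, str]) -> Iterator[dict]:
    """Yield every investigation, advancing `index` until metadata.total_pages is exhausted."""
    index = 0
    while True:
        page = fetch_page({**params, "index": str(index)})
        yield from page["data"]
        index += 1
        if index >= page["metadata"]["total_pages"]:   # also stops on an empty result (0 pages)
            return


def open_high_priority(fetch_page: Callable[[Dict[str, str]], dict],
                       params: Dict[str, str]) -> List[str]:
    """RRNs of OPEN investigations at HIGH or CRITICAL priority, across all pages."""
    return [inv["rrn"] for inv in iter_investigations(fetch_page, params)
            if inv["status"] == "OPEN" and inv.get("priority") in ("HIGH", "CRITICAL")]


# Constructed sample data: three investigations split across two pages of size 2.
SAMPLE_PAGES = [
    {"data": [{"id": "inv-1", "rrn": "rrn:sample:1", "title": "Suspicious login", "status": "OPEN",
               "priority": "HIGH", "created_time": "2020-01-01T00:00:00Z"},
              {"id": "inv-2", "rrn": "rrn:sample:2", "title": "Malware hash match",
               "status": "INVESTIGATING", "priority": "CRITICAL",
               "created_time": "2020-01-02T00:00:00Z"}],
     "metadata": {"index": 0, "size": 2, "total_pages": 2, "total_data": 3}},
    {"data": [{"id": "inv-3", "rrn": "rrn:sample:3", "title": "Noise", "status": "OPEN",
               "priority": "LOW", "created_time": "2020-01-03T00:00:00Z"}],
     "metadata": {"index": 1, "size": 2, "total_pages": 2, "total_data": 3}},
]


def sample_fetch(params: Dict[str, str]) -> dict:
    """Stand-in for the HTTP call; returns the constructed page for params['index']."""
    return SAMPLE_PAGES[int(params["index"])]
```

Terminate on `total_pages` rather than on an empty `data` list: the API reports the total up front, so the loop makes exactly as many requests as there are pages and never issues a trailing request that returns nothing.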
Action: Query Multiple Logs
This action queries multiple logs using the Log Entry Query Language (LEQL). This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Log IDs | Enter the log IDs. Example: ['565c1b7b-c08b-4c87-a42a-ab08bad56071', 'c78579a8-8b20-4e6a-d4c0-5287198a263b'] | List | Required | |
Duration | Enter the time range to search logs. Example: {"time_range": "last 1 hour"} | Key Value | Required | Allowed values: yesterday, today, and last x timeunits (where x represents a number and timeunits represents one of min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s), or year(s)). |
Statement | Enter the LEQL query run against the logs. Example: where(931dde6c60>=800) | Text | Required | |
Query Params | Enter the query params. Example: {"per_page": 10} | Key Value | Optional | |
Example Request
[ { "log_ids": ["565c1b7b-c08b-4c87-a42a-ab08bad56071", "c78579a8-8b20-4e6a-d4c0-5287198a263b"], "duration": {"time_range": "last 1 hour"}, "statement": "where(931dde6c60>=800)", "query_params": {"per_page": 10} } ]
Action: Replace Indicators for Community Threats
This action replaces InsightIDR Community Threat indicators for a Community Threat with the given Community Threat key. The following Community Threat indicators are supported in the request body: IP addresses, process hashes, domain names, and URLs.
Note
To perform this action, you must include at least one indicator type from the available input parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Key | Enter the key of a Community Threat for which the indicators are going to be replaced. Example: 156c9e48-64da-4bba-939e-e1c329be591b | Text | Required | |
Domain Names | Enter the domain names that will replace the current ones on the Community Threat. Example: ["rapid7.com", "mailxpy.com"] | List | Optional | At least one indicator type (IPs, Hashes, Domain Names, or URLs) must be provided. |
Hashes | Enter the process hashes that will replace the current ones on the Community Threat. Example: ["b95663ec7339033cf1fde459a34b6606"] | List | Optional | At least one indicator type must be provided. |
IPs | Enter the IP addresses that will replace the current ones on the Community Threat. Example: ["192.168.0.1"] | List | Optional | At least one indicator type must be provided. |
URLs | Enter the URLs that will replace the current ones on the Community Threat. Example: ["http://example.com/index", "http://www.mailxpy.com/login/index.php"] | List | Optional | At least one indicator type must be provided. |
Example Request
[ { "key": "156c9e48-64da-4bba-939e-e1c329be591b", "ips": ["192.168.0.1"], "hashes": ["b95663ec7339033cf1fde459a34b6606"], "domain_names": ["rapid7.com", "mailxpy.com"], "urls": ["http://example.com/index", "http://www.mailxpy.com/login/index.php"] } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
threat | Object | The information about the threat. |
threat.name | String | The name of the threat. |
threat.note | String | Notes about this threat (optional). |
threat.published | Boolean | Indicates whether this threat has been published. |
threat.indicator_count | Integer (int64) | The number of indicators in this threat. Must be greater than or equal to 0. |
threat.rejected_indicators | Array of strings | The list of indicators that have been rejected during the update. |
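The three indicator actions (Add Indicators to Community Threat, Create Community Threat, and Replace Indicators for Community Threats) share one body shape and one failure mode: indicators the API does not accept come back in `rejected_indicators` instead of failing the call. The example below is added here and is not the connector's or Rapid7's code. It normalises and de-duplicates the four indicator lists before the request is sent, drops what the page documents as unsupported (CIDR ranges) or what is plainly malformed, enforces the at-least-one-type rule, and then treats a non-empty `rejected_indicators` in the response as an error rather than a success. The accepted hash lengths (MD5, SHA-1, SHA-256) and the http(s)-only rule for URLs are assumptions, not documented API behaviour.

```python
"""Client-side validation for the Community Threat indicator actions."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

HASH_LENGTHS = {32, 40, 64}            # MD5, SHA-1, SHA-256 hex digests (assumption)
HEX_RE = re.compile(r"^[0-9a-f]+$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _ip(value: str) -> str:
    value = value.strip()
    if "/" in value:                    # the API takes single addresses, not CIDR blocks
        raise ValueError("CIDR notation is not accepted")
    return str(ipaddress.ip_address(value))


def _hash(value: str) -> str:
    value = value.strip().lower()
    if len(value) not in HASH_LENGTHS or not HEX_RE.match(value):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest")
    return value


def _domain(value: str) -> str:
    value = value.strip().lower().rstrip(".")
    labels = value.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError("not a valid domain name")
    return value


def _url(value: str) -> str:
    value = value.strip()               # the docs' own example carries a leading space
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("only absolute http(s) URLs are accepted")
    return value


NORMALIZERS = {"ips": _ip, "hashes": _hash, "domain_names": _domain, "urls": _url}


def build_indicators(**raw: Iterable[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (indicator body, values rejected locally).

    Keyword arguments are the four indicator lists: ips, hashes, domain_names,
    urls. Each value is normalised and de-duplicated; at least one list must be
    non-empty after cleaning, mirroring the actions' own requirement.
    """
    unknown = set(raw) - set(NORMALIZERS)
    if unknown:
        raise ValueError(f"unknown indicator types: {sorted(unknown)}")
    body: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for field, normalize in NORMALIZERS.items():
        seen: List[str] = []
        for value in raw.get(field, ()):
            try:
                cleaned = normalize(value)
            except ValueError:
                rejected.append(value)
                continue
            if cleaned not in seen:
                seen.append(cleaned)
        if seen:
            body[field] = seen
    if not body:
        raise ValueError("at least one indicator type is required")
    return body, rejected


def add_indicators_request(key: str, **raw: Iterable[str]) -> dict:
    """Body for Add Indicators / Replace Indicators, keyed by the Community Threat key."""
    body, _ = build_indicators(**raw)
    return {"key": key, **body}


def create_threat_request(threat_name: str, note: str = "", **raw: Iterable[str]) -> dict:
    """Body for Create Community Threat."""
    body, _ = build_indicators(**raw)
    request = {"threat_name": threat_name, **body}
    if note:
        request["note"] = note
    return request


def check_response(resp: dict) -> int:
    """Raise if the API rejected anything; otherwise return the new indicator count.

    Add/Replace report rejections under threat.rejected_indicators and Create
    reports them at the top level, so both locations are checked.
    """
    threat = resp.get("threat", {})
    rejected = threat.get("rejected_indicators") or resp.get("rejected_indicators") or []
    if rejected:
        raise RuntimeError(f"API rejected {len(rejected)} indicator(s): {rejected}")
    return int(threat["indicator_count"])
```

Locally rejected values are returned rather than silently dropped so the playbook can log them; an automated enrichment that feeds stale or malformed indicators into a Community Threat otherwise fails quietly and the threat ends up smaller than the analyst believes.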
Action: Poll an In-Progress Query
This action polls a query that is in progress. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID | Enter the continuation ID. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | You can retrieve the continuation ID from the Query Multiple Logs action. |
Time Range | Enter the time range. Example: last 10 weeks | Text | Optional | Allowed values: yesterday, today, or last x timeunits, where x is a number and timeunits is one of (case insensitive) mins or minutes, hrs or hours, days, weeks, months, years |
Example Request
[ { "id": "0bnc17f4-bbbe-46b1-a843-163c074bd1ad", "time_range": "last 10 weeks" } ]
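Query Multiple Logs and Poll an In-Progress Query form one procedure: submit the LEQL statement, and if the query is still running, keep polling the continuation ID until it completes. The block below is an added example and is not the connector's or Rapid7's code. It validates the `time_range` grammar documented for the Duration and Time Range parameters before anything is sent, then runs the submit/poll loop with a bound on the number of polls so a query that never finishes cannot hang a playbook. The Log Search API is abstracted as two injected callables, and the response shape used here (`{"status": "in_progress", "continuation_id": ...}` until `{"status": "complete", "events": [...]}`) is an assumption made for the example; the `FakeLogSearch` class is a constructed stand-in for the API.

```python
"""Submit a LEQL query across several logs and follow its continuation until it completes."""
import re
from typing import Callable, List, Sequence

TIME_RANGE_RE = re.compile(
    r"^(?:yesterday|today|last\s+(\d+)\s+"
    r"(?:mins?|minutes?|hrs?|hours?|days?|weeks?|months?|years?))$",
    re.IGNORECASE,
)


def validate_time_range(value: str) -> str:
    """Accept yesterday, today or 'last <n> <unit>'; reject anything else before it reaches the API."""
    value = " ".join(value.split())     # collapse stray whitespace
    match = TIME_RANGE_RE.match(value)
    if not match or (match.group(1) is not None and int(match.group(1)) == 0):
        raise ValueError(f"bad time range {value!r}: expected yesterday, today or 'last <n> <unit>'")
    return value.lower()


def query_logs(submit: Callable[[dict], dict],
               poll: Callable[[str, str], dict],
               log_ids: Sequence[str],
               statement: str,
               time_range: str,
               per_page: int = 50,
               max_polls: int = 20) -> List[dict]:
    """Run `statement` against `log_ids`, polling the continuation ID until the query finishes."""
    if not log_ids:
        raise ValueError("at least one log ID is required")
    time_range = validate_time_range(time_range)
    body = {"log_ids": list(log_ids), "duration": {"time_range": time_range},
            "statement": statement, "query_params": {"per_page": per_page}}
    resp = submit(body)
    polls = 0
    while resp["status"] != "complete":
        if polls >= max_polls:           # bounded: never spin forever on a stuck query
            raise TimeoutError(f"query still in progress after {max_polls} polls")
        polls += 1
        resp = poll(resp["continuation_id"], time_range)
    return resp["events"]


class FakeLogSearch:
    """Constructed stand-in for the Log Search API: in progress until the `pending`-th poll."""

    def __init__(self, events: List[dict], pending: int = 2):
        self.events = events
        self.pending = pending
        self.polls = 0
        self.submitted = None

    def submit(self, body: dict) -> dict:
        self.submitted = body
        return {"status": "in_progress", "continuation_id": "cont-sample-1"}

    def poll(self, continuation_id: str, time_range: str) -> dict:
        assert continuation_id == "cont-sample-1"
        self.polls += 1
        if self.polls < self.pending:
            return {"status": "in_progress", "continuation_id": continuation_id}
        return {"status": "complete", "events": self.events}
```

In a real playbook, a sleep between polls belongs inside the `poll` callable, and `max_polls` should be sized from the expected query duration rather than left at the default.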
Action: Create Investigation Using Alerts
This action creates an investigation using matching alerts. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Organization ID | Enter the ID of the organization that the investigation belongs to. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Title | Enter the title of the investigation. Example: alert from insight ops | Text | Required | |
Disposition | Enter the disposition of the investigation. | Text | Required | |
Status | Enter the status of the investigation. Example: open | Text | Required | |
Start Time | Enter the start time. Example: 2020-01-01T00:00:00.000Z | Text | Required | |
Terms | Enter the search terms. Example: {"field_ids":"['2525', '2523']"} | Key Value | Required | |
End Time | Enter the end time. Example: 2020-01-01T00:00:00.000Z | Text | Optional | |
LEQL Query | Enter the Log Entry Query Language (LEQL) query. Example: (where (931dde6c60>=800)) | Text | Optional | |
Priority | Enter the priority of the investigation. Example: low | Text | Optional | Allowed values are UNMAPPED, INFO, LOW, MEDIUM, HIGH, and CRITICAL. |
Tags | Enter the tags to apply to the investigation. Example: ['malware', 'threat'] | List | Optional | |
Extra Params | Enter any additional details associated with the investigation. Example: {"key":"value"} | Key Value | Optional |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
action_rrn | String | The RRN of the action created to update the alerts. See the Actions endpoints for more information. |
region_failures | Array of Objects (RegionFailure) | The regions where the request failed to execute. The presence of items in this field indicates partial failure. |
region_failures.region | String | The region where the request failed. |
region_failures.message | String | A description of the failure. |
Action: Create Report for Alerts
This action creates a report with alerts that match the search criteria. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time of the range to search. Example: 2020-01-01T00:00:00.000Z | Text | Required | |
Terms | Enter the search terms to match against. Example: {"field_ids":"['233','454','476']"} | Key Value | Required | |
End Time | Enter the end time of the range to search. Example: 2020-01-01T00:00:00.000Z | Text | Optional | |
LEQL Query | Enter the LEQL 'WHERE' clause to match against. Example: (where(931dde6c60>=800)) | Text | Optional | |
Aggregates | Enter the aggregations to apply to all matching results. Example: {"type": "bucket"} | Key Value | Optional | |
Extra Params | Enter the extra params. Example: {"key":"value"} | Key Value | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
count | Integer | The number of alerts that match the search criteria. |
aggregates | Array of Objects | The aggregation results. |
aggregates.name | String | The identifier of the aggregation, that was specified in the request. |
aggregates.type | String | The type of aggregate. The default is "BUCKET". |
aggregates.value | Object | The single-value result of the requested query. |
aggregates.field_ids | Array of Strings | The field identifiers that were aggregated by. |
aggregates.buckets | Array of Objects | The buckets that the aggregation results are grouped into. |
aggregates.buckets.keys | Array of Strings or Strings or Numbers or Booleans | The values for the selected field identifiers in this bucket, in matching order. |
aggregates.buckets.count | Integer (int64) | The number of alerts in this bucket. |
region_failures | Array of Objects | Regions that failed to execute the request. The presence of items indicates partial results. |
region_failures.region | String | The region where the request failed. |
region_failures.message | String | A description of the failure. |
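The `region_failures` field above (also returned by Create Investigation Using Alerts and Retrieve Alert Action Result) is the one part of this response that a playbook must not ignore: a `count` returned alongside a non-empty `region_failures` is a partial count, and a detection threshold evaluated on it can be silently wrong. The block below is an added example, not the connector's or Rapid7's code. It validates the request inputs (ISO timestamps with a zone, start before end, a `where` clause) and turns the documented response into a summary that refuses to treat a partial result as complete unless the caller opts in. The sample response is constructed, and `terms` is passed as a real list rather than the stringified list shown in the example above.

```python
"""Validate a Create Report for Alerts request and interpret its response."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple


class PartialResult(Exception):
    """Raised when one or more regions failed, so counts are lower bounds at best."""


def parse_iso(ts: str) -> datetime:
    """Parse the 2020-01-01T00:00:00.000Z form used throughout the action docs."""
    if ts.endswith(("Z", "z")):
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry a timezone (use a trailing Z)")
    return parsed


def build_report_request(start_time: str, terms: Dict[str, List[str]],
                         end_time: Optional[str] = None, leql_query: Optional[str] = None,
                         aggregates: Optional[List[dict]] = None) -> dict:
    start = parse_iso(start_time)
    if end_time is not None and parse_iso(end_time) <= start:
        raise ValueError("end_time must be after start_time")
    if not terms:
        raise ValueError("terms must contain at least one field filter")
    if leql_query is not None and not leql_query.strip().lower().lstrip("(").startswith("where"):
        raise ValueError("leql_query must be a where(...) clause")
    request = {"start_time": start_time, "terms": terms}
    if end_time:
        request["end_time"] = end_time
    if leql_query:
        request["leql_query"] = leql_query
    if aggregates:
        request["aggregates"] = aggregates
    return request


def summarize_report(resp: dict, allow_partial: bool = False) -> dict:
    """Flatten aggregates into {name: {bucket keys: count}} and flag partial results."""
    failures = resp.get("region_failures") or []
    if failures and not allow_partial:
        raise PartialResult(", ".join(f"{f['region']}: {f['message']}" for f in failures))
    buckets: Dict[str, Dict[Tuple, int]] = {}
    for agg in resp.get("aggregates") or []:
        buckets[agg["name"]] = {tuple(b["keys"]): int(b["count"]) for b in agg.get("buckets") or []}
    return {"count": int(resp["count"]), "partial": bool(failures),
            "failed_regions": [f["region"] for f in failures], "buckets": buckets}


# Constructed sample response: two buckets by alert type, one region failed.
SAMPLE_RESPONSE = {
    "count": 12,
    "aggregates": [{"name": "by_type", "type": "BUCKET", "field_ids": ["233"],
                    "buckets": [{"keys": ["Brute Force"], "count": 9},
                                {"keys": ["Malware"], "count": 3}]}],
    "region_failures": [{"region": "ap", "message": "timed out"}],
}
```
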
Action: Get Evidence for a Single Alert
This action retrieves the evidence associated with a single alert. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the alert RRN. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
evidences | Array of objects | The alert evidence. |
evidences.rrn | String | The unique RRN of the evidence. |
evidences.version | Integer | The version of the evidence. |
evidences.created_at | String (date-time) | The timestamp when the evidence was created. |
evidences.updated_at | String (date-time) | The timestamp when the evidence was last updated. |
evidences.evented_at | String (date-time) | The timestamp when the event that triggered the alert occurred in the source system. |
evidences.external_source | String | The source of the evidence. |
evidences.event_type | String | The type of evidence. |
evidences.data | String | The evidence data. |
metadata | Object | The pagination returned. |
metadata.index | Integer | The page number. |
metadata.size | Integer | The number of items requested. |
metadata.items_in_index | Integer | The number of items returned in the index. |
metadata.total_items | Integer | The total number of items available to request. |
metadata.is_last_index | Boolean | Indicates whether this page is the last one. |
Action: Retrieve Alert Action Result
This action retrieves the result of a single alert action. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action RRN | Enter the unique identifier for the action. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
actions | Array of Objects | List of actions taken. |
actions.rrn | String | Resource reference number for the action. |
actions.type | String | Type of action taken. Example: "PATCH_ALERT" |
actions.created_at | String | Date and time the action was created. Example: "2019-08-24T14:15:22Z" |
actions.task_count | Number | Number of tasks associated with the action. |
actions.request_payload | String | Payload of the request related to the action. |
actions.metadata | Array of Objects | Additional metadata for the action. |
actions.metadata.key | String | Key for the metadata entry. |
actions.metadata.value | String | Value for the metadata entry. |
actions.metadata.display | String | The display name for the metadata entry. |
metadata | Object | Metadata about the response. |
metadata.index | Number | Current index in pagination. |
metadata.size | Number | Number of items per page. |
metadata.items_in_index | Number | Number of items in the current index. |
metadata.total_items | Number | Total number of items across all indices. |
metadata.is_last_index | Boolean | Indicates if the current index is the last one. Example: true |
region_failures | Array of Objects | Failures by region. |
region_failures.region | String | Region where the failure occurred. |
region_failures.message | String | Message describing the failure. |
Action: Generic Action
This is a generic action to perform any additional use case that you want on Rapid7 InsightIDR. Because it sends an arbitrary request with the configured API key, restrict who can edit playbooks that use it and keep the endpoint to a path under the InsightIDR API rather than a full URL. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the endpoint to make the API request. Example: /v1/investigations | Text | Required | |
Method | Enter the HTTP method to make the API request. Example: GET | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Payload JSON | Enter the payload in JSON format. Example: {"format": "json"} | Key Value | Optional | |
Query Params | Enter the query parameters to filter the results. Example: {"format": "json"} | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. Example: download: false | Key Value | Optional | Allowed values: payload_data, custom_output, download, filename, files, retry_wait, retry_count, response_type |
Action: Retrieve Alert Actions
This action retrieves the alert actions that occurred within the specified time period. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time to limit the results to only actions that were created after the specified date and time. Example: 2020-01-01t00:00:00.000z | Text | Optional | |
Type | Enter the type to limit the results to only actions with the specified type. Example: ["PATCH_ALERT"] | List | Optional | Allowed values are PATCH_ALERT and CREATE_INVESTIGATION |
Sort Fields | Enter the sort fields. Example: CREATED_AT | Text | Optional | Allowed values are CREATED_AT and TASK_COUNT |
Sort Order | Enter the sort order. Example: desc | Text | Optional | Allowed values are ASC and DESC. |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Status | Enter the status to limit the results to only actions with a specified status. Example: PENDING | Text | Optional | Allowed values are PENDING, RUNNING, FAILED, COMPLETE_WITH_ISSUES, and COMPLETED. |
Has Failed Task | Enter true to limit the results to only actions that have failed tasks. Example: true, false | Boolean | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
actions | Array of Objects | List of actions taken. |
actions.rrn | String | Resource reference number for the action. |
actions.type | String | Type of action taken. Example: "PATCH_ALERT" |
actions.created_at | String | Date and time the action was created. Example: "2019-08-24T14:15:22Z" |
actions.task_count | Number | Number of tasks associated with the action. |
actions.request_payload | String | Payload of the request related to the action. |
actions.metadata | Array of Objects | Additional metadata for the action. |
actions.metadata.key | String | Key for the metadata entry. |
actions.metadata.value | String | Value for the metadata entry. |
actions.metadata.display | String | Display name for the metadata entry. |
metadata | Object | Metadata about the response. |
metadata.index | Number | Current index in pagination. |
metadata.size | Number | Number of items per page. |
metadata.items_in_index | Number | Number of items in the current index. |
metadata.total_items | Number | Total number of items across all indices. |
metadata.is_last_index | Boolean | Indicates if the current index is the last one. Example: true |
region_failures | Array of Objects | Failures by region. |
region_failures.region | String | Region where the failure occurred. |
region_failures.message | String | Message describing the failure. |
Action: Retrieve Alert Action Tasks
This action retrieves the tasks associated with a single alert action. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action RRN | Enter the unique identifier for the action. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Status | Enter the status to limit the results to only tasks with a specified status. Example: PENDING | Text | Optional | Allowed values are PENDING, RUNNING, FAILED, COMPLETE_WITH_ISSUES, and COMPLETED. |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
tasks | Array of Objects | List of tasks with their details. |
tasks.rrn | String | Resource reference number for the task. |
tasks.item_identifier | String | Identifier for the item associated with the task. |
tasks.status | String | Status of the task. Example: "PENDING" |
tasks.failure_reason | String | Reason for the task's failure, if any. |
metadata | Object | Metadata about the response. |
metadata.index | Number | Current index in pagination. |
metadata.size | Number | Number of items per page. |
metadata.items_in_index | Number | Number of items in the current index. |
metadata.total_items | Number | Total number of items across all indices. |
metadata.is_last_index | Boolean | Indicates if the current index is the last one. Example: true |
region_failures | Array of Objects | Failures by region. |
region_failures.region | String | Region where the failure occurred. |
region_failures.message | String | Message describing the failure. |
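The Retrieve Alert Actions and Retrieve Alert Action Tasks responses above are paginated the same way: the caller walks `Index` until `metadata.is_last_index` is true, and any `region_failures` entries mean the page is incomplete for that region. The following is an added example (not code from the Rapid7 InsightIDR app or Orchestrate) of a pager that honours those fields and refuses to treat a partial result as a complete one. `fetch_page(index, size)` is a stand-in for whatever issues the request; the action records, RRNs and the region failure are constructed for the demonstration.

```python
"""Page through a paginated MDR response (Retrieve Alert Actions, Retrieve Alert
Action Tasks) using the documented metadata fields.

Added example, not code from the Rapid7 InsightIDR app or Orchestrate. The
fetch_page(index, size) callable is a stand-in for whatever issues the request;
the page data below is constructed for the demonstration.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Page = Dict[str, object]


def paginate(fetch_page: Callable[[int, int], Page], item_key: str,
             size: int = 10, max_pages: int = 1000) -> Tuple[List[dict], List[dict]]:
    """Collect every item under item_key ("actions" or "tasks") across all pages,
    plus every region_failures entry, so partial results are never mistaken for
    complete ones.

    Stops on metadata.is_last_index; if that flag is absent, falls back to
    metadata.total_items; an empty page or max_pages ends the loop as a last
    resort (a server that never signals the last page must not spin forever).
    """
    items: List[dict] = []
    failures: List[dict] = []
    for index in range(max_pages):
        page = fetch_page(index, size)
        meta = page.get("metadata") or {}
        page_items = list(page.get(item_key) or [])
        # The server states how many items this index holds; a mismatch means
        # a truncated or malformed page, which must not be silently accepted.
        declared = meta.get("items_in_index")
        if declared is not None and declared != len(page_items):
            raise ValueError(f"page {index}: items_in_index={declared}, got {len(page_items)}")
        items.extend(page_items)
        failures.extend(page.get("region_failures") or [])
        is_last = meta.get("is_last_index")
        if is_last is None:
            total = meta.get("total_items")
            is_last = total is None or len(items) >= total
        if is_last or not page_items:
            break
    return items, failures


# Constructed sample: 25 alert actions, served in pages of 10. RRNs are placeholders.
SAMPLE_ACTIONS = [
    {"rrn": f"rrn:sample:action:{i:03d}",
     "type": "PATCH_ALERT" if i % 2 else "CREATE_INVESTIGATION",
     "created_at": "2019-08-24T14:15:22Z",
     "task_count": i % 4}
    for i in range(25)
]


def sample_fetcher(records: List[dict], item_key: str) -> Callable[[int, int], Page]:
    """Serve records in pages shaped like the action's response. Page 1 also
    carries a constructed region failure to show that it is surfaced."""
    def fetch_page(index: int, size: int) -> Page:
        start = index * size
        chunk = records[start:start + size]
        failures = [{"region": "eu", "message": "constructed: region timed out"}] if index == 1 else []
        return {
            item_key: chunk,
            "metadata": {"index": index, "size": size, "items_in_index": len(chunk),
                         "total_items": len(records),
                         "is_last_index": start + size >= len(records)},
            "region_failures": failures,
        }
    return fetch_page


def collect_sample_actions() -> Tuple[List[dict], List[dict], Dict[str, int]]:
    """Run the pager over the constructed sample and summarise actions by type."""
    actions, failures = paginate(sample_fetcher(SAMPLE_ACTIONS, "actions"), "actions", size=10)
    by_type = dict(Counter(a["type"] for a in actions))
    return actions, failures, by_type


if __name__ == "__main__":
    actions, failures, by_type = collect_sample_actions()
    print(f"{len(actions)} actions, by type: {by_type}")
    for f in failures:
        print(f"WARNING region {f['region']} failed: {f['message']} (results may be incomplete)")
```

For tasks, call `paginate(fetch, "tasks")`; the metadata handling is identical. A region failure is returned to the caller rather than logged and dropped, because a playbook that closes or reassigns alerts on the strength of "no matching actions found" should know when a region did not answer.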
Action: Retrieve Alert Actors
This action retrieves the actors associated with a single alert. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the alert RRN. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
actors | Array of Objects | List of actors or entities. |
actors.rrn | String | Global unique identifier for the actor. |
actors.id | String | Identifier of the actor. |
actors.type | String | Type of the actor. |
actors.display_name | String | Display name of the actor. |
metadata | Object | Metadata about the collection of actors. |
metadata.index | Number | Index of the current set of actors. |
metadata.size | Number | Size of the current set of actors. |
metadata.items_in_index | Number | Number of items in the current index. |
metadata.total_items | Number | Total number of items across all indexes. |
metadata.is_last_index | Boolean | Indicator if the current index is the last one. |
Action: Retrieve Alert Field Values
This action retrieves the alert field values for the specified field ID. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Field ID | Enter the field ID. Example: 73654 | Integer | Required | |
Search | Enter the search. Example: malware | Text | Optional | |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
values | Array of Objects | List of values. |
values.value | String | The main value |
values.display | String | The display value associated with the main value. |
values.additional_displays | Array of Objects | List of additional displays. |
values.additional_displays.name | String | Name of the additional display. |
values.additional_displays.display | String | The display value associated with the additional display. |
metadata | Object | Metadata information. |
metadata.index | Number | The index value. |
metadata.size | Number | The size value. |
metadata.items_in_index | Number | Number of items in the index. |
metadata.total_items | Number | Total number of items. |
metadata.is_last_index | Boolean | Indicates if it is the last index, e.g., true. |
region_failures | Array of Objects | List of region failures. |
region_failures.region | String | The region associated with the failure. |
region_failures.message | String | The message describing the failure. |
Action: Retrieve All Alert Fields
This action retrieves all the alert fields. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Path | Enter the path to limit results to only fields that are the same as or less than this value. Example: process | Text | Optional | |
Path Depth | Enter the path depth. Example: 1 | Integer | Optional | Value must be greater than or equal to 1. |
Search | Enter the search term. Example: malware | Text | Optional | |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
fields | Array of Objects | List of fields. |
fields.id | String | The ID of the field. |
fields.is_enumerable | Boolean | Indicates if the field is enumerable. |
fields.is_searchable | Boolean | Indicates if the field is searchable. |
fields.is_sortable | Boolean | Indicates if the field is sortable. |
fields.is_aggregateable | Boolean | Indicates if the field is aggregateable. |
fields.display_groups | Array of Objects | List of display groups. |
fields.display_groups.name | String | The name of the display group. |
fields.display_groups.is_column | Boolean | Indicates if the display group is a column. |
fields.display_groups.has_children | Boolean | Indicates if the display group has children. |
metadata | Object | Metadata information. |
metadata.index | Number | The index value. |
metadata.size | Number | The size value. |
metadata.items_in_index | Number | Number of items in the index. |
metadata.total_items | Number | Total number of items. |
metadata.is_last_index | Boolean | Indicates if it is the last index. |
region_failures | Array of Objects | List of region failures. |
region_failures.region | String | The region associated with the failure, if any. |
region_failures.message | String | The message describing the failure, if any. |
Action: Retrieve All Process Tree
This action retrieves all process trees for an alert. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the unique identifier of the alert. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Force Refresh | Enter true to indicate whether forced refresh is enabled for the process tree. Example: true, false | Boolean | Required | When true, the tree is regenerated regardless of the available data; otherwise the cached version is returned if available. Note that regeneration is an expensive operation, so response times may be high. |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Branch | Enter the branch number to generate the process tree with. Example: 9 | Integer | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
process_trees | Array of Objects | List of process trees. |
process_trees.rrn | String | Resource reference number. |
process_trees.creator | String | Creator of the resource. |
process_trees.created_at | String | Date and time the resource was created. Example: "2019-08-24T14:15:22Z" |
process_trees.updated_at | String | Date and time the resource was last updated. Example: "2019-08-24T14:15:22Z" |
process_trees.alert_rrn | String | Reference number of the related alert. |
process_trees.tree_uuid | String | UUID of the process tree. |
process_trees.process_tree | Object | Details about the process tree. |
process_trees.process_tree.pid | String | Process ID. |
process_trees.process_tree.name | String | Name of the process. |
process_trees.process_tree.cmdline | String | Command line used to start the process. |
process_trees.process_tree.username | String | Username under which the process is running. |
process_trees.process_tree.start_time | Number | Start time of the process (epoch time). |
process_trees.process_tree.hashes | Object | Hashes associated with the process. |
process_trees.process_tree.hashes.md5 | String | MD5 hash of the process. |
process_trees.process_tree.hashes.sha1 | String | SHA1 hash of the process. |
process_trees.process_tree.hashes.sha256 | String | SHA256 hash of the process. |
process_trees.process_tree.children | Array of Objects | Child processes. |
process_trees.new_starts | Number | Count of new process starts. |
process_trees.snapshots | Number | Count of snapshots taken. |
process_trees.refresh_status | Boolean | Indicates if the refresh status is true or false. Example: true |
metadata | Object | Metadata about the process trees. |
metadata.index | Number | Index of the metadata. |
metadata.size | Number | Size of the metadata. |
metadata.items_in_index | Number | Number of items in the index. |
metadata.total_items | Number | Total number of items. |
metadata.is_last_index | Boolean | Indicates if it is the last index. Example: true |
Action: Retrieve Assignee for a Single Alert
This action retrieves the users that are assigned to a single alert. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the alert RRN. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Search | Limits the results to those containing the search term. | Text | Optional | |
Action: Retrieve Assignee for Multiple Alerts
This action retrieves the users that could be assigned to multiple alerts. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time of the range to search. Example: 2020-01-01t00:00:00.000z | Text | Required | |
End Time | Enter the end time of the range to search. Example: 2020-01-01t00:00:00.000z | Text | Required | |
LEQL Query | Enter the LEQL query. Example: (where(931dde6c60>=800)) | Text | Required | |
Terms | Enter the search terms to match against. Example: {"key":"value"} | Key Value | Required | |
Index | The index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page you want to retrieve. Example: 10 | Integer | Optional | |
Search | Enter the search criteria. Example: malware | Text | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
users | Array of Objects | List of users. |
users.id | String | Identifier of the user. |
users.email | String | Email address of the user. |
users.name | String | Name of the user. |
metadata | Object | Metadata about the collection of users. |
metadata.index | Number | Index of the current set of users. |
metadata.size | Number | Size of the current set of users. |
metadata.items_in_index | Number | Number of items in the current index. |
metadata.total_items | Number | Total number of items across all indexes. |
metadata.is_last_index | Boolean | Indicator if the current index is the last one. |
Action: Retrieve Multiple Alerts
This action retrieves multiple alerts by the specified alert RRNs. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRNs | Enter the RRNs of the alerts to retrieve. Example: ["0bnc17f4-bbbe-46b1-a843-163c074bd1ad", "0bnc17f4-bbbe-46b1-a843-163c074bd1ad"] | List | Required | |
Field IDs | Enter the field IDs of additional fields to include for each alert. No additional fields are included if this parameter is empty. Example: ["key1", "key2"] | List | Optional | |
Strict | Choose true to return a 404 error if no alerts are found. Example: true | Boolean | Optional | |
Action: Retrieve Process Tree
This action retrieves a single process tree for an alert. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the unique identifier of the alert. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Process Tree RRN | Enter the unique identifier of the process tree. Example: 1cft17f4-bbbe-46b1-a843-163ciqabd1ad | Text | Required | |
Force Refresh | Enter true to indicate whether forced refresh is enabled for the process tree. Example: true, false | Boolean | Required | |
Branch | Enter the branch number to generate the process tree with. Example: 6 | Integer | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
rrn | String | Resource reference number. |
creator | String | Creator of the resource. |
created_at | String | Date and time the resource was created. Example: "2019-08-24T14:15:22Z" |
updated_at | String | Date and time the resource was last updated. Example: "2019-08-24T14:15:22Z" |
alert_rrn | String | Reference number of the related alert. |
tree_uuid | String | UUID of the process tree. |
process_tree | Object | Details about the process tree. |
process_tree.pid | String | Process ID. |
process_tree.name | String | Name of the process. |
process_tree.cmdline | String | Command line used to start the process. |
process_tree.username | String | Username under which the process is running. |
process_tree.start_time | Number | Start time of the process (epoch time). |
process_tree.hashes | Object | Hashes associated with the process. |
process_tree.hashes.md5 | String | MD5 hash of the process. |
process_tree.hashes.sha1 | String | SHA1 hash of the process. |
process_tree.hashes.sha256 | String | SHA256 hash of the process. |
process_tree.children | Array of Objects | Child processes. |
new_starts | Number | Count of new process starts. |
snapshots | Number | Count of snapshots taken. |
refresh_status | Boolean | Indicates if the refresh status is true or false. |
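Both Retrieve All Process Tree (a list under `process_trees`) and Retrieve Process Tree (one tree at top level) return the same nested `process_tree` object, whose `children` array recurses. The following is an added example, not code from the Rapid7 InsightIDR app or Orchestrate, that flattens either response into one record per process, tagged with its tree's `rrn`, and collects the distinct `hashes.sha256` values with the process names seen for each, which is the list an analyst hands to enrichment or compares against a known-good software inventory. It assumes only the field shape documented above; the sample trees, RRNs and every hash value are constructed placeholders.

```python
"""Flatten the process tree objects returned by Retrieve All Process Tree and
Retrieve Process Tree into per-process records for triage.

Added example, not code from the Rapid7 InsightIDR app or Orchestrate. It assumes
only the documented shape (process_tree with pid, name, cmdline, username,
start_time, hashes{md5,sha1,sha256}, children[]); the sample trees and every
hash value below are constructed placeholders.
"""
from typing import Dict, Iterator, List, Optional


def walk(node: dict, depth: int = 0, parent_pid: Optional[str] = None) -> Iterator[dict]:
    """Pre-order, depth-first traversal: one flat record per process node.
    A node without a hashes object (telemetry gap) yields sha256=None instead of failing."""
    hashes = node.get("hashes") or {}
    yield {
        "depth": depth,
        "pid": node.get("pid"),
        "parent_pid": parent_pid,
        "name": node.get("name"),
        "cmdline": node.get("cmdline"),
        "username": node.get("username"),
        "start_time": node.get("start_time"),
        "sha256": hashes.get("sha256"),
    }
    for child in node.get("children") or []:
        yield from walk(child, depth + 1, node.get("pid"))


def flatten_response(response: dict) -> List[dict]:
    """Accept either action's response: a list under process_trees, or a single
    tree object at top level. Each record is tagged with its tree's rrn."""
    trees = response.get("process_trees")
    if trees is None:
        trees = [response]
    records: List[dict] = []
    for tree in trees:
        root = tree.get("process_tree")
        if not root:
            continue
        for rec in walk(root):
            rec["tree_rrn"] = tree.get("rrn")
            records.append(rec)
    return records


def unique_hashes(records: List[dict]) -> Dict[str, List[str]]:
    """Distinct sha256 values and the process names seen with each one."""
    seen: Dict[str, List[str]] = {}
    for rec in records:
        digest = rec["sha256"]
        if not digest:
            continue
        names = seen.setdefault(digest, [])
        if rec["name"] not in names:
            names.append(rec["name"])
    return seen


def render(records: List[dict]) -> str:
    """Indented ancestry view, the form an analyst reads first."""
    return "\n".join(
        f"{'  ' * r['depth']}{r['name']} [pid {r['pid']}, user {r['username']}] {r['cmdline']}"
        for r in records
    )


# Constructed sample; the hashes are repeated-byte placeholders, not real file hashes.
H_EXPLORER, H_CMD, H_OUTLOOK, H_SVCHOST = "a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32

SAMPLE_ALL_RESPONSE = {
    "process_trees": [
        {"rrn": "rrn:sample:tree:1", "alert_rrn": "rrn:sample:alert:1",
         "process_tree": {
             "pid": "100", "name": "explorer.exe", "cmdline": "explorer.exe",
             "username": "WORKSTATION\\alice", "start_time": 1566655000,
             "hashes": {"sha256": H_EXPLORER},
             "children": [
                 {"pid": "200", "name": "cmd.exe", "cmdline": "cmd.exe /c script.cmd",
                  "username": "WORKSTATION\\alice", "start_time": 1566655100,
                  "hashes": {"sha256": H_CMD},
                  "children": [
                      {"pid": "300", "name": "powershell.exe",
                       "cmdline": "powershell.exe -File audit.ps1",
                       "username": "WORKSTATION\\alice", "start_time": 1566655200,
                       # hashes deliberately absent: a telemetry gap the walker must tolerate
                       "children": []}]},
                 {"pid": "210", "name": "outlook.exe", "cmdline": "outlook.exe",
                  "username": "WORKSTATION\\alice", "start_time": 1566655050,
                  "hashes": {"sha256": H_OUTLOOK}, "children": []}]}},
        {"rrn": "rrn:sample:tree:2", "alert_rrn": "rrn:sample:alert:1",
         "process_tree": {"pid": "400", "name": "svchost.exe", "cmdline": "svchost.exe -k netsvcs",
                          "username": "NT AUTHORITY\\SYSTEM", "start_time": 1566655300,
                          "hashes": {"sha256": H_SVCHOST}, "children": []}},
    ],
    "metadata": {"index": 0, "size": 10, "items_in_index": 2, "total_items": 2, "is_last_index": True},
}

if __name__ == "__main__":
    recs = flatten_response(SAMPLE_ALL_RESPONSE)
    print(render(recs))
    print({h[:8] + "...": names for h, names in unique_hashes(recs).items()})
```

Records carry `parent_pid` and `depth` so that the ancestry can be reconstructed after the rows are stored flat (for example in a case note or a lookup table), and `sha256` is `None` for a node the sensor did not hash rather than an exception, since a missing hash on one child should not abort triage of the whole tree.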
Action: Retrieve Single Alert
This action retrieves a single alert based on the specified alert RRN. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the unique identifier of the alert. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
rrn | String | Unique identifier for the record. |
version | Number | Version number of the record. |
created_at | String | Timestamp when the record was created. |
updated_at | String | Timestamp when the record was last updated. |
alerted_at | String | Timestamp when the record was last alerted. |
ingested_at | String | Timestamp when the record was ingested. |
external_source | String | Name of the external source providing the data. |
external_id | String | External identifier associated with the record. |
organization | Object | Information about the organization associated with the record. |
organization.id | String | Identifier of the organization. |
organization.name | String | Name of the organization. |
organization.region | String | Region where the organization is located. |
organization.product_token | String | Token associated with the organization's product. |
organization.customer_id | String | Identifier of the customer within the organization. |
organization.customer_name | String | Name of the customer within the organization. |
organization.customer_code | String | Code associated with the customer. |
organization.customer_group | String | Group or category the customer belongs to. |
organization.flags | Array of Strings | Flags associated with the organization. |
title | String | Title or name associated with the record. |
type | String | Type of the record. |
rule | Object | Details of the rule associated with the record. |
rule.rrn | String | Rule identifier. |
rule.name | String | Name of the rule. |
rule.mitre_tcodes | Array of Strings | MITRE ATT&CK technique codes (T-codes) associated with the rule. |
rule.version_rrn | String | Version identifier of the rule. |
rule_matching_keys | Array of Objects | Keys used for matching rules. |
rule_matching_keys.key | String | Key used for matching rules. |
rule_matching_keys.values | Array of Strings | Values associated with the matching key. |
rule_keys_of_interest | Array of Objects | Keys of interest for rules. |
rule_keys_of_interest.key | String | Key of interest for rules. |
rule_keys_of_interest.values | Array of Strings | Values associated with the key of interest. |
responsibility | String | Responsibility status associated with the record. |
monitored | Boolean | Flag indicating if the record is monitored. |
assignee | Object | Details of the assignee responsible for the record. |
assignee.at | String | Timestamp when the assignee was assigned. |
assignee.id | String | Identifier of the assignee. |
assignee.email | String | Email address of the assignee. |
assignee.first_name | String | First name of the assignee. |
assignee.last_name | String | Last name of the assignee. |
priority | String | Priority status associated with the record. |
status | String | Status of the record. |
status_transitions | Object | Transition times for status changes. |
status_transitions.seconds_to_first_investigating | Number | Seconds elapsed to first investigating status. |
status_transitions.seconds_to_first_closed | Number | Seconds elapsed to first closed status. |
disposition | String | Disposition status associated with the record. |
investigation_rrn | String | Unique identifier for the associated investigation. |
tags | Array of Strings | Tags associated with the record. |
permissions | Object | Permissions associated with the record. |
permissions.canEdit | Boolean | Flag indicating if editing is permitted. |
fields | Array of Objects | Custom fields associated with the record. |
fields.id | String | Identifier of the field. |
fields.values | Array of Strings | Values associated with the field. |
Action: Retrieve Single Alert Field
This action returns a single field based on the field identifier. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Field ID | Enter the field ID. Example: 9873546 | Integer | Required | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
id | String | Identifier. |
is_enumerable | Boolean | Indicates if the field is enumerated, e.g., true. |
is_searchable | Boolean | Indicates if the field is searchable, e.g., true. |
is_sortable | Boolean | Indicates if the field is sortable, e.g., true. |
is_aggregateable | Boolean | Indicates if the field is aggregateable, e.g., true. |
display_groups | Array of Objects | List of display groups the field belongs to. |
display_groups.name | String | Name of the display group. |
display_groups.is_column | Boolean | In this group, indicates whether the field can be displayed as a table column, e.g., true. |
display_groups.has_children | Boolean | In this group, indicates whether other fields are nested beneath the field (for example, if other fields exist that have the field as part of their path). |
Action: Search Alerts
This action is used to return alerts that match the search criteria. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start time | Enter the start time of the range to search. Example: 2020-01-01t00:00:00.000z | Text | Required | |
Terms | Enter the search terms. Example: [ { "field_ids": [ "string" ] | List | Required | |
Sort | Enter the sort order. Example: [{"field_id": "string","order": "ASCENDING_NULLS_LAST"}] | List | Optional | Allowed values for order are ASCENDING_NULLS_LAST, ASCENDING_NULLS_FIRST, DESCENDING_NULLS_LAST, and DESCENDING_NULLS_FIRST. |
LEQL query | The LEQL 'where' clause to match against. Example: (where(931dde6c60>=800)) | Text | Optional | |
End time | Enter the end time of the range to search. Example: 2020-01-01t00:00:00.000z | Text | Optional | |
RRN Only | Specify whether the response returns only the alert RRNs or the RRNs together with the alert details. | Boolean | Optional | If you set it to TRUE, the response returns the RRNs only. If you set it to FALSE or leave it unspecified, the response returns the RRNs and the alert details. |
Index | Enter the index of the page to retrieve (zero-indexed). Example: 0 | Integer | Optional | |
Size | Enter the size of the page to retrieve. Example: 10 | Integer | Optional | |
Extra params | Enter the extra params. Example: { "name": "string", "type": "bucket", "fields": [ { "field_id": "string", "interval": 0, "order": "ASCENDING_NULLS_LAST" } | Key Value | Optional | |
Field IDs | Enter the field IDs of the alert. Example: ["key1", "key2"] | List | Optional | |
Aggregates | Enter the aggregations to apply for all matching results. Example: [{ "name": "string", "type": "bucket", "fields": [ { "field_id": "string", "interval": 0, "order": "ASCENDING_NULLS_LAST" }] | List | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
rrns | Array of Strings | Array of unique identifiers (RRNs) of the alerts. |
alerts | Array of Objects | Array of alert objects. |
alerts.rrn | String | Unique identifier for the alert record. |
alerts.version | Number | Version number of the alert. |
alerts.created_at | String | Timestamp when the alert was created. |
alerts.updated_at | String | Timestamp when the alert was last updated. |
alerts.alerted_at | String | Timestamp when the alert was last alerted. |
alerts.ingested_at | String | Timestamp when the alert was ingested. |
alerts.external_source | String | Name of the external source providing the alert data. |
alerts.external_id | String | External identifier associated with the alert record. |
alerts.organization | Object | Information about the organization associated with the alert record. |
alerts.organization.id | String | Identifier of the organization. |
alerts.organization.name | String | Name of the organization. |
alerts.organization.region | String | Region where the organization is located. |
alerts.organization.product_token | String | Token associated with the organization's product. |
alerts.organization.customer_id | String | Identifier of the customer within the organization. |
alerts.organization.customer_name | String | Name of the customer within the organization. |
alerts.organization.customer_code | String | Code associated with the customer. |
alerts.organization.customer_group | String | Group or category the customer belongs to. |
alerts.organization.flags | Array of Strings | Flags associated with the organization. |
alerts.title | String | Title or name associated with the alert record. |
alerts.type | String | Type of the alert record. |
alerts.rule | Object | Details of the rule associated with the alert record. |
alerts.rule.rrn | String | Rule identifier. |
alerts.rule.name | String | Name of the rule. |
alerts.rule.mitre_tcodes | Array of Strings | MITRE ATT&CK technique codes (T-codes) associated with the rule. |
alerts.rule.version_rrn | String | Version identifier of the rule. |
alerts.rule_matching_keys | Array of Objects | Keys used for matching rules. |
alerts.rule_matching_keys.key | String | Key used for matching rules. |
alerts.rule_matching_keys.values | Array of Strings | Values associated with the matching key. |
alerts.rule_keys_of_interest | Array of Objects | Keys of interest for rules. |
alerts.rule_keys_of_interest.key | String | Key of interest for rules. |
alerts.rule_keys_of_interest.values | Array of Strings | Values associated with the key of interest. |
alerts.responsibility | String | Responsibility status associated with the alert record. |
alerts.monitored | Boolean | Flag indicating if the alert record is monitored. |
alerts.assignee | Object | Details of the assignee responsible for the alert record. |
alerts.assignee.at | String | Timestamp when the assignee was assigned. |
alerts.assignee.id | String | Identifier of the assignee. |
alerts.assignee.email | String | Email address of the assignee. |
alerts.assignee.first_name | String | First name of the assignee. |
alerts.assignee.last_name | String | Last name of the assignee. |
alerts.priority | String | Priority status associated with the alert record. |
alerts.status | String | Status of the alert record. |
alerts.status_transitions | Object | Transition times for status changes. |
alerts.status_transitions.seconds_to_first_investigating | Number | Seconds elapsed to first investigating status. |
alerts.status_transitions.seconds_to_first_closed | Number | Seconds elapsed to first closed status. |
alerts.disposition | String | Disposition status associated with the alert record. |
alerts.investigation_rrn | String | Unique identifier for the associated investigation. |
alerts.tags | Array of Strings | Tags associated with the alert record. |
alerts.permissions | Object | Permissions associated with the alert record. |
alerts.permissions.canEdit | Boolean | Flag indicating if editing is permitted. |
alerts.fields | Array of Objects | Custom fields associated with the alert record. |
alerts.fields.id | String | Identifier of the field. |
alerts.fields.values | Array of Strings | Values associated with the field. |
metadata | Object | Metadata related to the collection of alerts. |
metadata.index | Number | Index of the current batch of alerts. |
metadata.size | Number | Size of the current batch of alerts. |
metadata.items_in_index | Number | Number of items in the current index. |
metadata.total_items | Number | Total number of items in the collection. |
metadata.is_last_index | Boolean | Flag indicating if the current index is the last. |
aggregates | Array of Objects | Aggregates related to the alerts. |
aggregates.name | String | Name of the aggregate. |
aggregates.type | String | Type of the aggregate. |
aggregates.value | Object | Value associated with the aggregate. |
aggregates.field_ids | Array of Strings | Identifiers of fields associated with the aggregate. |
aggregates.buckets | Array of Objects | Buckets associated with the aggregate. |
aggregates.buckets.keys | Array of Arrays of Strings | Keys within the bucket. |
aggregates.buckets.count | Number | Count of items within the bucket. |
region_failures | Array of Objects | Failures related to specific regions, if any. |
region_failures.region | String | Region where the failure occurred. |
region_failures.message | String | Message describing the failure. |
Action: Search Investigations
This action searches for investigations.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters. Example: {"multi-customer": "true"} | Key Value | Optional | |
Payload | Enter the payload to search for investigations. Example: {"multi-customer": "true"} | Key Value | Optional | It is recommended to pass payload while searching for investigations. |
Action: Set Status of Investigation
This action sets the status of an investigation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID | Enter the ID of an investigation. Example: 174e4f99-2ac7-4481-9301-4d24c34baf06 | Text | Required | |
Status | Enter the status of the investigation. Example: open | Text | Required | Allowed values: open, closed, investigating |
API Version | Enter the version of the API to use for this request. Example: v2 | Text | Required | Default value: v1 |
Extra Fields | Enter the extra fields to pass to the API. | Key value | Optional | Available keys: disposition, threat_command_close_reason, threat_command_free_text |
Example Request
[ { "id": "174e4f99-2ac7-4481-9301-4d24c34baf06", "status": "open" } ]
Action: Update Investigation
This action updates an investigation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID | Enter the ID of an investigation. Example: "174e4f99-2ac7-4481-9301-4d24c34baf06" | Text | Required | |
Multi Customer | Choose to verify whether this is a multi-customer request. Example: false | Boolean | Optional | Allowed values: true, false. Default value: false |
Assignee | Enter the email ID of the assignee. Example: "john.doe@sampledomain.com" | Text | Optional | |
Priority | Enter the priority of the investigation. Example: "low" | Text | Optional | Allowed values: |
Disposition | Enter the disposition of the investigation. Examples: | Text | Optional | |
Status | Enter the status of the investigation. Examples: | Text | Optional | |
Tags | Enter the tags of the investigation. Example: "tag1, tag2, tag3" | Text | Optional | |
Title | Enter the new name of the investigation. Example: "new_name" | Text | Optional | |
Threat Command Close Reason | Enter the threat command close reason of the investigation. Example: "threat_command_close_reason" | Text | Optional | |
Threat Command Free Text | Enter the threat command free text of the investigation. Example: "threat_command_free_text" | Text | Optional | |
Example Request
[ { "key": "174e4f99-2ac7-4481-9301-4d24c34baf06", "multi_customer": false, "assignee": "john.doe@sampledomain.com", "priority": "low", "disposition": "open", "status": "open", "tags": "tag1, tag2, tag3", "title": "new_name", "threat_command_close_reason": "threat_command_close_reason", "threat_command_free_text": "threat_command_free_text" } ]
Action: Update Multiple Alerts
This action will asynchronously update information for multiple alerts. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start time | Enter the start time. Example: 2020-01-01t00:00:00.000z | Text | Required | |
Terms | Enter the search terms. Example: { "field_ids": "string" } | Key Value | Required | |
Patch | Enter the new information to update the alerts with. Example: {"status":"open"} | Key Value | Required | |
End time | Enter the end time. Example: 2020-01-01t00:00:00.000z | Text | Optional | |
LEQL query | Enter the LEQL query. Example: (where(931dde6c60>=800)) | Text | Optional | |
Action: Update Single Alert
This action will asynchronously update information for a single alert. This action is only available to Managed Detection and Response (MDR) customers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert RRN | Enter the alert RRN. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Alert status | Enter the alert status. | Text | Required | Allowed values: unmapped, open, investigating, waiting, closed |
Disposition value | Enter the disposition value. | Text | Required | Allowed values: unmapped, undecided, malicious, benign, unknown, not_applicable |
Priority value | Enter the priority value. | Text | Required | Allowed values: unmapped, info, low, medium, high, critical |
Assignee ID | Enter the user assigned to the alert. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Investigation RRN | Enter the investigation RRN. Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad | Text | Required | |
Tag value | Enter the tags. Example: ["tag1", "tag2"] | List | Required | |
Tag action | Enter the action to add or remove tags from the alerts. | Text | Required | Allowed values: |
Comments | Enter the reason for updating the alerts, which is captured in the alert audit log for tracking purposes. | Text | Required | |
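As an added example (not part of the connector or its documentation), the following Python guards the inputs of the Set Status of Investigation and Update Single Alert actions above against the allowed values listed in their tables, and builds the list-wrapped body shown in the Set Status Example Request. The UUID-shape check on the investigation ID and the allowlist of extra field keys are this example's own assumptions; the wire-format keys of Update Single Alert are not given on the page, so that function returns values keyed by the table's parameter labels.

```python
"""Input guards for 'Set Status of Investigation' and 'Update Single Alert'.
Added example, not connector code: allowed values and field names are taken
from the tables above; the UUID check and extra-field allowlist are assumptions."""
import uuid

# Allowed values copied from the parameter tables on this page.
INVESTIGATION_STATUS = {"open", "closed", "investigating"}
EXTRA_FIELDS = {"disposition", "threat_command_close_reason",
                "threat_command_free_text"}
ALERT_STATUS = {"unmapped", "open", "investigating", "waiting", "closed"}
ALERT_DISPOSITION = {"unmapped", "undecided", "malicious", "benign",
                     "unknown", "not_applicable"}
ALERT_PRIORITY = {"unmapped", "info", "low", "medium", "high", "critical"}

def require_enum(name, value, allowed):
    """Fail early on values outside the documented allowlist instead of
    letting a malformed playbook variable reach the API."""
    if value not in allowed:
        raise ValueError(f"{name}={value!r} not in {sorted(allowed)}")
    return value

def require_uuid(name, value):
    """Assumption: the investigation ID is UUID-shaped, as in the Example
    Request; anything else (e.g. text lifted from an alert) is refused."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise ValueError(f"{name}={value!r} is not a UUID") from None

def set_status_body(investigation_id, status, extra_fields=None):
    """Build the list-wrapped body shown in the Set Status Example Request,
    accepting only the three documented extra-field keys."""
    extra = dict(extra_fields or {})
    unknown = set(extra) - EXTRA_FIELDS
    if unknown:
        raise ValueError(f"unsupported extra fields: {sorted(unknown)}")
    body = {"id": require_uuid("ID", investigation_id),
            "status": require_enum("Status", status, INVESTIGATION_STATUS)}
    body.update(extra)
    return [body]

def check_alert_update(status, disposition, priority):
    """Validate the enumerated 'Update Single Alert' inputs; results are keyed
    by the table's parameter labels (wire-format keys are not documented here)."""
    return {"Alert status": require_enum("Alert status", status, ALERT_STATUS),
            "Disposition value": require_enum("Disposition value", disposition, ALERT_DISPOSITION),
            "Priority value": require_enum("Priority value", priority, ALERT_PRIORITY)}
```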