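# Cortex XSOAR integration definition for Rapid7 InsightIDR (metadata and
# instance configuration). Indentation restored; sequences use flush style.
category: Analytics & SIEM
sectionOrder:
- Connect
- Collect
commonfields:
  id: Rapid7 InsightIDR
  version: -1
configuration:
- display: Insight cloud server region
  name: region
  options:
  - US
  - EU
  - CA
  - AU
  - AP
  required: true
  type: 15
  section: Connect
# Hidden, non-required API-key field; presumably retained for instances that
# were configured before apikey_creds existed — confirm before removing.
- display: InsightIDR API key
  name: apiKey
  type: 4
  section: Connect
  hidden: true
  required: false
# Credentials-type parameter (type 9) that new instances should use for the
# API key; the username half is hidden because only the key is needed.
- name: apikey_creds
  type: 9
  section: Connect
  displaypassword: InsightIDR API key
  hiddenusername: true
  required: false
- display: Fetch incidents
  name: isFetch
  type: 8
  section: Collect
  required: false
# NOTE(review): incidentType sits under Connect while the other fetch-related
# parameters are under Collect — verify the intended section.
- display: Incident type
  name: incidentType
  type: 13
  section: Connect
  required: false
- defaultvalue: '7 days'
  display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  name: first_fetch
  type: 0
  section: Collect
  required: false
- display: Fetch Limit
  name: max_fetch
  type: 0
  section: Collect
  additionalinfo: Max number of alerts per fetch. Default is 50.
  defaultvalue: '50'
  required: false
# Disables TLS certificate verification for API calls; advanced, off by default.
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
  section: Connect
  advanced: true
  required: false
- advanced: true
  display: Use system proxy settings
  name: proxy
  section: Connect
  type: 8
  required: false
description: 'Rapid7 InsightIDR is a cloud-based SIEM that detects and responds to security incidents.'
display: Rapid7 InsightIDR
name: Rapid7 InsightIDR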
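# Command definitions for the Rapid7 InsightIDR integration. Indentation
# restored; argument/output descriptions corrected where they were garbled
# or copy-pasted from a neighbouring command.
script:
  commands:
  - arguments:
    - description: An optional time range string (e.g., 1 week, 1 day).
      name: time_range
    - description: "Only investigations whose createTime is after this date will be returned. If this argument is omitted, investigations with any create_time may be returned. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
      name: start_time
    - description: "Only investigations whose createTime is before this date will be returned. If this argument is omitted, investigations with any create_time may be returned. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
      name: end_time
    - auto: PREDEFINED
      description: Only investigations whose status matches one of the entries in the list will be returned. If this argument is omitted, all investigations will be returned.
      name: statuses
      predefined:
      - open
      - closed
    - description: The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0.
      name: index
    - description: The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 1000.
      name: page_size
    description: List all open/closed investigations. You can filter results by time range and investigation status.
    name: rapid7-insight-idr-list-investigations
    outputs:
    - contextPath: Rapid7InsightIDR.Investigation.title
      description: Title of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.id
      description: ID of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.status
      description: Status of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.created_time
      description: Time the investigation was created.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.source
      description: Source of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee.email
      description: Email address of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee.name
      description: Name of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.type
      description: Type of alert in the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
      description: Description of the type of the alert in the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
      description: First event time of the alert in the investigation.
      type: String
  - arguments:
    - description: ID of the investigation to get.
      name: investigation_id
      required: true
    description: Gets a single investigation (open or closed).
    name: rapid7-insight-idr-get-investigation
    outputs:
    - contextPath: Rapid7InsightIDR.Investigation.title
      description: Title of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.id
      description: ID of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.status
      description: Status of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.created_time
      description: Time the investigation was created.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.source
      description: Source of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee.email
      description: Email address of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee.name
      description: Name of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.type
      description: Type of alert in the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
      description: Description of the type of the alert in the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
      description: First event time of the alert in the investigation.
      type: String
  # Bulk close: both time bounds are required here, unlike list-investigations,
  # so the "if omitted" wording was dropped from their descriptions.
  - arguments:
    - description: "Only investigations whose createTime is after this date will be closed. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
      name: start_time
      required: true
    - description: "Only investigations whose createTime is before this date will be closed. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
      name: end_time
      required: true
    - auto: PREDEFINED
      description: The name of an investigation source. Only investigations from this source will be closed. If the source is ALERT, an alert type must be specified as well. Can be "ALERT", "MANUAL", or "HUNT".
      name: source
      predefined:
      - ALERT
      - MANUAL
      - HUNT
      required: true
    - description: The category of alerts to close. This argument is required if the source is ALERT and ignored for other sources. This value must be an exact match of the alert type returned by the List Investigations response.
      isArray: true
      name: alert_type
    - description: The maximum number of alerts to close with this request. If this argument is not specified then there is no maximum. If this limit is exceeded, then a 400 error response is returned. The minimum value is 0.
      name: max_investigations_to_close
    description: Bulk closes investigations according to the specified investigation create-time date range. You can specify the maximum number of alerts to close per call. If that maximum is exceeded a 400 error response is returned.
    name: rapid7-insight-idr-close-investigations
    outputs:
    - contextPath: Rapid7InsightIDR.Investigation.id
      description: ID of the investigation.
      type: String
  - arguments:
    - description: ID of the investigation to assign the user to.
      isArray: true
      name: investigation_id
      required: true
    - description: The email address of the user to assign to this investigation. This must be the same email address used to log in to the Insight platform.
      name: user_email_address
      required: true
    description: Assigns a user to an investigation according to the specified user email address.
    name: rapid7-insight-idr-assign-user
    outputs:
    - contextPath: Rapid7InsightIDR.Investigation.title
      description: Title of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.id
      description: ID of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.status
      description: Status of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.created_time
      description: Time the investigation was created.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.source
      description: Source of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee.email
      description: Email address of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee.name
      description: Name of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.type
      description: Type of alert in the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
      description: Description of the type of the alert in the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
      description: First event time of the alert in the investigation.
      type: String
  - arguments:
    - description: ID of the investigation to set the status of.
      isArray: true
      name: investigation_id
      required: true
    - auto: PREDEFINED
      description: The new status for the investigation. Can be "open" or "closed".
      name: status
      predefined:
      - open
      - closed
      required: true
    description: Sets the investigation status to either open or closed.
    name: rapid7-insight-idr-set-status
    # NOTE(review): these context paths (assignee_email, assignee_name,
    # alert_type) differ from the dotted paths the other investigation
    # commands declare (assignee.email, assignee.name, alert.type). Left as
    # declared because the paths the code actually emits are not visible here;
    # confirm against the implementation before aligning them.
    outputs:
    - contextPath: Rapid7InsightIDR.Investigation.title
      description: Title of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.id
      description: ID of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.status
      description: Status of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.created_time
      description: Time the investigation was created.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.source
      description: Source of the investigation.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee_email
      description: Email address of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.assignee_name
      description: Name of the investigation assignee.
      type: String
    - contextPath: Rapid7InsightIDR.Investigation.alert_type
      description: Type of alert in the investigation.
      type: String
  - arguments:
    - description: Key of the threat (or threats) to add indicators to.
      isArray: true
      name: key
      required: true
    - description: IP address indicators to add.
      isArray: true
      name: ip_addresses
    - description: "Hash indicators to add."
      isArray: true
      name: hashes
    - description: Domain indicators to add.
      isArray: true
      name: domain_names
    - description: URL indicators to add.
      isArray: true
      name: url
    description: Adds new indicators to a threat (IP addresses, hashes, domains, and URLs).
    name: rapid7-insight-idr-add-threat-indicators
    outputs:
    - contextPath: Rapid7InsightIDR.Threat.name
      description: Name of the threat.
      type: String
    - contextPath: Rapid7InsightIDR.Threat.note
      description: Notes for the threat.
      type: String
    - contextPath: Rapid7InsightIDR.Threat.indicator_count
      description: How many indicators the threat has.
      type: Number
    - contextPath: Rapid7InsightIDR.Threat.published
      description: Whether or not the threat is published.
      type: Boolean
  # Destructive: replaces every existing indicator on the threat(s) named by
  # `key` with the ones supplied here.
  - arguments:
    - description: Key of the threat (or threats) to replace indicators for.
      isArray: true
      name: key
      required: true
    - description: IP address indicators to add.
      isArray: true
      name: ip_addresses
    - description: "Hash indicators to add."
      isArray: true
      name: hashes
    - description: Domain indicators to add.
      isArray: true
      name: domain_names
    - description: URL indicators to add.
      isArray: true
      name: url
    description: Deletes existing indicators from a threat and adds new indicators to the threat.
    name: rapid7-insight-idr-replace-threat-indicators
    outputs:
    - contextPath: Rapid7InsightIDR.Threat.name
      description: Name of the threat.
      type: String
    - contextPath: Rapid7InsightIDR.Threat.note
      description: Notes for the threat.
      type: String
    - contextPath: Rapid7InsightIDR.Threat.indicator_count
      description: How many indicators the threat has.
      type: Number
    - contextPath: Rapid7InsightIDR.Threat.published
      description: Whether or not the threat is published.
      type: Boolean
  - arguments: []
    description: Lists all existing logs for an account.
    name: rapid7-insight-idr-list-logs
    outputs:
    - contextPath: Rapid7InsightIDR.Log.name
      description: Log name.
      type: String
    - contextPath: Rapid7InsightIDR.Log.id
      description: Log ID.
      type: String
  - arguments: []
    description: Lists all existing log sets for your InsightIDR instance.
    name: rapid7-insight-idr-list-log-sets
    outputs:
    - contextPath: Rapid7InsightIDR.LogSet.name
      description: Log set name.
      type: String
    - contextPath: Rapid7InsightIDR.LogSet.id
      description: Log set ID.
      type: String
  - arguments:
    - description: IDs of the logs to download - up to 10 logs allowed.
      isArray: true
      name: log_ids
      required: true
    - description: "Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. This is optional if time_range is supplied."
      name: start_time
    - description: 'Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds.'
      name: end_time
    - description: 'The relative time range in a readable format. Optional if start_time is supplied. For example: Last 4 Days. Note that if start_time, end_time and time_range are not provided the default will be Last 3 days.'
      name: time_range
    - description: "The LEQL query to match desired log events. Do not use a calculation. More info: https://docs.rapid7.com/insightidr/build-a-query/"
      name: query
    - description: 'The maximum number of log events to download; cannot exceed 20 million. The default is 20 million. The argument value should be written like this: "10 thousand" or "2 million".'
      name: limit
    description: Downloads logs from your InsightIDR instance. The maximum number of logs per call is 10.
    name: rapid7-insight-idr-download-logs
    outputs: []
  - arguments:
    - description: Logentries log key.
      name: log_id
      required: true
    - description: "A valid LEQL query to run against the log. More info: https://docs.rapid7.com/insightidr/build-a-query/"
      name: query
      required: true
    - description: A time range string (e.g., 1 week, 1 day) - While using this parameter, start_time and end_time aren't needed.
      name: time_range
    - description: 'Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example: 1450557004000.'
      name: start_time
    - description: 'Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example: 1460557604000.'
      name: end_time
    - description: The maximum number of log entries to return per page. Default of 50.
      name: logs_per_page
    - description: The earlier sequence number of a log entry to start searching from.
      name: sequence_number
    description: Queries within a log for certain values.
    name: rapid7-insight-idr-query-log
    outputs:
    - contextPath: Rapid7InsightIDR.Event.log_id
      description: ID of the log the event appears in.
      type: String
    - contextPath: Rapid7InsightIDR.Event.message
      description: Event message.
      type: String
    - contextPath: Rapid7InsightIDR.Event.timestamp
      description: Time when the event was triggered.
      type: Number
  - arguments:
    - description: ID of the log set.
      isArray: true
      name: log_set_id
      required: true
    - description: "A valid LEQL query to run against the log set. More info: https://docs.rapid7.com/insightidr/build-a-query/"
      name: query
      required: true
    - description: A time range string (e.g., 1 week, 1 day) - While using this parameter, start_time and end_time aren't needed.
      name: time_range
    - description: 'Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example: 1450557004000.'
      name: start_time
    - description: 'Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example: 1460557604000.'
      name: end_time
    - description: The maximum number of log entries to return per page. Default of 50.
      name: logs_per_page
    - description: The earlier sequence number of a log entry to start searching from.
      name: sequence_number
    description: Queries within a log set for certain values.
    name: rapid7-insight-idr-query-log-set
    outputs:
    - contextPath: Rapid7InsightIDR.Event.log_id
      description: ID of the log the event appears in.
      type: String
    - contextPath: Rapid7InsightIDR.Event.message
      description: Event message.
      type: String
    - contextPath: Rapid7InsightIDR.Event.timestamp
      description: Time when the event was triggered.
      type: Number
  dockerimage: demisto/python3:3.10.13.87159
  isfetch: true
  runonce: false
  script: '-'
  subtype: python3
  type: python
# "No tests" declares that no test playbook is registered for this integration.
tests:
- No tests
fromversion: 5.0.0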