Hi Community,
Everyday, I’m doing an agents export from Rapid7 - Login*******/agent-management
I’ll looking to script/shedule it using API, CURL and Powershell.
I’m using US1 cloud tenant and have already generated a user API.
Next step on which I’m stuck : Build the CURL query to get all my agents.
I’v no idea how to…api host to use…fully newbies…
Any hint from scripting gurus ?
Thanks
Hi Thiery,
you cannot schedule a CSV export via agent management, we do however have a Graphql Preview API, which is the API used to load the agent mangement page which we can provide access to
David
Sent your way!
@david_smith : first query try
C:\Windows\System32\curl.exe https://us.api.insight.rapid7.com/graphql -v -X POST -H “Accept-Version: kratos” -H “Content-Type: application/json” -H “X-Api-Key: SecretKey” --data “{organizations(first: 1){edges{node{idname}}”
Return
{"errors":[{"message":"Request query is not valid","extensions":{"statusCode":403},"errorType":"ValidationError","path":null}]}
Query grab from doc
Any hint about what I did wrong ?
FYI : found something working : ie :
C:\Windows\System32\curl.exe -g -X POST -H “Content-Type: application/json” -H “Accept-Version: kratos” -H “X-Api-Key: ****************” -d ‘{“query” : “query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {host {hostNames{name }}}}}}}”,“variables”:{“orgId”:"********************"}}’ https://us.api.insight.rapid7.com/graphql/
It’s very cases sensitive … and tricky in Windows cmd ^^
@david_smith : Using GraphSQL, it it possible to get also agent’s last seen ? (I’m not sure that an GraphQL introspection query is possible)
I’m currently doing:
{"query" : "query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {agent {id agentSemanticVersion agentStatus agentLastUpdateTime } host{ hostNames{ name}}}}}}}","variables":{"orgId":"07564651321564654645624"}}
@thierry_bon the query should include
beaconTime
{“query” : “query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {agent {id agentSemanticVersion agentStatus agentLastUpdateTime beaconTime} host{ hostNames{ name}}}}}}}”,“variables”:{“orgId”:“07d61f4e-55e9-4c66-a8fd-16cad8b97e24”}}
as this is the time in milliseconds of the last beacon received from the agent.
Let me know if that works
@david_smith : Thks
I’m getting following error :
message":"Validation error of type FieldUndefined: Field ‘beaconTime’ in type ‘Agent’ is undefined @ 'organization/assets/edges/node/agent/beaconTime
BTW, time is in epoch unix ?
Ah we must not have exposed that in the preview API, in our internal API it works as expected.
Can you try “timestamp” instead?
And yes its Unix time in ms
@david_smith : “timestamp” worked great …thks \o/
So my query is now :
{“query” : “query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {agent {id agentSemanticVersion agentStatus agentLastUpdateTime timestamp } host{ hostNames{ name}}}}}}}”,“variables”:{“orgId”:“0165465131546464564”}}
@david_smith Based on your experience, what would be the best way to get detail on a specific agent ?
Assuming something like $Name = “aSpecificAgentName” , query($Name: String!) would work ?
Will it work ?
query GetAgentData($name: String!) {
agent(name: $name) {
id
agentSemanticVersion
agentStatus
agentLastUpdateTime
timestamp
host {
hostNames {
name
}
}
}
}
You can’t apply a filter like name to your query beforehand, your best option would be to query for all agents (up to the first 10000) and the using the output you can fetch the information related to a particular agent by iterating over the objects that are returned in the JSON response.
OK, good to know.
Thks
@david_smith : My script is working well for months now.
Unfortunalty, I’v now more than 10000 agents, meaning that, my query in truncated.
How can I get the second page of my output to get agent after the first 10000 ?