[API] [CURL] get agent in Data Collection Management

thierry_bon · September 6, 2022, 10:52am

Hi Community,

Everyday, I’m doing an agents export from Rapid7 - Login*******/agent-management
I’ll looking to script/shedule it using API, CURL and Powershell.
I’m using US1 cloud tenant and have already generated a user API.
Next step on which I’m stuck : Build the CURL query to get all my agents.
I’v no idea how to…api host to use…fully newbies…
Any hint from scripting gurus ?

Thanks

david_smith · September 6, 2022, 2:55pm

Hi Thiery,

you cannot schedule a CSV export via agent management, we do however have a Graphql Preview API, which is the API used to load the agent mangement page which we can provide access to

David

thierry_bon · September 6, 2022, 3:30pm

@david_smith I 'd love be able to reach this Graphql and have corresponding docs
Could you ?

bobsledtedd · September 6, 2022, 3:31pm

@david_smith Hi David, Looking for acess to the Graphql Preview API. Thanks.

david_smith · September 6, 2022, 4:14pm

Sent your way!

thierry_bon · September 7, 2022, 8:14am

@david_smith : first query try

C:\Windows\System32\curl.exe https://us.api.insight.rapid7.com/graphql -v -X POST -H “Accept-Version: kratos” -H “Content-Type: application/json” -H “X-Api-Key: SecretKey” --data “{organizations(first: 1){edges{node{idname}}”

Return
{"errors":[{"message":"Request query is not valid","extensions":{"statusCode":403},"errorType":"ValidationError","path":null}]}

Query grab from doc
Any hint about what I did wrong ?

thierry_bon · September 7, 2022, 2:59pm

FYI : found something working : ie :

C:\Windows\System32\curl.exe -g -X POST -H “Content-Type: application/json” -H “Accept-Version: kratos” -H “X-Api-Key: ****************” -d ‘{"query" : "query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {host {hostNames{name }}}}}}}","variables":{"orgId":"********************"}}’ https://us.api.insight.rapid7.com/graphql/

It’s very cases sensitive … and tricky in Windows cmd ^^

david_smith · September 7, 2022, 3:08pm

Glad you got it working @thierry_bon!

thierry_bon · February 6, 2023, 12:11pm

@david_smith : Using GraphSQL, it it possible to get also agent’s last seen ? (I’m not sure that an GraphQL introspection query is possible)

I’m currently doing:

{"query" : "query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {agent {id agentSemanticVersion agentStatus agentLastUpdateTime } host{ hostNames{ name}}}}}}}","variables":{"orgId":"07564651321564654645624"}}

david_smith · February 6, 2023, 12:53pm

@thierry_bon the query should include

beaconTime

{“query” : “query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {agent {id agentSemanticVersion agentStatus agentLastUpdateTime beaconTime} host{ hostNames{ name}}}}}}}”,“variables”:{“orgId”:“07d61f4e-55e9-4c66-a8fd-16cad8b97e24”}}

as this is the time in milliseconds of the last beacon received from the agent.

Let me know if that works

thierry_bon · February 6, 2023, 2:52pm

@david_smith : Thks
I’m getting following error :
message":"Validation error of type FieldUndefined: Field ‘beaconTime’ in type ‘Agent’ is undefined @ 'organization/assets/edges/node/agent/beaconTime

BTW, time is in epoch unix ?

david_smith · February 6, 2023, 4:44pm

Ah we must not have exposed that in the preview API, in our internal API it works as expected.

Can you try “timestamp” instead?

And yes its Unix time in ms

thierry_bon · February 7, 2023, 12:00pm

@david_smith : “timestamp” worked great …thks \o/
So my query is now :

{“query” : “query($orgId: String!) {organization(id: $orgId) {assets(first: 10000) {edges {node {agent {id agentSemanticVersion agentStatus agentLastUpdateTime timestamp } host{ hostNames{ name}}}}}}}”,“variables”:{“orgId”:“0165465131546464564”}}

thierry_bon · February 7, 2023, 12:37pm

@david_smith Based on your experience, what would be the best way to get detail on a specific agent ?
Assuming something like $Name = “aSpecificAgentName” , query($Name: String!) would work ?

thierry_bon · February 7, 2023, 12:43pm

Will it work ?

query GetAgentData($name: String!) {
agent(name: $name) {
id
agentSemanticVersion
agentStatus
agentLastUpdateTime
timestamp
host {
hostNames {
name
}
}
}
}

david_smith · February 7, 2023, 1:52pm

You can’t apply a filter like name to your query beforehand, your best option would be to query for all agents (up to the first 10000) and the using the output you can fetch the information related to a particular agent by iterating over the objects that are returned in the JSON response.

thierry_bon · February 7, 2023, 2:11pm

OK, good to know.
Thks

thierry_bon · April 30, 2023, 3:55pm

@david_smith : My script is working well for months now.
Unfortunalty, I’v now more than 10000 agents, meaning that, my query in truncated.
How can I get the second page of my output to get agent after the first 10000 ?

312312 · May 1, 2023, 8:11am

@thierry_bon Would it be possible to share the API preview document with me?

thierry_bon · May 1, 2023, 2:21pm

I’m not knowing how ^^
But @david_smith should be able to share it