Approach to automate enrichment

Hi all

Was looking to get a steer on how to approach this please.

The desired outcome is when an investigation is raised a note (artifact?) is added to the investigation containing any available OSINT (e.g. VirusTotal) for any of the indicators associated with the investigation.

The sources of these indicators I think are either in:
The alert output “key rules of interest” and
The underlying logs that caused the alert to fire.

My current thinking is a new alert triggers the workflow. From this alert I can see and extract indicators from the “key rules of interest” OK, but it is the log stuff I'm not sure how to approach.

I’m letting workflows run and then going into the Jobs → View Full Job to look at the output from the trigger.

I can see the log_entry_ID but if I manually query it I'm not sure how to identify the log source.
I see in the log details array there is a “logset_id” entry but I'm not sure how to use it.

The thought process is I query the logs and then use extract to grab IPs etc. from there.

Appreciate any feedback on whether I'm on the right track or if I'm on the reservation, so to speak.

If someone already has implemented this (or similar) and can share that would be appreciated.

Thanks in advance.

Bryan

I am not 100% sure why you need to do a log search, so I will start there and see if this helps.

An investigation contains minimal data of value when it flows into ICON by itself.

The next step is to grab the alerts associated with the investigation.

One investigation can have many alerts, so you need to use the action “List alerts for investigation” from Rapid7 Extensions.

The output of this is an array, as each investigation can have many alerts. You would then loop through that List Alerts Array. Within that loop you need to have a decision step checking to see if each alert is a UBA or ABA type. You can only retrieve evidence if it is not a UBA investigation.

This can be accomplished many ways. There is a variable called type; you can match that. You can match the loop variable called ID: if that ID starts with lowercase “rrn”, that is an ABA alert. The logic is up to you.

If the alert is an ABA, you want that path to then fetch the alert evidence using “Get Alert Evidence”. This step contains the data that is most meaningful to an analyst. Generally speaking it contains everything you could want in terms of additional data. It is also the same payload that you would get if you choose to Trigger from a detection rule instead of an alert or an investigation.

You use the investigation RRN to fetch the alerts. You use the alert RRN to fetch the evidence, but the variable is named ID when you are using it within the loop itself.

From what I can tell, the query using log entry ID is the same data that is found in the Get Alert Evidence action, but if you do want to give it a shot you would do something like:

where(#entry_id IN ["7b40e447-8cd6-41c4-9b94-be4698e8f66b"])

Your log source is probably fetched by using the detection rule RRN.

That at minimum gives the event type; you might have to fetch the logs and do a match after that to get the specific ID you need, just in case you have duplicate log names, but this is all theory. I will test it tomorrow.

https://docs.rapid7.com/insightidr/api/detection-rules/#tag/Rules/operation/getByRRN

https://docs.rapid7.com/insightidr/log-search-api/#tag/Logs-and-Log-Sets/operation/getLog
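The loop-and-decide flow the reply describes, as an added Python example that is not part of this thread or of the InsightConnect plugin: it keeps only ABA alerts (type ABA, or an id starting with "rrn"), walks each alert's evidence payload for IPs, SHA-256 hashes and domains, and renders the enrichment note the question asks for. The alert array and its field names are constructed assumptions, not the plugin's documented schema.

```python
import ipaddress
import re

# Constructed sample: the "List alerts for investigation" array with each ABA alert's
# "Get Alert Evidence" payload attached. Field names are assumed, not the plugin's schema.
SAMPLE_ALERTS = [
    {"id": "rrn:alert:us:0001-aaaa", "type": "ABA", "evidence": {
        "source_ip": "10.20.30.40", "destination_ip": "203.0.113.45",
        "process_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "dns_query": "updates.example.net"}},
    {"id": "user-behavior-7", "type": "UBA", "evidence": None},
]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def is_aba(alert: dict) -> bool:
    """The reply's decision step: type ABA, or an id that starts with 'rrn'."""
    return alert.get("type") == "ABA" or str(alert.get("id", "")).startswith("rrn")

def _strings(obj):
    """Yield every string leaf of a nested evidence payload."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for item in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(item)

def extract_indicators(evidence) -> dict:
    """Collect IPs, SHA-256 hashes and domains; internal IPs are dropped since OSINT cannot score them."""
    found = {kind: set() for kind in PATTERNS}
    for text in _strings(evidence):
        for kind, rx in PATTERNS.items():
            for match in rx.findall(text):
                if kind == "ipv4" and any(ipaddress.ip_address(match) in n for n in INTERNAL_NETS):
                    continue
                found[kind].add(match.lower())
    return found

def build_note(alerts: list) -> str:
    """Render the investigation's enrichment note; UBA alerts have no evidence to fetch."""
    lines = []
    for alert in filter(is_aba, alerts):
        iocs = extract_indicators(alert.get("evidence"))
        lines += [f"{alert['id']}\t{kind}\t{v}" for kind in sorted(iocs) for v in sorted(iocs[kind])]
    return "\n".join(lines)
```

In a real workflow the indicator list from build_note is what you would feed to the VirusTotal lookups before writing the note back to the investigation.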