Error 401 on R7-made IDR Workflow for User disabling on UBA

Using the R7-made IDR workflow to disable accounts upon UBA trigger. The disabling works, but then I get an error with the Get RRN or Close Ticket portion. Error details below.

Any ideas?

error log:

rapid7/Rapid7 InsightIDR:4.3.0. Step name: set_status_of_investigation_action
Unauthorized (401): Unauthorized
An error occurred during plugin execution!

InsightIDR returned a status code of 401: Unauthorized 
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.9.0-py3.8.egg/insightconnect_plugin_runtime/plugin.py", line 376, in handle_step
    output = self.start_step(
  File "/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.9.0-py3.8.egg/insightconnect_plugin_runtime/plugin.py", line 556, in start_step
    output = func(params)
  File "/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-4.3.0-py3.8.egg/komand_rapid7_insightidr/actions/set_status_of_investigation_action/action.py", line 34, in run
    response = request.resource_request(endpoint, "put")
  File "/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-4.3.0-py3.8.egg/komand_rapid7_insightidr/util/resource_helper.py", line 120, in resource_request
    raise PluginException(f"InsightIDR returned a status code of {response.status_code}: {status_code_message}")
insightconnect_plugin_runtime.exceptions.PluginException: An error occurred during plugin execution!

InsightIDR returned a status code of 401: Unauthorized 

For your connection to the UBA Plugin, are you using a User API Key or a platform API key? If it works to trigger off the investigation but not to update the investigation, it would seem that it only has read permissions on investigations.

Organization API key, which is admin generated. Is there a way to increase permissions for an Org API key?

Edit: Sorry, should clarify. I’ve looked for a way but haven’t found one.

An Organization API Key is considered a super user and has rights to do everything across all products. They can only be generated by platform/organization admins.

The User API Key inherits the same permissions as the user who created it.

If the key is an Organization Key and not a User Key, then it sounds like there might be another issue at hand. I would suggest reaching out to the Support team and they can take a more in-depth look at what might be going on.

That’s what I thought. Thanks!
