The input takes in an array of domains. We kept passing in an array of strings, and get the error:
Tier 1 does not have access to bulk endpoints
Eventually we found out that if we make the input array of size 1, the action then works. It was a frustrating issue to troubleshoot, just adding this for anyone experiencing it in the future.
What Plugin, Action, and version is this for?
cisco umbrella investigate plugin - Domain Status and Categorization action - v3.1.3
So when you use an array of 1 it converts that to a string
domains = params.get("domains")
if len(domains) == 1:
domains = str(domains[0])
try:
remoteCategories = self.connection.investigate.categorization(domains, labels=True)
then if it is a sting it does a GET otherwise it does a POST
if type(domains) is str:
return self._get_categorization(domains, labels)
elif type(domains) is list:
return self._post_categorization(domains, labels)
The GET and POST requests look like
def _get_categorization(self, domain, labels):
uri = urljoin(self._uris["categorization"], domain)
params = {"showLabels": True} if labels else {}
return self.get_parse(uri, params)
def _post_categorization(self, domains, labels):
params = {"showLabels": True} if labels else {}
return self.post_parse(self._uris["categorization"], params, json.dumps(domains))
There is either an issue with how ICON is taking the JSON array or with the POST route on the Cisco side, but I do not use them so i cannot test the API externally. Hopefully someone from Rapid7 can chime in more on this.