Error with Action Domain Status and Categorization

The input takes in an array of domains. We kept passing in an array of strings, and get the error:

Tier 1 does not have access to bulk endpoints

Eventually we found out that if we make the input array of size 1, the action then works. It was a frustrating issue to troubleshoot, just adding this for anyone experiencing it in the future.

1 Like

What Plugin, Action, and version is this for?

cisco umbrella investigate plugin - Domain Status and Categorization action - v3.1.3

So when you use an array of 1 it converts that to a string

domains = params.get("domains")
        if len(domains) == 1:
            domains = str(domains[0])

            remoteCategories = self.connection.investigate.categorization(domains, labels=True)

then if it is a sting it does a GET otherwise it does a POST

if type(domains) is str:
            return self._get_categorization(domains, labels)
        elif type(domains) is list:
            return self._post_categorization(domains, labels)

The GET and POST requests look like

def _get_categorization(self, domain, labels):
        uri = urljoin(self._uris["categorization"], domain)
        params = {"showLabels": True} if labels else {}
        return self.get_parse(uri, params)

    def _post_categorization(self, domains, labels):
        params = {"showLabels": True} if labels else {}
        return self.post_parse(self._uris["categorization"], params, json.dumps(domains))

There is either an issue with how ICON is taking the JSON array or with the POST route on the Cisco side, but I do not use them so i cannot test the API externally. Hopefully someone from Rapid7 can chime in more on this.