Finding investigation rrn with actor rrn

Hi everyone,

I'm working on a workflow which searches a single investigation and tries to find exactly the same investigation among previous investigations by actor name and investigation name. I created a webhook to fetch the new investigation, I search old investigations with the same name, I get the investigation RRNs, put them in a loop, get the alert RRNs, and then I use the "retrieve actors for single alert" option in the loop, and I now have a list with actor RRN, investigation RRN and alert RRN. I send a log to IDR for each investigation RRN with its alert RRN, and for each alert RRN with its actor RRN, to find the investigation RRN with the actor RRN. The problem for me is that when I try to read the logs in InsightConnect with the "advanced query on log" option, it does not work. I need a solution for this.

  1. Option: I put them in the same artifact and try to fetch alert_rrn and after that investigation_rrn with a Python compare script, but as I'm not a master of Python I didn't manage to do that.

I appreciate you sharing this information. Rather than talk through the technical process you are trying to accomplish, can you tell me your end goal?

As a simple example:

I want to send a teams message that isolates an asset in Crowdstrike.

Can you explain in more simple terms your goal, and then we can talk through the technical method to achieve this?

Hello Darrick,

The goal is to assist the SOC team more effectively in 24/7 scenarios by identifying investigations that occur outside business hours and are associated with the same actor and investigation name or have the same name but different actors.

Workflow Steps:

  1. Webhook Trigger: New incoming alarms are captured using an API trigger to initiate the workflow.
  2. Time Check: A check is performed to determine if the alert occurs outside business hours.
  3. Search for Previous Investigations: Using the “search investigations” API, the last 10 closed investigations with the same investigation name are retrieved.
  4. Extract Investigation RRN and Find Alerts:
    Investigation RRNs are extracted from the investigation search results and looped through to find associated alert RRNs using the “Find alerts for investigation” API.
    This information is sent to InsightConnect via syslog.

{
  "timestamp": "{{["Current date (Search End date)"].[list].[0]}}",
  "log_type": "alert RRN list based on investigation RRN",
  "investigation_rrn": "{{["get alert rrn"].[$item]}}",
  "alert_rrn": "{{["Loop - 4"].[$item]}}",
  "Source": "Shift_Workflow"
}

  5. Retrieve Actors for Alerts:
    Using the alert RRNs, actors are retrieved via the “Retrieve actor for single alert” API.
    The actor list is sent to InsightConnect via syslog.

{
  "timestamp": "{{["Current date (Search End date)"].[list].[0]}}",
  "log_type": "Actor RRN list based on alert RRN",
  "alert_rrn": "{{["Action - 3"].[result_string]}}",
  "actor_rrn_list": "{{["Loop - 5"].[$item]}}",
  "Source": "Shift_Workflow"
}

  6. Matching Actors with Assets:
    A Python script is used to check if the actors from the alert match any assets from the system.
    If a match is found, the corresponding actor RRN is returned.

def run(params={}):
    # Assets returned by each iteration of "Loop - 3": one list per iteration
    input_array_nested = {{["Loop - 3"].[assets list output]}}
    # Flatten to a single list of asset objects
    input_array = [item for sublist in input_array_nested for item in sublist]
    # Actors attached to the triggering alert
    new_array_data = {{["Trigger"].[actors]}}
    # Default to an empty list when the trigger carries no "assets" key
    new_assets = [item["value"] for item in new_array_data.get("assets", [])]

    def find_matching_rrns(input_array, new_array):
        # Return the RRN of every asset whose display name is among the alert's assets
        rrns = [item["rrn"] for item in input_array if item["display_name"] in new_array]
        return rrns

    matching_rrns = find_matching_rrns(input_array, new_assets)

    return {
        "matching_rrns": matching_rrns,
    }
  7. Advanced Query for Log Search:
    An advanced query is attempted to search logs for the matched actor RRN, but an error occurs. If successfully implemented:
    The actor RRN would be used to retrieve the alert RRN from the logs.
    The alert RRN would then be used to find the corresponding investigation RRN.
    Finally, using the investigation RRN, all relevant details of the case would be retrieved.

This process aims to streamline incident detection and response by automatically correlating events and investigations, improving efficiency in handling security alerts outside of business hours. I hope I was able to explain my plan.
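The actor RRN to alert RRN to investigation RRN join that the failing advanced-query step was meant to perform (and that Option 1 in the first post tried to do in Python) can be done inside the workflow's Python step once the two record lists are available to it. This is an added example and not code from the thread; it assumes the records arrive in the same JSON shape as the two syslog messages above, and every RRN in it is a constructed placeholder.

```python
import json

# Constructed sample log lines (placeholder RRNs, not real ones) in the shape of the
# two syslog messages the workflow sends: investigation -> alert, and alert -> actor.
ALERT_LOG_LINES = [
    '{"log_type":"alert RRN list based on investigation RRN","investigation_rrn":"rrn:inv:1","alert_rrn":"rrn:alert:A","Source":"Shift_Workflow"}',
    '{"log_type":"alert RRN list based on investigation RRN","investigation_rrn":"rrn:inv:1","alert_rrn":"rrn:alert:B","Source":"Shift_Workflow"}',
    '{"log_type":"alert RRN list based on investigation RRN","investigation_rrn":"rrn:inv:2","alert_rrn":"rrn:alert:C","Source":"Shift_Workflow"}',
]
ACTOR_LOG_LINES = [
    '{"log_type":"Actor RRN list based on alert RRN","alert_rrn":"rrn:alert:A","actor_rrn_list":"rrn:actor:X","Source":"Shift_Workflow"}',
    '{"log_type":"Actor RRN list based on alert RRN","alert_rrn":"rrn:alert:C","actor_rrn_list":["rrn:actor:X","rrn:actor:Y"],"Source":"Shift_Workflow"}',
    'not json at all',  # a malformed line must not abort the whole step
]


def parse_lines(lines):
    """Parse JSON log lines; malformed lines are skipped instead of raising."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def as_list(value):
    """actor_rrn_list may arrive as one string or as a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def investigations_for_actor(actor_rrn, alert_records, actor_records):
    """Follow actor -> alert -> investigation and return the investigation RRNs, sorted."""
    alerts = {r["alert_rrn"] for r in actor_records
              if actor_rrn in as_list(r.get("actor_rrn_list"))}
    return sorted({r["investigation_rrn"] for r in alert_records
                   if r.get("alert_rrn") in alerts})


def run(params={}):
    # In the workflow these inputs would be the collected loop outputs; the
    # constructed lines above are only defaults so the step runs stand-alone.
    alert_records = parse_lines(params.get("alert_log_lines", ALERT_LOG_LINES))
    actor_records = parse_lines(params.get("actor_log_lines", ACTOR_LOG_LINES))
    actor = params.get("actor_rrn", "rrn:actor:X")
    return {"actor_rrn": actor,
            "investigation_rrns": investigations_for_actor(actor, alert_records, actor_records)}
```

The returned investigation_rrns list is what the final "get investigation details" step would loop over, with no log query needed.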

That is a very nice explanation. I appreciate you sharing that.

Your advanced query for Log Search action that is failing provides some error message?

Can you share the query you are using?

Are you doing an advanced query on log, or on logset?

I'm doing Advanced query on log.
query:
where("rrn" ICONTAINS "{actor_rrn}")

I also tried
where("rrn" = "{actor_rrn}")

Both worked with the normal log search, but Advanced query on log in the InsightConnect event source sends the error below after waiting 5 min.

[screenshot of the error]

Are you using a log id or a log name?

This works for me, but I am using Log ID:

where("r7_context.source_account.rrn" = "{{[$input].[Actor_RRN]}}")

I recommend going into IDR and clicking on the value you want to add, and then choose to add key-value pair.

Then you can copy directly from the query builder and transfer to ICON.

Hi Darrick,
I did the same thing. R7 support said there was a problem with the JSON structure in the background. They are handling it now. I hope after that I can collect all the RRN information.

Are you using a logid or a log name?

I'm using the log name.

Use the log ID instead.

I got same error.

Can you show your step input?

I'm using this input to test this step.
{
  "log": "",
  "log_id": "d5a137bb-X-338e6672d60f",
  "query": "where(\"hostname\" != \"\")",
  "relative_time": "Last 12 Hours",
  "time_from": "",
  "time_to": "",
  "timeout": 60
}