Formulate URL for Investigation page from InsightIDR API data

I’m hoping to create a URL which leads directly to an Investigation. I have data from the InsightIDR Investigations API. I’m using this as part of an InsightConnect workflow which will provide more granular control for alerting the SOC about specific Investigations. I hope to contribute the Workflow back to the community.

An example URL would look something like this:
https://us.idr.insight.rapid7.com/op/A00A0000AAA00A00AAA0#/investigations/1bb111bb-111b-11b1-11b1-1b1bbb1bb11b

The InsightIDR API exposes does not expose the Investigation ID (e.g. 1bb111bb-111b-11b1-11b1-1b1bbb1bb11b), nor the value after op (e.g. A00A0000AAA00A00AAA0).

How can I get that value after OP, and what is it? It isn’t the organization_id. I’ve checked with my colleagues, and we all see the same value for a specific app within an org. What I mean by that is that we have more than one org within our R7 tenant; if we call the orgs A, B and C, then we all see the same value for InsightIDR within org A, and InsightIDR within org B has a different value.

Hoping I don’t have to hardcode it as a Workflow Parameter to get the Workflow working but having looked through Insight Platform API overview and Available product APIs documentation I’m stumped.

1 Like

Not a big deal, but while researching this, I noticed that the tooltip for the Copy shareable InsightIDR link button in the Investigations UI is [object Obect] which doesn’t seem quite right:
image

image

Hi,

this value is your Product Token, which is unique to each org, and would be safe to hardcode into your script.

As for that tooltip issue, is that within ICON?

David

[DS] this value is your Product Token, which is unique to each org, and would be safe to hardcode into your script.

Thanks David. Is there any way to acquire the Product Token programmatically? Not a huge deal if not, but it would be a nice-to-have feature for my workflow.

[DS] As for that tooltip issue, is that within ICON?

The tooltip screenshot I mentioned is in the Investigation UI in InsightIDR. Search for Investigations, then expand one of the result cards to see the Copy shareable InsightIDR link button.

Since starting to try to formulate deep links to Investigations, I’ve realized that the rrn for an Investigation doesn’t directly contain the Investigation ID:
rrn:investigation:us:3ed45e95-xxxx-xxxx-832b-dce18e27c485:investigation:73F40YXXXXXX

Is there any way to formulate a deep link to an Investigation given the rrn?

Unfortunately not, this is something we don’t expose via api.

Ah thanks I see it now

David

Ah, so the only way to get a deep link to an Investigation is by logging in to the InsightIDR UI and manually retrieving it? That’s a shame if so, but thanks for clarifying.

Yes, its also in the email alert that is sent as part of the investigation URL

David

1 Like

Apologies I was originally replying to the question on the ability to fetch the product token programmatically, and missed your question about the RRN, you cannot use the rrn in the URL you are trying to construct, you need the investigation ID, which is returned via the V1 API InsightIDR API Documentation

I will share this feedback with the team as this does seem like a missing piece for the V2 API.

David

2 Likes

Thank you for asking the team about the Investigation ID regression in the v2 API and pointing me at the v1 documentation - I hadn’t thought to look at that.

Parsing the email alert is a possibility - and way better than no alternative - but I’d rather stick to the API if possible. I could use the v1 API to list out all Investigations and create some sort of lookup table to Investigation ID as a workaround, but I think I’m going to abandon the deep link idea for now. It’d be useful for the SOC, but I don’t want to build something too convoluted.

I carried out a quick test of the InsightIDR plugin which was updated to v4.0.0 at the end of last month to include Investigation-related actions like Search Investigations. I wanted to see if it would return Investigation ID, but it doesn’t since the plugin is a wrapper for the InsightIDR v2 API.

Please know that I truly appreciate the replies I get here in the forums, as well as the significant dev work which goes into all of these plugin enhancements. In this particular case, thank you @david_smith and @igorski, as well as many others who have spent time developing and/or helping me with the components I’m asking about.

Hi Adam!

I’m the associate product manager for the Investigation Management V2 APIs. Thank you for sharing your feedback. I’ll reach out to you to find time to chat further about your use cases!

1 Like

@david_smith : I was wondering do we have an option to integrate tools like Akamai and forescout with rapid 7 IDR. I don’t see any build in event source for this. Can you suggest how it can be done via custom logs or do we have an option with API.
Thanks

Hi,

you are correct we don’t have a built in integration or event source for these tools, as with any unsupported event source/vendor, custom logs allows you the option to ingest text based logs in a variety of ways.

The most popular options would be to read from a network file share using a watch directory collection method, or alternatively a listen on network port option if the source can transmit logs outbound to the collector.

We have no native API option for the two you mentioned, in order to leverage any third party APIs a custom script would be needed to allow the data to be collected using one of the options outlined here Data Collection Methods | InsightIDR Documentation

David