I’m hoping to create a URL which leads directly to an Investigation. I have data from the InsightIDR Investigations API. I’m using this as part of an InsightConnect workflow which will provide more granular control for alerting the SOC about specific Investigations. I hope to contribute the Workflow back to the community.
An example URL would look something like this: https://us.idr.insight.rapid7.com/op/A00A0000AAA00A00AAA0#/investigations/1bb111bb-111b-11b1-11b1-1b1bbb1bb11b
The InsightIDR API does not expose the Investigation ID (e.g. 1bb111bb-111b-11b1-11b1-1b1bbb1bb11b), nor the value after op (e.g. A00A0000AAA00A00AAA0).
How can I get that value after OP, and what is it? It isn’t the organization_id. I’ve checked with my colleagues, and we all see the same value for a specific app within an org. What I mean by that is that we have more than one org within our R7 tenant; if we call the orgs A, B and C, then we all see the same value for InsightIDR within org A, and InsightIDR within org B has a different value.
Not a big deal, but while researching this, I noticed that the tooltip for the Copy shareable InsightIDR link button in the Investigations UI is [object Object], which doesn’t seem quite right:
[DS] this value is your Product Token, which is unique to each org, and would be safe to hardcode into your script.
Thanks David. Is there any way to acquire the Product Token programmatically? Not a huge deal if not, but it would be a nice-to-have feature for my workflow.
[DS] As for that tooltip issue, is that within ICON?
The tooltip screenshot I mentioned is in the Investigation UI in InsightIDR. Search for Investigations, then expand one of the result cards to see the Copy shareable InsightIDR link button.
Ah, so the only way to get a deep link to an Investigation is by logging in to the InsightIDR UI and manually retrieving it? That’s a shame if so, but thanks for clarifying.
Apologies, I was originally replying to the question on the ability to fetch the product token programmatically, and missed your question about the RRN. You cannot use the RRN in the URL you are trying to construct; you need the investigation ID, which is returned via the V1 API (InsightIDR API Documentation).
I will share this feedback with the team as this does seem like a missing piece for the V2 API.
Thank you for asking the team about the Investigation ID regression in the v2 API and pointing me at the v1 documentation - I hadn’t thought to look at that.
Parsing the email alert is a possibility - and way better than no alternative - but I’d rather stick to the API if possible. I could use the v1 API to list out all Investigations and create some sort of lookup table to Investigation ID as a workaround, but I think I’m going to abandon the deep link idea for now. It’d be useful for the SOC, but I don’t want to build something too convoluted.
Please know that I truly appreciate the replies I get here in the forums, as well as the significant dev work which goes into all of these plugin enhancements. In this particular case, thank you @david_smith and @igorski, as well as many others who have spent time developing and/or helping me with the components I’m asking about.
I’m the associate product manager for the Investigation Management V2 APIs. Thank you for sharing your feedback. I’ll reach out to you to find time to chat further about your use cases!
@david_smith: I was wondering, do we have an option to integrate tools like Akamai and Forescout with Rapid7 IDR? I don’t see any built-in event source for this. Can you suggest how it can be done via custom logs, or do we have an option with the API?
Thanks
You are correct, we don’t have a built-in integration or event source for these tools. As with any unsupported event source/vendor, custom logs allow you the option to ingest text-based logs in a variety of ways.
The most popular options would be to read from a network file share using a watch directory collection method, or alternatively a listen on network port option if the source can transmit logs outbound to the collector.
We have no native API option for the two you mentioned. In order to leverage any third-party APIs, a custom script would be needed to allow the data to be collected using one of the options outlined here: Data Collection Methods | InsightIDR Documentation
@dreadpir8robots I had the same wish to be able to build the IDR URL from an ICON workflow.
I ended up creating a second “List Investigations” action with the IDR plugin of v 3.2 since that one is using the older API.
Then I do a loop over the retrieved investigations until I have a match on the RRN, which I did get from both calls. Unfortunately I did not find a way of finding the op/…/ part, but in our case I just made that static since we only have one org.
I need to create a URL link back from our case management product to investigations in InsightIDR. Are there plans for v2 of the InsightIDR API to support the return of the investigation “id” so this can be done?
I know this is an old topic, but has there been any progress? My team is trying to develop a single pane of glass dashboard that pulls alerts/investigations/incidents from the various platforms in our security stack so we don’t have to log into multiple portals to see our priority tasks. We really need to include links to the insightIDR investigations, but without the URLs or investigation IDs being returned from the API, it seems we can’t.
I accidentally came across a solution that may help.
You can swap the investigation ID in the URL for the RRN and it will load the investigation in the browser. In my case, I use FortiSOAR to query the investigation API. It returns the RRN, which I then plug in to the URL programmatically by adding the RRN into a variable and then plugging that into the Insight URL:
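The two approaches described in this thread (looping over the v1 “List Investigations” result to turn an RRN into an investigation ID, and the later observation that the RRN itself can be dropped into the URL) can be combined into one small helper. The following is an added example written for this thread, not Rapid7 or plugin code. It assumes the v1 list endpoint is `GET https://<region>.api.insight.rapid7.com/idr/v1/investigations` with an `X-Api-Key` header returning `{"data": [...]}` items that carry `id` and `rrn` keys (only the first page is fetched), that the product token after `/op/` is hardcoded per org as suggested above, and it uses a constructed sample payload so it runs offline. The RRN and product-token formats are validated with allow-lists, because a value pulled from an API or a case-management field ends up inside a link shown to analysts and should not be able to carry extra path or fragment characters.

```python
"""Build InsightIDR investigation deep links from v1 API data (added example, not Rapid7 code)."""
import json
import re
import urllib.request
from urllib.parse import quote

UI_HOST = "{region}.idr.insight.rapid7.com"   # host seen in the thread's example URL
API_HOST = "{region}.api.insight.rapid7.com"  # assumption: v1 API host

# Allow-lists for everything that is interpolated into the link.  Values that fail
# are rejected rather than encoded, so a bad record cannot produce a misleading URL.
REGION_RE = re.compile(r"^[a-z0-9]{2,4}$")
PRODUCT_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,64}$")
INVESTIGATION_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
RRN_RE = re.compile(r"^rrn:[A-Za-z0-9:._-]+$")  # assumption: RRNs are colon-separated tokens

# Values taken from the thread's example URL (the product token is per org).
SAMPLE_PRODUCT_TOKEN = "A00A0000AAA00A00AAA0"
SAMPLE_INVESTIGATION_ID = "1bb111bb-111b-11b1-11b1-1b1bbb1bb11b"
# Constructed RRN; the real RRN layout may differ and is only a stand-in here.
SAMPLE_RRN = "rrn:investigation:us:00000000-0000-0000-0000-000000000001:investigation:" + SAMPLE_INVESTIGATION_ID

# Constructed stand-in for a v1 "List Investigations" response (field names are an assumption).
SAMPLE_V1_PAYLOAD = {
    "data": [
        {"id": SAMPLE_INVESTIGATION_ID, "rrn": SAMPLE_RRN, "title": "Suspicious authentication"},
        {"id": "2cc222cc-222c-22c2-22c2-2c2ccc2cc22c",
         "rrn": "rrn:investigation:us:00000000-0000-0000-0000-000000000001:investigation:2cc222cc-222c-22c2-22c2-2c2ccc2cc22c",
         "title": "Malware on endpoint"},
    ]
}


def index_by_rrn(payload):
    """Build the RRN -> investigation-ID lookup table from a v1 list response."""
    return {inv["rrn"]: inv["id"] for inv in payload.get("data", []) if "rrn" in inv and "id" in inv}


def validate_link_parts(region, product_token, ref):
    """True only if every part is safe to place in the UI URL.  ref may be an ID or an RRN."""
    return bool(REGION_RE.fullmatch(region)
                and PRODUCT_TOKEN_RE.fullmatch(product_token)
                and (INVESTIGATION_ID_RE.fullmatch(ref) or RRN_RE.fullmatch(ref)))


def build_investigation_url(region, product_token, ref):
    """Assemble https://<region>.idr.insight.rapid7.com/op/<token>#/investigations/<id-or-rrn>."""
    if not validate_link_parts(region, product_token, ref):
        raise ValueError("refusing to build a link from unvalidated parts")
    # The allow-lists already exclude reserved characters; quote() is a second line of defence.
    return f"https://{UI_HOST.format(region=region)}/op/{product_token}#/investigations/{quote(ref, safe=':')}"


def deep_link_for_rrn(region, product_token, rrn, rrn_index):
    """Prefer the v1 investigation ID; fall back to the raw RRN, which the UI also accepts."""
    return build_investigation_url(region, product_token, rrn_index.get(rrn, rrn))


def fetch_v1_investigations(region, api_key):
    """Fetch the first page of investigations from the v1 API (endpoint and header are assumptions)."""
    req = urllib.request.Request(
        f"https://{API_HOST.format(region=region)}/idr/v1/investigations",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # not called in the offline demo
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed payload; swap in fetch_v1_investigations() for live use.
    index = index_by_rrn(SAMPLE_V1_PAYLOAD)
    print(deep_link_for_rrn("us", SAMPLE_PRODUCT_TOKEN, SAMPLE_RRN, index))
```

In a workflow the lookup table would be rebuilt from the v1 list call on each run (or cached briefly), so the ID-based link is used whenever the v1 data has the investigation, and the RRN form is only the fallback for records the first page did not cover.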