We are trying to get them. Rapid7 support told us the following, but it didn't help a lot.
Once you use the Search API to retrieve the alert_rrn - https://docs.rapid7.com/insightidr/api/alert-triage/#tag/Alerts/operation/searchAlerts
You can then pass that into this request to get the Alert Evidence - https://docs.rapid7.com/insightidr/api/alert-triage/#tag/Alerts/operation/getAlertEvidences
You can work with Investigations by using this API - InsightIDR API Documentation
Does anyone have Postman or Python samples to achieve this?
ilovesoar
(IloveSOAR)
February 18, 2025, 10:17pm
Do you have specific investigations you want to grab?
Yes, No.
What I'd like to do is to be able to grab the evidence. I actually don't care if it's for a specific investigation, or for each one that is being opened.
Thanks
Hi Mike,
Two-step process if you want to start at an investigation level:
https://help.rapid7.com/insightidr/en-us/api/v2/docs.html#tag/Investigations
First you need to get a list of alerts associated with an investigation
Get investigation alerts
https://[region].api.insight.rapid7.com/idr/v2/investigations/{id}/alerts
Then you use the alert RRNs to retrieve the evidence associated with them
https://docs.rapid7.com/insightidr/api/alert-triage/
Retrieves evidence associated with an alert
https://us.api.insight.rapid7.com/idr/at/alerts/{alert_rrn}/evidences
Hope this helps,
Darragh
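The two-step flow above (investigation alerts, then evidence per alert RRN), as an added Python example that is not from this thread or from Rapid7. It assumes the region-prefixed Insight host, the `X-Api-Key` header, v2 `index`/`size` paging with a `data`/`metadata` envelope, and an `rrn` field on each alert; the sample responses and ids are constructed so the flow runs offline.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List

# Assumed (not stated in the thread): region-prefixed host, X-Api-Key auth header,
# v2 paging via index/size with a {"data": [...], "metadata": {...}} envelope, and
# an "rrn" field on each alert object. Verify these against the API docs before use.
HOST = "https://{region}.api.insight.rapid7.com"
INVESTIGATION_ALERTS = HOST + "/idr/v2/investigations/{id}/alerts?index={index}&size=100"
ALERT_EVIDENCES = HOST + "/idr/at/alerts/{alert_rrn}/evidences"
Fetcher = Callable[[str], Dict[str, Any]]

def api_fetcher(api_key: str) -> Fetcher:
    """Return a GET-JSON callable that sends the Insight platform API key."""
    def fetch(url: str) -> Dict[str, Any]:
        req = urllib.request.Request(url, headers={"X-Api-Key": api_key, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def alert_rrns_for_investigation(fetch: Fetcher, region: str, investigation_id: str) -> List[str]:
    """Step 1: walk every page of the investigation's alerts and collect their RRNs."""
    rrns, index = [], 0
    while True:
        page = fetch(INVESTIGATION_ALERTS.format(region=region, id=investigation_id, index=index))
        rrns.extend(alert["rrn"] for alert in page.get("data", []))
        if index + 1 >= page.get("metadata", {}).get("total_pages", 1):
            return rrns
        index += 1

def evidence_for_investigation(fetch: Fetcher, region: str, investigation_id: str) -> Dict[str, Any]:
    """Step 2: fetch the evidence for each alert RRN and key it by that RRN."""
    return {rrn: fetch(ALERT_EVIDENCES.format(region=region, alert_rrn=rrn))
            for rrn in alert_rrns_for_investigation(fetch, region, investigation_id)}

# Constructed sample responses (placeholder ids) so the two-step flow runs offline.
SAMPLE_RESPONSES = {
    "/idr/v2/investigations/INV-PLACEHOLDER/alerts?index=0&size=100": {
        "data": [{"rrn": "rrn:alert:example:1"}], "metadata": {"index": 0, "total_pages": 2}},
    "/idr/v2/investigations/INV-PLACEHOLDER/alerts?index=1&size=100": {
        "data": [{"rrn": "rrn:alert:example:2"}], "metadata": {"index": 1, "total_pages": 2}},
    "/idr/at/alerts/rrn:alert:example:1/evidences": {"data": [{"type": "process", "name": "sample.exe"}]},
    "/idr/at/alerts/rrn:alert:example:2/evidences": {"data": [{"type": "user", "name": "sample-user"}]},
}

def sample_fetch(url: str) -> Dict[str, Any]:
    """Offline stand-in for api_fetcher: look the request path up in SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url.split("rapid7.com", 1)[1]]
```

Against a live tenant, swap `sample_fetch` for `api_fetcher("<your api key>")` and pass the real region and investigation id to `evidence_for_investigation`.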
ilovesoar
(IloveSOAR)
February 19, 2025, 5:12pm
I ran into the same issue. You can get the evidence and actors for an alert, but not for an investigation. The closest thing is ‘Get investigation by rrn’. But that does not give you any evidence or alert info.
What I want is to get the evidence for an investigation and do actions on that information.
ilovesoar
(IloveSOAR)
February 19, 2025, 5:15pm
How would you do this in the workflow using plugins?
ilovesoar
(IloveSOAR)
February 19, 2025, 6:03pm
Take a look at this workflow R7 published - Create Incident in ServiceNow from IDR Investigation