I would like to get the alert evidence using the API endpoint documented here:
https://docs.rapid7.com/insightidr/api/alert-triage/#operation/getAlertEvidences
This endpoint requires an alert_rrn but I only have an alert “id” returned from this endpoint:
/idr/v2/investigations/{identifier}/alerts
documented here: InsightIDR API Documentation
How can I get an alert_rrn given in “id”
I’m not sure why this hasnt been answered by someone from R7 yet.
The API around investigations and alerts is quite underdeveloped and the documentation is confusing at best.
Thanks for your help! I guess i have no access to your IBM Accounts …?!
Oops. Here is the pointer to the public github resilient-community-apps/fn_rapid7_insight_idr at main · ibmresilient/resilient-community-apps · GitHub
The Rapid7 REST calls are in this file resilient-community-apps/fn_rapid7_insight_idr/fn_rapid7_insight_idr/lib/app_common.py at main · ibmresilient/resilient-community-apps · GitHub .
https://ibmresilient.github.io/resilient-community-apps/fn_rapid7_insight_idr/README.html