I would like to get the alert evidence using the API endpoint documented here:
https://docs.rapid7.com/insightidr/api/alert-triage/#operation/getAlertEvidences
This endpoint requires an alert_rrn but I only have an alert “id” returned from this endpoint:
/idr/v2/investigations/{identifier}/alerts
documented here: InsightIDR API Documentation
How can I get an alert_rrn given in “id”
I’m not sure why this hasnt been answered by someone from R7 yet.
The API around investigations and alerts is quite underdeveloped and the documentation is confusing at best.
As I remember we had to work directly with Rapid7 to gain access to an unrestricted endpoint (undocumented?) to get the evidence and the endpoint needed to be turned on by Rapid7.
Here is a pointer to the Rapid7 InsightIDR integration that I wrote at the time I post this message https://github.ibm.com/Resilient/resilient-community-apps/tree/master/fn_rapid7_insight_idr.
The Rapid7 REST calls are in this file https://github.ibm.com/Resilient/resilient-community-apps/blob/master/fn_rapid7_insight_idr/fn_rapid7_insight_idr/lib/app_common.py
Hope this helps!