ICON workflow API call failure to IDR

Happy Thursday,

Hope someone can help me out here as I am venturing into ICON territory and it becomes a little tricky :slight_smile:

So we have a custom alert that triggers a workflow, and because it is a custom alert it does not include the investigation_id, but only the alert_id.
Based on the custom alert we have triggered some chat bot flows and that works fine, but we would like the result from the chat bot back into the created investigation.
How I was planning it is to have an API call (in python) being made to find the investigation ID.
This works like a charm in IDLE:

import requests

# Base URL for the InsightIDR API
base_url = 'https://eu.api.insight.rapid7.com/idr/v1'

# API key sent in the X-Api-Key header (placeholder; the original IDLE session defined this elsewhere)
api_key = 'REPLACE_WITH_YOUR_API_KEY'

# Alert ID to search for
alert_id = '123456'

# URL for the investigations endpoint
url = f'{base_url}/investigations?alert_id={alert_id}'

# Headers for the API request
headers = {
    'X-Api-Key': api_key
}

# Make the API request
response = requests.get(url, headers=headers)

# Get the JSON response
data = response.json()

# Filter the investigations to get only the open ones
open_investigations = [investigation for investigation in data['data'] if investigation['status'] == 'OPEN']

# Extract only the IDs of the open investigations
open_investigation_ids = [investigation['id'] for investigation in open_investigations]

# Print the full response (the filtered IDs are in open_investigation_ids)
print(data)

The first part of the outcome is as follows (it goes on further, including the alert_id):

{'data': [{'id': '1234', 'rrn': 'rrn:investigation:eu:abcd12389:investigation:XXX', 'title': 'Suspicious Authentication - Ipxo Limited', 'status': 'OPEN'

However, the same script failed in ICON:

def run(params={}):
    import requests
    
    # Base URL for the InsightIDR API
    base_url = 'https://eu.api.insight.rapid7.com/idr/v1'

    # Alert ID to search for
    alert_id = params.get('alert_id')

    # URL for the investigations endpoint
    url = f'{base_url}/investigations?alert_id={alert_id}'

    # Make the API request
    response = requests.get(url)

    # Get the JSON response
    response_json = response.json()

    # Filter the response to get only the open investigations
    open_investigations = [investigation for investigation in response_json if investigation['status'] == 'OPEN']

    # Extract only the IDs of the open investigations
    open_investigation_ids = [investigation['id'] for investigation in open_investigations]

    # Return the open investigation IDs
    return {"open_investigation_ids": open_investigation_ids}

And the error is:

Could not run supplied script  Response was: 'data'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/python_3_script_rapid7_plugin-4.0.5-py3.8.egg/icon_python_3_script/actions/run/action.py", line 31, in run
    out = self._exec_python_function(function_=function_, params=params)
  File "/usr/local/lib/python3.8/site-packages/python_3_script_rapid7_plugin-4.0.5-py3.8.egg/icon_python_3_script/actions/run/action.py", line 59, in _exec_python_function
    out = locals()[function_name](params.get(Input.INPUT))
  File "<string>", line 23, in run
KeyError: 'data'

So dearest community… what am I missing here?
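For comparison, here is an added example (not the poster's code and not Rapid7's plugin code) of the same lookup written so that it fails loudly instead of with a bare KeyError. It is based on what the post shows: the endpoint GET /investigations?alert_id=..., the X-Api-Key header, and the {'data': [...]} envelope from the IDLE run. Note that the ICON version in the post sends no X-Api-Key header at all, so an error body without a 'data' key is exactly what it would get back; this version checks the HTTP status before touching the body. The API key source (params or an IDR_API_KEY environment variable), the fake_opener stand-in for the service and the sample records are assumptions made so the example runs offline.

```python
import io
import json
import os
import urllib.error
import urllib.request

# Same base URL and endpoint the original post uses.
BASE_URL = "https://eu.api.insight.rapid7.com/idr/v1"


def extract_open_investigation_ids(payload):
    """Pull the IDs of OPEN investigations out of a decoded response body.

    The IDLE run on the page shows the body is an envelope: {'data': [ {...}, ... ]}.
    A body without 'data' (for example an error body) raises a readable error
    instead of the bare KeyError: 'data' seen in the ICON traceback.
    """
    if not isinstance(payload, dict) or "data" not in payload:
        raise ValueError(f"unexpected response body, no 'data' key: {payload!r}")
    return [inv["id"] for inv in payload["data"] if inv.get("status") == "OPEN"]


def fetch_investigations(alert_id, api_key, opener=None):
    """GET /investigations?alert_id=<id> with the X-Api-Key header.

    Returns (http_status, decoded_body). `opener` defaults to urllib's urlopen;
    a fake opener is injected below so the example runs offline.
    """
    request = urllib.request.Request(
        f"{BASE_URL}/investigations?alert_id={alert_id}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    open_url = opener or urllib.request.urlopen
    try:
        with open_url(request) as response:
            return response.status, json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # Non-2xx answers: keep the status and whatever body came back.
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


def run(params={}, opener=None):
    """ICON-style entry point: params carries alert_id (and, here, the API key)."""
    alert_id = params.get("alert_id")
    # Assumption: the key arrives in params or an environment variable; how ICON
    # actually hands secrets to a Python script step is not covered on the page.
    api_key = params.get("api_key") or os.environ.get("IDR_API_KEY")
    if not alert_id or not api_key:
        raise ValueError("alert_id and api_key are both required")
    status, body = fetch_investigations(alert_id, api_key, opener)
    if status != 200:
        raise RuntimeError(f"IDR API returned HTTP {status}: {body}")
    return {"open_investigation_ids": extract_open_investigation_ids(body)}


# ---- constructed stand-in for the API so the example runs offline ----
FAKE_API_KEY = "constructed-api-key"
SAMPLE_BODY = {  # first record modelled on the IDLE output in the post, second is constructed
    "data": [
        {"id": "1234", "rrn": "rrn:investigation:eu:abcd12389:investigation:XXX",
         "title": "Suspicious Authentication - Ipxo Limited", "status": "OPEN"},
        {"id": "5678", "rrn": "rrn:investigation:eu:abcd12389:investigation:YYY",
         "title": "Constructed closed example", "status": "CLOSED"},
    ]
}


class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._raw = status, json.dumps(body).encode("utf-8")

    def read(self):
        return self._raw

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(request):
    """Behave like the service: a missing or wrong key gets a 401 with an error body."""
    # urllib stores header names capitalised, hence "X-api-key".
    if request.get_header("X-api-key") != FAKE_API_KEY:
        raise urllib.error.HTTPError(request.full_url, 401, "Unauthorized", {},
                                     io.BytesIO(b'{"message": "Unauthorized"}'))
    return _FakeResponse(200, SAMPLE_BODY)


if __name__ == "__main__":
    print(run({"alert_id": "123456", "api_key": FAKE_API_KEY}, opener=fake_opener))
    try:
        run({"alert_id": "123456", "api_key": "wrong-key"}, opener=fake_opener)
    except RuntimeError as err:
        print("rejected:", err)
```

Dropping `opener=fake_opener` makes `run` use the real urlopen against the URL from the post. The point of the structure is that an unauthenticated or failed request surfaces as "HTTP 401" with the returned body, which is far easier to act on in an ICON job log than a KeyError from deep inside a list comprehension.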

Hey @sgroeneveld
I described how you can do this in another thread earlier today: ICON Send Artifacts to IDR Investigation after Custom Pattern Alert - #5 by richard_davidsson

Check if that can help you build it natively in ICON without having to create the Python integration.