Greetings,
I’ve just developed a Python script which I’ve dubbed InsightIDR4Py, that simplifies the process of querying logs using the InsightIDR REST API. I’ve been using this for a couple of weeks now for threat data enrichment and reporting, and have found it quite useful/stable.
Example usage:

```python
import InsightIDR4Py as idr

# define the query parameters
logset_name = "DNS Query"
query = "where(public_suffix IN [buzz, top, club, work, surf, tw, gq, ml, cf, biz, tk, cam, xyz, bond])"
time_range = "Last 36 Hours"

# query the logs (returns a list of event dicts)
events = idr.QueryEvents(logset_name, query, time_range)

# print out the first event
print(events[0])
```
Result:
{'timestamp': '2021-09-28T15:11:45.000Z', 'asset': 'windesk05.organization.com', 'source_address': '192.168.4.10', 'query': 'regulationprivilegescan.top', 'public_suffix': 'top', 'top_private_domain': 'regulationprivilegescan.top', 'query_type': 'A', 'source_data': '09/28/2021 8:11:45 AM 1480 PACKET 00000076ED1A0140 UDP Rcv 192.168.4.121 c3b3 Q [0001 D NOERROR] A (3)regulationprivilegescan(3)top(0)'}
I hope you find this useful! Feel free to reach out here, on GH, or Twitter (@micahbabinski) with any feedback. I am fairly new to security and Rapid7, so I know I have a lot to learn!
Kind regards,
Micah Babinski
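As an added example (not part of the original post or of InsightIDR4Py), here is the kind of reporting step a defender might run over the event dicts QueryEvents returns: it groups the suspicious-TLD DNS hits by asset, flags hosts that reached several distinct domains, and counts how many hosts queried each domain so low-prevalence names stand out. The sample events are constructed in the same shape as the result shown above; the field names are the ones that appear there.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape of the QueryEvents result shown in the post
SAMPLE_EVENTS = [
    {"timestamp": "2021-09-28T15:11:45.000Z", "asset": "windesk05.organization.com",
     "source_address": "192.168.4.10", "query": "regulationprivilegescan.top",
     "public_suffix": "top", "top_private_domain": "regulationprivilegescan.top", "query_type": "A"},
    {"timestamp": "2021-09-28T15:12:02.000Z", "asset": "windesk05.organization.com",
     "source_address": "192.168.4.10", "query": "cdn.example-download.xyz",
     "public_suffix": "xyz", "top_private_domain": "example-download.xyz", "query_type": "A"},
    {"timestamp": "2021-09-28T15:20:10.000Z", "asset": "windesk09.organization.com",
     "source_address": "192.168.4.33", "query": "regulationprivilegescan.top",
     "public_suffix": "top", "top_private_domain": "regulationprivilegescan.top", "query_type": "A"},
]

def summarize_dns_events(events, min_domains=2):
    """Per-asset summary of suspicious-TLD DNS queries; flag hosts hitting >= min_domains distinct domains."""
    per_host = defaultdict(lambda: {"domains": set(), "suffixes": Counter(),
                                    "count": 0, "first": None, "last": None})
    for ev in events:
        h = per_host[ev["asset"]]
        h["domains"].add(ev["top_private_domain"])
        h["suffixes"][ev["public_suffix"]] += 1
        h["count"] += 1
        # InsightIDR timestamps are ISO 8601 with milliseconds and a trailing Z (UTC)
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        h["first"] = ts if h["first"] is None or ts < h["first"] else h["first"]
        h["last"] = ts if h["last"] is None or ts > h["last"] else h["last"]
    report = {}
    for asset, h in per_host.items():
        report[asset] = {
            "domains": sorted(h["domains"]),
            "suffixes": dict(h["suffixes"]),
            "count": h["count"],
            "first_seen": h["first"].isoformat(),
            "last_seen": h["last"].isoformat(),
            "flag": len(h["domains"]) >= min_domains,  # multiple odd-TLD domains from one host: triage first
        }
    return report

def domain_prevalence(events):
    """Number of distinct assets that queried each private domain; 1 means a single host saw it."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["top_private_domain"]].add(ev["asset"])
    return {domain: len(assets) for domain, assets in hosts.items()}
```

With live data, pass the list returned by `idr.QueryEvents(...)` to both functions in place of `SAMPLE_EVENTS`.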