InsightIDR4Py

Greetings,

I’ve just developed a Python script, which I’ve dubbed InsightIDR4Py, that simplifies the process of querying logs using the InsightIDR REST API. I’ve been using this for a couple of weeks now for threat data enrichment and reporting, and found it quite useful/stable.

Example usage:

import InsightIDR4Py as idr

# define the query parameters
logset_name = "DNS Query"
query = "where(public_suffix IN [buzz, top, club, work, surf, tw, gq, ml, cf, biz, tk, cam, xyz, bond])"
time_range = "Last 36 Hours"

# query the logs
events = idr.QueryEvents(logset_name, query, time_range)

# print out the first returned event (the list is named "events" above)
print(events[0])

Result:

{'timestamp': '2021-09-28T15:11:45.000Z', 'asset': 'windesk05.organization.com', 'source_address': '192.168.4.10', 'query': 'regulationprivilegescan.top', 'public_suffix': 'top', 'top_private_domain': 'regulationprivilegescan.top', 'query_type': 'A', 'source_data': '09/28/2021 8:11:45 AM 1480 PACKET  00000076ED1A0140 UDP Rcv 192.168.4.121   c3b3   Q [0001   D   NOERROR] A      (3)regulationprivilegescan(3)top(0)'}

I hope you find this useful! Feel free to reach out here, on GH, or Twitter (@micahbabinski) with any feedback. I am fairly new to security and Rapid7, so I know I have a lot to learn!

Kind regards,
Micah Babinski


Nice. I am going to check this out!

Hi, I was trying to see how you stopped your while loop, as I’m running into a problem with my code. Did you not use the cursor for the next set of data?
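The reply above asks how a paging loop should stop. The following is an added example, not code from the original post or from the InsightIDR4Py project, that shows one defensible shape for such a loop: follow the "Next" link the API hands back until a page carries none, refuse to revisit a URL, and cap the number of pages so a misbehaving endpoint cannot spin forever. It assumes (and this is an assumption to verify against the Log Search API documentation for your region) that each page is a JSON object with an "events" list and a "links" list whose entries carry "rel" and "href". The HTTP call is abstracted behind a get_json callable so the block runs offline against constructed pages; a polling case where the API returns an in-progress status with a self link is not handled here.

```python
"""Cursor-style pagination for a paged log-search API.

Added example, not InsightIDR4Py code. Assumed response shape (verify against
the Log Search API docs): {"events": [...], "links": [{"rel": "Next", "href": ...}]}.
A page without a "Next" link is the last page.
"""
from typing import Callable, Dict, Iterator, List, Optional

MAX_PAGES = 1000  # hard stop so a misbehaving API cannot loop forever


def next_link(page: Dict) -> Optional[str]:
    """Return the href of the 'Next' link on a page, or None on the last page."""
    for link in page.get("links", []):
        if str(link.get("rel", "")).lower() == "next":
            return link.get("href")
    return None


def iter_events(first_url: str, get_json: Callable[[str], Dict],
                max_pages: int = MAX_PAGES) -> Iterator[Dict]:
    """Yield every event across all pages by following 'Next' links.

    Stops when a page has no 'Next' link. Raises if the API hands back a link
    already visited (a loop) or if the page budget is exhausted, so the caller
    never silently treats a partial result as complete.
    """
    url: Optional[str] = first_url
    seen = set()
    pages = 0
    while url is not None:
        if url in seen:
            raise RuntimeError(f"API returned an already visited link: {url}")
        if pages >= max_pages:
            raise RuntimeError(f"stopped after {max_pages} pages; results incomplete")
        seen.add(url)
        pages += 1
        page = get_json(url)  # one HTTP GET, parsed as JSON
        yield from page.get("events", [])
        url = next_link(page)  # None on the last page ends the loop


def collect_events(first_url: str, get_json: Callable[[str], Dict],
                   max_pages: int = MAX_PAGES) -> List[Dict]:
    """Materialise all pages into one list (fine for reporting-sized results)."""
    return list(iter_events(first_url, get_json, max_pages))


# --- constructed, offline stand-in for the API (not real InsightIDR data) ---
# Three pages of fake DNS events; the third page carries no "Next" link.
FAKE_PAGES = {
    "https://example.invalid/query?page=1": {
        "events": [{"query": "a.top"}, {"query": "b.xyz"}],
        "links": [{"rel": "Next", "href": "https://example.invalid/query?page=2"}],
    },
    "https://example.invalid/query?page=2": {
        "events": [{"query": "c.club"}],
        "links": [{"rel": "Next", "href": "https://example.invalid/query?page=3"}],
    },
    "https://example.invalid/query?page=3": {
        "events": [{"query": "d.tk"}],
        "links": [],
    },
}


def fake_get_json(url: str) -> Dict:
    """Stand-in for an authenticated HTTP GET returning parsed JSON (constructed)."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    all_events = collect_events("https://example.invalid/query?page=1", fake_get_json)
    print(len(all_events), "events; last:", all_events[-1])
```

To use it against the real service, replace fake_get_json with a function that performs the GET with your API key header and returns the parsed body; the loop itself does not change. Keeping the page cap and the visited-link check is what turns "the while loop never ends" into a loud error rather than a hung script.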