I’ve just developed a Python script, which I’ve dubbed InsightIDR4Py, that simplifies the process of querying logs using the InsightIDR REST API. I’ve been using this for a couple of weeks now for threat data enrichment and reporting, and found it quite useful/stable.

Example usage:

import InsightIDR4Py as idr

# define the query parameters
logset_name = "DNS Query"
query = "where(public_suffix IN [buzz, top, club, work, surf, tw, gq, ml, cf, biz, tk, cam, xyz, bond])"
time_range = "Last 36 Hours"

# query the logs
events = idr.QueryEvents(logset_name, query, time_range)

# print out an event
print(events[0])

{'timestamp': '2021-09-28T15:11:45.000Z', 'asset': '', 'source_address': '', 'query': '', 'public_suffix': 'top', 'top_private_domain': '', 'query_type': 'A', 'source_data': '09/28/2021 8:11:45 AM 1480 PACKET  00000076ED1A0140 UDP Rcv   c3b3   Q [0001   D   NOERROR] A      (3)regulationprivilegescan(3)top(0)'}

I hope you find this useful! Feel free to reach out here, on GH, or Twitter (@micahbabinski) with any feedback. I am fairly new to security and Rapid7, so I know I have a lot to learn!

Kind regards,
Micah Babinski
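
Added example, not part of the original post or of InsightIDR4Py: one way to turn the returned events into a per-suffix summary for a report. It assumes `QueryEvents` returns a list of dicts with the fields shown in the sample output above; `decode_dns_name`, `summarize` and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Windows DNS debug logs write names as length-prefixed labels,
# e.g. (7)updates(7)example(3)top(0). The length prefixes are not checked here.
LABEL_RE = re.compile(r"\((\d+)\)([^()\s]*)")

def decode_dns_name(source_data):
    """Return the dotted, lower-cased name from the last token of source_data, or None."""
    tokens = (source_data or "").split()
    if not tokens:
        return None
    labels = [text for _length, text in LABEL_RE.findall(tokens[-1]) if text]
    return ".".join(labels).lower() if labels else None

def summarize(events):
    """Group events by public_suffix: query count, distinct names, distinct assets."""
    summary = defaultdict(lambda: {"count": 0, "names": set(), "assets": set()})
    for event in events:
        row = summary[(event.get("public_suffix") or "unknown").lower()]
        row["count"] += 1
        # Prefer the parsed 'query' field; fall back to the raw log line.
        name = event.get("query") or decode_dns_name(event.get("source_data"))
        if name:
            row["names"].add(name.lower())
        if event.get("asset"):
            row["assets"].add(event["asset"])
    return dict(summary)

# Constructed sample events (not real data), using the field names shown above.
SAMPLE_EVENTS = [
    {"asset": "ws-01", "query": "", "public_suffix": "top",
     "source_data": "PACKET UDP Rcv Q [0001 D NOERROR] A (7)updates(7)example(3)top(0)"},
    {"asset": "ws-02", "query": "", "public_suffix": "top",
     "source_data": "PACKET UDP Rcv Q [0001 D NOERROR] A (7)updates(7)example(3)top(0)"},
    {"asset": "ws-01", "query": "cdn.example.xyz", "public_suffix": "xyz",
     "source_data": ""},
]

if __name__ == "__main__":
    for suffix, row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(suffix, row["count"], sorted(row["names"]), sorted(row["assets"]))
```

A suffix with many queries from a single asset, or one name requested by many assets, is usually the first thing to look at in the resulting summary.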


Nice. I am going to check this out!