Investigation RRN or ID from an ABA Alert?

Hello,

I have a workflow with an ABA trigger, but I’ve been unable to find the specific Investigation RRN or ID to then update the status or assign an owner to that specific investigation.

Has anyone figured out a solution for this?

The RRN should output as part of the trigger, what type of ABA alert are you trying to trigger off of and I can take a look.

I’m using the “Process Start Event” alerts as triggers.

The following JSON objects are the only RRNs I’m able to find:

"r7_context": {
    "asset": {
        "name": "##########",
        "rrn": "rrn:uba:##:ID###:asset:######"
    }
},
"detectionRule": {
    "name": "Credential Access - Querying Registry for Stored Credentials",
    "priorityLevel": "Medium",
    "rrn": "rrn:cba:::detection-rule:R7KIIBVHN9YD",
    "ruleAction": "CREATES_INVESTIGATIONS",
    "versionRrn": ""
},

The ABA alert does not output the ID or RRN of an investigation because it’s triggering at the detection level, before an investigation is created. If you want to tie the two together, you can do an Investigation search with the ABA detectionRule name and get what is needed. An example of what I’ve used in the Search Investigations step is below.

[{“field”:“title”,“value”:“{{["Process Start Event"].[detectionRule].[name]}}”,“operator”:“CONTAINS”},{“field”:“status”,“value”:“OPEN”,“operator”:“EQUALS”}]

Hi Eric,

Could you expand on this a little more, please? I am building a workflow to assign ABA investigations based on the current on call user in PagerDuty but using the get investigation method with the IDR plugin, it still requests the RRN or ID.

It seems a little odd to me that there is no native method to get the investigation as part of the trigger.

Thanks,
Jamesy

You have to use the Search Investigation Action with the search string Eric posted above, not Get Investigation action. The reason it does not come across with the trigger is that the alert fires and triggers the workflow before IDR creates an investigation.

  1. Alert received
  2. Trigger fires
  3. Investigation created

Got it Michael, thanks for the prompt reply

Thinking on this a little more, it still seems very inefficient, as I would have to run a check for every detection rule within the ABA categories.

Is there a better way of doing this natively?

If you want to use a workflow for assigning users based on your on-call availability, it may be best to use IDR’s webhook feature alongside the InsightConnect API trigger. This will generate at the investigation level and give you all the details you need to assign a specific investigation, but it will not include the more detailed evidence portion of the ABA detection.

You can find more information below on these two features.

IDR Webhook: Universal Webhook | InsightIDR Documentation
InsightConnect API Trigger: Set Up an API Trigger | InsightConnect Documentation

The search step would use the output of the trigger to search for that specific rule name in the investigation search step. Are you wanting to create a workflow that runs on every ABA detection rule, or specific categories?

I would like to trigger in all instances of an ABA alert. I currently have it set up this way for UBA.

Hi Eric,
Sorry, I replaced the variable

{{[“Process Start Event”].[detectionRule].[name]}}

with mine

{{[“Anomalous Data Transfer”].[detectionRule].[name]}}

since it is a workflow based on this ABA alert; however, the execution gives me the following error:

Connect: Connecting…
rapid7/Rapid7 InsightIDR:6.0.0. Step name: get_investigation
Not Found (404): No investigation exists with id [{“field”:“title”,“value”:“Network Flow - Anomalous Data Transfer”,“operator”:“EQUALS”}.
An error occurred during plugin execution!

InsightIDR returned a status code of 404: Not Found
Traceback (most recent call last):
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-5.2.3-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 409, in handle_step
output = self.start_step(
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-5.2.3-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 604, in start_step
output = func(params)
File “/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-6.0.0-py3.8.egg/komand_rapid7_insightidr/actions/get_investigation/action.py”, line 27, in run
response = request.resource_request(endpoint, “get”)
File “/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-6.0.0-py3.8.egg/komand_rapid7_insightidr/util/resource_helper.py”, line 124, in resource_request
raise PluginException(f"InsightIDR returned a status code of {response.status_code}: {status_code_message}")
insightconnect_plugin_runtime.exceptions.PluginException: An error occurred during plugin execution!

InsightIDR returned a status code of 404: Not Found

What am I doing wrong?

You might want to change the operator to CONTAINS. Additionally, you’ll want to insert a sleep function using the Timers plugin before you perform the search since detections are generated up to 5-7 minutes before an investigation is created.

Same problem:

Connect: Connecting…
rapid7/Rapid7 InsightIDR:6.0.0. Step name: get_investigation
Not Found (404): No investigation exists with id [{“field”:“title”,“value”:“Network Flow - Anomalous Data Transfer”,“operator”:“contains”},{“field”:“status”,“value”:“OPEN”,“operator”:“equals”}].
An error occurred during plugin execution!

InsightIDR returned a status code of 404: Not Found
Traceback (most recent call last):
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-5.2.3-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 409, in handle_step
output = self.start_step(
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-5.2.3-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 604, in start_step
output = func(params)
File “/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-6.0.0-py3.8.egg/komand_rapid7_insightidr/actions/get_investigation/action.py”, line 27, in run
response = request.resource_request(endpoint, “get”)
File “/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-6.0.0-py3.8.egg/komand_rapid7_insightidr/util/resource_helper.py”, line 124, in resource_request
raise PluginException(f"InsightIDR returned a status code of {response.status_code}: {status_code_message}")
insightconnect_plugin_runtime.exceptions.PluginException: An error occurred during plugin execution!

InsightIDR returned a status code of 404: Not Found

The investigation exists.


Operators and values are case sensitive. You need to change your operators to ALL CAPS, like in my example above.

:frowning:

Connect: Connecting…
rapid7/Rapid7 InsightIDR:6.0.0. Step name: get_investigation
Not Found (404): No investigation exists with id [{“field”:“title”,“value”:“Network Flow - Anomalous Data Transfer”,“operator”:“CONTAINS”},{“field”:“status”,“value”:“OPEN”,“operator”:“EQUALS”}].
An error occurred during plugin execution!

InsightIDR returned a status code of 404: Not Found
Traceback (most recent call last):
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-5.2.3-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 409, in handle_step
output = self.start_step(
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-5.2.3-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 604, in start_step
output = func(params)
File “/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-6.0.0-py3.8.egg/komand_rapid7_insightidr/actions/get_investigation/action.py”, line 27, in run
response = request.resource_request(endpoint, “get”)
File “/usr/local/lib/python3.8/site-packages/rapid7_insightidr_rapid7_plugin-6.0.0-py3.8.egg/komand_rapid7_insightidr/util/resource_helper.py”, line 124, in resource_request
raise PluginException(f"InsightIDR returned a status code of {response.status_code}: {status_code_message}")
insightconnect_plugin_runtime.exceptions.PluginException: An error occurred during plugin execution!

InsightIDR returned a status code of 404: Not Found

SORRY! I just noticed you are using the wrong action. You need to use the Search Investigations action, not the Get Investigation action. You can see in the log that it’s expecting an ID, not a search string.

Problem found!! In the command you pasted, the characters “ and ” are present; the correct one is ".

Thanks so much
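The three failure modes this thread works through (smart quotes pasted from the forum, lower-case operators, and a search string handed to Get Investigation instead of Search Investigations) are all things a workflow author can check before the step ever runs. The following Python script is an added example written for this page; it is not part of the thread and is not code from the Rapid7 InsightIDR plugin. It assumes only the search-criteria shape shown in Eric's post (a JSON array of objects with `field`, `value` and `operator`) and the `title`/`status` fields and `CONTAINS`/`EQUALS` operators that appear on the page; it makes no API call, and the sample strings it checks are constructed from the error logs above.

```python
import json

# Characters that forum software and word processors substitute for ASCII quotes.
# Any of these inside a criteria string breaks JSON parsing on the API side.
SMART_QUOTES = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
}

# Only the operators and fields that appear in this thread; extend as needed.
KNOWN_OPERATORS = {"CONTAINS", "EQUALS"}
KNOWN_FIELDS = {"title", "status"}


def straighten_quotes(text: str) -> str:
    """Replace typographic quotes with their ASCII equivalents."""
    for smart, plain in SMART_QUOTES.items():
        text = text.replace(smart, plain)
    return text


def build_search_criteria(rule_name: str, status: str = "OPEN") -> list:
    """Build the Search Investigations criteria for a detection rule name.

    CONTAINS is used for the title because the investigation title is not
    guaranteed to equal the rule name exactly (see the advice in the thread).
    """
    return [
        {"field": "title", "value": rule_name, "operator": "CONTAINS"},
        {"field": "status", "value": status.upper(), "operator": "EQUALS"},
    ]


def normalize_criteria(raw: str):
    """Parse a pasted criteria string and repair the mistakes seen in the thread.

    Returns (criteria, problems): the cleaned list of criteria and a list of
    human-readable notes about what was changed or could not be fixed.
    """
    problems = []
    fixed = straighten_quotes(raw)
    if fixed != raw:
        problems.append("smart quotes replaced with ASCII quotes")
    try:
        criteria = json.loads(fixed)
    except json.JSONDecodeError as exc:
        raise ValueError(f"criteria is not valid JSON after quote repair: {exc}") from exc
    if not isinstance(criteria, list):
        raise ValueError("criteria must be a JSON array of {field, value, operator} objects")
    for item in criteria:
        for key in ("field", "value", "operator"):
            if key not in item:
                raise ValueError(f"criterion is missing '{key}': {item}")
        op = item["operator"]
        if op != op.upper():
            problems.append(f"operator '{op}' upper-cased to '{op.upper()}'")
            item["operator"] = op.upper()
        if item["operator"] not in KNOWN_OPERATORS:
            problems.append(f"unrecognised operator '{item['operator']}'")
        if item["field"] not in KNOWN_FIELDS:
            problems.append(f"unrecognised field '{item['field']}'")
        value = item["value"]
        # Status values are compared case-sensitively as well (OPEN, not open).
        if item["field"] == "status" and isinstance(value, str) and value != value.upper():
            problems.append(f"status value '{value}' upper-cased to '{value.upper()}'")
            item["value"] = value.upper()
    return criteria, problems


def is_search_criteria(value: str) -> bool:
    """True if the input is a criteria array, i.e. it belongs in Search Investigations.

    Get Investigation expects a bare id or RRN; passing it a JSON array produces
    the 'No investigation exists with id [...]' 404 quoted in the thread.
    """
    return value.lstrip().startswith("[")


if __name__ == "__main__":
    # Constructed sample: the lower-case, smart-quoted string from the thread's second error log.
    pasted = ('[{\u201cfield\u201d:\u201ctitle\u201d,\u201cvalue\u201d:\u201cNetwork Flow - Anomalous Data Transfer\u201d,'
              '\u201coperator\u201d:\u201ccontains\u201d},{\u201cfield\u201d:\u201cstatus\u201d,'
              '\u201cvalue\u201d:\u201cOPEN\u201d,\u201coperator\u201d:\u201cequals\u201d}]')
    criteria, problems = normalize_criteria(pasted)
    print(json.dumps(criteria))
    for note in problems:
        print("fixed:", note)
    print("use Search Investigations:", is_search_criteria(pasted))
```

Run the script and it prints the repaired criteria string with straight quotes and upper-cased operators, which is the form that succeeded at the end of the thread; the `problems` list tells you what was wrong with the pasted input. Combine `build_search_criteria` with a Timers sleep before the search step, as suggested above, since the investigation may not exist for several minutes after the ABA trigger fires.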