Query regarding IDR API

Hi
We are using APIs to generate weekly and monthly reports for the IDR Investigations.

I see that using /idr/v1/investigations, the v1 version gives the ‘alert.type’, and /idr/v2/investigations, the v2 version, gives the alert ‘priority’.

These are the output for each of the calls:
v1 output

{
  "id": "",
  "rrn": "",
  "title": "",
  "status": "",
  "source": "ALERT",
  "disposition": "BENIGN",
  "assignee": {
    "name": "",
    "email": ""
  },
  "alerts": [
    {
      "type": "Custom Alert - Pattern Detection",
      "type_description": "One or more logs matched the pattern you defined.",
      "first_event_time": "2023-01-01T05:56:49.034Z"
    }
  ],
  "created_time": "2023-01-01T06:02:28.523Z"
}

v2 output

{
  "rrn": "",
  "organization_id": "",
  "title": "",
  "source": "ALERT",
  "status": "CLOSED",
  "priority": "LOW",
  "last_accessed": "2023-01-01T06:02:28.523Z",
  "created_time": "2023-01-01T06:02:28.523Z",
  "disposition": "BENIGN",
  "assignee": {
    "name": "",
    "email": ""
  },
  "first_alert_time": "2023-01-01T06:02:28.523Z",
  "latest_alert_time": "2023-01-01T06:02:28.523Z"
}

Is there a way to get both ‘priority’ and ‘alerts.type’ from a single call?

Hey Lakshmikanth,

Did you ever get an answer here?
I am at the same point of wanting to extract alert_type as well as priority, and cannot get both from the V2 API.

Hey there. According to the documentation, this is not possible with a single V2 API call. However, it can be accomplished using multiple API calls. Using InsightIDR4Py you could do something like:

import InsightIDR4Py as idr
from datetime import datetime, timedelta, timezone

# define API key (store this value securely)
api_key = "API_Key_Here"

# connect to InsightIDR API
api = idr.InsightIDR(api_key)

# list investigations from the past 7 days
start_time_7d_ago = (datetime.now(timezone.utc) - timedelta(7)).strftime("%Y-%m-%dT%H:%M:%SZ")
investigations = api.ListInvestigations(start_time=start_time_7d_ago)

# add the alerts for each investigation
for investigation in investigations:
    inv_id = investigation["rrn"]
    alerts = api.ListAlertsByInvestigation(inv_id)
    investigation["alerts"] = alerts

Hope this helps!

Micah
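As an added example (not code from the thread or from InsightIDR4Py), this is how the two result sets can be joined once they are fetched: the v2 investigation list supplies priority, the v1-style alert data supplies the alert types, and the rrn is the join key. The sample records are constructed to mirror the shapes quoted above; the rrn values and the second, v2-only investigation are assumptions, included so the merge shows an investigation that has no alert data rather than dropping it.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample responses shaped like the v1 and v2 records quoted in the
# thread: v1 carries alerts[].type, v2 carries priority, both carry the rrn.
V1_INVESTIGATIONS = [
    {"id": "inv-0001", "rrn": "rrn:investigation:example:0001", "title": "Pattern match",
     "status": "CLOSED", "source": "ALERT", "disposition": "BENIGN",
     "alerts": [{"type": "Custom Alert - Pattern Detection",
                 "type_description": "One or more logs matched the pattern you defined.",
                 "first_event_time": "2023-01-01T05:56:49.034Z"}],
     "created_time": "2023-01-01T06:02:28.523Z"},
]
V2_INVESTIGATIONS = [
    {"rrn": "rrn:investigation:example:0001", "title": "Pattern match", "source": "ALERT",
     "status": "CLOSED", "priority": "LOW", "disposition": "BENIGN",
     "created_time": "2023-01-01T06:02:28.523Z"},
    # assumed v2-only record: no v1 counterpart, so its alert types are unknown
    {"rrn": "rrn:investigation:example:0002", "title": "Second case", "source": "ALERT",
     "status": "OPEN", "priority": "HIGH", "disposition": "UNDECIDED",
     "created_time": "2023-01-03T10:00:00Z"},
]

def parse_time(ts):
    """Parse the API's UTC timestamps, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {ts!r}")

def merge_investigations(v1_records, v2_records):
    """Join v1 and v2 investigation lists on rrn: one row per investigation with
    'priority' (v2) and 'alert_types' (v1). An rrn seen on only one side keeps
    None in the missing field so the gap is visible in the report."""
    rows = defaultdict(lambda: {"priority": None, "alert_types": None})
    for rec in v2_records:
        rows[rec["rrn"]].update(rrn=rec["rrn"], title=rec.get("title"),
                                status=rec.get("status"), priority=rec.get("priority"),
                                created_time=rec.get("created_time"))
    for rec in v1_records:
        row = rows[rec["rrn"]]
        for key in ("rrn", "title", "status", "created_time"):
            row.setdefault(key, rec.get(key))
        # de-duplicate: one investigation can hold several alerts of the same type
        row["alert_types"] = sorted({a["type"] for a in rec.get("alerts", [])})
    return list(rows.values())

def report_window(rows, now_iso, days=7):
    """Keep rows created in the `days` days before now_iso (weekly or monthly report)."""
    cutoff = parse_time(now_iso) - timedelta(days=days)
    return [r for r in rows if r.get("created_time") and parse_time(r["created_time"]) >= cutoff]
```

In practice the two input lists come from the v2 investigation call and the per-investigation alert calls shown in the reply above; only the merge and the date window are done locally.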