Query user's primary device

Is there a way to query a user’s primary device in a workflow? For example: let’s say a Cloud Service Activity detection rule triggers and the log provides no source device but obviously provides username, uPN, rrn, etc. There must be some way to leverage one of those to query what the IDR GUI shows as the user’s primary device so it could be used in an ICONN workflow . . . . .

Thanks,

Craig

I can ask around Craig. I am not aware of any api call that will tell you that information, but I learn new things every day.

You might also ask in the IDR channel if there is a log query to show a user’s primary device. What we can do with InsightConnect is run log queries. If there is a log search that can yield those results we can guide you in creating that action to run.

Thanks as always, Darrick

Here is what I am thinking might work:

  1. Use the account value “user@contoso.com” from the investigation/log to do an Active Directory search for the user’s UPN, and then pull the sAMAccountName

  2. Use the IDR “Advance Query on Log” to run a LEQL search like this:
    where("lastLoggedInUser" = " ")

. . . . which will yield a hostname key value, and which for our environment will almost always be the user’s primary device.

What I’m not sure of is how to populate my empty quotes in "lastLoggedInUser" = " " with the sAMAccountName that was found on the Active Directory user query.

Craig

I’m not sure what you mean how to populate your empty quotes.

They won’t be empty, they will use the variable from your ldap query results.

If you name your ldap query step “Query” your variable would probably be something like {{["Query"].[results].[0].[lastloggedinuser]}} making your log search query something like

where("lastLoggedInUser" = "{{["Query"].[results].[0].[lastloggedinuser]}}")

Thanks, Darrick

I think you understood my question exactly. I think I am close but just have to learn the syntax and get that right.

Right now I have:

where("lastLoggedInUser" = "{{["Query Active Directory Accounts"].[results].[attributes].[sAMAccountName].[0]}}")

. . . . but I don’t seem to be getting any output when testing.

My output is:

{
"$success": true,
"count": 0,
"results_events":
}

Craig

What variable are you using? Can you copy it from the builder and paste it here.

Should be a bit different: {{["Query Active Directory Accounts"].[results].[attributes].[sAMAccountName].[0]}}

I think this would be accurate:

{{["Query Active Directory Accounts"].[results].[0].[attributes].[sAMAccountName]}}

If you view the job output from your query and don’t view it as raw json it is easier.

If you need to drop down the arrow to see what you want to get to, then you need to include whatever the value is next to the arrow.

So when you are viewing the query results it is an array, because it is potentially more than one result.

0 is the first item returned so you include it.

Viewing my screenshot, if I wanted to get to the name variable this is how I would do it.

{{["Convert Extract Names Output to Object"].[output].[assets_names].[0].[name]}}
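The bracket-path rule Darrick lays out above (one bracketed segment per level you have to expand, with the array index included) can be checked outside the workflow builder. The following is an added Python example, not code from the thread or from InsightConnect: the shape of the “Query Active Directory Accounts” output is a constructed guess at the nesting the thread describes (a results array whose entries carry an attributes object), and the small resolver and renderer are assumptions about how the {{…}} references behave, written only to show why the wrong path quietly renders as an empty string.

```python
import re

# Constructed sample of what the "Query Active Directory Accounts" step might
# return.  This is an illustrative shape, not the real plugin schema: results is
# an array (one entry per matching account) and each entry nests its LDAP
# attributes under "attributes", which is the level the thread kept missing.
AD_STEP_OUTPUT = {
    "Query Active Directory Accounts": {
        "results": [
            {
                "dn": "CN=Craig Example,OU=Users,DC=contoso,DC=com",
                "attributes": {
                    "userPrincipalName": "craig@contoso.com",
                    "sAMAccountName": "cexample",
                },
            }
        ],
        "count": 1,
    }
}

# One bracketed segment, with or without quotes: ["Step Name"], [results], [0]
SEGMENT = re.compile(r'\[\s*"?([^\]"]+)"?\s*\]')
# A whole {{ ... }} reference inside a query string
PLACEHOLDER = re.compile(r"\{\{(.*?)\}\}")


def resolve(reference, data):
    """Walk a {{["Step"].[key].[0].[key]}} reference over step output.

    A segment that is all digits indexes an array; anything else is a key.
    Returns None as soon as a level is missing, which is what ends up as an
    empty string once the query is rendered (assumed behaviour, see lead-in).
    """
    inner = reference.strip()
    if inner.startswith("{{") and inner.endswith("}}"):
        inner = inner[2:-2]
    node = data
    for seg in SEGMENT.findall(inner):
        if isinstance(node, list):
            if not seg.isdigit() or int(seg) >= len(node):
                return None  # e.g. [attributes] used where [0] was required
            node = node[int(seg)]
        elif isinstance(node, dict):
            if seg not in node:
                return None  # e.g. [sAMAccountName] without [attributes]
            node = node[seg]
        else:
            return None  # tried to descend into a scalar
    return node


def render(query_template, data):
    """Substitute every {{...}} reference in a LEQL template."""
    def substitute(match):
        value = resolve(match.group(0), data)
        return "" if value is None else str(value)
    return PLACEHOLDER.sub(substitute, query_template)


if __name__ == "__main__":
    good = '{{["Query Active Directory Accounts"].[results].[0].[attributes].[sAMAccountName]}}'
    bad = '{{["Query Active Directory Accounts"].[results].[attributes].[sAMAccountName].[0]}}'
    for ref in (good, bad):
        print(render('where("lastLoggedInUser" = "%s")' % ref, AD_STEP_OUTPUT))
```

Run against the constructed output, the corrected path renders where("lastLoggedInUser" = "cexample"), while both of the earlier paths (index in the wrong place, or no [attributes] level) render where("lastLoggedInUser" = ""), which is the blank input the thread later shows in the job output.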

Thanks, Darrick. That is so simple and logical. :man_facepalming: I guess I was paying too much attention to the numbers, brackets, and parentheses. Now it’s on to the next step of pulling the hostname from a log.

Craig

So testing is now error-free but I simply get no results after the log query runs. If I run the very same query manually in IDR log search I get results and desired output. The log I get on the log-search part of the workflow is:

rapid7/Rapid7 InsightIDR:12.0.1. Step name: advanced_query_on_log_set
Getting log entries from: https://us.api.insight.rapid7.com/log_search/management/logsets
Checking Endpoint Agent against Audit Logs
Checking Endpoint Agent against File Modification Activity
Checking Endpoint Agent against Endpoint Agent
Log set found.
Found log set with name Endpoint Agent and ID: 3131132d-2b08-4ad2-b861-6a6d15fbdd24
Getting logs from: https://us.api.insight.rapid7.com/log_search/query/logsets/3131132d-2b08-4ad2-b861-6a6d15fbdd24
Using parameters: {'query': 'where("lastLoggedInUser" = "xxxxxxx")', 'from': 1753471343000, 'to': 1753474943000, 'per_page': 500}
Got a callback url. Polling results…
Trying to get results from callback URL: https://us.api.insight.rapid7.com/log_search/query/9d169a15-b3ab-4ea2-b7ab-147f7c15cdbc:11:MTAuMC4yMy4xMDE:500:bad49261ab8b83f8e4d9743cf9bebc3ef4c1c50b:
IDR Response Status Code: 200
No more results to process. Exiting.
Sending results to orchestrator.

Craig

When you do your query in IDR are you doing a query on multiple logs, or is it a specific log that you query?

We have an advanced query on log that you might try.

Additionally for your input are you using a log name, or are you using a log id? I would use a log ID. You can grab the log id by selecting that specific log only, and then hitting run on log search. You don’t need to enter any query just hit run. Up in the URL you can grab the ID.

For this URL the log id is what is contained between the percent signs.

22f8cd6520-249f-49c6-b192-ab1af8249e

I would create a net new snippet, and only have the single action, advanced query on log. Get the query to work without using any variables. Once it works, then hit the configure button in the snippet. Create an input variable called target or samaccountname make it a string for data type.

Open your query step again, delete the samaccountname from your query, and replace it with the variable you created.

Save the step.

Hit Test and it will now ask you to type out a target samaccountname.

Ensure that works, and then you should be good to replicate inside of your workflow.

I’ve been using the Advanced Query and targeting the Rapid7 agent. I have it mostly working now via your latest instructions for creating a new single action snippet.

As my next workflow action I’ve got Type Converter converting the JSON output from a string to an object. Now I’m trying to figure out how to extract the hostname value into a variable.

Craig
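The snippet procedure Darrick describes (get the query working with a literal, then swap in a string input variable) and Craig’s next step (pull the hostname out of the returned log events) can be sketched end to end. The following is an added Python example, not code from the thread, from Rapid7 or from InsightConnect. The parameter names query, from, to and per_page are the ones visible in the step log earlier in the thread; the one-hour window matches the from/to values in that log. Everything else is an assumption: the sample results_events entries are constructed, the idea that each event’s message is a JSON document with hostname and lastLoggedInUser keys is a guess at the agent log layout, and treating the most frequently reported hostname as the primary device is a heuristic, not an IDR rule. Before the sAMAccountName is placed into the LEQL it is checked against the characters Active Directory forbids in that attribute, so a malformed or tampered value from an upstream step is rejected instead of changing the shape of the query.

```python
import json
import time
from collections import Counter

# Active Directory does not allow these characters in sAMAccountName, so any
# value containing one is corrupt or hostile and must not reach the query.
# Rejecting is simpler and safer than guessing LEQL escaping rules.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20


def is_valid_sam(value):
    """True when value looks like a legitimate sAMAccountName."""
    if not isinstance(value, str):
        return False
    value = value.strip()
    if not value or len(value) > SAM_MAX_LEN:
        return False
    return not any(c in SAM_FORBIDDEN or ord(c) < 0x20 for c in value)


def build_leql(sam_account_name):
    """Return the LEQL from the thread with the value validated first."""
    if not is_valid_sam(sam_account_name):
        raise ValueError("rejecting sAMAccountName: empty, too long or forbidden characters")
    return 'where("lastLoggedInUser" = "%s")' % sam_account_name.strip()


def build_query_params(sam_account_name, window_seconds=3600, now=None):
    """Build the parameter dict shown in the step log (epoch milliseconds)."""
    now = int(time.time()) if now is None else int(now)
    return {
        "query": build_leql(sam_account_name),
        "from": (now - window_seconds) * 1000,
        "to": now * 1000,
        "per_page": 500,
    }


def extract_primary_hostname(results_events, sam_account_name):
    """Pick the hostname most often reported with this lastLoggedInUser.

    Events whose message is not JSON, not an object, or belongs to another
    user are skipped; the user check is repeated here even though the query
    already filtered on it, so a broadened query cannot leak another user's
    device into the result.  Returns None when nothing usable is found.
    """
    counts = Counter()
    for event in results_events:
        try:
            msg = json.loads(event.get("message", ""))
        except (TypeError, ValueError):
            continue
        if not isinstance(msg, dict):
            continue
        if str(msg.get("lastLoggedInUser", "")).lower() != sam_account_name.lower():
            continue
        hostname = msg.get("hostname")
        if isinstance(hostname, str) and hostname:
            counts[hostname.upper()] += 1
    if not counts:
        return None
    return counts.most_common(1)[0][0]


# Constructed sample of a results_events array; not captured from a real log.
SAMPLE_RESULTS_EVENTS = [
    {"timestamp": 1753471400000, "message": json.dumps(
        {"hostname": "LAPTOP-CRAIG01", "lastLoggedInUser": "cexample", "os": "Windows 11"})},
    {"timestamp": 1753472000000, "message": json.dumps(
        {"hostname": "LAB-VM07", "lastLoggedInUser": "cexample"})},
    {"timestamp": 1753472600000, "message": json.dumps(
        {"hostname": "LAPTOP-CRAIG01", "lastLoggedInUser": "cexample"})},
    {"timestamp": 1753473200000, "message": json.dumps(
        {"hostname": "LAPTOP-BOB02", "lastLoggedInUser": "bexample"})},
    {"timestamp": 1753473800000, "message": "not json at all"},
]


if __name__ == "__main__":
    print(build_query_params("cexample", now=1753474943))
    print(extract_primary_hostname(SAMPLE_RESULTS_EVENTS, "cexample"))
```

With now set to the to value from the thread’s step log, build_query_params reproduces that log’s from/to pair exactly, and the constructed events resolve to LAPTOP-CRAIG01 (two reports against one for the lab VM), while the other user’s event and the non-JSON event are ignored.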

I’ve tried for hours now to try to go from a working snippet to a workflow that uses a variable in the R7 log search and can’t get it to work. My LEQL for my search is:

where("lastLoggedInUser" = "{{["Query Active Directory Accounts"].[results].[0].[sAMAaccountName]}}")

But I can’t get the input for the key value to use the sAMAccountName from the AD query:

The variable you are using is missing attributes.

{{["Query Active Directory Accounts"].[results].[0].[sAMAaccountName]}} is what you are using.

{{["Query Active Directory Accounts"].[results].[0].[attributes].[sAMAaccountName]}} is what you need.

If you have to drop down an arrow to see the value you want to use, you have to include whatever value that drop down arrow is.

I’m not sure if I copied/pasted wrong in my last post but either way I am still not getting the sAMAccountName value passed into the query when making sure I have:

where("lastLoggedInUser" = "{{["Query Active Directory Accounts"].[results].[0].[attributes].[sAMAaccountName]}}")

The input still shows as blank:

Object (6)
log_set : Endpoint Agent
query : where("lastLoggedInUser" = "")

If I replace "{{["Query Active Directory Accounts"].[results].[0].[attributes].[sAMAaccountName]}}" with any sAMAccountName and test the workflow I get log data returned.

Can you take the variable you are trying to pass to your query and instead pass it into an artifact?

Can you check your active directory output and ensure you are still passing a user that is being found in active directory?

Perhaps in all your testing you were looking up Bob as the user samaccountname and it was finding results.

Now you are trying to use it in your workflow and you are targeting a different user, but that user for whatever reason isn’t actually being found in your active directory environment, so the count is 0 and you wouldn’t expect a value to be populated in the query.

I’ve been using my own sAMAccountName for the entirety of testing and if I remove the variable in the log search step and replace it with my SAM in double quotes I get log data returned that I expect and want.

I’ll see what I can learn about how to create an artifact the log query can use.

Apologies Craig.

I wasn’t meaning to try and create an artifact so that you can use that output to push to your log query step.

I was suggesting you use an artifact, and use the variable that should be sAMAccountName in the artifact step. Once you can see your variable is hitting the artifact step, then you can proceed to your log query with the same variable that you used in your artifact step.

For those following along something was corrupt with the step itself.

As we can see above the LDAP query step was working, however we couldn’t get any data to pass from the LDAP query to another step.

We deleted the step, recreated it, and it worked just fine.

Good morning, Darrick.

I can’t even BEGIN to thank you enough for your help on this!! Not only did you resolve this for me but I was then able to quickly and easily create an additional artifact that pulls the hostname from the IDR agent log.

Craig
