Querying Primary User & IDR Search Errors

evan_nichols · May 4, 2021, 1:03pm

I’m trying to resolve addresses and hostnames to primary users in a response workflow using the InsightIDR plugin’s Advanced Query action, and only about 5% of my runs are successful while the rest fail with the following error :

{'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'

Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
    {'type': 'string'}

On instance['results'][2]['labels'][0]:
    {'id': '00000000-0000-0000-0000-000000000006',
     'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
                'rel': 'Self'}]}
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 311, in handle_step
    output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 426, in start_step
    step.output.validate(output)
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/variables.py", line 79, in validate
    validate(parameters, self.schema)
  File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 432, in validate
    cls(schema, *args, **kwargs).validate(instance)
  File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 117, in validate
    raise error
jsonschema.exceptions.ValidationError: {'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'

Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
    {'type': 'string'}

On instance['results'][2]['labels'][0]:
    {'id': '00000000-0000-0000-0000-000000000006',
     'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
                'rel': 'Self'}]}

Is there a better way to dip into IDR’s private intelligence, like the primary user and recent inbound/outbound authentication data, or is this possibly something we could gather from the Insight Agent plugin in the future? It would be really, really handy to resolve users to devices, and devices to users!

joey_mcadams · May 4, 2021, 2:26pm

That’s a bug, I’ll pass that on and we’ll get it fixed.

john_breen · May 26, 2021, 9:12pm

Any update on this bug? We just wasted 4 hours troubleshooting for no reason before we found this post.

john_breen · May 27, 2021, 11:44pm

I am opening a support case.

joey_mcadams · May 28, 2021, 1:43pm

Sorry for the delay, we’ve been talking about this one internally as it’s kind of tricky from an input/output perspective. It may also cross teams for a fix, which is also a delay.

We’re shooting for a fix early next week. Don’t quote me on that, as it’s a tricky one, but that’s the tentative plan.

Again, we’re terribly sorry for the inconvenience and we hope to have a fix in soon.

evan_nichols · July 27, 2021, 11:49am

Any word on this issue?

mberezin · May 6, 2022, 6:17pm

This bug has been patched as of InsightIDR plugin version 3.1.5. Thank you for your patience.