Querying Primary User & IDR Search Errors

I’m trying to resolve addresses and hostnames to primary users in a response workflow using the InsightIDR plugin’s Advanced Query action, and only about 5% of my runs are successful while the rest fail with the following error:

{'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'

Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
    {'type': 'string'}

On instance['results'][2]['labels'][0]:
    {'id': '00000000-0000-0000-0000-000000000006',
     'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
                'rel': 'Self'}]}
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 311, in handle_step
    output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 426, in start_step
    step.output.validate(output)
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/variables.py", line 79, in validate
    validate(parameters, self.schema)
  File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 432, in validate
    cls(schema, *args, **kwargs).validate(instance)
  File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 117, in validate
    raise error
jsonschema.exceptions.ValidationError: {'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'

Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
    {'type': 'string'}

On instance['results'][2]['labels'][0]:
    {'id': '00000000-0000-0000-0000-000000000006',
     'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
                'rel': 'Self'}]}

Is there a better way to dip into IDR’s private intelligence, like the primary user and recent inbound/outbound authentication data, or is this possibly something we could gather from the Insight Agent plugin in the future? It would be really, really handy to resolve users to devices, and devices to users!


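The traceback in the post above shows the action's output schema requiring each `labels` item to be a string while the API returned a label object with `id` and `links`. The following is an added example, not code from the plugin or from Rapid7: it locates such items and, on the assumption that the label's `id` is an acceptable string form, flattens them before validation. The function names and the sample data are constructed for illustration.

```python
import copy

# Constructed sample shaped like the instance in the traceback: results[2]
# carries a label object (id + links) where the output schema wants a string.
LABEL_ID = "00000000-0000-0000-0000-000000000006"
SAMPLE_OUTPUT = {
    "results": [
        {"labels": []},
        {"labels": ["constructed-string-label"]},
        {"labels": [{
            "id": LABEL_ID,
            "links": [{
                "rel": "Self",
                "href": "https://us.api.insight.rapid7.com"
                        "/log_search/management/labels/" + LABEL_ID,
            }],
        }]},
    ]
}


def find_non_string_labels(output):
    """Return jsonschema-style paths of every label that is not a string."""
    paths = []
    for i, result in enumerate(output.get("results", [])):
        for j, label in enumerate(result.get("labels") or []):
            if not isinstance(label, str):
                paths.append("instance['results'][%d]['labels'][%d]" % (i, j))
    return paths


def normalize_labels(output):
    """Return a copy in which label objects are replaced by their 'id' string.

    Assumption: the 'id' is an acceptable string form of the label. Labels
    without a string 'id' are left untouched so validation still flags them.
    """
    fixed = copy.deepcopy(output)
    for result in fixed.get("results", []):
        labels = result.get("labels") or []
        for j, label in enumerate(labels):
            if isinstance(label, dict) and isinstance(label.get("id"), str):
                labels[j] = label["id"]
    return fixed
```
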
That’s a bug, I’ll pass that on and we’ll get it fixed.

Any update on this bug? We just wasted 4 hours troubleshooting for no reason before we found this post.

I am opening a support case.

Sorry for the delay, we’ve been talking about this one internally as it’s kind of tricky from an input/output perspective. It may also cross teams for a fix, which is also a delay.

We’re shooting for a fix early next week. Don’t quote me on that, as it’s a tricky one, but that’s the tentative plan.

Again, we’re terribly sorry for the inconvenience and we hope to have a fix in soon.

Any word on this issue?