I’m trying to resolve addresses and hostnames to primary users in a response workflow using the InsightIDR plugin’s Advanced Query action, and only about 5% of my runs are successful while the rest fail with the following error:
{'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'
Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
{'type': 'string'}
On instance['results'][2]['labels'][0]:
{'id': '00000000-0000-0000-0000-000000000006',
'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
'rel': 'Self'}]}
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 311, in handle_step
output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 426, in start_step
step.output.validate(output)
File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/variables.py", line 79, in validate
validate(parameters, self.schema)
File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 432, in validate
cls(schema, *args, **kwargs).validate(instance)
File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 117, in validate
raise error
jsonschema.exceptions.ValidationError: {'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'
Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
{'type': 'string'}
On instance['results'][2]['labels'][0]:
{'id': '00000000-0000-0000-0000-000000000006',
'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
'rel': 'Self'}]}
Is there a better way to dip into IDR’s private intelligence, like the primary user and recent inbound/outbound authentication data, or is this possibly something we could gather from the Insight Agent plugin in the future? It would be really, really handy to resolve users to devices, and devices to users!
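The validation error in the post shows the action's output schema requiring every entry of `results[].labels` to be a string, while `results[2].labels[0]` was an object with `id` and `links`. The Python below is an added example, not code from the plugin or from the poster: it locates such entries and flattens them to their `id`. The sample data, the function names and the choice of `id` as the string form are assumptions.

```python
from copy import deepcopy

# Constructed sample shaped like the instance in the error above; the
# "message" fields and the first two results are made up for illustration.
LABEL_ID = "00000000-0000-0000-0000-000000000006"
LABEL_URL = "https://us.api.insight.rapid7.com/log_search/management/labels/" + LABEL_ID
SAMPLE_OUTPUT = {"results": [
    {"message": "constructed event 0", "labels": []},
    {"message": "constructed event 1", "labels": ["constructed-label"]},
    {"message": "constructed event 2",
     "labels": [{"id": LABEL_ID, "links": [{"rel": "Self", "href": LABEL_URL}]}]},
]}


def find_non_string_labels(output):
    """Return (result_index, label_index, value) for each label that is not a str."""
    return [(i, j, label)
            for i, result in enumerate(output.get("results", []))
            for j, label in enumerate(result.get("labels") or [])
            if not isinstance(label, str)]


def flatten_labels(output):
    """Return a copy in which each label object is replaced by its "id" string.

    Assumption: the id is an acceptable string form of a label. Anything that
    is neither a str nor a dict with a str "id" raises instead of being dropped.
    """
    fixed = deepcopy(output)
    for i, result in enumerate(fixed.get("results", [])):
        flat = []
        for j, label in enumerate(result.get("labels") or []):
            if isinstance(label, dict) and isinstance(label.get("id"), str):
                label = label["id"]
            if not isinstance(label, str):
                raise ValueError(f"results[{i}].labels[{j}]: cannot flatten {label!r}")
            flat.append(label)
        if "labels" in result:
            result["labels"] = flat
    return fixed


if __name__ == "__main__":
    print(find_non_string_labels(SAMPLE_OUTPUT))                  # the offending entry
    print(find_non_string_labels(flatten_labels(SAMPLE_OUTPUT)))  # none left
```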