Querying Primary User & IDR Search Errors

I’m trying to resolve addresses and hostnames to primary users in a response workflow using the InsightIDR plugin’s Advanced Query action, and only about 5% of my runs are successful while the rest fail with the following error:

{'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'

Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
    {'type': 'string'}

On instance['results'][2]['labels'][0]:
    {'id': '00000000-0000-0000-0000-000000000006',
     'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
                'rel': 'Self'}]}
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 311, in handle_step
    output = self.start_step(input_message['body'], 'action', logger, log_stream, is_test, is_debug)
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/plugin.py", line 426, in start_step
    step.output.validate(output)
  File "/usr/local/lib/python3.7/site-packages/komand-1.0.1-py3.7.egg/komand/variables.py", line 79, in validate
    validate(parameters, self.schema)
  File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 432, in validate
    cls(schema, *args, **kwargs).validate(instance)
  File "/usr/local/lib/python3.7/site-packages/jsonschema-2.3.0-py3.7.egg/jsonschema/validators.py", line 117, in validate
    raise error
jsonschema.exceptions.ValidationError: {'links': [{'rel': 'Self', 'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006'}], 'id': '00000000-0000-0000-0000-000000000006'} is not of type 'string'

Failed validating 'type' in schema['properties']['results']['items']['properties']['labels']['items']:
    {'type': 'string'}

On instance['results'][2]['labels'][0]:
    {'id': '00000000-0000-0000-0000-000000000006',
     'links': [{'href': 'https://us.api.insight.rapid7.com/log_search/management/labels/00000000-0000-0000-0000-000000000006',
                'rel': 'Self'}]}

Is there a better way to dip into IDR’s private intelligence, like the primary user and recent inbound/outbound authentication data, or is this possibly something we could gather from the Insight Agent plugin in the future? It would be really, really handy to resolve users to devices, and devices to users!

That’s a bug, I’ll pass that on and we’ll get it fixed.

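The validation failure in the traceback above, reproduced as an added example that is not part of the original thread or the plugin's code: the output schema types each label as a string, while the returned label is an object with `id` and `links`. The function names, the sample events and the idea of flattening a label to its `id` are assumptions made for illustration, not the vendor's fix.

```python
# Added example, not the InsightIDR plugin's code. The label shape and the
# string-typed schema rule come from the error above; the rest is constructed.
LABEL_ID = "00000000-0000-0000-0000-000000000006"
LABEL_URL = "https://us.api.insight.rapid7.com/log_search/management/labels/"


def label_object(label_id):
    """Build a label in the object shape shown in the error message."""
    return {"id": label_id, "links": [{"rel": "Self", "href": LABEL_URL + label_id}]}


# Constructed action output: only the third event carries a label.
SAMPLE_OUTPUT = {
    "results": [
        {"labels": [], "message": "constructed event 0"},
        {"labels": [], "message": "constructed event 1"},
        {"labels": [label_object(LABEL_ID)], "message": "constructed event 2"},
    ]
}


def find_label_type_errors(output):
    """Return the instance paths whose label violates {'type': 'string'}."""
    paths = []
    for i, event in enumerate(output.get("results", [])):
        for j, label in enumerate(event.get("labels") or []):
            if not isinstance(label, str):
                paths.append("instance['results'][%d]['labels'][%d]" % (i, j))
    return paths


def flatten_labels(output):
    """Hypothetical workaround: copy the output, replacing label objects by their id."""
    fixed = []
    for event in output.get("results", []):
        labels = [
            label["id"] if isinstance(label, dict) else str(label)
            for label in (event.get("labels") or [])
        ]
        fixed.append(dict(event, labels=labels))
    return dict(output, results=fixed)


if __name__ == "__main__":
    print(find_label_type_errors(SAMPLE_OUTPUT))                  # path of the bad label
    print(find_label_type_errors(flatten_labels(SAMPLE_OUTPUT)))  # no violations left
```

Under this schema an output validates only when none of its events carries a label object; events with an empty `labels` list pass.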