Question About Enhancements to Data Exporters and IDR API

Hello Rapid7 community, with the recent updates and “re-imagining of Investigation Management” (What's New in InsightIDR: Q4 2021 in Review | Rapid7 Blog) is it on the roadmap to expand on the data being provided through Data Exporters for investigations, and specifically the universal webhook exporter? (Universal Webhook | InsightIDR Documentation)

This data exporter is currently lacking the following pieces of information that were recently added to the Investigations page in Rapid7:

  • Priority/severity
  • MITRE ATT&CK TTP Mappings

Having both of these included in the data provided by the exporter would be excellent and such a quality of life improvement for us.

In the same vein, is there a roadmap for an update of the IDR API? It would be excellent if the API could also interact with these additional new fields in the Investigations, and also be able to add Notes to an investigation.


Hi @achesterton, our esteemed @maura_folliard can hopefully shed some light on the Webhook and data exporter piece. As for the API, our new Investigation API is currently in early access and is undergoing some tweaks before we release it to be Generally Available; we are aiming to get this out this quarter.

Hi @achesterton, as David said, we are currently working on the API to update it with the new information/fields on investigations (disposition, priority, etc). The initial API will not include the ability to add notes, but we do have on our roadmap to build this out as well! It will just be released a bit after the initial updates. As for the data exporter and webhook, that is not currently on our roadmap but let me take this back to the team and see how we can prioritize it.

Thank you so much for your feedback, we really do appreciate it!

Thanks,
Maura


Thanks for the information and responses from both of you.

@maura_folliard just wondering what the outcome(s) of the internal discussion around improving the Data Exporters was?

Hi @achesterton,

That update to the data exporter is still not currently planned. You said adding these bits of information would be a quality of life improvement for you all, but I’d love to hear a bit more on how? What are the use cases you are looking to fill? All of your feedback is super helpful as we look to build out our roadmap!

Thanks,
Maura

Hi @maura_folliard

Our use case is using the data exporter to send all Investigations to our SOAR platform which then parses the investigation data and generates cases in our central case management system.

Having the ATT&CK TTP Mappings in the data exporter will allow us to add these to the cases in our system, and likewise having the severity data will let us allocate severity levels.
Both of these assist our team with being able to effectively triage all items in our case management system, and provide a solid starting point when they go to investigate that specific case.
Having this additional data also opens up future possibilities for additional automation in our SOAR.

Similarly, having the API be able to add Notes to an investigation allows us to make a note in our case management system on that particular ticket and use our SOAR platform to add that same note to the corresponding Investigation in IDR.
This would be a much more efficient workflow for our team than having to go out of our case management system and into an IDR instance just to add a note to a given investigation.

Hopefully that describes our major use cases for you sufficiently.


@david_smith @maura_folliard
Great news that the Investigation API will get some additional updates.
Would it be possible to get access to the EA of it, to start playing around with it a bit already?

@achesterton I reached out to support and got access to the EA part of the new API; here is a screenshot of the information they have available in there now.
If you want to start playing with the API you could probably just reach out to support and they will give you the details.
[Image: R7_InvestigationAPI]

We need this to update Investigation Disposition in InsightIDR via InsightConnect.

Good morning, Richard.

Your information is of great importance. We have a problem with the platform and this information is of great interest to us.
Please could you share the code you have used to receive this information?

Thank you very much for your help.


Sorry for the late response, but here is the PowerShell code I used to gather investigation information.

# These are the headers that we will use for all the Invoke commands
$R7IDRHeaders = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$R7IDRHeaders.Add("X-Api-Key", "$R7GQLkey")
$R7IDRHeaders.Add("Accept-Version", "strong-force-preview")
$R7IDRHeaders.Add("Content-Type", "application/json")

# Create a timestamp that we can use as a starting point
# We will use current time minus 1 day, converted to UTC (the trailing Z means UTC),
# and format it according to the IDR documented request body format.
# HH is the 24-hour clock; hh would give 12-hour values and shift the window.
$StartTime = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# Create a request body that we will use to filter out the Open investigations in our wanted priorities
# (expandable here-string, so $StartTime and $Prio are substituted into the JSON)
$RequestBody = @"
{
    "start_time": "$StartTime",
    "search": [
        {
            "terms": ["$Prio"],
            "fields": ["priority"]
        },
        {
            "terms": ["OPEN"],
            "fields": ["status"]
        }
    ]
}
"@

# POST the search to the regional IDR API endpoint; the JSON response is parsed into $ResponseData
$ResponseData = Invoke-RestMethod "https://$DataRegion.api.insight.rapid7.com/idr/im/investigations/_search" -Method 'POST' -Headers $R7IDRHeaders -Body $RequestBody

Obviously you will need to define the parameters, but I had that done in different functions.

  • $R7GQLkey - your API key
  • $Prio - valid set is “LOW”, “MEDIUM”, “HIGH”, “CRITICAL”
  • $DataRegion - valid set is “eu”, “au”, “ap”, “ca”, “us”
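The same investigation search, as an added Python example for a SOAR-side poller (not code from the thread or from Rapid7): it validates the region and priority values against the sets listed above, builds the start time in UTC, and accepts several priorities at once, since "terms" is a list in the request body. The endpoint, headers and body shape are the ones in the PowerShell snippet; the R7_API_KEY environment variable name is an assumption.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# Allowed values as listed in the post above.
PRIORITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
REGIONS = {"eu", "au", "ap", "ca", "us"}


def start_time_utc(days_back=1, now_epoch=None):
    """ISO-8601 UTC timestamp <days_back> days ago, millisecond precision, trailing Z."""
    now = datetime.now(timezone.utc) if now_epoch is None else datetime.fromtimestamp(now_epoch, timezone.utc)
    t = now - timedelta(days=days_back)
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"


def build_search_request(region, priorities, start_time, status="OPEN"):
    """Return (url, headers, body) for POST /idr/im/investigations/_search.

    Region and priorities are checked locally so a typo raises here instead of
    silently returning an empty or unexpected result set from the API.
    """
    if region not in REGIONS:
        raise ValueError(f"unknown region {region!r}")
    bad = set(priorities) - PRIORITIES
    if bad:
        raise ValueError(f"invalid priorities: {sorted(bad)}")
    # Assumed env var; the key is never hard-coded in the script.
    api_key = os.environ.get("R7_API_KEY", "<API KEY PLACEHOLDER>")
    url = f"https://{region}.api.insight.rapid7.com/idr/im/investigations/_search"
    headers = {"X-Api-Key": api_key,
               "Accept-Version": "strong-force-preview",
               "Content-Type": "application/json"}
    body = {"start_time": start_time,
            "search": [{"terms": sorted(priorities), "fields": ["priority"]},
                       {"terms": [status], "fields": ["status"]}]}
    return url, headers, body


def fetch_investigations(region, priorities, days_back=1):
    """POST the search and return the decoded JSON response (needs network and a key)."""
    url, headers, body = build_search_request(region, priorities, start_time_utc(days_back))
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```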