As the title itself suggests, I have created a playbook that checks for the total closed investigations and total open investigations from the last 12 hrs (12 hrs is the upper limit they have to query on “audit logs - insightIDR investigations”), creates a detailed report of each investigation and sends it to Email, a Teams Channel or an individual’s Teams Chat. Here I encountered two issues:
How can I trigger this workflow or make it run every 12 hrs (which means, what is the first step I need to add)?
How can I insert that data into a .csv file (or any other format, if possible)?
You can provide any file name you like. It is a CSV, so something like openinvestigations.csv. Then you pass the variable bytes output from your CSV plugin action to the section where it says “content”. It will look like the example below.
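As an added example, not code from this thread or from the plugin, here is a self-contained Python version of the data step being discussed: filter investigation records to the 12-hour window, count open versus closed, and produce the CSV bytes that would be passed to the “content” field. The record field names (id, title, status, created_time) and the timestamp format are assumptions, and the records themselves are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample records standing in for what an investigations query
# returns; the field names are assumptions, not the real API schema.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVESTIGATIONS = [
    {"id": "inv-1", "title": "Suspicious login", "status": "OPEN",
     "created_time": "2024-01-01T05:00:00Z"},
    {"id": "inv-2", "title": "Malware alert", "status": "CLOSED",
     "created_time": "2024-01-01T08:30:00Z"},
    {"id": "inv-3", "title": "Old case", "status": "CLOSED",
     "created_time": "2023-12-30T08:30:00Z"},   # outside the 12-hour window
]
FIELDS = ["id", "title", "status", "created_time"]


def within_window(record, now=NOW, hours=12):
    """True if the record was created within the last `hours` before `now`."""
    created = datetime.strptime(record["created_time"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    return now - timedelta(hours=hours) <= created <= now


def summarize(records, now=NOW, hours=12):
    """Count open and closed investigations inside the window and keep them."""
    recent = [r for r in records if within_window(r, now, hours)]
    return {
        "open": sum(1 for r in recent if r["status"] == "OPEN"),
        "closed": sum(1 for r in recent if r["status"] == "CLOSED"),
        "records": recent,
    }


def build_csv_bytes(records):
    """Render records as UTF-8 CSV bytes, one header row plus one row each."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    for r in records:
        writer.writerow(r)
    return buf.getvalue().encode("utf-8")


if __name__ == "__main__":
    summary = summarize(SAMPLE_INVESTIGATIONS)
    print(f"open={summary['open']} closed={summary['closed']}")
    print(build_csv_bytes(summary["records"]).decode("utf-8"))
```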
I tried creating one sample snippet using the Timers plugin (it has two categories: one is action and the other one is trigger). I used the action one. I used the Timers plugin and set the delay to 30 seconds. In the next step I added one sample artifact with some random text. I was expecting it to trigger after 30 seconds and show me those artifact contents once I clicked the test snippet button. But unfortunately, I didn’t receive the expected outcome. It triggered much earlier than 30 seconds, after something like 17 seconds. I tested it by changing the delay time, yet got the same outcome. So, any idea how to rectify this?
Regarding data fetching, is it possible to use a Python script where I can specify any .txt file path (existing on the local machine or in the cloud, if possible) and append the artifact content to the file?
Snippets don’t trigger. If you want to test a delay you have to first kick off the snippet using the test button. Perform an action like a WHOIS IP lookup. Then add in the 30-second delay. Then write the artifact.
I tried this. In a snippet, as a first step I performed a WHOIS IP lookup on an IP address. Then I added the 30-second delay using the Timers plugin. In the third step, I used the artifact to display the data returned by the WHOIS IP lookup. The first time, I tried it without Timers in between and it finished the job in 15 seconds. The second time, I tried it with the Timers plugin in between and it didn’t even finish; it kept on running. What could be the issue?
As Darrick stated, you can’t test triggers in a snippet. You need to create a workflow with the Timers plugin as the trigger and choose either the daily, hourly, or every X minutes trigger based on your needs. This will allow you to run a workflow on a timed basis. Again, this cannot be tested in a snippet.
It sounds like you have an issue with your orchestrator then. Please follow the instructions below to troubleshoot your issue or submit a support case so that we can review the issue.
I will talk to my client regarding this and work on that. Is there any provision to use the API trigger and a Python script to run the workflow at regular intervals of time?
You could use the API trigger if you wanted to run it on a schedule. You would just write a script and set that script as a scheduled task somewhere in your environment. The Python plugin will not help you. The Timers plugin lets you run a workflow on a set schedule natively within InsightConnect. Not sure what the purpose would be to take it into a scheduled task, but it could be done.
Yes Darrick, exactly. For the API trigger to work, I need to schedule my Python script on the local machine where I run my script, which comes with limitations such as the computer being turned off or simply the battery running out. In such conditions, the scheduling doesn’t work as expected. So, as per your suggestion, I would go with the Timers plugin. Right now, while testing, it is not producing the expected result. Maybe it will work only when the workflow is in an active state. I will get back to this thread.
I don’t know how you would test the timer trigger if the workflow isn’t active.
If you just want to see the timer trigger work as a trigger you can create a new workflow with no steps other than the trigger. Set it for whatever frequency you want, activate it, then watch the jobs get created.
For the API trigger and a script I wasn’t picturing that being on a laptop. More a dedicated server in your environment that only goes down during scheduled maintenance periods.
Actually, we are working on the client’s VDI. I don’t have my own separate account to activate and test. So to activate any workflow I need their permission. So, yeah. I will ask them for the permission and get back to you, Darrick.
Hey Darrick, I need a clarification on the Timers plugin.
We are using it to trigger an event every week. We want it to trigger every Monday exactly at 2:00 PM UTC (9 AM EST). So, I have included [“Monday”] in the day field and [“14:00:00”] in the time-of-day field. Is that correct? I have seen in the documentation of the plugin that in the day field they have used all lowercase. Will it cause any error if we write “Monday” instead of “monday”?
That may work, but it’s always best to follow the examples in the documentation as that is what is normally tested when released. That being said, it would be best to use all lowercase in the day field. Your time field should be fine.