

Refining Schema for other query actions
rmurray-r7 committed Dec 17, 2024
1 parent 4f4d490 commit f733b8a
Showing 6 changed files with 361 additions and 51 deletions.
8 changes: 4 additions & 4 deletions plugins/rapid7_insightidr/.CHECKSUM
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"spec": "f7a752d6162db43ab5a2af23d8fdded1",
"spec": "696ad2ef53e23becbc514ade6b807b86",
"manifest": "447c02c4e8eff1ffc54155a48b270af3",
"setup": "00df4e2ab481d3954b493d8e94670fca",
"schemas": [
Expand All @@ -9,11 +9,11 @@
},
{
"identifier": "advanced_query_on_log/schema.py",
"hash": "5095f41c5b730886b330614a79dc0551"
"hash": "04f457e70ed006499969f3871fd60314"
},
{
"identifier": "advanced_query_on_log_set/schema.py",
"hash": "b5b2c8b6a3b884b33241f87004815459"
"hash": "651d3e1a7ce2676f00851d04e596584c"
},
{
"identifier": "assign_user_to_investigation/schema.py",
Expand Down Expand Up @@ -113,7 +113,7 @@
},
{
"identifier": "query/schema.py",
"hash": "440b96851f6c0090adde3f3709aa6259"
"hash": "3a8132d5735fdbb53f9f26e40cb1ada9"
},
{
"identifier": "replace_indicators/schema.py",
Expand Down
35 changes: 26 additions & 9 deletions plugins/rapid7_insightidr/help.md
Original file line number Diff line number Diff line change
Expand Up @@ -377,7 +377,7 @@ Example input:
| :--- | :--- | :--- | :--- | :--- |
|count|integer|True|Number of log entries found|10|
|results_events|[]events|False|Query Results|[{"labels": [],"timestamp": 1601598638768,"sequence_number": 123456789123456789,"log_id": "64z0f0p9-1a99-4501-xe36-a6d03687f313","message": {"timestamp": "2020-10-02T00:29:14.649Z","destination_asset": "iagent-win7","source_asset_address": "192.168.100.50","destination_asset_address": "example-host","destination_local_account": "user","logon_type": "NETWORK","result": "SUCCESS","new_authentication": "false","service": "ntlmssp ","source_json": {"sourceName": "Microsoft-Windows-Security-Auditing","insertionStrings": ["S-1-0-0","-","-","0x0","X-X-X-XXXXXXXXXXX","user@example.com","example-host","0x204f163c","3","NtLmSsp ","NTLM","","{00000000-0000-0000-0000-000000000000}","-","NTLM V2","128","0x0","-","192.168.50.1","59090"],"eventCode": 4624,"computerName": "example-host","sid": "","isDomainController": false,"eventData": null,"timeWritten": "2020-10-02T00:29:13.670722000Z"}},"links": [{"rel": "Context","href": "https://us.api.insight.rapid7.com/log_search/query/context/xxxx"}],"sequence_number_str": "123456789123456789"}]|
|results_statistical|statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|
|results_statistical|results_statistics|False|Query Results|{"leql":{"during":{"from":1699579214000,"to":1699622414000},"statement":"groupby(r7_context.asset.name)"},"logs":["123456-abcd-1234-abcd-123456abc"],"search_stats":{"bytes_all":9961260,"bytes_checked":9961260,"duration_ms":19,"events_all":1640,"events_checked":1640,"events_matched":1639,"index_factor":0.0},"statistics":{"all_exact_result":true,"cardinality":0,"from":1699579214000,"granularity":4320000,"groups":[{"linux":{"count":1163.0}},{"windowsx64":{"count":476.0}}],"groups_timeseries":[{"linux":{"groups_timeseries":[],"series":[{"count":45.0},{"count":21.0},{"count":16.0},{"count":270.0},{"count":27.0},{"count":43.0},{"count":27.0},{"count":39.0},{"count":29.0},{"count":646.0}],"totals":{"count":1163.0}}},{"windowsx64":{"groups_timeseries":[],"series":[{"count":54.0},{"count":40.0},{"count":60.0},{"count":37.0},{"count":42.0},{"count":62.0},{"count":41.0},{"count":47.0},{"count":49.0},{"count":44.0}],"totals":{"count":476.0}}}],"others":{"series":[]},"stats":{},"status":200,"timeseries":{},"to":1699622414000,"type":"count"}}|

Example output:

Expand Down Expand Up @@ -3068,13 +3068,16 @@ Example output:

|Name|Type|Default|Required|Description|Example|
| :--- | :--- | :--- | :--- | :--- | :--- |
|Computer Name|string|None|None|None|None|
|Event Code|integer|None|None|None|None|
|Event Data|eventData|None|None|None|None|
|Is Domain Controller|boolean|None|None|None|None|
|SID|string|None|None|None|None|
|Source Name|string|None|None|None|None|
|Time Written|string|None|None|None|None|
|Destination Asset|string|None|None|None|None|
|Destination Asset Address|string|None|None|None|None|
|Destination Local Account|string|None|None|None|None|
|Logon Type|string|None|None|None|None|
|New Authentication|string|None|None|None|None|
|Result|string|None|None|None|None|
|Service|string|None|None|None|None|
|Source Asset Address|string|None|None|None|None|
|Source JSON|source_json|None|None|None|None|
|Timestamp|string|None|None|None|None|

**events**

Expand All @@ -3085,6 +3088,7 @@ Example output:
|Log ID|string|None|None|Log ID|None|
|Message|message|None|None|Message|None|
|Sequence Number|integer|None|None|Sequence number|None|
|Sequence Number String|string|None|None|Sequence number string|None|
|Timestamp|integer|None|None|Timestamp|None|

**results_statistics**
Expand Down Expand Up @@ -3114,6 +3118,19 @@ Example output:
|To|integer|None|False|The end of the time range for the query, as a UNIX timestamp in milliseconds|None|
|Type|string|None|False|The type of function performed, for example, "count", "max", "average", "standarddeviation"|None|

**source_json**

|Name|Type|Default|Required|Description|Example|
| :--- | :--- | :--- | :--- | :--- | :--- |
|Computer Name|string|None|False|None|None|
|Event Code|integer|None|False|None|None|
|Event Data|eventData|None|False|None|None|
|Insertion Strings|[]string|None|False|Insertion Strings|None|
|Is Domain Controller|boolean|None|False|None|None|
|SID|string|None|False|None|None|
|Source Name|string|None|False|Source Name|None|
|Time Written|string|None|False|None|None|

**links**

|Name|Type|Default|Required|Description|Example|
Expand Down Expand Up @@ -3410,7 +3427,7 @@ Example output:

# Version History

* 11.0.0 - Updating schema for 'advanced_query_on_log' action to account for missing keys
* 11.0.0 - Updating schema for query actions (`advanced_query_on_log`, `advanced_query_on_log_set` & `query`) to account for missing keys/invalid mapping in the schema
* 10.3.4 - Bumping requirements.txt | SDK bump to 6.2.2
* 10.3.3 - Bumping requirements.txt | SDK bump to 6.2.0
* 10.3.2 - Initial updates for fedramp compliance | Updated SDK to the latest version
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -177,47 +177,119 @@ class AdvancedQueryOnLogOutput(insightconnect_plugin_runtime.Output):
"$ref": "#/definitions/link"
},
"order": 6
},
"sequence_number_str": {
"type": "string",
"title": "Sequence Number String",
"description": "Sequence number string",
"order": 7
}
}
},
"message": {
"type": "object",
"title": "message",
"properties": {
"timestamp": {
"type": "string",
"title": "Timestamp",
"order": 1
},
"destination_asset": {
"type": "string",
"title": "Destination Asset",
"order": 2
},
"source_asset_address": {
"type": "string",
"title": "Source Asset Address",
"order": 3
},
"destination_asset_address": {
"type": "string",
"title": "Destination Asset Address",
"order": 4
},
"destination_local_account": {
"type": "string",
"title": "Destination Local Account",
"order": 5
},
"logon_type": {
"type": "string",
"title": "Logon Type",
"order": 6
},
"result": {
"type": "string",
"title": "Result",
"order": 7
},
"new_authentication": {
"type": "string",
"title": "New Authentication",
"order": 8
},
"service": {
"type": "string",
"title": "Service",
"order": 9
},
"source_json": {
"$ref": "#/definitions/source_json",
"title": "Source JSON",
"order": 10
}
}
},
"source_json": {
"type": "object",
"title": "source_json",
"properties": {
"sourceName": {
"type": "string",
"title": "Source Name",
"description": "Source Name",
"order": 1
},
"insertionStrings": {
"type": "array",
"title": "Insertion Strings",
"description": "Insertion Strings",
"items": {
"type": "string"
},
"order": 2
},
"eventCode": {
"type": "integer",
"title": "Event Code",
"order": 2
"order": 3
},
"computerName": {
"type": "string",
"title": "Computer Name",
"order": 3
"order": 4
},
"sid": {
"type": "string",
"title": "SID",
"order": 4
"order": 5
},
"isDomainController": {
"type": "boolean",
"title": "Is Domain Controller",
"order": 5
"order": 6
},
"eventData": {
"$ref": "#/definitions/eventData",
"title": "Event Data",
"order": 6
"order": 7
},
"timeWritten": {
"type": "string",
"title": "Time Written",
"order": 7
"order": 8
}
}
},
Expand Down
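Review bot: None of the new `message` properties (`timestamp` through `service`) carries a `"description"`, and the same is true of `computerName`, `sid`, `isDomainController`, `eventData` and `timeWritten` in the new `source_json` definition, which is why the generated help.md tables render `None` in their Description column; adding a one-line description per property, e.g. `"description": "Timestamp of the event as recorded in the log message"` on `timestamp`, would fix the docs at the source. The identical hunk in AdvancedQueryOnLogSetOutput has the same gap. The property set appears to be lifted from the single Windows logon event in the help.md example, so messages from other log sources will presumably not carry these keys; it would be worth stating in the `message` definition's description that all of these properties are optional and source-dependent. The enclosing `definitions` dict starts and ends outside the hunk.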
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
"order": 1
},
"results_statistical": {
"$ref": "#/definitions/statistics",
"$ref": "#/definitions/results_statistics",
"title": "Query Results (Statistical)",
"description": "Query Results",
"order": 2
Expand Down Expand Up @@ -195,47 +195,119 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
"$ref": "#/definitions/link"
},
"order": 6
},
"sequence_number_str": {
"type": "string",
"title": "Sequence Number String",
"description": "Sequence number string",
"order": 7
}
}
},
"message": {
"type": "object",
"title": "message",
"properties": {
"timestamp": {
"type": "string",
"title": "Timestamp",
"order": 1
},
"destination_asset": {
"type": "string",
"title": "Destination Asset",
"order": 2
},
"source_asset_address": {
"type": "string",
"title": "Source Asset Address",
"order": 3
},
"destination_asset_address": {
"type": "string",
"title": "Destination Asset Address",
"order": 4
},
"destination_local_account": {
"type": "string",
"title": "Destination Local Account",
"order": 5
},
"logon_type": {
"type": "string",
"title": "Logon Type",
"order": 6
},
"result": {
"type": "string",
"title": "Result",
"order": 7
},
"new_authentication": {
"type": "string",
"title": "New Authentication",
"order": 8
},
"service": {
"type": "string",
"title": "Service",
"order": 9
},
"source_json": {
"$ref": "#/definitions/source_json",
"title": "Source JSON",
"order": 10
}
}
},
"source_json": {
"type": "object",
"title": "source_json",
"properties": {
"sourceName": {
"type": "string",
"title": "Source Name",
"description": "Source Name",
"order": 1
},
"insertionStrings": {
"type": "array",
"title": "Insertion Strings",
"description": "Insertion Strings",
"items": {
"type": "string"
},
"order": 2
},
"eventCode": {
"type": "integer",
"title": "Event Code",
"order": 2
"order": 3
},
"computerName": {
"type": "string",
"title": "Computer Name",
"order": 3
"order": 4
},
"sid": {
"type": "string",
"title": "SID",
"order": 4
"order": 5
},
"isDomainController": {
"type": "boolean",
"title": "Is Domain Controller",
"order": 5
"order": 6
},
"eventData": {
"$ref": "#/definitions/eventData",
"title": "Event Data",
"order": 6
"order": 7
},
"timeWritten": {
"type": "string",
"title": "Time Written",
"order": 7
"order": 8
}
}
},
Expand Down Expand Up @@ -416,6 +488,35 @@ class AdvancedQueryOnLogSetOutput(insightconnect_plugin_runtime.Output):
}
}
},
"results_statistics": {
"type": "object",
"title": "results_statistics",
"properties": {
"statistics": {
"$ref": "#/definitions/statistics",
"title": "statistics",
"description": "Holds the overall statistical results",
"order": 1
},
"leql": {
"type": "object",
"title": "LEQL",
"description": "The LEQL 'WHERE' clause to match against",
"order": 2
},
"logs": {
"title": "Logs",
"description": "Holds the Log ID of the matching log entry",
"order": 3
},
"search_stats": {
"type": "object",
"title": "Search Stats",
"description": "Holds data regarding the query execution",
"order": 4
}
}
},
"statistics": {
"type": "object",
"title": "statistics",
Expand Down
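Review bot: In the new `results_statistics` definition the `logs` property has no `"type"`, unlike its siblings `leql` and `search_stats`, so its shape is neither validated nor documented (help.md will not be able to render a type for it). The help.md example shows it as an array of log-ID strings, so `"type": "array", "items": {"type": "string"}` on `logs` would pin that down. `leql` and `search_stats` are declared as bare objects with no `properties`, which means the keys visible in the example (`during`, `statement`, `bytes_all`, `duration_ms`, ...) are also undocumented; consider adding property definitions or at least listing the expected keys in their descriptions. The enclosing `definitions` dict continues outside the hunk.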
