# Rapid7 InsightIDR
The Rapid7 InsightIDR connector enables integration with the InsightIDR SIEM platform to automate threat detection and response activities.

Rapid7 InsightIDR is a leading security information and event management (SIEM) platform that offers advanced threat detection and response capabilities. This connector enables Swimlane Turbine users to automate key security operations tasks, such as threat investigation, alert management, and indicator enrichment, directly within the InsightIDR environment. By integrating with Rapid7 InsightIDR, security teams can streamline their workflows, enhance their threat intelligence, and rapidly respond to incidents, all while minimizing manual effort and reducing response times.

## Prerequisites

To utilize the Rapid7 InsightIDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key authentication with the necessary parameters:
  - URL: endpoint for the Rapid7 InsightIDR API
  - API Key: unique identifier used to authenticate with the Rapid7 InsightIDR API

## Capabilities

This connector provides the following capabilities:

- Create Custom Threat
- Create a Saved Query
- Delete a Saved Query
- Get Investigation Alerts
- Get Queries
- List All Saved Queries
- Manage Investigations
- Manage Threats
- Retrieve Evidence for Alert
- Retrieve Logs
- Retrieve a Single Alert
- Retrieve Multiple Alerts
- Run Saved Query

## Asset Setup

Fill in the Region parameter with the data center used for your account. To find the data center, log in to your InsightIDR account, then look at the URL of the home page. The URL should look similar to `http://region.idr.insight.rapid7.com`, where `region` indicates your data center. Enter that value in the Region parameter.

## Actions Setup

You need a [Threat Key](https://insightidr.help.rapid7.com/docs/use-the-threat-api#section-generate-the-threat-key) in order to use actions that manage threats. If you do not have a threat to use, follow [Add and Manage Threats](https://insightidr.help.rapid7.com/docs/add-and-manage-threats) to create a new threat.

For actions that take datetime inputs, you can use any standard datetime format, or put in a relative time.

Relative time format:

- For the current time: `now`
- Any other time: `(+/-)(integer) (milliseconds|seconds|minutes|days|weeks|months|years)`

Examples: `now`, `-1 months`, `+3 days`, `-123 seconds`

Notes: for Get a Saved Query, the following outputs should be a list type: `logs`, `time_range`, `groups`, `group_time_series`, `others`, `stats`.

Notes:

- https://insightidr.help.rapid7.com/docs/insightidr-rest-api
- https://help.rapid7.com/insightidr/en-us/api/v1/docs.html
- https://[region].api.insight.rapid7.com/idr/v2/investigations

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| X-Api-Key | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Indicators to Threat

Adds indicators to an existing threat in Rapid7 InsightIDR, requiring a specific threat key and indicator format.

- Endpoint URL: `customthreats/key/{{key}}/indicators/add`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.key | string | required | Parameters for the Add Indicators to Threat action |
| parameters.format | string | required | Parameters for the Add Indicators to Threat action |
| ips | array | optional | Parameter for Add Indicators to Threat |
| hashes | array | optional | Parameter for Add Indicators to Threat |
| domain_names | array | optional | Name of the resource |
| urls | array | optional | URL endpoint for the request |

Input example:

```json
{
  "parameters": {"format": "json"},
  "json_body": {
    "ips": ["123.123.123.123"],
    "hashes": ["b95663ec7339033cf1fde459a34b6606"],
    "domain_names": ["rapid.com"],
    "urls": ["https://myuniqueexample.com/endpoint", "https://google.com"]
  },
  "path_parameters": {"key": "156c9e48-64da-4bba-939e-e1c329be591b"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rejected_indicators | array | Output field rejected_indicators |
| threat | object | Output field threat |
| threat.indicator_count | number | Count value |
| threat.name | string | Name of the resource |
| threat.note | string | Output field threat.note |
| threat.published | boolean | Output field threat.published |

Output example:

```json
{
  "status_code": 404,
  "response_headers": {
    "Date": "Thu, 15 Dec 2022 18:14:08 GMT",
    "Content-Type": "application/json; charset=utf-8",
    "Content-Length": "127",
    "Connection": "keep-alive"
  },
  "reason": "Not Found",
  "json_body": {
    "rejected_indicators": ["blacklisted", "invalid"],
    "threat": {"indicator_count": 1, "name": "threat", "note": "notes", "published": true}
  }
}
```

### Assign User to Investigation

Assign a user to an existing investigation in Rapid7 InsightIDR by specifying the investigation ID and the user's email address.

- Endpoint URL: `/idr/v2/investigations/{{id}}/assignee`
- Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Assign User to Investigation action |
| parameters.multi-customer | boolean | optional | Indicates whether the requester has multi-customer access |
| user_email_address | string | optional | Parameter for Assign User to Investigation |

Input example:

```json
{
  "parameters": {"multi-customer": false},
  "json_body": {"user_email_address": "travis@cryptonomicon.work"},
  "path_parameters": {"id": "723dc6a0-ae08-4404-986c-36310f15b679"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rrn | string | Output field rrn |
| organization_id | string | Unique identifier |
| title | string | Output field title |
| source | string | Output field source |
| status | string | Status value |
| priority | string | Output field priority |
| last_accessed | string | Output field last_accessed |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| assignee | object | Output field assignee |
| assignee.name | string | Name of the resource |
| assignee.email | string | Output field assignee.email |
| first_alert_time | string | Time value |
| latest_alert_time | string | Time value |
| responsibility | string | Output field responsibility |

Output example:

```json
{
  "rrn": "string",
  "organization_id": "string",
  "title": "string",
  "source": "string",
  "status": "active",
  "priority": "string",
  "last_accessed": "string",
  "created_time": "string",
  "disposition": "string",
  "assignee": {"name": "example name", "email": "user@example.com"},
  "first_alert_time": "string",
  "latest_alert_time": "string",
  "responsibility": "string"
}
```

### Bulk Close Investigations

Closes multiple investigations in Rapid7 InsightIDR for a given date range, utilizing the `from`, `to`, and `source` parameters.

- Endpoint URL: `idr/v1/investigations/bulk_close`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| source | string | optional | Parameter for Bulk Close Investigations |
| alert_type | string | optional | Type of the resource |
| from | string | optional | Parameter for Bulk Close Investigations |
| to | string | optional | Parameter for Bulk Close Investigations |
| max_investigations_to_close | string | optional | Parameter for Bulk Close Investigations |
| verbose_errors | string | optional | Error message, if any |

Input example:

```json
{
  "json_body": {
    "source": "alert",
    "alert_type": "lateral movement service account",
    "from": "2022-01-10T00:00:00Z",
    "to": "2023-04-21T00:00:00Z",
    "max_investigations_to_close": "1",
    "verbose_errors": ""
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ids | array | Unique identifier |
| ids.file_name | string | Unique identifier |
| ids.file | string | Unique identifier |
| num_closed | number | Output field num_closed |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Thu, 15 Dec 2022 19:58:04 GMT",
    "Content-Type": "application/json",
    "Transfer-Encoding": "chunked",
    "Connection": "keep-alive",
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Expires": "0",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true"
  },
  "reason": "OK",
  "json_body": {"ids": [], "num_closed": 0}
}
```

### Create a Saved Query

Initiates the creation of a saved query in Rapid7 InsightIDR using the specified `saved_query` JSON body.

- Endpoint URL: `/log_search/query/saved_queries`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| saved_query | object | optional | Parameter for Create a Saved Query |
| saved_query.name | string | required | The name for the saved query |
| saved_query.leql | object | required | Parameter for Create a Saved Query |
| saved_query.leql.during | object | optional | Parameter for Create a Saved Query |
| saved_query.leql.during.from | number | optional | The start of the time range for the query, as a Unix timestamp in milliseconds |
| saved_query.leql.during.to | number | optional | The end of the time range for the query, as a Unix timestamp in milliseconds |
| saved_query.leql.during.time_range | string | optional | Relative time range (instead of an absolute from + to time range). Possible values are "yesterday", "today" and "last X timeunits", where X is the number of time units back from the current server time. Supported time units (case insensitive) are min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s) and year(s). |
| saved_query.leql.statement | string | required | The LEQL query run against the log(s). If empty, the query retrieves all log entries in the specified time range. |
| saved_query.logs | array | optional | The log keys of the logs which the query is run against |

Input example:

```json
{
  "json_body": {
    "saved_query": {"name": "saved query 2", "leql": {"statement": "where(test)"}}
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_query | object | Output field saved_query |
| saved_query.id | string | Unique identifier |
| saved_query.name | string | Name of the resource |
| saved_query.leql | object | Output field saved_query.leql |
| saved_query.leql.statement | string | Output field saved_query.leql.statement |
| saved_query.leql.during | object | Output field saved_query.leql.during |
| saved_query.leql.during.time_range | object | Output field saved_query.leql.during.time_range |
| saved_query.leql.during.to | object | Output field saved_query.leql.during.to |
| saved_query.leql.during.from | object | Output field saved_query.leql.during.from |
| saved_query.logs | array | Output field saved_query.logs |

Output example (truncated in the source):

```json
{
  "status_code": 201,
  "response_headers": {
    "Date": "Fri, 21 Jun 2024 09:18:35 GMT",
    "Content-Type": "application/json",
    "Content-Length": "180",
    "Connection": "keep-alive",
    "Vary": "Origin, Accept-Encoding, Origin",
    "Location": "https://us3.api.insight.rapid7.com/log_search/query/saved_queries/00000000-0000-",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "R7-Correlation-Id": "3f4f3a96-4af9-4229-9303-30dd632beb93",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Expose-Headers": "R
```

### Create Custom Threat

Generates a custom threat in Rapid7 InsightIDR with specific details, notes, and indicators such as IPs, hashes, domains, and URLs.

- Endpoint URL: `idr/v1/customthreats`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threat | string | optional | Parameter for Create Custom Threat |
| note | string | optional | Parameter for Create Custom Threat |
| indicators | object | optional | Parameter for Create Custom Threat |
| indicators.ips | array | required | Parameter for Create Custom Threat |
| indicators.hashes | array | required | Parameter for Create Custom Threat |
| indicators.domain_names | array | required | Name of the resource |
| indicators.urls | array | required | URL endpoint for the request |

Input example:

```json
{
  "json_body": {
    "threat": "threatname",
    "note": "notetext",
    "indicators": {
      "ips": ["192.108.0.1"],
      "hashes": ["b95663ec7339033cf1fde459a34b6606"],
      "domain_names": ["mailxpy.com"],
      "urls": ["http://www.mailxpy.com/login/index.php"]
    }
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |
| correlation_id | string | Unique identifier |

Output example (truncated in the source):

```json
{
  "status_code": 500,
  "response_headers": {
    "Date": "Mon, 12 Dec 2022 21:35:58 GMT",
    "Content-Type": "application/json",
    "Transfer-Encoding": "chunked",
    "Connection": "keep-alive",
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Expires": "0",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true"
  },
  "reason": "Server Error",
  "json_body": {"message": "A server error occurred", "corre
```

### Delete a Saved Query

Removes a specific saved query from Rapid7 InsightIDR using the unique saved query ID.

- Endpoint URL: `/log_search/query/saved_queries/{{saved_query_id}}`
- Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.saved_query_id | string | required | The ID of the saved query |

Input example:

```json
{"path_parameters": {"saved_query_id": "00000000-0000-1616-0000-000000000000"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example (truncated in the source):

```json
{
  "status_code": 204,
  "response_headers": {
    "Date": "Fri, 21 Jun 2024 09:07:47 GMT",
    "Connection": "keep-alive",
    "Vary": "Origin, Origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "R7-Correlation-Id": "5d143985-8028-4204-a2f9-f18e1848b30b",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Expose-Headers": "R7-Correlation-Id",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "445",
    "RateLimit-Remaining": "1497",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "445",
    "X-RateLimit-Remaining
```

### Get a Saved Query

Executes a saved query in Rapid7 InsightIDR using the specified query ID and returns the results.

- Endpoint URL: `log_search/query/saved_queries/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get a Saved Query action |

Input example:

```json
{"path_parameters": {"id": "00000000-0000-0838-0000-000000000000"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_query | object | Output field saved_query |
| saved_query.id | string | Unique identifier |
| saved_query.name | string | Name of the resource |
| saved_query.leql | object | Output field saved_query.leql |
| saved_query.leql.statement | string | Output field saved_query.leql.statement |
| saved_query.leql.during | object | Output field saved_query.leql.during |
| saved_query.leql.during.time_range | object | Output field saved_query.leql.during.time_range |
| saved_query.leql.during.to | object | Output field saved_query.leql.during.to |
| saved_query.leql.during.from | object | Output field saved_query.leql.during.from |
| saved_query.logs | array | Output field saved_query.logs |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 14 Dec 2022 15:11:13 GMT",
    "Content-Type": "application/json",
    "Content-Length": "228",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "8dd3331b-9c80-406d-acc4-81b9a3d6aa94",
    "Vary": "Accept-Encoding, Origin",
    "Content-Encoding": "gzip",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "900",
    "RateLimit-Remaining": "1499",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "900",
    "X-RateLimit-Remaining": "1499"
  },
  "reason": "OK",
  "j
```

### Get Investigation Alerts

Retrieves the alerts associated with a specific investigation in Rapid7 InsightIDR by using its unique identifier.

- Endpoint URL: `/idr/v2/investigations/{{identifier}}/alerts`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.identifier | string | required | The ID of the investigation |
| parameters.index | number | optional | The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0. |
| parameters.multi-customer | boolean | optional | Indicates whether the requester has multi-customer access. If set to true, the ID of the investigation must be in the RRN format, and the region of the RRN must match the region of the endpoint. |
| parameters.size | number | optional | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 100. |

Input example:

```json
{
  "parameters": {"index": 0, "multi-customer": false, "size": 1},
  "path_parameters": {"identifier": "174e4f99-2ac7-4481-9301-4d24c34baf06"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | string | Response data |
| data.title | string | Response data |
| data.alert_type | string | Response data |
| data.alert_type_description | string | Response data |
| data.created_time | string | Response data |
| data.first_event_time | string | Response data |
| data.latest_event_time | string | Response data |
| data.alert_source | string | Response data |
| data.detection_rule_rrn | object | Response data |
| data.detection_rule_rrn.rule_name | string | Response data |
| data.detection_rule_rrn.rule_rrn | string | Response data |
| metadata | object | Response data |
| metadata.index | number | Response data |
| metadata.size | number | Response data |
| metadata.total_pages | number | Response data |
| metadata.total_data | number | Response data |

Output example:

```json
{
  "data": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "title": "string",
      "alert_type": "string",
      "alert_type_description": "string",
      "created_time": "string",
      "first_event_time": "string",
      "latest_event_time": "string",
      "alert_source": "string",
      "detection_rule_rrn": {}
    }
  ],
  "metadata": {"index": 123, "size": 123, "total_pages": 123, "total_data": 123}
}
```

### Get Investigations

Retrieves matching investigations from Rapid7 InsightIDR based on the specified parameters.

- Endpoint URL: `idr/v1/investigations`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start_time | string | optional | Parameters for the Get Investigations action |
| parameters.end_time | string | optional | Parameters for the Get Investigations action |
| parameters.limit | string | optional | Parameters for the Get Investigations action |
| parameters.statuses | string | optional | Parameters for the Get Investigations action |

Input example:

```json
{
  "parameters": {
    "start_time": "2020-01-10T00:00:00Z",
    "end_time": "2023-04-21T00:00:00Z",
    "limit": "50",
    "statuses": "open,closed"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | string | Response data |
| data.rrn | string | Response data |
| data.title | string | Response data |
| data.status | string | Response data |
| data.source | string | Response data |
| data.disposition | string | Response data |
| data.alerts | array | Response data |
| data.alerts.type | string | Response data |
| data.alerts.type_description | string | Response data |
| data.alerts.first_event_time | string | Response data |
| data.created_time | string | Response data |
| data.assignee | object | Response data |
| data.assignee.name | string | Response data |
| data.assignee.email | string | Response data |
| metadata | object | Response data |
| metadata.index | number | Response data |
| metadata.size | number | Response data |
| metadata.total_pages | number | Response data |
| metadata.total_data | number | Response data |

Output example:

```json
{
  "data": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "rrn": "string",
      "title": "string",
      "status": "active",
      "source": "string",
      "disposition": "string",
      "alerts": [],
      "created_time": "string",
      "assignee": {}
    }
  ],
  "metadata": {"index": 123, "size": 123, "total_pages": 123, "total_data": 123}
}
```

### Get Log

Retrieves a specific log from Rapid7 InsightIDR using the unique log identifier.

- Endpoint URL: `log_search/management/logs/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get Log action |

Input example:

```json
{"path_parameters": {"id": "4241b964-2bfd-4135-938e-d9b6f412ad66"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| log | object | Output field log |
| log.id | string | Unique identifier |
| log.name | string | Name of the resource |
| log.tokens | array | Output field log.tokens |
| log.structures | array | Output field log.structures |
| log.user_data | object | Response data |
| log.user_data.le_expire_backup | string | Response data |
| log.user_data.le_log_type | string | Response data |
| log.user_data.platform_managed | string | Response data |
| log.source_type | string | Type of the resource |
| log.token_seed | object | Output field log.token_seed |
| log.retention_period | string | Output field log.retention_period |
| log.links | array | Output field log.links |
| log.links.rel | string | Output field log.links.rel |
| log.links.href | string | Output field log.links.href |
| log.rrn | string | Output field log.rrn |
| log.logsets_info | array | Output field log.logsets_info |
| log.logsets_info.id | string | Unique identifier |
| log.logsets_info.name | string | Name of the resource |
| log.logsets_info.rrn | string | Output field log.logsets_info.rrn |
| log.logsets_info.links | array | Output field log.logsets_info.links |
| log.logsets_info.links.rel | string | Output field log.logsets_info.links.rel |
| log.logsets_info.links.href | string | Output field log.logsets_info.links.href |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Tue, 13 Dec 2022 19:14:29 GMT",
    "Content-Type": "application/json",
    "Content-Length": "460",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "ee3427f3-175e-4b34-8172-4df714109137",
    "Vary": "Accept-Encoding, Origin",
    "Content-Encoding": "gzip",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "440",
    "RateLimit-Remaining": "1498",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "440",
    "X-RateLimit-Remaining": "1498"
  },
  "reason": "OK",
  "j
```

### Get Logs

Pulls all log entries from Rapid7 InsightIDR, offering a complete overview of event streams for in-depth analysis.

- Endpoint URL: `log_search`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| `/log_search/management/actions/{id}/targets` | object | Unique identifier |
| `/log_search/management/actions/{id}/targets`.path | string | Unique identifier |
| `/log_search/management/actions/{id}/targets`.verbs | array | Unique identifier |
| `/log_search/management/aws/cloudtrails/{id}` | object | Unique identifier |
| `/log_search/management/aws/cloudtrails/{id}`.path | string | Unique identifier |
| `/log_search/management/aws/cloudtrails/{id}`.verbs | array | Unique identifier |
| `/log_search/usage/accounts/{accountId}/logs` | object | Unique identifier |
| `/log_search/usage/accounts/{accountId}/logs`.path | string | Unique identifier |
| `/log_search/usage/accounts/{accountId}/logs`.verbs | array | Unique identifier |
| `/log_search/query/logs/{log_keys}/{saved_query_id}` | object | Unique identifier |
| `/log_search/query/logs/{log_keys}/{saved_query_id}`.path | string | Unique identifier |
| `/log_search/query/logs/{log_keys}/{saved_query_id}`.verbs | array | Unique identifier |
| `/log_search/audit/query/{id}` | object | Unique identifier |
| `/log_search/audit/query/{id}`.path | string | Unique identifier |
| `/log_search/audit/query/{id}`.verbs | array | Unique identifier |
| `/log_search/management/logsets` | object | Output field /log_search/management/logsets |
| `/log_search/management/logsets`.path | string | Output field /log_search/management/logsets.path |
| `/log_search/management/logsets`.verbs | array | Output field /log_search/management/logsets.verbs |
| `/log_search/management/accounts/{accountId}/apikeys` | object | Unique identifier |
| `/log_search/management/accounts/{accountId}/apikeys`.path | string | Unique identifier |
| `/log_search/management/accounts/{accountId}/apikeys`.verbs | array | Unique identifier |
| `/log_search/management/actions` | object | Output field /log_search/management/actions |
| `/log_search/management/actions`.path | string | Output field /log_search/management/actions.path |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Mon, 12 Dec 2022 17:14:27 GMT",
    "Content-Type": "application/json",
    "Transfer-Encoding": "chunked",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "15a2e950-7497-4f75-b624-ba04b423cd8d",
    "Vary": "Accept-Encoding, Origin",
    "Content-Encoding": "gzip",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "500",
    "RateLimit-Reset": "380",
    "RateLimit-Remaining": "496",
    "X-RateLimit-Limit": "500",
    "X-RateLimit-Reset": "380",
    "X-RateLimit-Remaining": "496"
  },
  "reason": "OK"
```

### Get Query

Executes a Log Entry Query Language (LEQL) query within Rapid7 InsightIDR to retrieve targeted log entry data, requiring a JSON body input.

- Endpoint URL: `log_search/query/logs`
- Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| leql | object | optional | Parameter for Get Query |
| leql.during | object | optional | Parameter for Get Query |
| leql.during.from | number | optional | Parameter for Get Query |
| leql.during.to | number | optional | Parameter for Get Query |
| leql.statement | string | optional | Parameter for Get Query |
| logs | array | optional | Parameter for Get Query |

Input example:

```json
{
  "json_body": {
    "leql": {
      "during": {"from": 1670955839000, "to": 1670956949000},
      "statement": "where(hostname=desktop-qsi525c) calculate(count) timeslice(200)"
    },
    "logs": ["4241b964-2bfd-4135-938e-d9b6f412ad66", "7707f0ef-31f2-4fce-91ba-2eb7fbcdf771"]
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Output field logs |
| progress | number | Output field progress |
| events | array | Output field events |
| events.file_name | string | Name of the resource |
| events.file | string | Output field events.file |
| partial | object | Output field partial |
| partial.cardinality | number | Output field partial.cardinality |
| partial.granularity | number | Output field partial.granularity |
| partial.from | number | Output field partial.from |
| partial.to | number | Output field partial.to |
| partial.type | string | Type of the resource |
| partial.stats | object | Output field partial.stats |
| partial.stats.global_timeseries | object | Output field partial.stats.global_timeseries |
| partial.stats.global_timeseries.count | number | Count value |
| partial.groups | array | Output field partial.groups |
| partial.groups.file_name | string | Name of the resource |
| partial.groups.file | string | Output field partial.groups.file |
| partial.others | object | Output field partial.others |
| partial.status | number | Status value |
| partial.timeseries | object | Output field partial.timeseries |
| partial.timeseries.global_timeseries | array | Output field partial.timeseries.global_timeseries |
| partial.timeseries.global_timeseries.count | number | Count value |
| partial.groups_timeseries | array | Output field partial.groups_timeseries |

Output example (truncated in the source):

```json
{
  "status_code": 202,
  "response_headers": {
    "Date": "Tue, 13 Dec 2022 18:54:26 GMT",
    "Content-Type": "application/json",
    "Content-Length": "3667",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "6f05e429-c746-43aa-896c-9f283bee6bd3",
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "734",
    "RateLimit-Remaining": "1497",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "734",
    "X-RateLimit-Remaining": "1497"
  },
  "reason": "Accepted",
  "json_body": {"logs": ["4241b964-2bfd-41
```

### List All Saved Queries

Retrieves all saved queries from Rapid7 InsightIDR to support analysis or investigation efforts.

- Endpoint URL: `/log_search/query/saved_queries`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_queries | array | Output field saved_queries |
| saved_queries.id | string | Unique identifier |
| saved_queries.name | string | Name of the resource |
| saved_queries.leql | object | Output field saved_queries.leql |
| saved_queries.leql.statement | string | Output field saved_queries.leql.statement |
| saved_queries.leql.during | object | Output field saved_queries.leql.during |
| saved_queries.leql.during.time_range | object | Output field saved_queries.leql.during.time_range |
| saved_queries.leql.during.to | object | Output field saved_queries.leql.during.to |
| saved_queries.leql.during.from | object | Output field saved_queries.leql.during.from |
| saved_queries.logs | array | Output field saved_queries.logs |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Fri, 21 Jun 2024 09:00:13 GMT",
    "Content-Type": "application/json",
    "Content-Length": "191",
    "Connection": "keep-alive",
    "Vary": "Origin, Accept-Encoding, Origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "R7-Correlation-Id": "14f165c3-d476-45e3-a9f1-13df3a33426b",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Expose-Headers": "R7-Correlation-Id",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "900",
    "RateLimit-Remaining": "1499",
    "
```

### List Query Endpoints

Retrieves a comprehensive list of available query API endpoints from Rapid7 InsightIDR.

- Endpoint URL: `log_search/query`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| `/log_search/query/logs/{log_keys}/{saved_query_id}` | object | Unique identifier |
| `/log_search/query/logs/{log_keys}/{saved_query_id}`.path | string | Unique identifier |
| `/log_search/query/logs/{log_keys}/{saved_query_id}`.verbs | array | Unique identifier |
| `/log_search/query/dataview/saved_query/{saved_query_id}` | object | Response data |
| `/log_search/query/dataview/saved_query/{saved_query_id}`.path | string | Response data |
| `/log_search/query/dataview/saved_query/{saved_query_id}`.verbs | array | Response data |
| `/log_search/query` | object | Output field /log_search/query |
| `/log_search/query`.path | string | Output field /log_search/query.path |
| `/log_search/query`.verbs | array | Output field /log_search/query.verbs |
| `/log_search/query/saved_queries/{id}` | object | Unique identifier |
| `/log_search/query/saved_queries/{id}`.path | string | Unique identifier |
| `/log_search/query/saved_queries/{id}`.verbs | array | Unique identifier |
| `/log_search/query/metrics/{id}` | object | Unique identifier |
| `/log_search/query/metrics/{id}`.path | string | Unique identifier |
| `/log_search/query/metrics/{id}`.verbs | array | Unique identifier |
| `/log_search/query/context/{id}` | object | Unique identifier |
| `/log_search/query/context/{id}`.path | string | Unique identifier |
| `/log_search/query/context/{id}`.verbs | array | Unique identifier |
| `/log_search/query/logs/{log_keys}` | object | Output field /log_search/query/logs/{log_keys} |
| `/log_search/query/logs/{log_keys}`.path | string | Output field /log_search/query/logs/{log_keys}.path |
| `/log_search/query/logs/{log_keys}`.verbs | array | Output field /log_search/query/logs/{log_keys}.verbs |
| `/log_search/query/repeated/{id}` | object | Unique identifier |
| `/log_search/query/repeated/{id}`.path | string | Unique identifier |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Wed, 14 Dec 2022 22:03:27 GMT",
    "Content-Type": "application/json",
    "Content-Length": "380",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "7d3877b2-bc53-4da0-b23c-19853fc7f47e",
    "Vary": "Accept-Encoding, Origin",
    "Content-Encoding": "gzip",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "900",
    "RateLimit-Remaining": "1499",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "900",
    "X-RateLimit-Remaining": "1499"
  },
  "reason": "OK",
  "j
```

### Query Individual Log Sets

Retrieves details for a specific log set in Rapid7 InsightIDR using the provided unique identifier.

- Endpoint URL: `log_search/query/logsets/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Query Individual Log Sets action |
| parameters.query | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.from | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.to | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.time_range | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.kvp_info | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.label | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.labels | string | optional | Parameters for the Query Individual Log Sets action |
| parameters.sequence_number | string | optional | Parameters for the Query Individual Log Sets action |

Input example:

```json
{
  "parameters": {
    "query": "where(foo=bar)",
    "from": "2020-09-17T18:24:57+00:00",
    "to": "1600367097846",
    "time_range": "last 20 minutes",
    "kvp_info": "false",
    "label": "",
    "labels": "",
    "sequence_number": ""
  },
  "path_parameters": {"id": "1fb16e4a-237e-4bf6-8bbe-5aafda850f3a"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Output field logs |
| leql | object | Output field leql |
| leql.statement | string | Output field leql.statement |
| leql.during | object | Output field leql.during |
| leql.during.from | number | Output field leql.during.from |
| leql.during.to | number | Output field leql.during.to |
| events | array | Output field events |
| events.labels | array | Output field events.labels |
| events.labels.links | array | Output field events.labels.links |
| events.labels.links.rel | string | Output field events.labels.links.rel |
| events.labels.links.href | string | Output field events.labels.links.href |
| events.labels.id | string | Unique identifier |
| events.timestamp | number | Output field events.timestamp |
| events.sequence_number | number | Output field events.sequence_number |
| events.log_id | string | Unique identifier |
| events.message | string | Response message |
| events.links | array | Output field events.links |
| events.links.rel | string | Output field events.links.rel |
| events.links.href | string | Output field events.links.href |
| events.sequence_number_str | number | Output field events.sequence_number_str |
| events.kvp_info | array | Output field events.kvp_info |
| events.kvp_info.key | object | Output field events.kvp_info.key |
| events.kvp_info.key.text | string | Output field events.kvp_info.key.text |

Output example (truncated in the source):

```json
{
  "status_code": 404,
  "response_headers": {
    "Date": "Thu, 15 Dec 2022 18:36:49 GMT",
    "Content-Type": "application/json",
    "Content-Length": "43",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "89318875-0b80-4e24-a99b-e19be82be430",
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "899",
    "RateLimit-Remaining": "1499",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "899",
    "X-RateLimit-Remaining": "1499"
  },
  "reason": "Not Found",
  "json_body": {"logs": ["565c1b7b-c08b-4c8
```

### Query Individual Logs

Retrieves specific log entries from Rapid7 InsightIDR using a unique log identifier.

- Endpoint URL: `log_search/query/logs/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Query Individual Logs action |
| parameters.query | string | optional | Parameters for the Query Individual Logs action |
| parameters.kvp_info | boolean | optional | Parameters for the Query Individual Logs action |
| parameters.label | string | optional | Parameters for the Query Individual Logs action |
| parameters.labels | string | optional | Parameters for the Query Individual Logs action |
| parameters.sequence_number | string | optional | Parameters for the Query Individual Logs action |
| parameters.time_range | string | optional | Parameters for the Query Individual Logs action |

Input example:

```json
{
  "parameters": {
    "query": "where(foo=bar)",
    "kvp_info": false,
    "label": "",
    "labels": "",
    "sequence_number": "",
    "time_range": "yesterday"
  },
  "path_parameters": {"id": "4241b964-2bfd-4135-938e-d9b6f412ad66"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Output field logs |
| progress | number | Output field progress |
| events | array | Output field events |
| events.file_name | string | Name of the resource |
| events.file | string | Output field events.file |
| links | array | Output field links |
| links.rel | string | Output field links.rel |
| links.href | string | Output field links.href |
| id | string | Unique identifier |
| leql | object | Output field leql |
| leql.statement | object | Output field leql.statement |
| leql.during | object | Output field leql.during |
| leql.during.from | number | Output field leql.during.from |
| leql.during.to | number | Output field leql.during.to |
| leql.during.time_range | string | Output field leql.during.time_range |

Output example (truncated in the source):

```json
{
  "status_code": 202,
  "response_headers": {
    "Date": "Thu, 15 Dec 2022 15:18:39 GMT",
    "Content-Type": "application/json",
    "Content-Length": "322",
    "Connection": "keep-alive",
    "R7-Correlation-Id": "b2ce1333-657e-4823-bd3b-8e24ea69c8df",
    "Vary": "Accept-Encoding, Origin",
    "Content-Encoding": "gzip",
    "Access-Control-Allow-Credentials": "true",
    "RateLimit-Limit": "1500",
    "RateLimit-Reset": "837",
    "RateLimit-Remaining": "1498",
    "X-RateLimit-Limit": "1500",
    "X-RateLimit-Reset": "837",
    "X-RateLimit-Remaining": "1498"
  },
  "reason": "Accept
```

### Query Multiple Log Sets

Executes a query across multiple log sets in Rapid7 InsightIDR, utilizing the provided log set name as a parameter.

- Endpoint URL: `log_search/query/logsets`
- Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.logset_name | string | required | Parameters for the Query Multiple Log Sets action |
| parameters.from | string | optional | Parameters for the Query Multiple Log Sets action |
| parameters.to | string | optional | Parameters for the Query Multiple Log Sets action |
| parameters.label | string | optional | Parameters for the Query Multiple Log Sets action |
| parameters.labels | string | optional | Parameters for the Query Multiple Log Sets action |
| parameters.per_page | string | optional | Parameters for the Query Multiple Log Sets action |
| parameters.kvp_info | string | optional | Parameters for the Query Multiple Log Sets action |
| parameters.sequence_number | string | optional | Parameters for the Query Multiple Log Sets action |

Input example:

```json
{
  "parameters": {
    "logset_name": "endpoint activity, unparsed data",
    "from": "2020-09-17T18:24:57+00:00",
    "to": "1600367097846",
    "label": "00000000-0000-0000-0000-000000000001",
    "labels": "00000000-0000-0000-0000-000000000001 21b21bb8-8869-4e2c-98df-684892e4e112",
    "per_page": "10",
    "kvp_info": "false",
    "sequence_number": ""
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Output field logs |
| leql | object | Output field leql |
| leql.statement | string | Output field leql.statement |
| leql.during | object | Output field leql.during |
| leql.during.from | number | Output field leql.during.from |
| leql.during.to | number | Output field leql.during.to |
| events | array | Output field events |
| events.labels | array | Output field events.labels |
| events.labels.links | array | Output field events.labels.links |
| events.labels.links.rel | string | Output field events.labels.links.rel |
| events.labels.links.href | string | Output field events.labels.links.href |
| events.labels.id | string | Unique identifier |
| events.timestamp | number | Output field events.timestamp |
| events.sequence_number | number | Output field events.sequence_number |
| events.log_id | string | Unique identifier |
| events.message | string | Response message |
| events.links | array | Output field events.links |
| events.links.rel | string | Output field events.links.rel |
| events.links.href | string | Output field events.links.href |
| events.sequence_number_str | number | Output field events.sequence_number_str |
| events.kvp_info | array | Output field events.kvp_info |
| events.kvp_info.key | object | Output field events.kvp_info.key |
text string output field events kvp info key text output example {"status code" 404,"response headers" {"date" "thu, 15 dec 2022 18 20 15 gmt","content type" "application/json","content length" "43","connection" "keep alive","r7 correlation id" "c3c8f87a 6ac7 4ced acd9 757e6bac80af","vary" "origin","access control allow credentials" "true","ratelimit limit" "1500","ratelimit reset" "899","ratelimit remaining" "1499","x ratelimit limit" "1500","x ratelimit reset" "899","x ratelimit remaining" "1499"},"reason" "not found","json body" {"logs" \["565c1b7b c08b 4c8 query multiple logs executes a query across multiple log sets in rapid7 insightidr, utilizing the 'logs' parameter provided in the json body input endpoint url log search/query/logs method post input argument name type required description parameters per page number optional number of log entries to return per page, up to 500(the maximum allowed) parameters export format string optional if included, the query results will be exported to the given format currently only csv is supported this parameter is only for non statistical search queries (i e no 'calculate' and/or 'groupby' clauses) results are limited to the first 1 million log entries, and only one export job may run per account at a time results are limited to the first 1 million log entries, and only one export job may run per account at a time the response will be a 202, and the response body will contain a link for polling the export job (on the /exports/{id} endpoint) parameters kvp info boolean optional when set to true, the events object that is returned will additionally contain information about all the key value pairs in each returned log entry parameters most recent first boolean optional when set to true, the query returns the most recent events first when set to false, it returns the oldest events first parameters labels string optional a set of ' ' separated label uuids only entries which have a label matching one of these uuids will be 
returned this only works with non statistical queries (i e no 'groupby' or 'calculate' clauses) takes precedence over the 'label' parameter parameters sequence number number optional if this query parameter is included, the query results will additionally include all log entries received in the from millisecond which have sequence numbers larger than the one specified sequence numbers are identifiers used to distinguish between log entries received in the same millisecond if a log entry was split up into several log entries during ingestion, then those chunks are ordered by sequence number logs array optional the log keys of the logs which the query is run against leql object optional the leql statement of the query, along with the time range leql during object optional parameter for query multiple logs leql during from number optional the start of the time range for the query, as a unix timestamp in milliseconds leql during to number optional the end of the time range for the query, as a unix timestamp in milliseconds leql during time range string optional relative time range (instead of absolute from + to time range) possible values are yesterday, today last x timeunits where x is the number of time unit back from the current server time supported time units (case insensitive) min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s), year(s) leql statement string optional the leql query run against the log(s) if empty, the query retrieves all log entries in the specified time range cannot be empty for saved queries input example {"parameters" {"per page" 50,"export format" "csv","kvp info"\ true,"most recent first"\ true,"labels" "00000000 0000 0000 0000 000000000001 21b21bb8 8869 4e2c 98df 684892e4e112","sequence number" 2234733321019952000},"json body" {"logs" \["565c1b7b c08b 4c87 a42a ab08bad56071","c78579a8 8b20 4e6a d4c0 5287198a263b"],"leql" {"during" {"from" 1609629856000,"to" 1609629992000,"time range" "last 1 hour"},"statement" 
"where(931dde6c60>=800)"}}} output parameter type description status code number http status code of the response reason string response reason phrase logs array output field logs progress number output field progress events array output field events links array output field links links rel string output field links rel links href string output field links href id string unique identifier leql object output field leql leql statement object output field leql statement leql during object output field leql during leql during from number output field leql during from leql during to number output field leql during to output example {"status code" 202,"response headers" {"date" "wed, 14 dec 2022 21 27 14 gmt","content type" "application/json","content length" "494","connection" "keep alive","r7 correlation id" "0611c3c7 7edd 4d1f 80c5 4e6d31883898","vary" "origin","access control allow credentials" "true","ratelimit limit" "1500","ratelimit reset" "899","ratelimit remaining" "1499","x ratelimit limit" "1500","x ratelimit reset" "899","x ratelimit remaining" "1499"},"reason" "accepted","json body" {"logs" \["4241b964 2bfd 413 replace indicators for threat replaces all indicators for a specified threat in rapid7 insightidr, requiring a threat key and format specification endpoint url idr/v1/customthreats/key/{{key}}/indicators/replace method post input argument name type required description path parameters key string required parameters for the replace indicators for threat action parameters format string required parameters for the replace indicators for threat action ips array optional parameter for replace indicators for threat hashes array optional parameter for replace indicators for threat domain names array optional name of the resource urls array optional url endpoint for the request input example {"parameters" {"format" "json"},"json body" {"ips" \["192 108 0 1"],"hashes" \["b95663ec7339033cf1fde459a34b6606"],"domain names" \["mailxpy com"],"urls" \[" http //www 
mailxpy com/login/index php"]},"path parameters" {"key" "723dc6a0 ae08 4404 986c 36310f15b679"}} output parameter type description status code number http status code of the response reason string response reason phrase rejected indicators array output field rejected indicators threat object output field threat threat indicator count number count value threat name string name of the resource threat note string output field threat note threat published boolean output field threat published output example {"status code" 404,"response headers" {"date" "thu, 15 dec 2022 20 19 07 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, max age=0, must revalidate","expires" "0","pragma" "no cache","x content type options" "nosniff","x frame options" "deny","x xss protection" "1; mode=block","vary" "origin","access control allow credentials" "true"},"reason" "not found","json body" {"rejected indicators" \["blacklisted","invalid retrieve a single alert retrieve a specific alert from rapid7 insightidr using the unique resource resolution name (rrn) endpoint url /idr/at/alerts/{{alert rrn}} method get input argument name type required description path parameters alert rrn string required the unique identifier of the alert input example {"path parameters" {"alert rrn" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase rrn string output field rrn version number output field version created at string output field created at updated at string output field updated at alerted at string output field alerted at ingested at string output field ingested at external source string output field external source external id string unique identifier organization object output field organization organization id string unique identifier organization name string name of the resource organization region string output field organization 
region organization product token string output field organization product token organization customer id string unique identifier organization customer name string name of the resource organization customer code string output field organization customer code organization customer group string output field organization customer group organization flags array output field organization flags title string output field title type string type of the resource rule object output field rule rule rrn string output field rule rrn rule name string name of the resource output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"rrn" "string","version" 0,"created at" "2019 08 24t14 15 22z","updated at" "2019 08 24t14 15 22z","alerted at" "2019 08 24t14 15 22z","ingested at" "2019 08 24t14 15 22z","external source" "string","external id" "string","organization" {"id" "string","name" "string","region" "string","product token" "string","customer id" "string","customer name" "string","customer code" "string","customer group" "string","flags" \[]},"title" "s retrieve evidence for alert retrieve evidence for a specific alert in rapid7 insightidr using the unique alert rrn path parameters and headers are required endpoint url /idr/at/alerts/{{alert rrn}}/evidences method get input argument name type required description path parameters alert rrn string required the unique identifier of the alert parameters index number optional the index of the page to retrieve (zero indexed) parameters size number optional the size of the page to retrieve headers object required http headers for the request headers accept version string required acknowledges the api preview status input example {"parameters" {"index" 0,"size" 1},"path parameters" {"alert rrn" "14457f42 5f94 4125 aa6d b3de4346f2bd"},"headers" {"accept version" "strong force preview"}} output parameter type description status code number http status code of the response reason string response reason phrase 
evidences array unique identifier evidences rrn string unique identifier evidences version number unique identifier evidences created at string unique identifier evidences updated at string unique identifier evidences evented at string unique identifier evidences external source string unique identifier evidences event type string unique identifier evidences data string response data metadata object response data metadata index number response data metadata size number response data metadata items in index number response data metadata total items number response data metadata is last index boolean response data output example {"status code" 200,"response headers" {"date" "fri, 21 jun 2024 08 01 46 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","r7 correlation id" "04bad1e4 ac8d 4645 adc2 9d4d3588cb80","vary" "accept encoding, origin","content encoding" "gzip","x envoy upstream service time" "261","server" "istio envoy","x envoy decorator operation" "protonclass1apigatewayapp default svc cluster local 9873/ ","access control allow credentials" "true","access control expo retrieve multiple alerts retrieve multiple alerts from rapid7 insightidr using a list of record resource names (rrns) provided in the json body endpoint url /idr/at/alerts/ops/rrns method post input argument name type required description parameters strict boolean optional indicates whether to return a 404 error if no alerts are found rrns array optional the rrns for the alerts to retrieve field ids array optional additional fields to include for each alert no additional fields are included if field ids is empty input example {"parameters" {"strict"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase alerts array output field alerts alerts rrn string output field alerts rrn alerts version number output field alerts version alerts created at string output field alerts 
created at alerts updated at string output field alerts updated at alerts alerted at string output field alerts alerted at alerts ingested at string output field alerts ingested at alerts external source string output field alerts external source alerts external id string unique identifier alerts organization object output field alerts organization alerts organization id string unique identifier alerts organization name string name of the resource alerts organization region string output field alerts organization region alerts organization product token string output field alerts organization product token alerts organization customer id string unique identifier alerts organization customer name string name of the resource alerts organization customer code string output field alerts organization customer code alerts organization customer group string output field alerts organization customer group alerts organization flags array output field alerts organization flags alerts title string output field alerts title alerts type string type of the resource alerts rule object output field alerts rule alerts rule rrn string output field alerts rule rrn output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"alerts" \[{}],"region failures" \[{}]}} run saved query executes a predefined saved query in rapid7 insightidr using a unique identifier endpoint url /log search/query/saved query/{{saved query id}} method get input argument name type required description path parameters saved query id string required the id of the saved query parameters time range string optional an alternative to the from and to query parameters possible values are "yesterday", "today" and "last x timeunits" where x is the number of time unit back from the current server time supported time units (case insensitive) are min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s) and year(s) if "time range" is used, then the "from" and "to" query parameters must not be 
used parameters from number optional the start of the time range for the query, as a unix timestamp in milliseconds parameters to number optional the end of the time range for the query, as a unix timestamp in milliseconds parameters per page number optional number of log entries to return per page, up to 500(the maximum allowed) parameters kvp info boolean optional when set to true, the events object that is returned will additionally contain information about all the key value pairs in each returned log entry parameters most recent first boolean optional when set to true, the query returns the most recent events first when set to false, it returns the oldest events first input example {"parameters" {"time range" "last 6 months","from" 1460557604000,"to" 1460557604000,"per page" 50,"kvp info"\ true,"most recent first"\ false},"path parameters" {"saved query id" "00000000 0000 00cf 0000 000000000000"}} output parameter type description status code number http status code of the response reason string response reason phrase logs array output field logs leql object output field leql leql statement string output field leql statement leql during object output field leql during leql during from number output field leql during from leql during to number output field leql during to events array output field events events labels array output field events labels events labels links array output field events labels links events labels links rel string output field events labels links rel events labels links href string output field events labels links href events labels id string unique identifier events timestamp number output field events timestamp events sequence number number output field events sequence number events log id string unique identifier events message string response message events links array output field events links events links rel string output field events links rel events links href string output field events links href events sequence number str 
number output field events sequence number str events kvp info array output field events kvp info events kvp info key object output field events kvp info key events kvp info key text string output field events kvp info key text output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"logs" \["565c1b7b c08b 4c87 a42a ab08bad56071"],"leql" {"statement" "where(931dde6c60>=800)","during" {}},"events" \[{},{}]}} set investigation status updates an existing investigation's status in rapid7 insightidr using the provided id and status values endpoint url idr/v1/investigations/{{id}}/status/{{status}} method put input argument name type required description path parameters id string required parameters for the set investigation status action path parameters status string required parameters for the set investigation status action input example {"path parameters" {"id" "723dc6a0 ae08 4404 986c 36310f15b679","status" "open"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier rrn string output field rrn title string output field title status string status value source string output field source disposition string output field disposition alerts array output field alerts alerts type string type of the resource alerts type description string type of the resource alerts first event time string time value created time string time value output example {"status code" 200,"response headers" {"date" "thu, 15 dec 2022 19 19 41 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, max age=0, must revalidate","expires" "0","pragma" "no cache","x content type options" "nosniff","x frame options" "deny","x xss protection" "1; mode=block","vary" "origin","access control allow credentials" "true"},"reason" "ok","json body" {"id" "723dc6a0 ae08 4404 986c 36310f15b679","rrn" "r response 
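The log search actions above (Query Individual Logs, Query Multiple Logs, Run Saved Query) can answer 202 with a `progress` value and a `links` entry instead of results, and every response carries `x-ratelimit-remaining` / `x-ratelimit-reset`. The client below, added here as an illustration and not part of the Swimlane connector or Rapid7's own code, shows how a caller should handle that: poll the link while the status is 202, follow the next-page link on 200, and pause when the rate-limit quota is exhausted. The link `rel` values `Self` and `Next`, and reading `x-ratelimit-reset` as seconds until the window reopens, are assumptions of this example; the transport is a constructed in-memory fake so it runs offline, and the event lines are made up.

```python
"""Client-side handling of an asynchronous InsightIDR Log Search query.

Added example, not Swimlane or Rapid7 code. It models the behaviour the
action reference describes: a log search request may answer 202 with a
``links`` entry to poll (the 202 output example shows ``progress`` and
``links``), a finished query answers 200 with ``events``, and every
response carries ``x-ratelimit-remaining`` / ``x-ratelimit-reset``.
ASSUMPTIONS: link ``rel`` values "Self" (poll) and "Next" (next page), and
``x-ratelimit-reset`` being seconds until the window reopens. The transport
below is a constructed in-memory fake so the example runs offline.
"""
import time
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], dict]          # (status, headers, json_body)
Transport = Callable[[str, str, dict], Response]     # (method, url, json) -> Response

# Region host taken from the Location header example on this page.
BASE = "https://us3.api.insight.rapid7.com/log_search/query/"


def _link(body: dict, rel: str) -> str:
    """href of the first link whose rel matches, case-insensitively; '' if absent."""
    for link in body.get("links", []):
        if str(link.get("rel", "")).lower() == rel.lower():
            return link.get("href", "")
    return ""


def _respect_rate_limit(headers: Dict[str, str], sleep: Callable[[float], None]) -> None:
    """Block until the window resets when the quota is exhausted (assumed: reset is seconds)."""
    remaining = headers.get("x-ratelimit-remaining")
    if remaining is not None and int(remaining) <= 0:
        sleep(float(headers.get("x-ratelimit-reset", "1")))


def run_log_query(transport: Transport, url: str, body: dict,
                  sleep: Callable[[float], None] = time.sleep,
                  max_polls: int = 60) -> List[dict]:
    """POST the query, poll its Self link while 202, follow Next links on 200.

    Returns the concatenated events of every page. Raises on any other
    status, on a 202 without a poll link, or after max_polls polls.
    """
    status, headers, resp = transport("POST", url, body)
    events: List[dict] = []
    polls = 0
    while True:
        if status == 202:
            polls += 1
            if polls > max_polls:
                raise TimeoutError("query still running after %d polls" % max_polls)
            href = _link(resp, "Self")
            if not href:
                raise ValueError("202 response without a Self link to poll")
            _respect_rate_limit(headers, sleep)
            status, headers, resp = transport("GET", href, {})
            continue
        if status != 200:
            raise RuntimeError("log search failed: HTTP %d %s" % (status, resp))
        events.extend(resp.get("events", []))
        nxt = _link(resp, "Next")
        if not nxt:
            return events
        _respect_rate_limit(headers, sleep)
        status, headers, resp = transport("GET", nxt, {})


class FakeTransport:
    """Replays a scripted list of responses and records every request (constructed)."""

    def __init__(self, script: List[Response]) -> None:
        self.script = list(script)
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, url: str, body: dict) -> Response:
        self.calls.append((method, url))
        status, headers, resp = self.script.pop(0)
        return status, dict(headers), dict(resp)


def _event(ts: int, msg: str) -> dict:
    return {"timestamp": ts, "sequence_number": 0, "message": msg,
            "log_id": "565c1b7b-c08b-4c87-a42a-ab08bad56071"}


# Constructed sequence: accepted, still running (quota exhausted), page 1, page 2.
SAMPLE_SCRIPT: List[Response] = [
    (202, {"x-ratelimit-remaining": "1499", "x-ratelimit-reset": "899"},
     {"progress": 0, "links": [{"rel": "Self", "href": BASE + "q1"}]}),
    (202, {"x-ratelimit-remaining": "0", "x-ratelimit-reset": "2"},
     {"progress": 50, "links": [{"rel": "Self", "href": BASE + "q1"}]}),
    (200, {"x-ratelimit-remaining": "1497", "x-ratelimit-reset": "890"},
     {"events": [_event(1609629856000, "foo=bar user=alice"),
                 _event(1609629857000, "foo=bar user=bob")],
      "links": [{"rel": "Next", "href": BASE + "q1?page=2"}]}),
    (200, {"x-ratelimit-remaining": "1496", "x-ratelimit-reset": "889"},
     {"events": [_event(1609629858000, "foo=bar user=carol")], "links": []}),
]

QUERY = {"logs": ["565c1b7b-c08b-4c87-a42a-ab08bad56071"],
         "leql": {"during": {"time_range": "last 1 hour"}, "statement": "where(foo=bar)"}}


def demo() -> Tuple[List[dict], List[Tuple[str, str]], List[float]]:
    """Run the query against the fake transport; returns (events, calls, sleeps)."""
    slept: List[float] = []
    transport = FakeTransport(SAMPLE_SCRIPT)
    events = run_log_query(transport, BASE + "logs", QUERY, sleep=slept.append)
    return events, transport.calls, slept


if __name__ == "__main__":
    ev, calls, sleeps = demo()
    print(len(ev), "events over", len(calls), "requests; slept", sleeps)
```

In a real integration the transport would wrap `requests` and attach the API key header; the polling and paging logic stays the same. Bounding the polls matters because a query that never finishes would otherwise keep burning the 1500-request quota shown in the headers.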
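Because Replace Indicators for Threat overwrites the threat's entire indicator set and the API answers with a `rejected_indicators` list for entries it will not take, it pays to validate the payload before the connector sends it. The helper below is an added example, not Swimlane connector or Rapid7 code: it sorts raw IOC strings into the four buckets the endpoint accepts (`ips`, `hashes`, `domain_names`, `urls`), drops malformed ones, deduplicates, and refuses to build an empty set that would silently wipe the threat. The acceptance rules (hash digest lengths, hostname syntax) are this example's own, not the Rapid7 API's published criteria, and the sample indicators are the page's example values padded with constructed junk.

```python
"""Validate an indicator set before calling Replace Indicators for Threat.

Added example, not Swimlane or Rapid7 code. The action replaces every
indicator on the threat with the ones sent, so a careless call can wipe the
list, and the API reports entries it will not accept under
``rejected_indicators``. This helper buckets raw IOC strings, drops
malformed entries, deduplicates, and refuses to build an empty replacement
set. ASSUMPTION: the acceptance rules (hash lengths, hostname syntax) are
this example's own choices, not the Rapid7 API's published criteria.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32, 40, 64}                                # md5, sha1, sha256 hex digests
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")     # one DNS label


def _is_domain(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    return (len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)
            and not labels[-1].isdigit())                   # "1.2.3" is not a domain


def _is_url(value: str) -> bool:
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def classify(indicator: str) -> Tuple[str, str]:
    """Return (bucket, normalized value); bucket is 'rejected' for junk."""
    raw = indicator.strip()
    if not raw:
        return "rejected", indicator
    try:
        return "ips", str(ipaddress.ip_address(raw))        # v4 or v6, canonical form
    except ValueError:
        pass
    if _HEX.match(raw) and len(raw) in _HASH_LENGTHS:
        return "hashes", raw.lower()
    if _is_url(raw):
        return "urls", raw
    if _is_domain(raw):
        return "domain_names", raw.rstrip(".").lower()
    return "rejected", indicator


def build_replace_body(indicators: Iterable[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Bucket and dedupe; raise rather than send an empty set (it would wipe the threat)."""
    body: Dict[str, List[str]] = {"ips": [], "hashes": [], "domain_names": [], "urls": []}
    rejected: List[str] = []
    seen = set()
    for ind in indicators:
        bucket, norm = classify(ind)
        if bucket == "rejected":
            rejected.append(ind)
        elif norm not in seen:
            seen.add(norm)
            body[bucket].append(norm)
    if not any(body.values()):
        raise ValueError("refusing to replace the threat's indicators with an empty set")
    return body, rejected


def connector_input(threat_key: str, indicators: Iterable[str]) -> dict:
    """Shape the action input the way the reference shows it."""
    body, _ = build_replace_body(indicators)
    return {"parameters": {"format": "json"},
            "json_body": body,
            "path_parameters": {"key": threat_key}}


# Constructed sample: the page's example values plus entries that should be dropped.
SAMPLE_INDICATORS = [
    "192.108.0.1", " 192.108.0.1 ",                      # duplicate after normalization
    "B95663EC7339033CF1FDE459A34B6606",                  # md5, upper-case
    "mailxpy.com", "MailXPy.com.",                       # same domain twice
    "http://www.mailxpy.com/login/index.php",
    "1.2.3", "not an indicator", "",                     # rejected
]

if __name__ == "__main__":
    payload, dropped = build_replace_body(SAMPLE_INDICATORS)
    print(payload)
    print("dropped locally:", dropped)
```

Entries dropped locally are reported back to the caller so an analyst can fix them, rather than being discovered later in the API's `rejected_indicators` list after the threat has already been overwritten.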
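Run Saved Query and Query Multiple Logs both describe the same time-window rules: `time_range` must not be combined with `from`/`to`, `per_page` is capped at 500, and relative ranges are `yesterday`, `today` or `last X <unit>` with case-insensitive units min(s)/minute(s), hr(s)/hour(s), day(s), week(s), month(s), year(s). The helper below, an added example rather than Swimlane or Rapid7 code, enforces those rules client-side before a request is built and resolves a relative range to the absolute Unix-millisecond pair the examples use, which is what you want to record in an audit log of what was actually searched. Treating a month as 30 days and a year as 365 days is this example's approximation; the reference time is the instant the page's own examples use.

```python
"""Client-side checks for the Log Search time window and paging parameters.

Added example, not Swimlane or Rapid7 code. Enforces the rules stated in
the Run Saved Query / Query Multiple Logs reference (time_range is exclusive
with from/to, per_page <= 500, relative range syntax) and resolves a
relative range to absolute Unix milliseconds. ASSUMPTION: a month is taken
as 30 days and a year as 365 days; the server's own arithmetic for those
units is not documented on this page.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

MAX_PER_PAGE = 500
_UNIT_SECONDS = {
    "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "day": 86400, "days": 86400,
    "week": 7 * 86400, "weeks": 7 * 86400,
    "month": 30 * 86400, "months": 30 * 86400,      # approximation (see docstring)
    "year": 365 * 86400, "years": 365 * 86400,      # approximation (see docstring)
}
_LAST = re.compile(r"^last\s+(\d+)\s+([a-z]+)$")

# Constructed reference time: the instant the page's own examples use
# (2020-09-17T18:24:57+00:00 / 1600367097846).
EXAMPLE_NOW = datetime(2020, 9, 17, 18, 24, 57, 846000, tzinfo=timezone.utc)


def _ms(dt: datetime) -> int:
    """Unix milliseconds without float rounding."""
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def resolve_time_range(time_range: str, now: datetime) -> Tuple[int, int]:
    """Turn a relative time_range into an absolute (from_ms, to_ms) pair."""
    text = time_range.strip().lower()
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if text == "today":
        return _ms(midnight), _ms(now)
    if text == "yesterday":
        return _ms(midnight - timedelta(days=1)), _ms(midnight)
    match = _LAST.match(text)
    if not match or match.group(2) not in _UNIT_SECONDS:
        raise ValueError("unsupported time_range: %r" % time_range)
    span = int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
    return _ms(now - timedelta(seconds=span)), _ms(now)


def build_window_params(time_range: Optional[str] = None,
                        from_ms: Optional[int] = None,
                        to_ms: Optional[int] = None,
                        per_page: int = 50,
                        now: Optional[datetime] = None) -> Dict[str, object]:
    """Validate the mutually exclusive window options and the page size."""
    if now is None:
        now = datetime.now(timezone.utc)
    if not 1 <= per_page <= MAX_PER_PAGE:
        raise ValueError("per_page must be between 1 and %d" % MAX_PER_PAGE)
    if time_range is not None:
        if from_ms is not None or to_ms is not None:
            raise ValueError("time_range cannot be combined with from/to")
        resolve_time_range(time_range, now)        # reject unsupported syntax early
        return {"time_range": time_range.strip(), "per_page": per_page}
    if from_ms is None or to_ms is None:
        raise ValueError("give either time_range or both from and to")
    if from_ms > to_ms:
        raise ValueError("from must not be later than to")
    return {"from": from_ms, "to": to_ms, "per_page": per_page}


if __name__ == "__main__":
    print(build_window_params(time_range="last 20 minutes", now=EXAMPLE_NOW))
    print(resolve_time_range("last 20 minutes", EXAMPLE_NOW))
```

Rejecting a bad combination locally is cheaper than letting the API do it: each rejected call still counts against the rate-limit window shown in the response headers.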
### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| access-control-allow-credentials | HTTP response header access-control-allow-credentials | true |
| access-control-expose-headers | HTTP response header access-control-expose-headers | r7-correlation-id |
| cache-control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 494 |
| content-type | The media type of the resource | application/json; charset=utf-8 |
| date | The date and time at which the message was originated | Fri, 21 Jun 2024 07:33:49 GMT |
| expires | The date/time after which the response is considered stale | 0 |
| location | URL of the created resource (for example, the saved query returned by Create a Saved Query) | https://us3.api.insight.rapid7.com/log_search/query/saved_queries/00000000-0000-1618-0000-000000000000 |
| pragma | HTTP response header pragma | no-cache |
| r7-correlation-id | Request correlation ID; quote it when raising a case with Rapid7 support | 6f05e429-c746-43aa-896c-9f283bee6bd3 |
| ratelimit-limit | HTTP response header ratelimit-limit | 500 |
| ratelimit-remaining | HTTP response header ratelimit-remaining | 1499 |
| ratelimit-reset | HTTP response header ratelimit-reset | 19 |
| server | Information about the software used by the origin server | istio-envoy |
| set-cookie | HTTP response header set-cookie | JSESSIONID=883942048cc2f899a4a907e50abcce92; Path=/; HttpOnly |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000; includeSubDomains |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | Accept-Encoding, Origin |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-envoy-decorator-operation | HTTP response header x-envoy-decorator-operation | protonclass1apigatewayapp.default.svc.cluster.local:9873/* |
| x-envoy-upstream-service-time | HTTP response header x-envoy-upstream-service-time | 261 |
| x-frame-options | HTTP response header x-frame-options | DENY |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 1500 |
| x-ratelimit-remaining | The number of requests remaining in the current rate limit window | 1498 |
| x-ratelimit-reset | The time at which the current rate limit window resets | 734 |
| x-xss-protection | HTTP response header x-xss-protection | 0 |

The output examples on this page show `x-ratelimit-limit` at 1500 with `x-ratelimit-reset` counting down from 900, which is consistent with a 15-minute window and with `x-ratelimit-reset` being the number of seconds until it reopens; a playbook that loops over many alerts or log queries should read `x-ratelimit-remaining` and back off before it hits zero. The example `set-cookie` value carries `HttpOnly` but no `Secure` attribute; the connector authenticates every call with the API key, so the session cookie does not need to be stored or replayed.