# Rapid7 InsightIDR
The Rapid7 InsightIDR connector enables integration with the InsightIDR SIEM platform to automate threat detection and response activities.

Rapid7 InsightIDR is a leading security information and event management (SIEM) platform that offers advanced threat detection and response capabilities. This connector enables Swimlane Turbine users to automate key security operations tasks, such as threat investigation, alert management, and indicator enrichment, directly within the InsightIDR environment. By integrating with Rapid7 InsightIDR, security teams can streamline their workflows, enhance their threat intelligence, and rapidly respond to incidents, all while minimizing manual effort and reducing response times.

## Prerequisites

To utilize the Rapid7 InsightIDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key Authentication with the necessary parameters:
  - URL: endpoint for the Rapid7 InsightIDR API
  - API Key: unique identifier used to authenticate with the Rapid7 InsightIDR API

## Capabilities

This connector provides the following capabilities:

- Create Custom Threat
- Create a Saved Query
- Delete a Saved Query
- Get Investigation Alerts
- Get Queries
- List All Saved Queries
- Manage Investigations
- Manage Threats
- Retrieve Evidence for Alert
- Retrieve Logs
- Retrieve a Single Alert
- Retrieve Multiple Alerts
- Run Saved Query

## Asset Setup

Fill in the Region parameter with the data center used for your account. To find the data center, log in to your InsightIDR account, then look at the URL of the home page. The URL should look similar to this: `http://region.idr.insight.rapid7.com`. Here `region` indicates your data center; enter that as the value of the Region parameter.

## Actions Setup

You need a threat key (https://insightidr.help.rapid7.com/docs/use-the-threat-api#section-generate-the-threat-key) in order to use the actions that manage threats. If you do not have a threat to use, follow the instructions here (https://insightidr.help.rapid7.com/docs/add-and-manage-threats) to create a new
threat.

For actions that take datetime inputs, you can use any standard datetime format, or put in a relative time.

### Relative Time Format

- For the current time: `now`
- Any other time: `(+/-)(integer) (milliseconds|seconds|minutes|days|weeks|months|years)`

Examples: `now`, `-1 months`, `+3 days`, `-123 seconds`

### Notes

For Get a Saved Query, the following outputs should be a list type: logs, time range, groups, group time series, others, stats.

## Configurations

### API Key Authentication

Authenticates using an API key.

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| x-api-key | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Indicators to Threat

Adds indicators to an existing threat in Rapid7 InsightIDR, requiring a specific threat key and indicator format.

**Endpoint URL:** `customthreats/key/{{key}}/indicators/add`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| key | string | required | Parameter for Add Indicators to Threat |
| format | string | required | Parameter for Add Indicators to Threat |
| ips | array | optional | Parameter for Add Indicators to Threat |
| hashes | array | optional | Parameter for Add Indicators to Threat |
| domain_names | array | optional | Name of the resource |
| urls | array | optional | URL endpoint for the request |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rejected_indicators | array | Output field rejected_indicators |
| threat | object | Output field threat |
| indicator_count | number | Count value |
| name | string | Name of the resource |
| note | string | Output field note |
| published | boolean | Output field published |

#### Example

```json
[
  {
    "status_code": 404,
    "response_headers": {"date": "Thu, 15 Dec 2022 18:14:08 GMT", "content-type": "application/json; charset=utf-8", "content-length": "127", "connection": "keep-alive"},
    "reason": "Not Found",
    "json_body": {"rejected_indicators": [], "threat": {}}
  }
]
```

### Assign User to Investigation

Assign a
user to an existing investigation in Rapid7 InsightIDR by specifying the investigation ID and the user's email address.

**Endpoint URL:** `/idr/v2/investigations/{{id}}/assignee`
**Method:** PUT

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |
| multi_customer | boolean | optional | Indicates whether the requester has multi-customer access |
| user_email_address | string | required | Parameter for Assign User to Investigation |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rrn | string | Output field rrn |
| organization_id | string | Unique identifier |
| title | string | Output field title |
| source | string | Output field source |
| status | string | Status value |
| priority | string | Output field priority |
| last_accessed | string | Output field last_accessed |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| assignee | object | Output field assignee |
| name | string | Name of the resource |
| email | string | Output field email |
| first_alert_time | string | Time value |
| latest_alert_time | string | Time value |
| responsibility | string | Output field responsibility |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {"rrn": "string", "organization_id": "string", "title": "string", "source": "string", "status": "active", "priority": "string", "last_accessed": "string", "created_time": "string", "disposition": "string", "assignee": {}, "first_alert_time": "string", "latest_alert_time": "string", "responsibility": "string"}
  }
]
```

### Bulk Close Investigations

Closes multiple investigations in Rapid7 InsightIDR for a given date range, utilizing the 'from', 'to', and 'source' parameters.

**Endpoint URL:** `idr/v1/investigations/bulk_close`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| source | string | required | Parameter for Bulk Close Investigations |
| alert_type | string | optional | Type of the resource |
| from | string | required | Parameter for Bulk Close Investigations |
| to | string | required | Parameter for Bulk Close Investigations |
| max_investigations_to_close | string | optional | Parameter for Bulk Close Investigations |
| verbose_errors | string | optional | Error message, if any |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ids | array | Unique identifier |
| file_name | string | Name of the resource |
| file | string | Output field file |
| num_closed | number | Output field num_closed |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"date": "Thu, 15 Dec 2022 19:58:04 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "cache-control": "no-cache, no-store, max-age=0, must-revalidate", "expires": "0", "pragma": "no-cache", "x-content-type-options": "nosniff", "x-frame-options": "DENY", "x-xss-protection": "1; mode=block", "vary": "Origin", "access-control-allow-credentials": "true"},
    "reason": "OK",
    "json_body": {"ids": [], "num_closed": 0}
  }
]
```

### Create a Saved Query

Initiates the creation of a saved query in Rapid7 InsightIDR using the specified 'saved_query' JSON body.

**Endpoint URL:** `/log_search/query/saved_queries`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| saved_query | object | required | Parameter for Create a Saved Query |
| name | string | required | The name for the saved query |
| leql | object | required | Parameter for Create a Saved Query |
| during | object | optional | Parameter for Create a Saved Query |
| from | number | optional | The start of the time range for the query, as a Unix timestamp in milliseconds |
| to | number | optional | The end of the time range for the query, as a Unix timestamp in milliseconds |
| time_range | string | optional | Relative time range (instead of an absolute from + to time range). Possible values are "yesterday", "today" and "last X timeunits", where X is the number of time units back from the current server time. Supported time units (case insensitive) are min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s) and year(s) |
| statement | string | required | The LEQL query run against the log(s). If empty, the query retrieves all log entries in the specified time range |
| logs | array | optional | The log keys of the logs which the query is run against |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_query | object | Output field saved_query |
| id | string | Unique identifier |
| name | string | Name of the resource |
| leql | object | Output field leql |
| statement | string | Output field statement |
| during | object | Output field during |
| time_range | object | Output field time_range |
| to | object | Output field to |
| from | object | Output field from |
| logs | array | Output field logs |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {"date": "Fri, 21 Jun 2024 09:18:35 GMT", "content-type": "application/json", "content-length": "180", "connection": "keep-alive", "vary": "Origin, Accept-Encoding, Origin", "location": "https://us3.api.insight.rapid7.com/log_search/query/saved_queries/00000000-0000-", "strict-transport-security": "max-age=31536000; includeSubDomains", "r7-correlation-id": "3f4f3a96-4af9-4229-9303-30dd632beb93", "access-control-allow-credentials": "true", "access-control-expose-headers": "r7-correlation-id", "ratelimit-limit": "1500", "ratelimit-reset": "900", "ratelimit-remaining": "1499", "x-ratelimit-limit": "1500", "x-ratelimit-reset": "900"},
    "reason": "Created",
    "json_body": {"saved_query": {}}
  }
]
```

### Create Custom Threat

Generates a custom threat in Rapid7 InsightIDR with specific details, notes, and indicators such as IPs, hashes, domains, and URLs.

**Endpoint URL:** `idr/v1/customthreats`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| threat | string | required | Parameter for Create Custom Threat |
| note | string | required | Parameter for Create Custom Threat |
| indicators | object | required | Parameter for Create Custom Threat |
| ips | array | required | Parameter for Create Custom Threat |
| hashes | array | required | Parameter for Create Custom Threat |
| domain_names | array | required | Name of the resource |
| urls | array | required | URL endpoint for the request |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |
| correlation_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 500,
    "response_headers": {"date": "Mon, 12 Dec 2022 21:35:58 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "cache-control": "no-cache, no-store, max-age=0, must-revalidate", "expires": "0", "pragma": "no-cache", "x-content-type-options": "nosniff", "x-frame-options": "DENY", "x-xss-protection": "1; mode=block", "vary": "Origin", "access-control-allow-credentials": "true"},
    "reason": "Server Error",
    "json_body": {"message": "A server error occurred", "correlation_id": "132237aa-1c8d-4f1d-ae90-80f48e2e1088"}
  }
]
```

### Delete a Saved Query

Removes a specific saved query from Rapid7 InsightIDR using the unique saved query ID.

**Endpoint URL:** `/log_search/query/saved_queries/{{saved_query_id}}`
**Method:** DELETE

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| saved_query_id | string | required | The ID of the saved query |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

#### Example

```json
[
  {
    "status_code": 204,
    "response_headers": {"date": "Fri, 21 Jun 2024 09:07:47 GMT", "connection": "keep-alive", "vary": "Origin, Origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "r7-correlation-id": "5d143985-8028-4204-a2f9-f18e1848b30b", "access-control-allow-credentials": "true", "access-control-expose-headers": "r7-correlation-id", "ratelimit-limit": "1500", "ratelimit-reset": "445", "ratelimit-remaining": "1497", "x-ratelimit-limit": "1500", "x-ratelimit-reset": "445", "x-ratelimit-remaining": "1497"},
    "reason": "No Content",
    "response_text": ""
  }
]
```

### Get a Saved Query

Executes a saved query in Rapid7 InsightIDR using the specified query ID and returns the results.

**Endpoint URL:** `log_search/query/saved_queries/{{id}}`
**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_query | object | Output field saved_query |
| id | string | Unique identifier |
| name | string | Name of the resource |
| leql | object | Output field leql |
| statement | string | Output field statement |
| during | object | Output field during |
| time_range | object | Output field time_range |
| to | object | Output field to |
| from | object | Output field from |
| logs | array | Output field logs |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"date": "Wed, 14 Dec 2022 15:11:13 GMT", "content-type": "application/json", "content-length": "228", "connection": "keep-alive", "r7-correlation-id": "8dd3331b-9c80-406d-acc4-81b9a3d6aa94", "vary": "Accept-Encoding, Origin", "content-encoding": "gzip", "access-control-allow-credentials": "true", "ratelimit-limit": "1500", "ratelimit-reset": "900", "ratelimit-remaining": "1499", "x-ratelimit-limit": "1500", "x-ratelimit-reset": "900", "x-ratelimit-remaining": "1499"},
    "reason": "OK",
    "json_body": {"saved_query": {}}
  }
]
```

### Get Investigation Alerts

Retrieves the alerts associated with a specific investigation in Rapid7 InsightIDR, using its unique identifier.

**Endpoint URL:** `/idr/v2/investigations/{{identifier}}/alerts`
**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| identifier | string | required | The ID of the investigation |
| index | number | optional | The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0 |
| multi_customer | boolean | optional | Indicates whether the requester has multi-customer access. If set to true, the ID of the investigation must be in the RRN format, and the region of the RRN must match the region of the endpoint |
| size | number | optional | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 100 |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| id | string | Unique identifier |
| title | string | Output field title |
| alert_type | string | Type of the resource |
| alert_type_description | string | Type of the resource |
| created_time | string | Time value |
| first_event_time | string | Time value |
| latest_event_time | string | Time value |
| alert_source | string | Output field alert_source |
| detection_rule_rrn | object | Output field detection_rule_rrn |
| rule_name | string | Name of the resource |
| rule_rrn | string | Output field rule_rrn |
| metadata | object | Response data |
| index | number | Output field index |
| size | number | Output field size |
| total_pages | number | Output field total_pages |
| total_data | number | Response data |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {"data": [], "metadata": {}}
  }
]
```

### Get Investigations

Retrieves matching investigations from Rapid7 InsightIDR based on the specified parameters.

**Endpoint URL:** `idr/v1/investigations`
**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |
| limit | string | optional | Parameter for Get Investigations |
| statuses | string | optional | Status value |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| id | string | Unique identifier |
| rrn | string | Output field rrn |
| title | string | Output field title |
| status | string | Status value |
| source | string | Output field source |
| disposition | string | Output field disposition |
| alerts | array | Output field alerts |
| type | string | Type of the resource |
| type_description | string | Type of the resource |
| first_event_time | string | Time value |
| created_time | string | Time value |
| assignee | object | Output field assignee |
| name | string | Name of the resource |
| email | string | Output field email |
| metadata | object | Response data |
| index | number | Output field index |
| size | number | Output field size |
| total_pages | number | Output field total_pages |
| total_data | number | Response data |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {"data": [], "metadata": {}}
  }
]
```

### Get Log

Retrieves a specific log from Rapid7 InsightIDR using the unique log identifier.

**Endpoint URL:** `log_search/management/logs/{{id}}`
**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| log | object | Output field log |
| id | string | Unique identifier |
| name | string | Name of the resource |
| tokens | array | Output field tokens |
| structures | array | Output field structures |
| user_data | object | Response data |
| le_expire_backup | string | Output field le_expire_backup |
| le_log_type | string | Type of the resource |
| platform_managed | string | Output field platform_managed |
| source_type | string | Type of the resource |
| token_seed | object | Output field token_seed |
| retention_period | string | Output field retention_period |
| links | array | Output field links |
| rel | string | Output field rel |
| href | string | Output field href |
| rrn | string | Output field rrn |
| logsets_info | array | Output field logsets_info |
| id | string | Unique identifier |
| name | string | Name of the resource |
| rrn | string | Output field rrn |
| links | array | Output field links |
| rel | string | Output field rel |
| href | string | Output field href |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {"date": "Tue, 13 Dec 2022 19:14:29 GMT", "content-type": "application/json", "content-length": "460", "connection": "keep-alive", "r7-correlation-id": "ee3427f3-175e-4b34-8172-4df714109137", "vary": "Accept-Encoding, Origin", "content-encoding": "gzip", "access-control-allow-credentials": "true", "ratelimit-limit": "1500", "ratelimit-reset": "440", "ratelimit-remaining": "1498", "x-ratelimit-limit": "1500", "x-ratelimit-reset": "440", "x-ratelimit-remaining": "1498"},
    "reason": "OK",
    "json_body": {"log": {}}
  }
]
```

### Get Logs

Pulls all log entries from Rapid7 InsightIDR, offering a complete overview of event streams for in-depth
analysis endpoint url log search method get output parameter type description status code number http status code of the response reason string response reason phrase /log search/management/actions/{id}/targets object unique identifier path string output field path verbs array output field verbs /log search/management/aws/cloudtrails/{id} object unique identifier path string output field path verbs array output field verbs /log search/usage/accounts/{accountid}/logs object unique identifier path string output field path verbs array output field verbs /log search/query/logs/{log keys}/{saved query id} object unique identifier path string output field path verbs array output field verbs /log search/audit/query/{id} object unique identifier path string output field path verbs array output field verbs /log search/management/logsets object output field /log search/management/logsets path string output field path verbs array output field verbs /log search/management/accounts/{accountid}/apikeys object unique identifier path string output field path verbs array output field verbs /log search/management/actions object output field /log search/management/actions path string output field path example \[ { "status code" 200, "response headers" { "date" "mon, 12 dec 2022 17 14 27 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "r7 correlation id" "15a2e950 7497 4f75 b624 ba04b423cd8d", "vary" "accept encoding, origin", "content encoding" "gzip", "access control allow credentials" "true", "ratelimit limit" "500", "ratelimit reset" "380", "ratelimit remaining" "496", "x ratelimit limit" "500", "x ratelimit reset" "380", "x ratelimit remaining" "496" }, "reason" "ok", "json body" { "/log search/management/actions/{id}/targets" {}, "/log search/management/aws/cloudtrails/{id}" {}, "/log search/usage/accounts/{accountid}/logs" {}, "/log search/query/logs/{log keys}/{saved query id}" {}, "/log search/audit/query/{id}" {}, "/log 
search/management/logsets" {}, "/log search/management/accounts/{accountid}/apikeys" {}, "/log search/management/actions" {}, "/log search/query/saved queries" {}, "/log search/management/organizations/plans" {}, "/log search/management/labels/{id}" {}, "/log search/management/targets/{id}" {}, "/log search/management/logsets/reserved/{id}" {}, "/log search/datahub/rules" {}, "/log search/query/context/{id}" {} } } ] get query executes a log entry query language (leql) query within rapid7 insightidr to retrieve targeted log entry data, requiring a json body input endpoint url log search/query/logs method post input argument name type required description leql object optional parameter for get query during object optional parameter for get query from number optional parameter for get query to number optional parameter for get query statement string optional parameter for get query logs array optional parameter for get query output parameter type description status code number http status code of the response reason string response reason phrase logs array output field logs progress number output field progress events array output field events file name string name of the resource file string output field file partial object output field partial cardinality number output field cardinality granularity number output field granularity from number output field from to number output field to type string type of the resource stats object output field stats global timeseries object output field global timeseries count number count value groups array output field groups file name string name of the resource file string output field file others object output field others status number status value timeseries object output field timeseries global timeseries array output field global timeseries count number count value groups timeseries array output field groups timeseries example \[ { "status code" 202, "response headers" { "date" "tue, 13 dec 2022 18 54 26 gmt", "content 
type" "application/json", "content length" "3667", "connection" "keep alive", "r7 correlation id" "6f05e429 c746 43aa 896c 9f283bee6bd3", "vary" "origin", "access control allow credentials" "true", "ratelimit limit" "1500", "ratelimit reset" "734", "ratelimit remaining" "1497", "x ratelimit limit" "1500", "x ratelimit reset" "734", "x ratelimit remaining" "1497" }, "reason" "accepted", "json body" { "logs" \[], "progress" 0, "events" \[], "partial" {}, "links" \[], "id" "7e181339 b45c 4d3e a766 5078a56eafa7 1 71500d0065a84bd213d5ce098f52d334673dfe48 ", "leql" {} } } ] list all saved queries retrieve all saved queries from rapid7 insightidr to support analysis or investigation efforts endpoint url /log search/query/saved queries method get output parameter type description status code number http status code of the response reason string response reason phrase saved queries array output field saved queries id string unique identifier name string name of the resource leql object output field leql statement string output field statement during object output field during time range object output field time range to object output field to from object output field from logs array output field logs example \[ { "status code" 200, "response headers" { "date" "fri, 21 jun 2024 09 00 13 gmt", "content type" "application/json", "content length" "191", "connection" "keep alive", "vary" "origin, accept encoding, origin", "strict transport security" "max age=31536000; includesubdomains", "r7 correlation id" "14f165c3 d476 45e3 a9f1 13df3a33426b", "access control allow credentials" "true", "access control expose headers" "r7 correlation id", "ratelimit limit" "1500", "ratelimit reset" "900", "ratelimit remaining" "1499", "x ratelimit limit" "1500", "x ratelimit reset" "900", "x ratelimit remaining" "1499" }, "reason" "ok", "json body" { "saved queries" \[] } } ] list query endpoints retrieve a comprehensive list of available query api endpoints from rapid7 insightidr endpoint url 
log search/query method get output parameter type description status code number http status code of the response reason string response reason phrase /log search/query/logs/{log keys}/{saved query id} object unique identifier path string output field path verbs array output field verbs /log search/query/dataview/saved query/{saved query id} object response data path string output field path verbs array output field verbs /log search/query object output field /log search/query path string output field path verbs array output field verbs /log search/query/saved queries/{id} object unique identifier path string output field path verbs array output field verbs /log search/query/metrics/{id} object unique identifier path string output field path verbs array output field verbs /log search/query/context/{id} object unique identifier path string output field path verbs array output field verbs /log search/query/logs/{log keys} object output field /log search/query/logs/{log keys} path string output field path verbs array output field verbs /log search/query/repeated/{id} object unique identifier path string output field path example \[ { "status code" 200, "response headers" { "date" "wed, 14 dec 2022 22 03 27 gmt", "content type" "application/json", "content length" "380", "connection" "keep alive", "r7 correlation id" "7d3877b2 bc53 4da0 b23c 19853fc7f47e", "vary" "accept encoding, origin", "content encoding" "gzip", "access control allow credentials" "true", "ratelimit limit" "1500", "ratelimit reset" "900", "ratelimit remaining" "1499", "x ratelimit limit" "1500", "x ratelimit reset" "900", "x ratelimit remaining" "1499" }, "reason" "ok", "json body" { "/log search/query/logs/{log keys}/{saved query id}" {}, "/log search/query/dataview/saved query/{saved query id}" {}, "/log search/query" {}, "/log search/query/saved queries/{id}" {}, "/log search/query/metrics/{id}" {}, "/log search/query/context/{id}" {}, "/log search/query/logs/{log keys}" {}, "/log 
search/query/repeated/{id}" {}, "/log search/query/logsets/{id}" {}, "/log search/query/saved queries" {}, "/log search/query/dataview/logs/{log keys}" {}, "/log search/query/saved query/{saved query id}" {}, "/log search/query/variables/{id}" {}, "/log search/query/logsets" {}, "/log search/query/reserved/logs/{name}" {} } } ] query individual log sets retrieve details for a specific log set in rapid7 insightidr using the provided unique identifier endpoint url log search/query/logsets/{{id}} method get input argument name type required description id string required unique identifier query string optional parameter for query individual log sets from string optional parameter for query individual log sets to string optional parameter for query individual log sets time range string optional parameter for query individual log sets kvp info string optional parameter for query individual log sets label string optional parameter for query individual log sets labels string optional parameter for query individual log sets sequence number string optional parameter for query individual log sets output parameter type description status code number http status code of the response reason string response reason phrase logs array output field logs leql object output field leql statement string output field statement during object output field during from number output field from to number output field to events array output field events labels array output field labels links array output field links rel string output field rel href string output field href id string unique identifier timestamp number output field timestamp sequence number number output field sequence number log id string unique identifier message string response message links array output field links rel string output field rel href string output field href sequence number str number output field sequence number str kvp info array output field kvp info key object output field key text string output field text 
example \[ { "status code" 404, "response headers" { "date" "thu, 15 dec 2022 18 36 49 gmt", "content type" "application/json", "content length" "43", "connection" "keep alive", "r7 correlation id" "89318875 0b80 4e24 a99b e19be82be430", "vary" "origin", "access control allow credentials" "true", "ratelimit limit" "1500", "ratelimit reset" "899", "ratelimit remaining" "1499", "x ratelimit limit" "1500", "x ratelimit reset" "899", "x ratelimit remaining" "1499" }, "reason" "not found", "json body" { "logs" \[], "leql" {}, "events" \[] } } ] query individual logs retrieve specific log entries from rapid7 insightidr using a unique log identifier endpoint url log search/query/logs/{{id}} method get input argument name type required description id string required unique identifier query string optional parameter for query individual logs kvp info boolean optional parameter for query individual logs label string optional parameter for query individual logs labels string optional parameter for query individual logs sequence number string optional parameter for query individual logs time range string optional parameter for query individual logs output parameter type description status code number http status code of the response reason string response reason phrase logs array output field logs progress number output field progress events array output field events file name string name of the resource file string output field file links array output field links rel string output field rel href string output field href id string unique identifier leql object output field leql statement object output field statement during object output field during from number output field from to number output field to time range string output field time range example \[ { "status code" 202, "response headers" { "date" "thu, 15 dec 2022 15 18 39 gmt", "content type" "application/json", "content length" "322", "connection" "keep alive", "r7 correlation id" "b2ce1333 657e 4823 bd3b 
8e24ea69c8df", "vary" "accept encoding, origin", "content encoding" "gzip", "access control allow credentials" "true", "ratelimit limit" "1500", "ratelimit reset" "837", "ratelimit remaining" "1498", "x ratelimit limit" "1500", "x ratelimit reset" "837", "x ratelimit remaining" "1498" }, "reason" "accepted", "json body" { "logs" \[], "progress" 0, "events" \[], "links" \[], "id" "7af4ff00 0cf1 43b8 990d 7ce487d6b18d 0\ ff5ba98820f24a7d12a7fe2b63c86c3a40bdbd6d ", "leql" {} } } ] query multiple log sets executes a query across multiple log sets in rapid7 insightidr, utilizing the provided logset name as a parameter endpoint url log search/query/logsets method get input argument name type required description logset name string required name of the resource from string optional parameter for query multiple log sets to string optional parameter for query multiple log sets label string optional parameter for query multiple log sets labels string optional parameter for query multiple log sets per page string optional parameter for query multiple log sets kvp info string optional parameter for query multiple log sets sequence number string optional parameter for query multiple log sets output parameter type description status code number http status code of the response reason string response reason phrase logs array output field logs leql object output field leql statement string output field statement during object output field during from number output field from to number output field to events array output field events labels array output field labels links array output field links rel string output field rel href string output field href id string unique identifier timestamp number output field timestamp sequence number number output field sequence number log id string unique identifier message string response message links array output field links rel string output field rel href string output field href sequence number str number output field sequence number str 
kvp info array output field kvp info key object output field key text string output field text example \[ { "status code" 404, "response headers" { "date" "thu, 15 dec 2022 18 20 15 gmt", "content type" "application/json", "content length" "43", "connection" "keep alive", "r7 correlation id" "c3c8f87a 6ac7 4ced acd9 757e6bac80af", "vary" "origin", "access control allow credentials" "true", "ratelimit limit" "1500", "ratelimit reset" "899", "ratelimit remaining" "1499", "x ratelimit limit" "1500", "x ratelimit reset" "899", "x ratelimit remaining" "1499" }, "reason" "not found", "json body" { "logs" \[], "leql" {}, "events" \[] } } ] query multiple logs executes a query across multiple log sets in rapid7 insightidr, utilizing the 'logs' parameter provided in the json body input endpoint url log search/query/logs method post input argument name type required description per page number optional number of log entries to return per page, up to 500(the maximum allowed) export format string optional if included, the query results will be exported to the given format currently only csv is supported this parameter is only for non statistical search queries (i e no 'calculate' and/or 'groupby' clauses) results are limited to the first 1 million log entries, and only one export job may run per account at a time results are limited to the first 1 million log entries, and only one export job may run per account at a time the response will be a 202, and the response body will contain a link for polling the export job (on the /exports/{id} endpoint) kvp info boolean optional when set to true, the events object that is returned will additionally contain information about all the key value pairs in each returned log entry most recent first boolean optional when set to true, the query returns the most recent events first when set to false, it returns the oldest events first labels string optional a set of ' ' separated label uuids only entries which have a label matching one of 
| sequence_number | number | optional | If included, the results additionally include all log entries received in the `from` millisecond whose sequence number is larger than the one specified. Sequence numbers distinguish log entries received in the same millisecond; if an entry was split into several entries during ingestion, the chunks are ordered by sequence number |
| logs | array | required | The log keys of the logs the query is run against |
| leql | object | optional | The LEQL statement of the query, together with its time range |
| during | object | optional | Time range of the query, nested under `leql`; holds either `from`/`to` or `time_range` |
| from | number | optional | Start of the time range, as a Unix timestamp in milliseconds |
| to | number | optional | End of the time range, as a Unix timestamp in milliseconds |
| time_range | string | optional | Relative time range instead of an absolute `from`/`to`. Possible values are `yesterday`, `today`, or `last X timeunits`, where X is the number of time units back from the current server time. Supported units (case-insensitive): min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s), year(s) |
| statement | string | optional | The LEQL query run against the log(s). If empty, the query retrieves all log entries in the specified time range; cannot be empty for saved queries |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Log keys the query ran against |
| progress | number | Progress of a query that is still running (0 in the 202 example below) |
| events | array | Matching log entries |
| links | array | Links returned with the response, e.g. for polling a query that is still running |
| rel | string | Relation of a link |
| href | string | URL of a link |
| id | string | Unique identifier of the query |
| leql | object | The LEQL statement and time range that were run |
| statement | object | LEQL statement |
| during | object | Time range of the query |
| from | number | Start of the time range (Unix milliseconds) |
| to | number | End of the time range (Unix milliseconds) |

#### Example

```json
[{
  "status_code": 202,
  "response_headers": {
    "date": "Wed, 14 Dec 2022 21:27:14 GMT",
    "content-type": "application/json",
    "content-length": "494",
    "connection": "keep-alive",
    "r7-correlation-id": "0611c3c7-7edd-4d1f-80c5-4e6d31883898",
    "vary": "origin",
    "access-control-allow-credentials": "true",
    "ratelimit-limit": "1500",
    "ratelimit-reset": "899",
    "ratelimit-remaining": "1499",
    "x-ratelimit-limit": "1500",
    "x-ratelimit-reset": "899",
    "x-ratelimit-remaining": "1499"
  },
  "reason": "Accepted",
  "json_body": {
    "logs": [],
    "progress": 0,
    "events": [],
    "links": [],
    "id": "728dd6af-2c9c-4ac7-88cb-b75186c13ddb:0:09e6611db97108ad61d61c2aedce629a69681d0e",
    "leql": {}
  }
}]
```

A 202, as in this example, means the query was accepted but has not finished; the `events` array is empty until the query is polled to completion, so do not treat a 202 body as the final result.
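The 202 behaviour above is easy to get wrong in an automation: a playbook that reads `events` from the first response silently gets nothing. The following is an added example, not Swimlane's or Rapid7's code, showing a small client that posts to `/log_search/query/logs`, follows the continuation link while the API keeps answering 202, and backs off when the `ratelimit-remaining` header hits zero. The `X-Api-Key` header name, the `Self` link relation and the canned responses are assumptions; the HTTP transport is injected so the example runs offline.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, url, headers, json_body) -> (status_code, response_headers, json_body).
# Injecting it keeps the example offline; a real client would wrap requests or httpx here.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, Dict[str, str], dict]]


class LogSearchClient:
    def __init__(self, region: str, api_key: str, transport: Transport, sleep=time.sleep):
        # Base URL follows the region pattern in the notes; X-Api-Key as the auth header is an assumption.
        self.base = f"https://{region}.api.insight.rapid7.com"
        self.headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
        self.transport = transport
        self.sleep = sleep

    def _respect_rate_limit(self, headers: Dict[str, str]) -> None:
        # ratelimit-remaining / ratelimit-reset are the headers shown in the page's examples.
        if headers.get("ratelimit-remaining") == "0":
            self.sleep(int(headers.get("ratelimit-reset", "1")))

    def query_logs(self, log_keys: List[str], statement: str, time_range: Optional[str] = None,
                   from_ms: Optional[int] = None, to_ms: Optional[int] = None,
                   per_page: int = 500, max_polls: int = 20) -> List[dict]:
        if time_range is not None and (from_ms is not None or to_ms is not None):
            raise ValueError("time_range and from/to are mutually exclusive")
        during = {"time_range": time_range} if time_range else {"from": from_ms, "to": to_ms}
        body = {"logs": list(log_keys), "leql": {"statement": statement, "during": during},
                "per_page": min(per_page, 500)}  # 500 is the documented maximum
        status, hdrs, payload = self.transport("POST", f"{self.base}/log_search/query/logs", self.headers, body)
        self._respect_rate_limit(hdrs)
        polls = 0
        while status == 202:
            # 202 = still running; follow the "Self" link (relation name is an assumption) until a 200 arrives.
            self_links = [link["href"] for link in payload.get("links", []) if link.get("rel") == "Self"]
            if not self_links:
                raise RuntimeError("202 response without a Self link to poll")
            polls += 1
            if polls > max_polls:
                raise TimeoutError("query did not finish within max_polls")
            status, hdrs, payload = self.transport("GET", self_links[0], self.headers, None)
            self._respect_rate_limit(hdrs)
        if status != 200:
            raise RuntimeError(f"log search failed: HTTP {status} {payload}")
        return payload.get("events", [])


def scripted_transport(responses: List[Tuple[int, Dict[str, str], dict]]):
    """Constructed offline transport that replays canned responses and records each call."""
    queue, calls = list(responses), []

    def send(method, url, headers, body):
        calls.append((method, url, headers, body))
        return queue.pop(0)

    send.calls = calls
    return send


def demo():
    # Constructed responses: the page's 202 shape, a second 202 with the rate limit exhausted, then a 200.
    poll = ("https://us3.api.insight.rapid7.com/log_search/query/"
            "728dd6af-2c9c-4ac7-88cb-b75186c13ddb:0:09e6611db97108ad61d61c2aedce629a69681d0e")
    responses = [
        (202, {"ratelimit-remaining": "1499"},
         {"logs": [], "progress": 0, "events": [], "links": [{"rel": "Self", "href": poll}], "leql": {}}),
        (202, {"ratelimit-remaining": "0", "ratelimit-reset": "2"},
         {"progress": 50, "events": [], "links": [{"rel": "Self", "href": poll}]}),
        (200, {"ratelimit-remaining": "1497"},
         {"progress": 100, "links": [],
          "events": [{"timestamp": 1671053234000, "message": "failed login for admin from 10.32.0.186"}]}),
    ]
    transport = scripted_transport(responses)
    slept: List[int] = []
    client = LogSearchClient("us3", "example-api-key", transport, sleep=slept.append)
    events = client.query_logs(["a1b2c3d4"], 'where("failed login")', time_range="last 1 hour")
    return events, transport.calls, slept


if __name__ == "__main__":
    ev, calls, slept = demo()
    print(len(ev), "event(s) after", len(calls), "request(s); slept", slept)
```

The client refuses to send `time_range` together with `from`/`to`, caps `per_page` at the documented 500, and bounds the polling loop so a query that never completes cannot hang a playbook.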
### Replace Indicators for Threat

Replaces all indicators of a specified threat in Rapid7 InsightIDR; requires the threat key and a format specification.

**Endpoint URL:** `/idr/v1/customthreats/key/{{key}}/indicators/replace`

**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| key | string | required | Threat key of the custom threat whose indicators are replaced |
| format | string | required | Format of the indicator payload |
| ips | array | optional | IP address indicators |
| hashes | array | optional | File hash indicators |
| domain_names | array | optional | Domain name indicators |
| urls | array | optional | URL indicators |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rejected_indicators | array | Indicators the API refused to add |
| threat | object | The updated threat |
| indicator_count | number | Number of indicators now attached to the threat |
| name | string | Name of the threat |
| note | string | Note attached to the threat |
| published | boolean | Whether the threat is published |

#### Example

```json
[{
  "status_code": 404,
  "response_headers": {
    "date": "Thu, 15 Dec 2022 20:19:07 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "expires": "0",
    "pragma": "no-cache",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "vary": "origin",
    "access-control-allow-credentials": "true"
  },
  "reason": "Not Found",
  "json_body": {"rejected_indicators": [], "threat": {}}
}]
```

Because this action replaces the whole indicator set, a malformed list wipes what was there before. Check `status_code` first: the 404 in this example means the threat key was not found, and its empty `rejected_indicators` list does not mean the replacement succeeded.
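Because a bad batch replaces everything, it pays to validate indicators before the request leaves the playbook and to read `rejected_indicators` and `threat.indicator_count` afterwards. The following is an added example, not Swimlane's or Rapid7's code: it sorts raw strings into the `ips`, `hashes`, `domain_names` and `urls` lists of the request body, drops anything malformed, and interprets the documented response shape. The accepted hash lengths, the `format` value `json` and the sample indicators are assumptions; the sample data is constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hex digest lengths accepted as file hashes (MD5/SHA-1/SHA-256); an assumption, not a page statement.
_HASH_LENGTHS = {32, 40, 64}
# RFC 1035-style hostname: 1..63-char labels, no leading/trailing hyphen, at least one dot, <= 253 chars.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def classify(indicator: str) -> Optional[str]:
    """Map one raw indicator onto the request-body list it belongs in, or None if it is malformed."""
    value = indicator.strip()
    try:
        ipaddress.ip_address(value)
        return "ips"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in _HASH_LENGTHS:
        return "hashes"
    lowered = value.lower()
    if _DOMAIN_RE.match(lowered) and not lowered.rsplit(".", 1)[-1].isdigit():
        return "domain_names"  # an all-numeric last label (e.g. the malformed IP 999.1.1.1) is not a domain
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "urls"
    return None


def build_replace_body(indicators: List[str], fmt: str = "json") -> Tuple[Dict, List[str]]:
    """Build the POST body for indicators/replace; returns (body, locally_rejected)."""
    body: Dict = {"format": fmt, "ips": [], "hashes": [], "domain_names": [], "urls": []}
    rejected: List[str] = []
    for raw in indicators:
        bucket = classify(raw)
        if bucket is None:
            rejected.append(raw)
            continue
        value = raw.strip()
        if bucket in ("hashes", "domain_names"):
            value = value.lower()  # normalise so case variants collapse into one indicator
        if value not in body[bucket]:
            body[bucket].append(value)
    return body, rejected


def replace_url(region: str, threat_key: str) -> str:
    """Documented endpoint, with the region host pattern from the notes (threat_key is a path parameter)."""
    return f"https://{region}.api.insight.rapid7.com/idr/v1/customthreats/key/{threat_key}/indicators/replace"


def summarize_response(status_code: int, json_body: Dict) -> Dict:
    """Interpret the documented output: threat.indicator_count and rejected_indicators, or a 404."""
    if status_code == 404:
        return {"ok": False, "error": "threat key not found"}
    if status_code != 200:
        return {"ok": False, "error": f"HTTP {status_code}"}
    threat = json_body.get("threat") or {}
    return {"ok": True,
            "indicator_count": threat.get("indicator_count", 0),
            "rejected_indicators": list(json_body.get("rejected_indicators", []))}


def demo():
    # Constructed indicator list, deliberately mixing valid, duplicate and malformed entries.
    raw = ["10.32.0.186", "2001:db8::1", "D41D8CD98F00B204E9800998ECF8427E",
           "d41d8cd98f00b204e9800998ecf8427e", "Malware.Example.COM",
           "https://example.com/payload.bin", "999.1.1.1", "not an indicator"]
    body, rejected = build_replace_body(raw)
    # Constructed 200 response in the documented shape (the page itself only shows the 404 case).
    summary = summarize_response(200, {"rejected_indicators": [],
                                       "threat": {"name": "demo", "indicator_count": 5, "published": False}})
    return body, rejected, summary


if __name__ == "__main__":
    print(demo())
```

Locally rejected values are returned to the caller rather than silently dropped, so the playbook can surface them alongside whatever the API itself puts in `rejected_indicators`.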
### Retrieve a Single Alert

Retrieves a specific alert from Rapid7 InsightIDR using its unique resource resolution name (RRN).

**Endpoint URL:** `/idr/at/alerts/{{alert_rrn}}`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| alert_rrn | string | required | The unique identifier (RRN) of the alert |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rrn | string | RRN of the alert |
| version | number | Version of the alert record |
| created_at | string | When the alert was created |
| updated_at | string | When the alert was last updated |
| alerted_at | string | When the alert fired |
| ingested_at | string | When the alert was ingested |
| external_source | string | External source of the alert |
| external_id | string | Identifier of the alert in the external source |
| organization | object | Organization the alert belongs to |
| id | string | Unique identifier of the organization |
| name | string | Name of the organization |
| region | string | Region of the organization |
| product_token | string | Product token of the organization |
| customer_id | string | Unique identifier of the customer |
| customer_name | string | Name of the customer |
| customer_code | string | Customer code |
| customer_group | string | Customer group |
| flags | array | Flags set on the alert |
| title | string | Title of the alert |
| type | string | Type of the alert |
| rule | object | Rule that produced the alert |
| rrn | string | RRN of the rule |
| name | string | Name of the rule |

#### Example

```json
[{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "rrn": "string",
    "version": 0,
    "created_at": "2019-08-24T14:15:22Z",
    "updated_at": "2019-08-24T14:15:22Z",
    "alerted_at": "2019-08-24T14:15:22Z",
    "ingested_at": "2019-08-24T14:15:22Z",
    "external_source": "string",
    "external_id": "string",
    "organization": {},
    "title": "string",
    "type": "string",
    "rule": {},
    "rule_matching_keys": [],
    "rule_keys_of_interest": [],
    "responsibility": "unmapped"
  }
}]
```
### Retrieve Evidence for Alert

Retrieves the evidence for a specific alert in Rapid7 InsightIDR using the alert's unique RRN. Both the path parameter and the headers are required.

**Endpoint URL:** `/idr/at/alerts/{{alert_rrn}}/evidences`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| alert_rrn | string | required | The unique identifier (RRN) of the alert |
| index | number | optional | The index of the page to retrieve (zero-indexed) |
| size | number | optional | The size of the page to retrieve |
| headers | object | required | HTTP headers for the request |
| accept_version | string | required | Acknowledges the API preview status (sent as a header) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| evidences | array | Evidence records for the alert |
| rrn | string | RRN of an evidence record |
| version | number | Version of the evidence record |
| created_at | string | When the evidence was created |
| updated_at | string | When the evidence was last updated |
| evented_at | string | When the underlying event occurred |
| external_source | string | External source of the evidence |
| event_type | string | Type of the underlying event |
| data | string | Evidence data |
| metadata | object | Pagination metadata |
| index | number | Index of the returned page |
| size | number | Requested page size |
| items_in_index | number | Number of items in the returned page |
| total_items | number | Total number of evidence items |
| is_last_index | boolean | Whether this is the last page |

#### Example

```json
[{
  "status_code": 200,
  "response_headers": {
    "date": "Fri, 21 Jun 2024 08:01:46 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "r7-correlation-id": "04bad1e4-ac8d-4645-adc2-9d4d3588cb80",
    "vary": "accept-encoding, origin",
    "content-encoding": "gzip",
    "x-envoy-upstream-service-time": "261",
    "server": "istio-envoy",
    "x-envoy-decorator-operation": "protonclass1apigatewayapp.default.svc.cluster.local:9873/*",
    "access-control-allow-credentials": "true",
    "access-control-expose-headers": "r7-correlation-id",
    "ratelimit-limit": "250",
    "ratelimit-reset": "19",
    "ratelimit-remaining": "249"
  },
  "reason": "OK",
  "json_body": {"evidences": [], "metadata": {}}
}]
```

Note the tighter rate limit on this endpoint (`ratelimit-limit` 250 here, against 1500 on the log search endpoints). Page through the evidence with `index` and `size` and stop when `metadata.is_last_index` is true rather than guessing from `total_items`.
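The pagination contract above (zero-indexed `index`, `size`, and `metadata.is_last_index`) is the part an automation has to get right. The following is an added example, not Swimlane's or Rapid7's code, that walks every evidence page for one alert, sends the preview acknowledgement header, and tallies the returned `event_type` values. The `X-Api-Key` and `Accept-Version: preview` header names and values, the decision to leave the RRN's colons unescaped in the path, and the fake server and its data are assumptions and constructed for the example.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote, urlencode

# get(url, headers) -> (status_code, json_body); injected so the example runs offline.
Getter = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def fetch_all_evidence(base_url: str, api_key: str, alert_rrn: str, get: Getter,
                       size: int = 50, max_pages: int = 100) -> List[dict]:
    """Walk every page of /idr/at/alerts/{rrn}/evidences until metadata.is_last_index is true."""
    # Header names/values are assumptions: X-Api-Key for auth, Accept-Version for the preview acknowledgement.
    headers = {"X-Api-Key": api_key, "Accept-Version": "preview"}
    path = f"{base_url}/idr/at/alerts/{quote(alert_rrn, safe=':')}/evidences"  # colons kept literal (assumption)
    evidences: List[dict] = []
    for index in range(max_pages):
        status, body = get(f"{path}?{urlencode({'index': index, 'size': size})}", headers)
        if status != 200:
            raise RuntimeError(f"evidence page {index} failed: HTTP {status}")
        page = body.get("evidences", [])
        evidences.extend(page)
        meta = body.get("metadata", {})
        # Stop on the documented is_last_index flag; an empty page is treated as the end as a safety net.
        if meta.get("is_last_index", True) or not page:
            return evidences
    raise RuntimeError("exceeded max_pages without reaching is_last_index")


def count_event_types(evidences: List[dict]) -> Dict[str, int]:
    """Tally the event_type field so an analyst sees what kinds of evidence back the alert."""
    counts: Dict[str, int] = {}
    for item in evidences:
        kind = item.get("event_type", "unknown")
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def make_fake_api(pages: List[List[dict]]):
    """Constructed offline server: serves pages[index] and fills metadata the way the page documents it."""
    calls: List[Tuple[str, Dict[str, str]]] = []

    def get(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        calls.append((url, dict(headers)))
        index = int(url.split("index=")[1].split("&")[0])
        if index >= len(pages):
            return 404, {}
        items = pages[index]
        meta = {"index": index, "size": len(items), "items_in_index": len(items),
                "total_items": sum(len(p) for p in pages), "is_last_index": index == len(pages) - 1}
        return 200, {"evidences": items, "metadata": meta}

    get.calls = calls
    return get


def demo():
    rrn = "rrn:alerts:us3:5a732972-2bde-48e0-a915-8bca071f7e18:alert:abc123"  # constructed RRN
    pages = [
        [{"rrn": "e1", "event_type": "process_start", "data": "{}"},
         {"rrn": "e2", "event_type": "authentication", "data": "{}"}],
        [{"rrn": "e3", "event_type": "process_start", "data": "{}"}],
    ]
    api = make_fake_api(pages)
    evidences = fetch_all_evidence("https://us3.api.insight.rapid7.com", "example-api-key", rrn, api, size=2)
    return evidences, count_event_types(evidences), api.calls


if __name__ == "__main__":
    found, counts, calls = demo()
    print(len(found), "evidence items in", len(calls), "request(s):", counts)
```

Bounding the loop with `max_pages` guards against a server that never sets `is_last_index`, which otherwise turns a missing flag into an infinite loop inside a playbook.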
### Retrieve Multiple Alerts

Retrieves multiple alerts from Rapid7 InsightIDR using a list of RRNs provided in the JSON body.

**Endpoint URL:** `/idr/at/alerts/ops/rrns`

**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| strict | boolean | optional | Whether to return a 404 error if no alerts are found |
| rrns | array | required | The RRNs of the alerts to retrieve |
| field_ids | array | optional | Additional fields to include for each alert; none are included if `field_ids` is empty |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alerts | array | The retrieved alerts |
| rrn | string | RRN of an alert |
| version | number | Version of the alert record |
| created_at | string | When the alert was created |
| updated_at | string | When the alert was last updated |
| alerted_at | string | When the alert fired |
| ingested_at | string | When the alert was ingested |
| external_source | string | External source of the alert |
| external_id | string | Identifier of the alert in the external source |
| organization | object | Organization the alert belongs to |
| id | string | Unique identifier of the organization |
| name | string | Name of the organization |
| region | string | Region of the organization |
| product_token | string | Product token of the organization |
| customer_id | string | Unique identifier of the customer |
| customer_name | string | Name of the customer |
| customer_code | string | Customer code |
| customer_group | string | Customer group |
| flags | array | Flags set on the alert |
| title | string | Title of the alert |
| type | string | Type of the alert |
| rule | object | Rule that produced the alert |
| rrn | string | RRN of the rule |

#### Example

```json
[{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {"alerts": [], "region_failures": []}
}]
```

Besides `alerts`, the body carries `region_failures`; check it before treating an empty `alerts` list as "no such alerts", and set `strict` to true if a 404 is the behaviour the playbook expects for unknown RRNs.

### Run Saved Query

Executes a predefined saved query in Rapid7 InsightIDR using its unique identifier.

**Endpoint URL:** `/log_search/query/saved_query/{{saved_query_id}}`

**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| saved_query_id | string | required | The ID of the saved query |
| time_range | string | optional | An alternative to the `from` and `to` query parameters. Possible values are `yesterday`, `today` and `last X timeunits`, where X is the number of time units back from the current server time. Supported units (case-insensitive) are min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s) and year(s). If `time_range` is used, `from` and `to` must not be used |
| from | number | optional | The start of the time range for the query, as a Unix timestamp in milliseconds |
| to | number | optional | The end of the time range for the query, as a Unix timestamp in milliseconds |
| per_page | number | optional | Number of log entries to return per page, up to 500 (the maximum allowed) |
| kvp_info | boolean | optional | When true, the returned `events` object additionally contains information about all the key-value pairs in each returned log entry |
| most_recent_first | boolean | optional | When true, the query returns the most recent events first; when false, the oldest events first |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Log keys the query ran against |
| leql | object | The LEQL statement and time range that were run |
| statement | string | LEQL statement |
| during | object | Time range of the query |
| from | number | Start of the time range (Unix milliseconds) |
| to | number | End of the time range (Unix milliseconds) |
| events | array | Matching log entries |
| labels | array | Labels attached to the returned entries |
| links | array | Links returned with the response |
| rel | string | Relation of a link |
| href | string | URL of a link |
| id | string | Unique identifier of the query |
| timestamp | number | Timestamp of an event (Unix milliseconds) |
| sequence_number | number | Sequence number of an event within its millisecond |
| log_id | string | Unique identifier of the log the event came from |
| message | string | Raw log message of the event |
| links | array | Links attached to an event |
| rel | string | Relation of an event link |
| href | string | URL of an event link |
| sequence_number_str | number | Sequence number of the event as a string |
| kvp_info | array | Key-value pairs parsed from the event (when `kvp_info` was requested) |
| key | object | Key of a parsed key-value pair |
| text | string | Text of a parsed key-value pair |

#### Example

```json
[{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {"logs": [], "leql": {}, "events": []}
}]
```
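The `time_range` grammar is shared by Run Saved Query and Query Multiple Logs, and the rule that it must not be combined with `from`/`to` is exactly the kind of thing a playbook input form lets a user violate. The following is an added example, not Swimlane's or Rapid7's code: it validates a `time_range` value against the documented grammar (`today`, `yesterday`, `last X unit`, case-insensitive units), converts it into the equivalent `from`/`to` Unix-millisecond bounds so the result can be logged or compared, and assembles the query parameters while enforcing the exclusivity rule. Treating `month`/`year` as calendar shifts, the reference instant `EXAMPLE_NOW` (the `Date` of the page's 202 example) and the parameter defaults are assumptions.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Fixed-length units in milliseconds; month/year are calendar-shifted below rather than approximated.
_UNIT_MS = {"min": 60_000, "minute": 60_000, "hr": 3_600_000, "hour": 3_600_000,
            "day": 86_400_000, "week": 7 * 86_400_000}
_LAST_RE = re.compile(r"^last\s+(\d+)\s+([a-z]+?)s?$")  # "last 3 days", "last 30 mins", "last 1 hr"

# Constructed reference instant (the Date of the page's 202 example) so results are reproducible.
EXAMPLE_NOW = datetime(2022, 12, 14, 21, 27, 14, tzinfo=timezone.utc)


def epoch_ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


def _shift_months(dt: datetime, months: int) -> datetime:
    """Move dt back by whole calendar months, clamping the day to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) - months
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, last_day))


def resolve_time_range(spec: str, now: Optional[datetime] = None) -> Tuple[int, int]:
    """Turn a documented time_range value into (from, to) Unix-millisecond bounds, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    text = spec.strip().lower()  # units are case-insensitive per the docs
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if text == "today":
        return epoch_ms(midnight), epoch_ms(now)
    if text == "yesterday":
        return epoch_ms(midnight - timedelta(days=1)), epoch_ms(midnight)
    match = _LAST_RE.match(text)
    if not match:
        raise ValueError(f"unsupported time_range: {spec!r}")
    count, unit = int(match.group(1)), match.group(2)
    if unit == "month":
        start = _shift_months(now, count)
    elif unit == "year":
        start = _shift_months(now, 12 * count)
    elif unit in _UNIT_MS:
        start = now - timedelta(milliseconds=count * _UNIT_MS[unit])
    else:
        raise ValueError(f"unsupported time unit in time_range: {unit!r}")
    return epoch_ms(start), epoch_ms(now)


def build_query_params(time_range: Optional[str] = None, from_ms: Optional[int] = None,
                       to_ms: Optional[int] = None, per_page: int = 500, kvp_info: bool = False,
                       most_recent_first: bool = True) -> Dict[str, object]:
    """Assemble the GET query string for Run Saved Query, enforcing the documented exclusivity rule."""
    if time_range is not None and (from_ms is not None or to_ms is not None):
        raise ValueError("time_range must not be combined with from/to")
    if not 1 <= per_page <= 500:
        raise ValueError("per_page must be between 1 and 500")
    params: Dict[str, object] = {"per_page": per_page, "kvp_info": kvp_info,
                                 "most_recent_first": most_recent_first}
    if time_range is not None:
        resolve_time_range(time_range)  # reject malformed values client-side before the request goes out
        params["time_range"] = time_range
    else:
        if from_ms is not None:
            params["from"] = from_ms
        if to_ms is not None:
            params["to"] = to_ms
    return params


if __name__ == "__main__":
    for spec in ("today", "yesterday", "last 2 hours", "LAST 3 Days", "last 1 month"):
        print(spec, "->", resolve_time_range(spec, EXAMPLE_NOW))
    print(build_query_params(time_range="last 1 hour"))
```

Resolving the relative range locally also makes the query window auditable: the `from`/`to` pair can be written to the investigation notes even when the request itself used `time_range`.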
### Set Investigation Status

Updates the status of an existing investigation in Rapid7 InsightIDR using the provided investigation ID and status value.

**Endpoint URL:** `/idr/v1/investigations/{{id}}/status/{{status}}`

**Method:** PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier of the investigation |
| status | string | required | New status value |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier of the investigation |
| rrn | string | RRN of the investigation |
| title | string | Title of the investigation |
| status | string | Status of the investigation |
| source | string | Source of the investigation |
| disposition | string | Disposition of the investigation |
| alerts | array | Alerts attached to the investigation |
| type | string | Type of an attached alert |
| type_description | string | Description of the alert type |
| first_event_time | string | Time of the first event |
| created_time | string | Time the investigation was created |

#### Example

```json
[{
  "status_code": 200,
  "response_headers": {
    "date": "Thu, 15 Dec 2022 19:19:41 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "expires": "0",
    "pragma": "no-cache",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "vary": "origin",
    "access-control-allow-credentials": "true"
  },
  "reason": "OK",
  "json_body": {
    "id": "723dc6a0-ae08-4404-986c-36310f15b679",
    "rrn": "rrn:investigation:us3:5a732972-2bde-48e0-a915-8bca071f7e18:investigation:qjj46kn",
    "title": "IP address 10.32.0.186 attempted connections to 14 honeypot ports on honeypot sw:",
    "status": "OPEN",
    "source": "ALERT",
    "disposition": "UNDECIDED",
    "alerts": [],
    "created_time": "2022-12-05T20:56:12.801Z"
  }
}]
```

### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| access-control-allow-credentials | HTTP response header | true |
| access-control-expose-headers | Headers exposed to cross-origin callers | r7-correlation-id |
| cache-control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| connection | HTTP response header | keep-alive |
| content-encoding | Encoding applied to the response body | gzip |
| content-length | The length of the response body in bytes | 74 |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Mon, 12 Dec 2022 21:35:58 GMT |
| expires | The date/time after which the response is considered stale | 0 |
| location | URL of the created resource (returned when a saved query is created) | https://us3.api.insight.rapid7.com/log_search/query/saved_queries/00000000-0000-1618-0000-000000000000 |
| pragma | HTTP response header | no-cache |
| r7-correlation-id | Rapid7 request correlation ID; quote it when raising a support case | 8dd3331b-9c80-406d-acc4-81b9a3d6aa94 |
| ratelimit-limit | Requests allowed in the current rate limit window | 250 |
| ratelimit-remaining | Requests left in the current rate limit window | 1499 |
| ratelimit-reset | Seconds until the rate limit window resets | 837 |
| server | Information about the software used by the origin server | istio-envoy |
| set-cookie | HTTP response header (HttpOnly session cookie) | JSESSIONID=883942048cc2f899a4a907e50abcce92; Path=/; HttpOnly |
| strict-transport-security | HTTP response header | max-age=31536000; includeSubDomains |
| transfer-encoding | HTTP response header | chunked |
| vary | HTTP response header | accept-encoding, origin |
| x-content-type-options | HTTP response header | nosniff |
| x-envoy-decorator-operation | HTTP response header | protonclass1apigatewayapp.default.svc.cluster.local:9873/* |
| x-envoy-upstream-service-time | HTTP response header | 261 |
| x-frame-options | HTTP response header | DENY |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 500 |

Rate limits differ per endpoint (the examples above show limits of 1500, 500 and 250), so read `ratelimit-remaining` and `ratelimit-reset` from each response rather than assuming one global budget.

### Notes

- All API documentation: https://insightidr.help.rapid7.com/docs/insightidr-rest-api
- Documentation for the new API: https://help.rapid7.com/insightidr/en-us/api/v1/docs.html
- Investigations v2 endpoint: https://[region].api.insight.rapid7.com/idr/v2/investigations