Rapid7 InsightIDR V2
The Rapid7 InsightIDR V2 connector enables seamless integration with Swimlane Turbine, providing users with the ability to automate and orchestrate security operations tasks.

Rapid7 InsightIDR V2 is a security analytics and incident detection platform that enables teams to detect and investigate security incidents quickly. This connector allows Swimlane Turbine users to automate key security operations tasks such as assigning users to investigations, closing multiple investigations, managing saved queries, and updating investigation statuses. By integrating with Rapid7 InsightIDR V2, users can streamline their incident response process, reduce manual workload, and accelerate threat detection and resolution within the Swimlane Turbine platform.

## Prerequisites

To effectively utilize the Rapid7 InsightIDR V2 connector within Swimlane Turbine, ensure you have the following prerequisites:

API Key Authentication:

- URL: the base endpoint URL for the Rapid7 InsightIDR API
- API Key: a valid API key provided by Rapid7 to authenticate API requests

## Capabilities

This connector provides the following capabilities:

- Assign User to Investigation
- Bulk Close Investigations
- Create a Saved Query
- Create Investigation
- Delete a Saved Query
- Get Investigation
- Get Product List Alerts by Investigation
- List Alerts Investigation
- List All Saved Queries
- List Investigations
- Retrieve Evidence for Alert
- Run Saved Query
- Search Investigations
- Set Disposition Investigation
- Set Priority Investigation
- and so on

## Asset Setup

Fill in the Region parameter with the data center used for your account. To find the data center, log in to your InsightIDR account, then look at the URL of the home page. The URL should look similar to this: `http://region.idr.insight.rapid7.com`. Here `region` indicates your data center; enter that as the value in the Region parameter.

## Actions Setup

You need a threat key in order to use actions that manage threats. If you do not have a threat to use, follow the Rapid7 instructions to create a new threat.
For actions that take datetime inputs, you can use any standard datetime format.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| X-Api-Key | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Assign User to Investigation

Assign a user to an investigation in Rapid7 InsightIDR V2 by specifying the investigation ID and the user's email address.

**Endpoint URL:** `idr/v2/investigations/{{id}}/assignee`
**Method:** `PUT`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |
| multi-customer | boolean | Optional | Parameter for Assign User to Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Assign User to Investigation |
| user_email_address | string | Required | Parameter for Assign User to Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

### Bulk Close Investigations

Closes multiple investigations in Rapid7 InsightIDR within a specified date range; requires the `from`, `source` and `to` parameters.

**Endpoint URL:** `idr/v2/investigations/bulk_close`
**Method:** `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Bulk Close Investigations |
| alert_type | string | Optional | Type of the resource |
| detection_rule_rrn | string | Optional | Parameter for Bulk Close Investigations |
| disposition | string | Optional | Parameter for Bulk Close Investigations |
| from | string | Required | Parameter for Bulk Close Investigations |
| max_investigations_to_close | number | Optional | Parameter for Bulk Close Investigations |
| source | string | Required | Parameter for Bulk Close Investigations |
| to | string | Required | Parameter for Bulk Close Investigations |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ids | array | Unique identifier |
| num_closed | number | Output field num_closed |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "",
    "json_body": {"ids": [], "num_closed": 2}
  }
]
```

### Create a Saved Query

Initiates the creation of a saved query in Rapid7 InsightIDR using the provided `saved_query` details.

**Endpoint URL:** `/log_search/query/saved_queries`
**Method:** `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| saved_query | object | Required | Parameter for Create a Saved Query |
| name | string | Required | The name for the saved query |
| leql | object | Required | Parameter for Create a Saved Query |
| during | object | Optional | Parameter for Create a Saved Query |
| from | number | Optional | The start of the time range for the query, as a Unix timestamp in milliseconds |
| to | number | Optional | The end of the time range for the query, as a Unix timestamp in milliseconds |
| time_range | string | Optional | Relative time range (instead of an absolute `from` + `to` time range). Possible values are `yesterday`, `today` and `last X timeunits`, where X is the number of time units back from the current server time. Supported time units (case-insensitive) are min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s) and year(s) |
| statement | string | Required | The LEQL query run against the log(s). If empty, the query retrieves all log entries in the specified time range |
| logs | array | Optional | The log keys of the logs which the query is run against |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_query | object | Output field saved_query |
| id | string | Unique identifier |
| name | string | Name of the resource |
| leql | object | Output field leql |
| statement | string | Output field statement |
| during | object | Output field during |
| time_range | object | Output field time_range |
| to | object | Output field to |
| from | object | Output field from |
| logs | array | Output field logs |

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Date": "Fri, 21 Jun 2024 09:18:35 GMT",
      "Content-Type": "application/json",
      "Content-Length": "180",
      "Connection": "keep-alive",
      "Vary": "Origin, Accept-Encoding, Origin",
      "Location": "https://us3.api.insight.rapid7.com/log_search/query/saved_queries/00000000-0000-",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "R7-Correlation-Id": "3f4f3a96-4af9-4229-9303-30dd632beb93",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Expose-Headers": "R7-Correlation-Id",
      "RateLimit-Limit": "1500",
      "RateLimit-Reset": "900",
      "RateLimit-Remaining": "1499",
      "X-RateLimit-Limit": "1500",
      "X-RateLimit-Reset": "900"
    },
    "reason": "Created",
    "json_body": {"saved_query": {}}
  }
]
```

### Create Investigation

Initiate a manual investigation in Rapid7 InsightIDR V2 with custom headers and JSON body data.

**Endpoint URL:** `idr/v2/investigations`
**Method:** `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Create Investigation |
| assignee | object | Optional | Parameter for Create Investigation |
| email | string | Optional | Parameter for Create Investigation |
| disposition | string | Optional | Parameter for Create Investigation |
| priority | string | Optional | Parameter for Create Investigation |
| status | string | Optional | Status value |
| title | string | Optional | Parameter for Create Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

### Delete a Saved Query

Removes a specified saved query from Rapid7 InsightIDR using the provided unique saved query ID.

**Endpoint URL:** `/log_search/query/saved_queries/{{saved_query_id}}`
**Method:** `DELETE`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| saved_query_id | string | Required | The ID of the saved query |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Date": "Fri, 21 Jun 2024 09:07:47 GMT",
      "Connection": "keep-alive",
      "Vary": "Origin, Origin",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "R7-Correlation-Id": "5d143985-8028-4204-a2f9-f18e1848b30b",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Expose-Headers": "R7-Correlation-Id",
      "RateLimit-Limit": "1500",
      "RateLimit-Reset": "445",
      "RateLimit-Remaining": "1497",
      "X-RateLimit-Limit": "1500",
      "X-RateLimit-Reset": "445",
      "X-RateLimit-Remaining": "1497"
    },
    "reason": "No Content",
    "response_text": ""
  }
]
```

### Get Investigation

Retrieve a specific investigation in Rapid7 InsightIDR V2 using the unique identifier (`id`) provided in the path parameters.

**Endpoint URL:** `idr/v2/investigations/{{id}}`
**Method:** `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |
| multi-customer | boolean | Optional | Parameter for Get Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Get Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

### Get Product List Alerts by Investigation

Retrieve all Rapid7 InsightIDR alerts associated with a given investigation identifier, including path parameters and headers.

**Endpoint URL:** `idr/v2/investigations/{{identifier}}/rapid7-product-alerts`
**Method:** `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| identifier | string | Required | Unique identifier |
| multi-customer | boolean | Optional | Parameter for Get Product List Alerts by Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Get Product List Alerts by Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Tue, 25 Jul 2023 05:13:19 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Expires": "0",
      "Pragma": "no-cache",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "DENY",
      "X-XSS-Protection": "1; mode=block",
      "Vary": "Origin",
      "Access-Control-Allow-Credentials": "true"
    },
    "reason": "OK",
    "json_body": [{}]
  }
]
```

### List Alerts Investigation

Retrieve all alerts associated with a given investigation in Rapid7 InsightIDR V2, using the unique identifier.

**Endpoint URL:** `idr/v2/investigations/{{identifier}}/alerts`
**Method:** `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| identifier | string | Required | Unique identifier |
| index | number | Optional | Parameter for List Alerts Investigation |
| multi-customer | boolean | Optional | Parameter for List Alerts Investigation |
| size | number | Optional | Parameter for List Alerts Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for List Alerts Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| metadata | object | Response data |
| index | number | Output field index |
| size | number | Output field size |
| total_pages | number | Output field total_pages |
| total_data | number | Response data |
| data | array | Response data |
| alert_source | string | Output field alert_source |
| alert_type | string | Type of the resource |
| alert_type_description | string | Type of the resource |
| created_time | string | Time value |
| detection_rule_rrn | object | Output field detection_rule_rrn |
| rule_name | string | Name of the resource |
| rule_rrn | string | Output field rule_rrn |
| first_event_time | string | Time value |
| id | string | Unique identifier |
| latest_event_time | string | Time value |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Tue, 25 Jul 2023 05:00:27 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
      "Expires": "0",
      "Pragma": "no-cache",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "DENY",
      "X-XSS-Protection": "1; mode=block",
      "Vary": "Origin",
      "Access-Control-Allow-Credentials": "true"
    },
    "reason": "OK",
    "json_body": {"data": []},
    "metadata": {"index": 10, "size": 20, "total_pages": 1, "total_data": 1}
  }
]
```

### List All Saved Queries

Retrieve all saved queries from Rapid7 InsightIDR for analysis or investigation purposes.

**Endpoint URL:** `/log_search/query/saved_queries`
**Method:** `GET`

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| saved_queries | array | Output field saved_queries |
| id | string | Unique identifier |
| name | string | Name of the resource |
| leql | object | Output field leql |
| statement | string | Output field statement |
| during | object | Output field during |
| time_range | object | Output field time_range |
| to | object | Output field to |
| from | object | Output field from |
| logs | array | Output field logs |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 21 Jun 2024 09:00:13 GMT",
      "Content-Type": "application/json",
      "Content-Length": "191",
      "Connection": "keep-alive",
      "Vary": "Origin, Accept-Encoding, Origin",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "R7-Correlation-Id": "14f165c3-d476-45e3-a9f1-13df3a33426b",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Expose-Headers": "R7-Correlation-Id",
      "RateLimit-Limit": "1500",
      "RateLimit-Reset": "900",
      "RateLimit-Remaining": "1499",
      "X-RateLimit-Limit": "1500",
      "X-RateLimit-Reset": "900",
      "X-RateLimit-Remaining": "1499"
    },
    "reason": "OK",
    "json_body": {"saved_queries": []}
  }
]
```

### List Investigations

Retrieve a paginated list of investigations from Rapid7 InsightIDR using the specified request headers.

**Endpoint URL:** `idr/v2/investigations`
**Method:** `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| assignee.email | string | Optional | Parameter for List Investigations |
| end_time | string | Optional | Time value |
| index | number | Optional | Parameter for List Investigations |
| multi-customer | boolean | Optional | Parameter for List Investigations |
| priorities | string | Optional | Parameter for List Investigations |
| size | number | Optional | Parameter for List Investigations |
| sort | string | Optional | Parameter for List Investigations |
| sources | string | Optional | Parameter for List Investigations |
| start_time | string | Optional | Time value |
| statuses | string | Optional | Status value |
| tags | string | Optional | Parameter for List Investigations |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for List Investigations |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |
| metadata | object | Response data |
| index | number | Output field index |
| size | number | Output field size |
| total_data | number | Response data |
| total_pages | number | Output field total_pages |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {"data": [], "metadata": {}}
  }
]
```

### Retrieve Evidence for Alert

Retrieve the associated evidence for a specific alert in Rapid7 InsightIDR using the alert's unique resource name (RRN).

**Endpoint URL:** `/idr/at/alerts/{{alert_rrn}}/evidences`
**Method:** `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| alert_rrn | string | Required | The unique identifier of the alert |
| index | number | Optional | The index of the page to retrieve (zero-indexed) |
| size | number | Optional | The size of the page to retrieve |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Acknowledges the API preview status |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| evidences | array | Unique identifier |
| rrn | string | Output field rrn |
| version | number | Output field version |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| evented_at | string | Output field evented_at |
| external_source | string | Output field external_source |
| event_type | string | Type of the resource |
| data | string | Response data |
| metadata | object | Response data |
| index | number | Output field index |
| size | number | Output field size |
| items_in_index | number | Output field items_in_index |
| total_items | number | Output field total_items |
| is_last_index | boolean | Output field is_last_index |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 21 Jun 2024 08:01:46 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "R7-Correlation-Id": "04bad1e4-ac8d-4645-adc2-9d4d3588cb80",
      "Vary": "Accept-Encoding, Origin",
      "Content-Encoding": "gzip",
      "X-Envoy-Upstream-Service-Time": "261",
      "Server": "istio-envoy",
      "X-Envoy-Decorator-Operation": "protonclass1apigatewayapp.default.svc.cluster.local:9873/",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Expose-Headers": "R7-Correlation-Id",
      "RateLimit-Limit": "250",
      "RateLimit-Reset": "19",
      "RateLimit-Remaining": "249"
    },
    "reason": "OK",
    "json_body": {"evidences": [], "metadata": {}}
  }
]
```

### Run Saved Query

Executes a predefined saved query within Rapid7 InsightIDR using the provided `saved_query_id`.

**Endpoint URL:** `/log_search/query/saved_query/{{saved_query_id}}`
**Method:** `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| saved_query_id | string | Required | The ID of the saved query |
| time_range | string | Optional | An alternative to the `from` and `to` query parameters. Possible values are `yesterday`, `today` and `last X timeunits`, where X is the number of time units back from the current server time. Supported time units (case-insensitive) are min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s) and year(s). If `time_range` is used, then the `from` and `to` query parameters must not be used |
| from | number | Optional | The start of the time range for the query, as a Unix timestamp in milliseconds |
| to | number | Optional | The end of the time range for the query, as a Unix timestamp in milliseconds |
| per_page | number | Optional | Number of log entries to return per page, up to 500 (the maximum allowed) |
| kvp_info | boolean | Optional | When set to true, the events object that is returned will additionally contain information about all the key-value pairs in each returned log entry |
| most_recent_first | boolean | Optional | When set to true, the query returns the most recent events first; when set to false, it returns the oldest events first |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| logs | array | Output field logs |
| leql | object | Output field leql |
| statement | string | Output field statement |
| during | object | Output field during |
| from | number | Output field from |
| to | number | Output field to |
| events | array | Output field events |
| labels | array | Output field labels |
| links | array | Output field links |
| rel | string | Output field rel |
| href | string | Output field href |
| id | string | Unique identifier |
| timestamp | number | Output field timestamp |
| sequence_number | number | Output field sequence_number |
| log_id | string | Unique identifier |
| message | string | Response message |
| links | array | Output field links |
| rel | string | Output field rel |
| href | string | Output field href |
| sequence_number_str | number | Output field sequence_number_str |
| kvp_info | array | Output field kvp_info |
| key | object | Output field key |
| text | string | Output field text |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {"logs": [], "leql": {}, "events": []}
  }
]
```

### Search Investigations

Performs a search for investigations in Rapid7 InsightIDR V2 using the specified criteria and returns matching results. Requires headers and path parameters.

**Endpoint URL:** `idr/v2/investigations/_search`
**Method:** `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| index | number | Optional | Parameter for Search Investigations |
| multi-customer | boolean | Optional | Parameter for Search Investigations |
| size | number | Optional | Parameter for Search Investigations |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Search Investigations |
| _search | string | Required | Parameter for Search Investigations |
| end_time | string | Optional | Time value |
| search | array | Optional | Parameter for Search Investigations |
| field | string | Optional | Parameter for Search Investigations |
| operator | string | Optional | Parameter for Search Investigations |
| value | object | Optional | Value for the parameter |
| sort | array | Optional | Parameter for Search Investigations |
| field | string | Optional | Parameter for Search Investigations |
| order | string | Optional | Parameter for Search Investigations |
| start_time | string | Optional | Time value |
| title | string | Optional | Parameter for Search Investigations |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |
| metadata | object | Response data |
| index | number | Output field index |
| size | number | Output field size |
| total_data | number | Response data |
| total_pages | number | Output field total_pages |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {"data": [], "metadata": {}}
  }
]
```

### Set Disposition Investigation

Updates the disposition of an investigation in Rapid7 InsightIDR using its ID and returns the updated details.

**Endpoint URL:** `idr/v2/investigations/{{id}}/disposition/{{disposition}}`
**Method:** `PUT`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| disposition | string | Required | Parameter for Set Disposition Investigation |
| id | string | Required | Unique identifier |
| multi-customer | boolean | Optional | Parameter for Set Disposition Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Set Disposition Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

### Set Priority Investigation

Assign a priority level to a specific investigation in Rapid7 InsightIDR by using the investigation's ID or RRN.

**Endpoint URL:** `idr/v2/investigations/{{id}}/priority/{{priority}}`
**Method:** `PUT`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |
| priority | string | Required | Parameter for Set Priority Investigation |
| multi-customer | boolean | Optional | Parameter for Set Priority Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Set Priority Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

### Set Status Investigation

Updates the status of a specified investigation in Rapid7 InsightIDR V2 by using its unique ID or RRN; requires path parameters.

**Endpoint URL:** `idr/v2/investigations/{{id}}/status/{{status}}`
**Method:** `PUT`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |
| status | string | Required | Status value |
| multi-customer | boolean | Optional | Parameter for Set Status Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Set Status Investigation |
| disposition | string | Optional | Parameter for Set Status Investigation |
| threat_command_close_reason | string | Optional | Response reason phrase |
| threat_command_free_text | string | Optional | Parameter for Set Status Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

### Update Investigation

Updates specific fields of an investigation in Rapid7 InsightIDR using the provided ID or RRN, with required path parameters and headers.

**Endpoint URL:** `idr/v2/investigations/{{id}}`
**Method:** `PATCH`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Required | Unique identifier |
| multi-customer | boolean | Optional | Parameter for Update Investigation |
| headers | object | Required | HTTP headers for the request |
| Accept-version | string | Required | Parameter for Update Investigation |
| assignee | object | Optional | Parameter for Update Investigation |
| email | string | Optional | Parameter for Update Investigation |
| disposition | string | Optional | Parameter for Update Investigation |
| priority | string | Optional | Parameter for Update Investigation |
| status | string | Optional | Status value |
| threat_command_close_reason | string | Optional | Response reason phrase |
| threat_command_free_text | string | Optional | Parameter for Update Investigation |
| title | string | Optional | Parameter for Update Investigation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| assignee | object | Output field assignee |
| email | string | Output field email |
| name | string | Name of the resource |
| created_time | string | Time value |
| disposition | string | Output field disposition |
| first_alert_time | string | Time value |
| last_accessed | string | Output field last_accessed |
| latest_alert_time | string | Time value |
| organization_id | string | Unique identifier |
| priority | string | Output field priority |
| responsibility | string | Output field responsibility |
| rrn | string | Output field rrn |
| source | string | Output field source |
| status | string | Status value |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {"Content-Type": "application/json", "Date": "Thu, 01 Jan 2024 00:00:00 GMT"},
    "reason": "OK",
    "json_body": {
      "assignee": {}, "created_time": "string", "disposition": "string",
      "first_alert_time": "string", "last_accessed": "string", "latest_alert_time": "string",
      "organization_id": "string", "priority": "string", "responsibility": "string",
      "rrn": "string", "source": "string", "status": "active", "tags": [], "title": "string"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | R7-Correlation-Id |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, max-age=0, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 424 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 19 Jul 2023 07:27:03 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Location | The URL to redirect a page to | https://us3.api.insight.rapid7.com/log_search/query/saved_queries/00000000-0000-1618-0000-000000000000 |
| Pragma | HTTP response header Pragma | no-cache |
| R7-Correlation-Id | HTTP response header R7-Correlation-Id | 14f165c3-d476-45e3-a9f1-13df3a33426b |
| RateLimit-Limit | HTTP response header RateLimit-Limit | 1500 |
| RateLimit-Remaining | HTTP response header RateLimit-Remaining | 1499 |
| RateLimit-Reset | HTTP response header RateLimit-Reset | 19 |
| Server | Information about the software used by the origin server | istio-envoy |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding, Origin |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Envoy-Decorator-Operation | HTTP response header X-Envoy-Decorator-Operation | protonclass1apigatewayapp.default.svc.cluster.local:9873/ |
| X-Envoy-Upstream-Service-Time | HTTP response header X-Envoy-Upstream-Service-Time | 261 |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-RateLimit-Limit | The number of requests allowed in the current rate limit window | 1500 |
| X-RateLimit-Remaining | The number of requests remaining in the current rate limit window | 1499 |

## Notes

All API documentation: https://docs.rapid7.com/insightidr/insightidr-rest-api/
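The two input rules that are easiest to get wrong when wiring these actions into a playbook are the Run Saved Query constraints (`time_range` is exclusive with `from`/`to`, the accepted `time_range` grammar, and the `per_page` maximum of 500) and the paging contract shared by List Investigations and List Alerts Investigation (`index`/`size` in, `metadata.total_pages` out). The Python below is an added example written for this page; it is not Swimlane's connector code or Rapid7's client, and it makes no network calls. The `fetch` callable, the `fake_fetch` stand-in and its placeholder RRN values are constructed for the example; only the standard library is used.

```python
"""Added example for the Rapid7 InsightIDR V2 connector page.

Not Swimlane's or Rapid7's code. Demonstrates (1) building Run Saved Query
parameters under the rules the page states and (2) walking a paginated
listing using the index / size / total_pages metadata. Runs offline.
"""
import re
from typing import Callable, Dict, Iterator, List, Optional

MAX_PER_PAGE = 500  # Run Saved Query: "up to 500 (the maximum allowed)"

# Time units the page lists for "last X timeunits"; matched case-insensitively.
_UNITS = frozenset(["min", "mins", "minute", "minutes", "hr", "hrs", "hour",
                    "hours", "day", "days", "week", "weeks", "month", "months",
                    "year", "years"])
_LAST_RE = re.compile(r"^last\s+(\d+)\s*([a-z]+)$")


def is_valid_time_range(time_range: str) -> bool:
    """True for 'yesterday', 'today' or 'last X <unit>' with X >= 1."""
    value = time_range.strip().lower()
    if value in ("yesterday", "today"):
        return True
    m = _LAST_RE.match(value)
    return bool(m) and int(m.group(1)) >= 1 and m.group(2) in _UNITS


def build_run_saved_query_params(
    time_range: Optional[str] = None,
    from_ms: Optional[int] = None,
    to_ms: Optional[int] = None,
    per_page: int = 50,
    kvp_info: bool = False,
    most_recent_first: bool = True,
) -> Dict[str, str]:
    """Query-string parameters for GET /log_search/query/saved_query/{id}.

    Enforces the rules stated for the action: time_range excludes from/to,
    from must not be later than to, and per_page is capped at MAX_PER_PAGE.
    """
    if time_range is not None and (from_ms is not None or to_ms is not None):
        raise ValueError("time_range must not be combined with from/to")
    if from_ms is not None and to_ms is not None and from_ms > to_ms:
        raise ValueError("from must not be later than to")
    if not 1 <= per_page <= MAX_PER_PAGE:
        raise ValueError(f"per_page must be between 1 and {MAX_PER_PAGE}")
    params = {
        "per_page": str(per_page),
        "kvp_info": "true" if kvp_info else "false",
        "most_recent_first": "true" if most_recent_first else "false",
    }
    if time_range is not None:
        if not is_valid_time_range(time_range):
            raise ValueError(f"unsupported time_range {time_range!r}")
        params["time_range"] = time_range
    if from_ms is not None:
        params["from"] = str(from_ms)
    if to_ms is not None:
        params["to"] = str(to_ms)
    return params


# --- Pagination over index / size / total_pages metadata -------------------

Page = Dict[str, object]
Fetch = Callable[[int, int], Page]  # (index, size) -> decoded json_body


def iter_pages(fetch: Fetch, size: int = 20, max_pages: int = 1000) -> Iterator[List[dict]]:
    """Yield each page's `data` list from a listing endpoint.

    Stops when metadata.total_pages is reached, when a page comes back
    empty, or after max_pages (a guard against a server that never ends).
    """
    index = 0
    while index < max_pages:
        body = fetch(index, size)
        data = body.get("data") or []
        if not data:
            return
        yield data
        index += 1
        total_pages = int((body.get("metadata") or {}).get("total_pages", 0))
        if index >= total_pages:
            return


def collect_all(fetch: Fetch, size: int = 20) -> List[dict]:
    """Flatten every page into one list."""
    return [item for page in iter_pages(fetch, size) for item in page]


# Constructed sample data standing in for List Investigations responses:
# 45 stub investigations; the rrn values are placeholders, not real RRNs.
_SAMPLE = [{"rrn": f"placeholder-rrn-{i:03d}", "status": "OPEN"} for i in range(45)]


def fake_fetch(index: int, size: int) -> Page:
    """Offline stand-in for the connector call; serves _SAMPLE page by page."""
    chunk = _SAMPLE[index * size:(index + 1) * size]
    total_pages = -(-len(_SAMPLE) // size)  # ceiling division
    return {"data": chunk, "metadata": {"index": index, "size": size,
                                        "total_data": len(_SAMPLE),
                                        "total_pages": total_pages}}


if __name__ == "__main__":
    print(build_run_saved_query_params(time_range="last 2 hours", per_page=500))
    print(len(collect_all(fake_fetch, size=20)), "investigations fetched")
```

In a real playbook `fetch` would be the connector's List Investigations (or List Alerts Investigation) call with `index` and `size` passed through; rejecting a `time_range` plus `from`/`to` combination locally saves a round trip that the API would refuse anyway, and the `max_pages` guard keeps a bad `total_pages` value from turning an enrichment step into an unbounded loop.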