Close an investigation

You can close an investigation from the Investigations or Investigation Details pages.

To close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Close.
  4. Select a Disposition.
  5. Click the Close Investigation button.

Apply allowlist rules

When you close certain investigations, you can add allowlist rules. An allowlist rule tells InsightIDR not to open automatic investigations when it detects activity from the specified user or asset, so it prevents future investigations from opening automatically for that asset or user. The steps to create allowlist rules differ between detection rules and legacy detection rules.

Detection rules and allowlisting

To allowlist assets or users for detection rules, you need to create an exception.

  1. Navigate to Detection Rules > Detection Rule Library.
  2. Select a detection rule.
  3. Select the Exceptions tab.
  4. Click the Create New Exception button.
  5. Enter the exception conditions.
  6. Name the exception.
  7. Optionally, add a note.
  8. Click the Create Exception button.

Legacy detection rules and allowlisting

You can view modifications to legacy detection rules by navigating to Detection Rules > Legacy Rule Modifications.

To allowlist an investigation:

  1. Select an investigation.
  2. Click the Close Investigation button.
  3. Select Allowlist and Close or Modify and Close.
  4. Select an allowlist rule or detection modification.
  5. Select a Disposition.
  6. Click the Apply Rule and Close or Apply Modification and Close button.

Bulk-close investigations

You can bulk-close investigations of the same type within a selected date range from the Investigations and Investigation Details screens.

Investigations created manually from an alert must be closed one at a time

You can't close investigations in bulk that were created manually from an alert.

To bulk-close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Bulk Close.
  4. Select a Disposition to apply to all of the bulk-closed investigations.
  5. Click the Close Investigations button.

Reopen an investigation

Investigations can be reopened from either the Investigations home or Investigation Details pages.

To reopen an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Open.