Analyze an investigation

Once an investigation is created, you can use InsightIDR’s built-in capabilities to analyze data within the investigation, configure the status, priority, and disposition of the investigation, and communicate updates with your team.

Add data to an investigation

You can add data to an investigation (such as actor data and raw logs) to help you analyze the events that caused the suspicious activity. Endpoint or asset data can be added for Windows machines.

Add endpoint job data

You can add endpoint data to investigations to see processes and forensic data, such as DNS cache, installed services, or registry keys.

To add endpoint data to an investigation:

  1. Within an investigation, select Explore Contextual Data > Query Endpoints.
  2. Choose one or more jobs to run, and configure any required details.
  3. Add one or more endpoints or add an asset group.
  4. Click the Save button. Collected endpoint data displays in the Investigation timeline as an Actor.

Add actor data

You can add network data that occurred during a specific date range and is associated with specific users or assets. The available event types are:

  • Account modified
  • Advanced malware alert
  • Asset authentication
  • Cloud service account modified
  • DNS query
  • Firewall
  • IDS
  • Ingress authentication
  • Virus infection
  • Web proxy

To add actor data to an investigation:

  1. Within an investigation, select Explore Contextual Data > Inspect Actor Activity.
  2. Select your date range.
  3. Select users or assets to add as investigation actors.
  4. Click the Save button. Added users and assets will appear on the Investigation timeline as Actors.

Add log data

Any log data that is ingested by InsightIDR can be added to an investigation.

To add log data to an investigation:

  1. Within an investigation, select Explore Contextual Data > Search Logs.
  2. Select one or more logs or log sets.
  3. Define your query. See Log Search for more information on writing queries.
  4. Select one or more log entries to add to the investigation.
  5. Select Add to Investigation.
  6. Specify a Title and add Details, which help you identify the log data later.
  7. Click Add Log Entries to Investigation. The log entry displays in the investigation.

Tip: You can also add log data from Alert Details

To save time, you can also search logs and add log data directly within the context of an alert, when viewing the alert's details.

Export data

You can export investigation data to a PDF document, or send it to a configured data exporter such as ServiceNow.

Update the investigation status

You can use an investigation’s status to indicate where the investigation is in the triage process. Available statuses include:

  • Open - The default status for all new investigations.
  • Investigating - The investigation is in progress.
  • Waiting - Progress on the investigation has paused while more information is gathered.
  • Closed - The investigation has ended. A disposition must be selected to set this status.

The status is displayed on both the Investigations page and the Investigation Details page.

To update the status of an investigation:

  1. Select an investigation.
  2. Select an option from the Status dropdown.

Manage the investigation priority

Investigation priority is a rating assigned to an investigation based on the impact and urgency of the detections and assets associated with it.

System-created investigations inherit the priority level of the detection rule that triggered them and are automatically placed in one of four categories: critical, high, medium, or low. Investigations without a priority rating are labeled "Unspecified". User-created investigations require a priority level to be selected before the investigation can be created.

To override the inherited priority level for an investigation:

  • Select the Priority dropdown and choose a different priority. When you change the priority of a system-created investigation, you are overriding the inherited priority for that investigation, but not for the detection rule that created it.

Update the investigation disposition

An investigation’s disposition captures the conclusion that your organization drew from the triage process, or indicates that triage is still in progress. You can select a disposition to indicate whether the investigation represented a legitimate threat.

Every new investigation has a default disposition: automatically created investigations inherit theirs from the underlying alerts and detections, and manually created investigations start as Undecided.

Disposition types

The available dispositions include:

Undecided

Apply this disposition temporarily when you have not yet determined whether the events represented by this investigation are benign, malicious, or unknown.

You cannot close an investigation if the disposition is set to Undecided.

Benign

Apply this disposition when the events represented by this investigation are known or expected behavior and are not predicted to result in an actual or potentially adverse effect on an information system or the information residing therein.

You might determine that the events are fulfilling an accepted business use-case within the context of your environment. Therefore, no reporting or other action is required on this event.

Use a benign classification for events that are clearly associated with non-malicious, non-suspicious, or very common low-to-no risk behaviors in the context of your environment.

Example: Benign events can include proper practices performed by a system administrator or common user behaviors.

Malicious

Apply this disposition when the events represented by this investigation are associated with malicious activity and were reported to you. Malicious events are actions that are intended to breach computer networks and that, if not interrupted, can result in an adverse effect on an information system or its information.

Example: You receive an incident notification. Further analysis is carried out and there are indications of a compromise. The malicious activity results in changes to your environment, such as password resets or the reconfiguration of services.

Unknown

Apply this disposition when it is truly unknown whether an event is related to malicious activity and there are no further lines of inquiry available to take. The events represented by this investigation could be malicious, but it’s not possible to make that determination based on the data that’s currently available.

Not Applicable

Apply this disposition to investigations that contain no activity that needs further scrutiny.

Some alerts are raised for compliance warnings or because protective software has stopped reporting. InsightIDR can notify you about such risks to your network, but they are not the result of malicious activity.

To update an investigation’s disposition:

  1. Select an investigation.
  2. Select an option from the Disposition dropdown.
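The status, priority and disposition rules described above interact: an investigation cannot be closed while its disposition is Undecided, a system-created investigation inherits its priority from the detection rule, and overriding that priority must not touch the rule. The following is an added example that encodes those rules as a small triage-state model, with an audit trail of every field change; it is not InsightIDR code, and the class names, the `DetectionRule` stand-in and the history tuple format are assumptions made for the example. The same checks belong in any script that sets these fields on a team's behalf, so a bulk close never silently lands on a disposition nobody chose.

```python
"""Triage-state model for an investigation (added illustration, not InsightIDR code).

Rules taken from the page: Closed requires a disposition other than Undecided;
system-created investigations inherit priority and disposition from the rule;
user-created ones need an explicit priority; a priority override changes only
the investigation, never the rule. Everything else is an assumed shape.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    OPEN = "Open"
    INVESTIGATING = "Investigating"
    WAITING = "Waiting"
    CLOSED = "Closed"


class Priority(Enum):
    CRITICAL = "Critical"
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"
    UNSPECIFIED = "Unspecified"


class Disposition(Enum):
    UNDECIDED = "Undecided"
    BENIGN = "Benign"
    MALICIOUS = "Malicious"
    UNKNOWN = "Unknown"
    NOT_APPLICABLE = "Not Applicable"


@dataclass
class DetectionRule:
    """Assumed stand-in for the rule that created a system investigation."""
    name: str
    priority: Priority
    disposition: Disposition = Disposition.UNDECIDED


def _val(x):
    return x.value if isinstance(x, Enum) else x


@dataclass
class Investigation:
    title: str
    status: Status = Status.OPEN
    priority: Priority = Priority.UNSPECIFIED
    disposition: Disposition = Disposition.UNDECIDED
    source_rule: Optional[DetectionRule] = None
    assignee: Optional[str] = None
    # Audit trail: (field, old value, new value), oldest first.
    history: List[Tuple[str, object, object]] = field(default_factory=list)

    @classmethod
    def from_detection(cls, title: str, rule: DetectionRule) -> "Investigation":
        """System-created: inherits priority and disposition from the rule."""
        return cls(title, priority=rule.priority,
                   disposition=rule.disposition, source_rule=rule)

    @classmethod
    def create_manual(cls, title: str, priority: Optional[Priority]) -> "Investigation":
        """User-created: a real priority is mandatory; disposition starts Undecided."""
        if priority is None or priority is Priority.UNSPECIFIED:
            raise ValueError("user-created investigations require a priority")
        return cls(title, priority=priority)

    def _record(self, name: str, old, new) -> None:
        self.history.append((name, _val(old), _val(new)))

    def set_status(self, new: Status) -> None:
        if new is Status.CLOSED and self.disposition is Disposition.UNDECIDED:
            raise ValueError("set a disposition other than Undecided before closing")
        self._record("status", self.status, new)
        self.status = new

    def set_priority(self, new: Priority) -> None:
        # Overrides this investigation only; self.source_rule is deliberately untouched.
        self._record("priority", self.priority, new)
        self.priority = new

    def set_disposition(self, new: Disposition) -> None:
        self._record("disposition", self.disposition, new)
        self.disposition = new

    def assign(self, email: str) -> None:
        self._record("assignee", self.assignee, email)
        self.assignee = email

    def close(self, disposition: Disposition) -> None:
        """Disposition first, then status, so the closing rule always holds."""
        self.set_disposition(disposition)
        self.set_status(Status.CLOSED)
```

`close()` exists because the order matters: setting the status before the disposition is exactly the sequence the page forbids, and the model raises rather than letting a script do it.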

Add an assignee to an investigation

You can assign open investigations to individual users and know exactly what your team is working on. Users will receive an email whenever they are assigned to a new investigation.

To assign a user to an investigation:

  1. Select an investigation.
  2. Click the Assignee dropdown.
  3. Enter the assignee’s name.
  4. Select the assignee.

Add comments to an investigation

You can add and view comments that are associated with an investigation on the Investigation Details page.

To add comments:

  1. Select an investigation.
  2. Click the Comments button.
  3. Enter your comment.
  4. Click the Save button.

Add attachments to an investigation

You can provide additional context to your investigations by uploading attachments.

Attachments can also be added along with a comment and are subject to some limitations:

  • They must be less than 50 MB in size.
  • A maximum of 10 attachments are allowed for each comment.
  • A maximum of 50 attachments are allowed for each investigation.

Malware samples cannot be uploaded

All attachments are scanned for malicious content when they are uploaded. Malware samples are not allowed: a file detected as malicious is treated as malicious content and users are prevented from accessing it.

To add attachments:

  1. Select an investigation.
  2. Click the Add Attachments button.
  3. Drop a file or browse your computer and select one.
  4. Click Add to investigation.
  5. Click the Save button.
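Because the limits above are enforced at upload time and a malware sample is blocked rather than stored, a useful habit is to check a batch of files before attaching them and to reference any sample by hash instead of uploading it. The following is an added example that does that; it is not InsightIDR code. It takes in-memory (filename, bytes) pairs, counts already-attached files against the per-investigation limit, rejects files that hit the size or count limits, and for files the analyst has marked as samples emits a SHA-256 line to paste into the comment instead. The function and field names, and the assumption that the sample stays in a separate malware repository, are choices made for this example.

```python
"""Pre-upload check for investigation attachments (added example, not InsightIDR code).

Limits from the page: each file under 50 MB, at most 10 attachments per comment,
at most 50 per investigation, and no malware samples. Inputs are (name, bytes)
pairs constructed in memory; that shape is an assumption for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Tuple

MAX_BYTES = 50 * 1024 * 1024        # "less than 50 MB"
MAX_PER_COMMENT = 10
MAX_PER_INVESTIGATION = 50


@dataclass
class AttachmentPlan:
    upload: List[str] = field(default_factory=list)              # safe to attach
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (name, reason)
    hash_lines: List[str] = field(default_factory=list)          # paste into the comment


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_comment_attachments(candidates: Iterable[Tuple[str, bytes]],
                             already_attached: int,
                             suspected_samples: FrozenSet[str] = frozenset()) -> AttachmentPlan:
    """Decide which files can go on one comment of an investigation.

    already_attached: number of attachments the investigation already has.
    suspected_samples: filenames the analyst knows are malware samples; these are
    never uploaded, only described by hash and size (assumed workflow).
    """
    plan = AttachmentPlan()
    remaining = max(0, MAX_PER_INVESTIGATION - already_attached)
    for name, data in candidates:
        if name in suspected_samples:
            plan.hash_lines.append(
                f"{name}: sha256={sha256_hex(data)} size={len(data)} bytes "
                f"(sample kept in the malware repository, not attached)")
            continue
        if len(data) >= MAX_BYTES:
            plan.rejected.append((name, "50 MB limit"))
            continue
        if len(plan.upload) >= MAX_PER_COMMENT:
            plan.rejected.append((name, "10 attachments per comment"))
            continue
        if len(plan.upload) >= remaining:
            plan.rejected.append((name, "50 attachments per investigation"))
            continue
        plan.upload.append(name)
    return plan


if __name__ == "__main__":
    # Constructed sample batch: a timeline export, a flagged dropper, and an oversized capture.
    batch = [("timeline.csv", b"ts,event\n2024-01-01T00:00:00Z,logon\n"),
             ("dropper.exe", b"MZ\x90\x00constructed-sample"),
             ("capture.pcap", b"\x00" * MAX_BYTES)]
    result = plan_comment_attachments(batch, already_attached=3,
                                      suspected_samples=frozenset({"dropper.exe"}))
    print("upload:", result.upload)
    print("rejected:", result.rejected)
    print("\n".join(result.hash_lines))
```

The hash line is deliberately the thing that reaches the comment: a hash plus size is enough for any teammate to pull the sample from wherever it is properly stored, and it survives even if the upload scanner would have blocked the file.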

Create automation workflows from investigations

You can use prebuilt workflows such as quarantining assets, creating tickets, and running custom security flows to automatically respond to detections as they emerge in your environment. Read more about automation workflows.

To set up an automation workflow:

  1. Open the investigation.
  2. Click the Take action button.
  3. Select an action category.
  4. Select an automation action to take. Depending on the automation action, you may need to take additional configuration steps. These can range from finding an asset to quarantine to creating a Jira ticket. Follow the configuration prompts to complete the setup.
  5. Click the Take Action button.

Continue an investigation in Velociraptor

InsightIDR Ultimate customers have access to a version of the open source Digital Forensics and Incident Response (DFIR) tool Velociraptor that integrates with InsightIDR and adds DFIR capabilities to your investigative toolset. With integrated Velociraptor, you can create detections on events that Velociraptor monitors and pivot into Velociraptor while researching an investigation.

To continue an investigation in Velociraptor:

  1. Open an investigation that was created from a Velociraptor detection rule.
  2. Click View in Velociraptor. Velociraptor opens the associated artifact event page in a new tab.

Read more about how Velociraptor works with InsightIDR investigations.