Add Data to Investigations

When you open an investigation, you can add the following types of data:

  • Endpoint or asset data
  • Network data
  • Raw data

You can only add endpoint or asset data to your investigation on a Windows machine.

Endpoint Job Data

You can add endpoint data to investigations to see processes and forensic data, such as DNS cache, installed services, or registry keys, among many others.

To add endpoint data to an investigation:

  1. Select Add Endpoint Job data from the dropdown.
  2. Choose the job(s) you want to run. Configure any additional details required.
  3. Add one or more endpoints or add an asset group.
  4. Click Save.

Collected data will appear on the Investigation timeline as an "Actor."

Network Data

You can add network data for a specific date range and for specific users. The list of available network data is:

  • Account modified
  • Advanced malware alert
  • Asset authentication
  • Cloud service account modified
  • DNS query
  • Firewall
  • IDS
  • Ingress authentication
  • Virus infection
  • Web proxy

To add network data to an investigation:

  1. Select Add Network Data from the dropdown.
  2. Select your date range.
  3. Select users or assets to add as Investigation actors.
  4. Click Save.

Added users and assets will appear on the Investigation timeline as Actors.

Log Data

Any of the log data ingested by InsightIDR is available as Investigation data.

To add log data to an investigation:

  1. Select Add Log Data from the dropdown.
  2. Select one or more logs or log sets.
  3. Define your query. See Log Search for more information on writing queries.
  4. Find the desired log data.
  5. Select Send to Investigation to add the log data as an Actor. After you do this, you can add context to your selected logs.
  6. Click Save. The log line will then appear in the Investigation timeline.