Close an investigation

You can close an investigation from the Investigations or Investigation Details pages.

To close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Close.
  4. Select a Disposition.
  5. Click the Close Investigation button.

Apply allowlist rules

When you close certain investigations, you can add allowlist rules. Allowlist rules let InsightIDR know that it doesn’t need to open automatic investigations when it detects activity from the specified user or asset. Use an allowlist rule to prevent investigations from automatically opening for a specific asset or user in the future. The steps to create allowlist rules are different for ABA and UBA detection rules.

ABA detection rules and allowlisting

To allowlist assets or users for Attacker Behavior Analytics (ABA) rules, you need to create an exception.

  1. Navigate to Detection Rules > Attacker Behavior Analytics.
  2. Select a detection rule.
  3. Select the exceptions tab.
  4. Click the Create New Exception button.
  5. Enter the exception conditions.
  6. Name the exception.
  7. Optionally, add a note.
  8. Click the Create Exception button.
UBA detection rules and allowlisting

You can view modifications to User Behavior Analytics (UBA) rules by navigating to Detection Rules > Alert Modifications.

To allowlist an investigation:

  1. Select an investigation.
  2. Click the Close Investigation button.
  3. Select Allowlist and Close or Modify and Close.
  4. Select an allowlist rule or detection modification.
  5. Select a Disposition.
  6. Click the Apply Rule and Close or Apply Modification and Close button.

Bulk-close investigations

You can bulk-close investigations of the same type within a selected date range from the Investigations and Investigation Details screens.

To bulk-close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Bulk Close.
  4. Select a Disposition to apply to all of the bulk-closed investigations.
  5. Click the Close Investigations button.

Reopen an investigation

Investigations can be reopened from either the Investigations home or Investigation Details pages.

To reopen an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Open.