Create and Manage Investigations
When an alert has been triggered, InsightIDR allows you to start investigations into the incident. Investigations can be manual or automatic. An investigation is automatically created from an alert when InsightIDR detects malicious or suspicious activity within your network. Manual investigations can be opened by the operator. You can add network data, logs, or forensics job data to an investigation to contextualize it.
Investigations created by alerts
When an investigation is generated from an alert, related alerts of the same type and with the same key are added to it as they occur, for as long as it remains open. Alerts triggered by UBA rules have an associated key that differs based on the type of alert and the context of the investigation. For example, this key could be the user affected, the source user, the asset affected, or the source asset, depending on the situation. If other events with the same key occur, they are automatically added to the existing investigation if it is open.
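The grouping rule above, modeled as an added Python example (not InsightIDR code and not part of the original documentation). The alert type names, keys, and the `replay` helper are constructed for illustration, and the model assumes that once an investigation is closed, the next matching alert opens a new one.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Investigation:
    id: int
    alert_type: str
    key: str                      # e.g. the affected user or asset
    alerts: list = field(default_factory=list)
    is_open: bool = True

class InvestigationTracker:
    """Toy model of the type+key grouping rule; hypothetical, not product code."""

    def __init__(self):
        self._ids = count(1)
        self._open = {}           # (alert_type, key) -> open Investigation
        self.all = []             # every investigation, open or closed

    def ingest(self, alert):
        """Attach the alert to the open investigation with the same type
        and key, or create a new investigation if none is open."""
        slot = (alert["type"], alert["key"])
        inv = self._open.get(slot)
        if inv is None:
            inv = Investigation(next(self._ids), *slot)
            self._open[slot] = inv
            self.all.append(inv)
        inv.alerts.append(alert)
        return inv

    def close(self, inv):
        """Closing frees the slot, so a later match starts a new investigation."""
        inv.is_open = False
        self._open.pop((inv.alert_type, inv.key), None)

def replay(alerts, close_after=()):
    """Feed alerts in order, closing the receiving investigation after the
    alert indexes listed in close_after. Returns one summary per investigation."""
    tracker = InvestigationTracker()
    for i, alert in enumerate(alerts):
        inv = tracker.ingest(alert)
        if i in close_after:
            tracker.close(inv)
    return [(v.id, v.alert_type, v.key, len(v.alerts), v.is_open) for v in tracker.all]

# Constructed sample alerts (type names and keys are made up).
SAMPLE = [{"type": t, "key": k} for t, k in [
    ("brute_force", "user:jdoe"), ("brute_force", "user:jdoe"),
    ("brute_force", "user:asmith"), ("new_country_login", "user:jdoe"),
    ("brute_force", "user:jdoe"), ("brute_force", "user:jdoe"),
]]
```

Calling `replay(SAMPLE, close_after={4})` shows why alert counts and investigation counts diverge: six alerts produce four investigations, and the last alert lands in a new investigation only because the earlier one was closed first.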
Create an Investigation
You can also open a new investigation to search for something specific. Select New Investigation and enter the name of your new investigation.
Once the new investigation is created, you can add data to the investigation such as endpoint or asset data, network data, and raw logs. See Add Data to Investigations for more information.
You can also export the data to a PDF document or send it out to data exporters, such as ServiceNow. PDFs are available in the Report Archive.
Exported data will have a UTC timestamp.
Close an Investigation
Lastly, you can close an investigation. Choose whether or not you'd like to be alerted for exploit mitigations on the process for any asset(s).
You can close an investigation from within the "Details" page.
Or, you can close the investigation from the Investigation Timeline.
When you close an investigation, there is sometimes a "Do Not Alert for..." option. Select this option if you want to allowlist an asset or user when the same action that triggered the investigation happens again.
You can create and view modifications to User Behavior Analytics (UBA) rules under Detection Rules > Alert Modifications.
To allowlist assets or users for Attacker Behavior Analytics (ABA) rules, create an exception. Navigate to Detection Rules > Attacker Behavior Analytics and click into a detection rule to create an exception.
From the Investigations Timeline, you can filter investigations by the following:
- date range
- alert by attack chain
- alert type
- who the investigation is assigned to
- who the investigation was created by
- the type of scheduled forensic job
You can now assign open investigations to individual users and know exactly what your team is working on. Users will receive an email whenever they are assigned to a new investigation.
Click the "Assign" dropdown and type in the user's name to assign.
You can add notes to an investigation as you see fit. On the investigations page, you can see how many notes an open investigation has.
Click into the Investigation details to see the exact note, or add notes yourself.