Create and Manage Investigations

When an alert has been triggered, InsightIDR allows you to start investigations into the incident. Investigations can be manual or automatic. An investigation is automatically opened when InsightIDR detects malicious or suspicious activity within your network. Manual investigations can be opened by the operator. You can add network data, logs, or forensics job data to an investigation to contextualize it.

You can Modify Built-In Alerts to suit your needs or change Alert Settings.

Create an Investigation

To open an investigation manually, for example to search for something specific, select New Investigation and enter a name for it.

Add Data

Once the new investigation is created, you can add data to the investigation such as endpoint or asset data, network data, and raw logs. See Add Data to Investigations for more information.

Export Data

You can also export the data to a PDF document or send it out to data exporters, such as ServiceNow. PDFs are available in the Report Archive.

Exported data will have a UTC timestamp.

Close an Investigation

Lastly, you can close an investigation. When closing, choose whether or not you want to keep being alerted for exploit mitigations on that process for any of the affected asset(s).

You can close an investigation from within the "Details" page.

Or, you can close the investigation from the Investigation Timeline.

Allowlist Rules

When you close an investigation, there is sometimes an option labelled "Do Not Alert for...". Select this option if you want to allowlist an asset or user so that no new alert is raised when the same action that triggered the investigation happens again.

You can change these kinds of behaviors in Alerts under Settings > Alert Settings.
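The scope of a "Do Not Alert for..." rule decides how much future activity it silences: a rule tied to one asset and one user suppresses only that pair, while a rule tied to the alert type alone suppresses every asset. The following Python model is an added illustration of that effect; it is not InsightIDR's own code, and the alert records, the `AllowlistRule` class and the `triage` function are constructed for the example. Suppressed alerts are kept alongside the rule that matched them rather than dropped, so the suppression itself stays reviewable.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample alerts (not real InsightIDR data). Each carries the alert
# type, the asset it fired on and the user involved.
SAMPLE_ALERTS = [
    {"id": 1, "alert_type": "Exploit Mitigation", "asset": "ws-042", "user": "alice"},
    {"id": 2, "alert_type": "Exploit Mitigation", "asset": "ws-042", "user": "bob"},
    {"id": 3, "alert_type": "Exploit Mitigation", "asset": "srv-db-1", "user": "alice"},
    {"id": 4, "alert_type": "Harvested Credentials", "asset": "ws-042", "user": "alice"},
]


@dataclass(frozen=True)
class AllowlistRule:
    """Hypothetical record of a 'Do Not Alert for...' decision made when an
    investigation is closed. A None field means 'any', so the fewer fields
    that are set, the broader the suppression."""
    alert_type: str
    asset: Optional[str] = None
    user: Optional[str] = None

    def matches(self, alert: dict) -> bool:
        return (
            alert["alert_type"] == self.alert_type
            and (self.asset is None or alert["asset"] == self.asset)
            and (self.user is None or alert["user"] == self.user)
        )


def triage(alerts, rules):
    """Split alerts into those that would open an investigation and those an
    allowlist rule suppresses. Suppressed alerts are returned together with
    the rule that matched, so the decision can be audited later."""
    opened, suppressed = [], []
    for alert in alerts:
        rule = next((r for r in rules if r.matches(alert)), None)
        if rule is None:
            opened.append(alert)
        else:
            suppressed.append((alert, rule))
    return opened, suppressed


def suppression_counts(rules):
    """Return (opened, suppressed) counts for the sample alerts under `rules`."""
    opened, suppressed = triage(SAMPLE_ALERTS, rules)
    return len(opened), len(suppressed)


if __name__ == "__main__":
    # Narrow rule: only alice on ws-042 is silenced; the same alert type on
    # other assets or for other users still opens an investigation.
    narrow = [AllowlistRule("Exploit Mitigation", asset="ws-042", user="alice")]
    # Broad rule: every Exploit Mitigation alert is silenced, on any asset.
    broad = [AllowlistRule("Exploit Mitigation")]
    print("narrow rule (opened, suppressed):", suppression_counts(narrow))  # (3, 1)
    print("broad rule  (opened, suppressed):", suppression_counts(broad))   # (1, 3)
```

Reviewing the `suppressed` list periodically is the practical check: if a rule is silencing far more alerts than the single case it was created for, it was scoped too broadly when the investigation was closed.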

Manage Investigations

From the Investigations Timeline, you can filter investigations by the following:

  • date range
  • status
  • alert by attack chain
  • alert type
  • threat
  • who the investigation is assigned to
  • who the investigation was created by
  • the type of [scheduled forensic job](doc:scheduled-forensics)

Assign Investigations

You can now assign open investigations to individual users and know exactly what your team is working on. Users will receive an email whenever they are assigned to a new investigation.

Click the "Assign" dropdown and type in the user's name to assign.

Investigation Notes

While working an investigation, you can add notes to it as needed. On the Investigations page, you can see how many notes an open investigation has.

Click into the Investigation details to see the exact note, or add notes yourself.