Create and Manage Investigations
An investigation groups the evidence for a suspected incident so that you can work it from one place. InsightIDR opens an investigation automatically when it detects malicious or suspicious activity in your network; an operator can also open one manually. You can add network data, logs, or forensics job data to an investigation to give it context.
Create an Investigation
To open an investigation manually, for example to hunt for something specific, select New Investigation and enter a name for the investigation.
Once the new investigation is created, you can add data to the investigation such as endpoint or asset data, network data, and raw logs. See Add Data to Investigations for more information.
You can also export the data to a PDF document or send it out to data exporters, such as ServiceNow. PDFs are available in the Report Archive.
Timestamps in exported data are in UTC, not in your local time zone, so convert them before correlating with local evidence.
Close an Investigation
Lastly, you can close an investigation, either from its "Details" page or from the Investigation Timeline. When you close it, you choose whether you still want to be alerted when the same behavior (for example, an exploit mitigation firing on the same process) recurs on the affected asset(s).
When you close an investigation, you may be offered a "Do Not Alert for..." option. Selecting it whitelists the asset or user so that the action that triggered this investigation no longer raises an alert when it happens again. Because this silences future detections of that action for that asset or user, including a later malicious instance of it, only select it once you have confirmed the activity is expected and benign, and record why in the investigation notes.
You can review and change these whitelist entries under Settings > Alert Settings.
From the Investigations Timeline, you can filter investigations by the following:
- date range
- alert by attack chain
- alert type
- who the investigation is assigned to
- who the investigation was created by
- the type of [scheduled forensic job](doc:scheduled-forensics)
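The timeline filters above map naturally onto a small triage script. The following is an added example, not InsightIDR's own code or API: it applies the same filters (date range, alert type, assignee, creator, forensic job type) to a constructed JSON list of investigations, treats every timestamp as UTC as the export note above states, and handles the whole-day end-of-range edge that a naive date comparison gets wrong. The record field names (rid, created_time, assignee.email, created_by, alert_type, forensic_job_type) and the sample records are assumptions made for illustration.

```python
"""Apply Investigations Timeline style filters to a JSON list of investigations.

Added example, not InsightIDR's code. Field names are an assumption for
illustration; the records below are constructed, not a real export.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Constructed sample data. Timestamps are UTC with a trailing "Z".
SAMPLE_JSON = """[
  {"rid": "inv-1", "title": "Brute force against VPN", "status": "OPEN",
   "source": "ALERT", "created_time": "2024-03-01T08:15:00Z",
   "created_by": "system", "assignee": {"email": "alice@example.com"},
   "alert_type": "Account Brute Force", "forensic_job_type": null},
  {"rid": "inv-2", "title": "Hunt: unusual PowerShell", "status": "OPEN",
   "source": "USER", "created_time": "2024-03-03T23:59:30Z",
   "created_by": "bob@example.com", "assignee": null,
   "alert_type": null, "forensic_job_type": "Process Listing"},
  {"rid": "inv-3", "title": "Exploit mitigation on winword.exe", "status": "CLOSED",
   "source": "ALERT", "created_time": "2024-03-05T01:00:00Z",
   "created_by": "system", "assignee": {"email": "alice@example.com"},
   "alert_type": "Exploit Mitigation", "forensic_job_type": null}
]"""


def load_sample() -> list[dict]:
    return json.loads(SAMPLE_JSON)


def parse_utc(ts: str) -> datetime:
    """Parse an exported timestamp into a timezone-aware UTC datetime.

    datetime.fromisoformat() only accepts a "Z" suffix from Python 3.11, so
    rewrite it first. A naive value is treated as UTC, never as local time.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def date_range(start_day: str, end_day: str) -> tuple[datetime, datetime]:
    """Whole-day UTC bounds for an inclusive YYYY-MM-DD..YYYY-MM-DD picker.

    The returned end is exclusive (midnight after end_day), so investigations
    created late on the last day are not silently dropped.
    """
    start = datetime.fromisoformat(start_day).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_day).replace(tzinfo=timezone.utc) + timedelta(days=1)
    return start, end


def filter_investigations(
    records: Iterable[dict],
    *,
    start: Optional[datetime] = None,  # inclusive, timezone-aware
    end: Optional[datetime] = None,    # exclusive, timezone-aware
    alert_type: Optional[str] = None,
    assignee: Optional[str] = None,
    created_by: Optional[str] = None,
    forensic_job_type: Optional[str] = None,
    status: Optional[str] = None,
) -> list[dict]:
    """Return the investigations that satisfy every filter that was given."""
    out = []
    for rec in records:
        created = parse_utc(rec["created_time"])
        if start is not None and created < start:
            continue
        if end is not None and created >= end:
            continue
        if status is not None and rec.get("status") != status:
            continue
        if alert_type is not None and rec.get("alert_type") != alert_type:
            continue
        if created_by is not None and rec.get("created_by") != created_by:
            continue
        if forensic_job_type is not None and rec.get("forensic_job_type") != forensic_job_type:
            continue
        if assignee is not None and (rec.get("assignee") or {}).get("email") != assignee:
            continue
        out.append(rec)
    return out


def unassigned_open(records: Iterable[dict]) -> list[str]:
    """Open investigations nobody owns: the ones most likely to be forgotten."""
    return [r["rid"] for r in records if r.get("status") == "OPEN" and not r.get("assignee")]


def describe(rec: dict, utc_offset_hours: int = 0) -> str:
    """One-line summary with the UTC time shown in an analyst's local offset."""
    local = parse_utc(rec["created_time"]).astimezone(timezone(timedelta(hours=utc_offset_hours)))
    owner = (rec.get("assignee") or {}).get("email", "unassigned")
    return f"{rec['rid']} {local.isoformat()} [{rec['status']}] {rec['title']} -> {owner}"


if __name__ == "__main__":
    records = load_sample()
    start, end = date_range("2024-03-01", "2024-03-03")
    for rec in filter_investigations(records, start=start, end=end):
        print(describe(rec, utc_offset_hours=-5))
    print("unassigned open:", unassigned_open(records))
```

Run it as-is to see the first two sample investigations rendered in UTC-5; the 23:59:30 record on the last day of the range is kept because the range end is exclusive midnight of the following day rather than midnight of the end day itself.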
You can assign open investigations to individual users so that your team knows who is working on what. A user receives an email whenever an investigation is assigned to them.
To assign an investigation, click the "Assign" dropdown and type the user's name.
You can add notes to any investigation as you work it. The Investigations page shows how many notes each open investigation has; click into the investigation's details to read them or to add your own.