Create and Manage Investigations

When an alert has been triggered, InsightIDR allows you to start investigations into the incident. Investigations can be manual or automatic. An investigation is automatically created from an alert when InsightIDR detects malicious or suspicious activity within your network. Manual investigations can be opened by the operator. You can add network data, logs, or forensics job data to an investigation to contextualize it.

You can Modify Detection Rules to suit your needs or change Alerts Settings.

Investigations created by alerts

When an investigation is generated from an alert, as long as it remains open, related alerts of the same type and with the same key are added to the open investigation as they occur. Alerts triggered by UBA rules have an associated key that differs based on the type of alert and context of the investigation. For example, this key could be the user affected, the source user, the asset affected, or the source asset, depending on the situation. If other events with the same key occur, they will be automatically added to an existing investigation if open.

Create an Investigation

You can also open a new investigation to search for something specific. Select New Investigation and enter the name of your new investigation.

Add Data

Once the new investigation is created, you can add data to the investigation such as endpoint or asset data, network data, and raw logs. See Add Data to Investigations for more information.

Export Data

You can also export the data to a PDF document or send it out to data exporters, such as ServiceNow.

Exported data will have a UTC timestamp.

Close an Investigation

Lastly, you can close an investigation. Choose whether or not you'd like to be alerted for exploit mitigations on the process for any asset(s).

You can close an investigation from within the "Details" page.

Or, you can close the investigation from the Investigation Timeline.

Allowlist Rules

When you close an investigation, there is sometimes an option "Do Not Alert for..." Select this option if you want to allowlist an asset or user when the same action that triggered the investigation happens again.

You can create and view modifications to User Behavior Analytics (UBA) rules under Detection Rules > Alert Modifications.

To allowlist assets or users for Attacker Behavior Analytics (ABA) rules, create an exception. Navigate to Detection Rules > Attacker Behavior Analytics and click into a detection rule to create an exception.

Manage Investigations

From the Investigations Timeline, you can filter investigations by the following:

  • date range
  • status
  • alert by attack chain
  • alert type
  • threat
  • who the investigation is assigned to
  • who the investigation was created by
  • the type of [scheduled forensic job](doc:scheduled-forensics

Assign Investigations

You can now assign open investigations to individual users and know exactly what your team is working on. Users will receive an email whenever they are assigned to a new investigation.

Click the "Assign" dropdown and type in the user's name to assign.

Investigation Notes

You can add notes to an investigation as you see fit. On the investigations page, you can see how many notes an open investigation has.

Click into the Investigation details to see the exact note, or add notes yourself.