Create an investigation
Copy link

You can manually create an investigation from the Investigations page or the User and Accounts page in SIEM (InsightIDR).

Investigate a user or an asset from the Investigations page
Copy link

To create an investigation:

  1. From the SIEM (InsightIDR) left menu, select Investigations.
  2. Click the Create Investigation button.
  3. In the Enter Name field, provide the name of the investigation.
  4. Optionally, in the Select Assignee field, type and select the name of the user to whom you want to assign the investigation.
  5. In the Select Priority field, choose Critical, High, Medium, or Low.
  6. Click the Create Investigation button.
  7. Optionally, take action by using an automated workflow from multiple plugins or Insight Agent actions.

Once the investigation has been created, you can add data to your investigation.

Investigate a user from the User and Accounts page
Copy link

To create an investigation:

  1. From the SIEM (InsightIDR) left menu, select Users and Accounts.
  2. Select a user category.
  3. Search for the user.
  4. Select Investigate [User Name]. The Create Investigation modal appears.
  5. Add an investigation name, date range, and other assets or users to the investigation.
  6. Click the Save button.
  7. Optionally, if you need more evidence, you can schedule endpoint queries to gather information for you.
  8. Optionally, take action by using an automated workflow from multiple plugins or Insight Agent actions.