Investigation

Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Detection Rules. In InsightIDR, investigations may be created by a user or by the system.

Explore an Investigation

The Investigations page allows you to quickly search through your data and provides the context you need to effectively prioritize, sort, and respond to an incident. Let’s take a closer look at the key components that make up an investigation:

Investigations Page

The main Investigations page provides an overview of all investigations, both system-created and manually created, organised by priority.

This view can be refined further by using the filters on the left-hand side. You can filter investigations by:

  • Date Range: The default selection is 28 days.
  • Priority: Critical, High, Medium, Low and Unspecified
  • Status: Open, Investigating and Closed
  • Assignee: Users assigned to the investigation

Investigation Details

Click into an investigation to view its Investigation Details page. This detailed view gives you an overview of everything related to that particular investigation:

  • The investigation’s name and creation date, along with its status, priority, assignee, disposition, customer, most recent detection, and last accessed date
  • Notes related to the investigation
  • Contextual data

Timeline View

This view provides you with all the activity and information related to the investigation in the form of a timeline or a table, including the users and assets involved.

Some events in the timeline have a See More option. Selecting this will open a peek panel with 4 tabs:

  • Rule Context: This is the threat group associated with the detection rule that created the investigation. It includes all of the detection rules associated with that same threat group in addition to the rule that created the investigation.
  • Rule Logic: This is the query that the detection rule uses to generate a detection.
  • Evidence: Here you can view the detection rule that created the investigation as well as the content in your environment that matched the rule logic.
  • MITRE ATT&CK: This shows how the related detection rule maps to the MITRE ATT&CK framework. You’ll get deeper insight into an attacker’s position in the attack chain, context into the nature of a detection, and knowledge of common mitigation strategies used to respond to an attack.

Timeline Icons

An investigation timeline can include a variety of event types. Each type is represented by a unique icon (image: Investigation Timeline icons and their meanings).

System Created Investigations

System-created investigations are automatically generated when a pre-configured detection rule detects something unusual in your environment, triggering an alert. They can be generated by Attacker Behavior Analytics rules, User Behavior Analytics rules, and Custom Alerts.

InsightIDR adds related detections to an open system-created investigation when:

  • ABA, UBA or Custom Alerts triggered the investigation:
    • ABA detection rules where the rule action is set to "Create Investigations"
    • UBA detection rules where the alert modification is set to ON
    • Custom Alerts that are configured to generate alerts
  • The related detections are of the same type and have the same primary actor

User-created investigations are created manually by users.

Alert throttling for Attacker Behavior Analytics detection rules

If an Attacker Behavior Analytics rule triggers a large quantity of alerts in a small time frame, the total number of alerts sent to Investigations is capped. Alerts are restricted according to these limits:

  • 20 alerts per asset per minute
  • 500 alerts per organization per minute
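The two mechanisms described above, as an added example that is not InsightIDR’s own code: a simulation of the per-asset and per-organization ABA alert caps, followed by grouping of the surviving alerts into open investigations by rule type and primary actor. The fixed one-minute window, the Alert fields, and the sample hosts and actors are assumptions; the page gives only the two limits and the grouping criteria.

```python
from collections import defaultdict
from dataclasses import dataclass

# Caps the page states for Attacker Behavior Analytics alerts.
PER_ASSET_PER_MINUTE = 20
PER_ORG_PER_MINUTE = 500


@dataclass(frozen=True)
class Alert:
    ts: int          # epoch seconds (assumed field)
    asset: str       # asset the alert fired on
    rule_type: str   # "ABA", "UBA" or "Custom"
    actor: str       # primary actor of the detection


def throttle(alerts):
    """Return (kept, dropped) after applying both per-minute caps in time order.
    Assumes a fixed window keyed on ts // 60 (the page does not specify)."""
    per_asset, per_org = defaultdict(int), defaultdict(int)
    kept, dropped = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        minute = a.ts // 60
        if (per_asset[(a.asset, minute)] >= PER_ASSET_PER_MINUTE
                or per_org[minute] >= PER_ORG_PER_MINUTE):
            dropped.append(a)
            continue
        per_asset[(a.asset, minute)] += 1
        per_org[minute] += 1
        kept.append(a)
    return kept, dropped


def aggregate(alerts, open_investigations=None):
    """Attach each alert to the open investigation with the same rule type and
    primary actor, opening a new one when none exists. Keys: (rule_type, actor)."""
    invs = {k: list(v) for k, v in (open_investigations or {}).items()}
    for a in alerts:
        invs.setdefault((a.rule_type, a.actor), []).append(a)
    return invs


def sample_burst():
    """Constructed sample: 25 ABA alerts from host-a (actor alice) in one minute,
    3 from host-b (actor bob), and one more from host-a in the next minute."""
    alerts = [Alert(1200 + i, "host-a", "ABA", "alice") for i in range(25)]
    alerts += [Alert(1210 + i, "host-b", "ABA", "bob") for i in range(3)]
    alerts.append(Alert(1260, "host-a", "ABA", "alice"))
    return alerts
```

Running `throttle(sample_burst())` drops the last five host-a alerts of the first minute, so the alice investigation shows 21 events rather than 26; this is the gap an analyst should expect when reviewing a burst that hit the cap.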

Sometimes investigations are automatically generated by alerts that are later deemed unnecessary or outdated. This can create unwanted noise in your environment. If this happens, you can control the alerts that are automatically generated by InsightIDR's ABA and UBA detection rules by modifying the ABA detection rule action or updating the UBA alert modification.

Create a Manual Investigation

You can manually create an investigation from the User Details page or Investigations page in InsightIDR.

To create an investigation:

  1. From the left-hand menu of InsightIDR, go to Investigations.
  2. Click Create Investigation.
  3. In the Enter Name field, provide the name of the investigation.
  4. (Optional) In the Select Assignee field, type and select the name of the user to whom you want to assign the investigation.
  5. In the Select Priority field, choose Critical, High, Medium, or Low.
  6. Click Create Investigation.
  7. (Optional) Take action by using an automated workflow from multiple plugins or Insight Agent actions.

Once the investigation has been created, you can add data to your investigation.

Investigate an asset or user

  1. From the InsightIDR left menu, select Users and Accounts. The Users and Accounts page opens.
  2. Select a user category.
  3. Search for the user.
  4. Select the user. The User Details page will open.
  5. Select Investigate [User Name]. The Create Investigation modal appears.
  6. Add an investigation name, a date range, and any other assets or users to the investigation.
  7. Click Save.
  8. (Optional) If you need more evidence, you can configure Scheduled Forensics to gather information for you.
  9. (Optional) Take action by using an automated workflow from multiple plugins or Insight Agent actions.

Assign Investigations

You can assign open investigations to individual users and know exactly what your team is working on. Users will receive an email whenever they are assigned to a new investigation.

To assign a user to an investigation:

  1. Select an investigation.
  2. Click on the assignee dropdown.
  3. Enter the assignee’s name.
  4. Select the assignee.

Add Data to an Investigation

Once an investigation is created, you can add data to the investigation such as actor data and raw logs. If you are using a Windows machine, you can add endpoint or asset data to your investigation.

Add Endpoint Job Data

You can add endpoint data to investigations to see processes and forensic data, such as DNS cache, installed services, or registry keys.

To add endpoint data to an investigation:

  1. Within an investigation, click Explore Contextual Data.
  2. Select Query Endpoint.
  3. Choose the job(s) you want to run. Configure any additional details required.
  4. Add one or more endpoints or add an asset group.
  5. Click Save.

Collected endpoint data will appear on the Investigation timeline as an "Actor."

Add Actor Data

You can add network data from a specific date range that is associated with specific users or assets. The available network data types are:

  • Account modified
  • Advanced malware alert
  • Asset authentication
  • Cloud service account modified
  • DNS query
  • Firewall
  • IDS
  • Ingress authentication
  • Virus infection
  • Web proxy

To add actor data to an investigation:

  1. Within an investigation, click on the Explore Contextual Data dropdown.
  2. Select Inspect Actor Activity.
  3. Select your date range.
  4. Select users or assets to add as Investigation actors.
  5. Click Save.

Added users and assets will appear on the Investigation timeline as Actors.

Add Log Data

Any log data that is ingested by InsightIDR can be added to an Investigation.

To add log data to an investigation:

  1. Within an investigation, click Explore Contextual Data.
  2. Select Search Logs.
  3. Select one or more logs or log sets.
  4. Define your query. See Log Search for more information on writing queries.
  5. Find the desired log data.
  6. Select Send to Investigation to add the log data as an Actor. After you do this, you will have the ability to add context to your selected logs.
  7. Click Save. The log line then appears in the Investigation timeline.

Export Data

You can also export the data to a PDF document or send it to your data exporters, such as ServiceNow.

Apply Allowlist Rules

Allowlist rules let InsightIDR know that it doesn’t need to open automatic investigations when it detects activity from the specified user or asset. When you close certain investigations, you’ll see an option to add allowlist rules. Use an allowlist rule if you would like to prevent investigations from automatically opening for a specific asset or user in the future. The steps to create allowlist rules are different for ABA and UBA detection rules.

ABA detection rules and allowlisting

To allowlist assets or users for Attacker Behavior Analytics (ABA) rules, you need to create an exception.

  1. Navigate to Detection Rules > Attacker Behavior Analytics.
  2. Select a detection rule.
  3. Select the Exceptions tab.
  4. Click Create New Exception.
  5. Enter the exception conditions.
  6. Name the exception.
  7. Add a note (optional).
  8. Click Create Exception.

UBA detection rules and allowlisting

You can view modifications to User Behavior Analytics (UBA) rules by navigating to Detection Rules > Alert Modifications.

To allowlist an investigation:

  1. Select an investigation.
  2. Click Close Investigation.
  3. Select Allowlist and Close or Modify and Close.
  4. Select an allowlist rule or detection modification.
  5. Ensure you select a disposition if you haven’t already done so.
  6. Click Apply Rule and Close or Apply Modification and Close.

Manage Investigation Priority

Investigation priority is the scale given to an investigation based on the impact and urgency of the detections and assets associated with it.

System-created investigations inherit the priority level of the detection rule that triggered them and are automatically prioritised into one of 4 categories: critical, high, medium, or low. Investigations without a priority rating are labeled "Unspecified". User-created investigations require a priority level to be selected before the investigation can be created.

Override the Inherited Priority Level

To override the inherited priority level for an investigation, select the Priority dropdown and choose a different priority.

When you change the priority of a system created investigation, you are overriding the inherited priority for that investigation, but not for the detection rule that created it.

Update the Investigation Status

Once investigations are created they are given a status of open. This status is displayed on both the Investigations page and the Investigation Details page. The status of an investigation can be updated at any time to investigating. However, to update it to closed, a disposition must be selected.

To update the status of an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select a status.

View Linked Assets and Users

Investigations often have actors (assets or users) associated with them. From the main Investigations page, you can view high-level asset and user information by expanding an investigation card. For a more detailed view, click into an investigation.

To view the assets and users of an investigation:

  1. Select an investigation.
  2. Select the arrow dropdown on the far right of the investigation card.
  3. Use the tabs provided to view all linked assets or users, or use search to find a specific user or asset.

Add Notes to an Investigation

On the investigations details page, you can view notes associated with an open investigation or add new notes.

To add investigation notes:

  1. Select an investigation.
  2. Click Notes.
  3. Enter your notes.
  4. Click Save.

Take action on an Investigation

Taking action on an investigation allows you to utilise prebuilt workflows to automatically respond to detections as they emerge in your environment.

To take action:

  1. Select an investigation.
  2. Click the Take Action button.
  3. Select a workflow.
  4. Complete configuration.
  5. Click Take Action to save.

Close an Investigation

You can close an investigation from the Investigations or Investigation Details pages.

To close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select close.
  4. Select a disposition if you have not done so already.
  5. Click Close Investigation.

Bulk Close Investigations

You can also bulk close investigations of the same type within a selected date range from the Investigations and Investigation Details screens.

To bulk close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select bulk close.
  4. Select a disposition if you have not done so already. This will apply to all of the bulk closed investigations.
  5. Click Close Investigations.

Reopen an Investigation

Investigations can be reopened from either the Investigations home or Investigation Details pages.

To reopen an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Open.

Search your Investigations

You can search for specific investigations using the search field. This field allows you to search using:

  • Investigation names
  • Users associated with the investigation
  • Assets that might be found within an investigation