Investigations

Investigations collect all of the applicable alert data in a single place and are closely tied to Alerts and Detection Rules.

Types of investigations

In InsightIDR, investigations can be created by the system or by a user.

System-created investigations

System-created investigations are automatically generated when a detection rule detects something unusual in your environment, triggering an alert. Investigations can be generated by Attacker Behavior Analytics rules, User Behavior Analytics rules, and Custom Alerts.

InsightIDR adds related detections to an open system-created investigation when:

  • The detections come from an ABA detection rule, a UBA detection rule, or a Custom Alert that is configured to trigger investigations:
    • ABA detection rules where the rule action is set to "Create Investigations"
    • UBA detection rules where the rule action is set to "Create Investigations"
    • Custom Alerts that are configured to generate alerts
  • The related detections are of the same type and have the same primary actor.

Alert throttling for Attacker Behavior Analytics detection rules

If an Attacker Behavior Analytics rule triggers a large quantity of alerts in a small time frame, the total number of alerts sent to Investigations is capped. Alerts are restricted according to these limits:

  • 20 alerts per asset per minute
  • 500 alerts per organization per minute
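As an added illustration of the two mechanisms described above (grouping related detections into one open investigation by detection type and primary actor, and capping alerts at 20 per asset per minute and 500 per organization per minute), the following Python simulation is included here; it is not InsightIDR's own code. It assumes fixed one-minute windows, that alerts are processed in timestamp order, and that an alert's primary actor and the asset it was raised on are separate fields; the sample alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Limits stated on the page. The page does not state the window algorithm,
# so this example assumes fixed one-minute windows.
PER_ASSET_PER_MINUTE = 20
PER_ORG_PER_MINUTE = 500

# Minute-aligned base timestamp for the constructed samples (divisible by 60).
BASE_TS = 1_700_000_040


@dataclass(frozen=True)
class Alert:
    ts: int           # epoch seconds at which the alert was raised
    rule_type: str    # "ABA", "UBA" or "Custom" (the detection type)
    actor: str        # primary actor of the detection (a user or an asset)
    asset: str        # asset the alert was raised on (used for the per-asset cap)
    rule: str         # name of the rule that fired


@dataclass
class Investigation:
    rule_type: str
    actor: str
    alerts: list = field(default_factory=list)


def throttle(alerts):
    """Return (kept, dropped) after applying both per-minute caps in timestamp order."""
    per_asset = defaultdict(int)   # (minute, asset) -> alerts already sent
    per_org = defaultdict(int)     # minute -> alerts already sent
    kept, dropped = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        minute = a.ts // 60
        if (per_asset[(minute, a.asset)] >= PER_ASSET_PER_MINUTE
                or per_org[minute] >= PER_ORG_PER_MINUTE):
            dropped.append(a)
            continue
        per_asset[(minute, a.asset)] += 1
        per_org[minute] += 1
        kept.append(a)
    return kept, dropped


def group_into_investigations(alerts):
    """Add each alert to the open investigation with the same detection type and
    primary actor, opening a new investigation when none exists yet."""
    open_invs = {}
    for a in alerts:
        key = (a.rule_type, a.actor)
        if key not in open_invs:
            open_invs[key] = Investigation(a.rule_type, a.actor)
        open_invs[key].alerts.append(a)
    return list(open_invs.values())


def asset_burst():
    """Constructed input: 25 ABA alerts on one host within one minute (5 over the
    per-asset cap) plus one UBA alert about a user on a different host."""
    alerts = [Alert(BASE_TS + i, "ABA", "host-42", "host-42", "suspicious process")
              for i in range(25)]
    alerts.append(Alert(BASE_TS + 10, "UBA", "alice", "workstation-7", "new login location"))
    return alerts


def org_burst():
    """Constructed input: 600 alerts in one minute spread evenly over 30 hosts, so
    every host sits exactly at its own cap but the organization cap still bites."""
    return [Alert(BASE_TS + (i % 60), "ABA", f"host-{i % 30}", f"host-{i % 30}", "noisy rule")
            for i in range(600)]


def summarize(alerts):
    """Throttle, then group; return counts that can be compared with the page's limits."""
    kept, dropped = throttle(alerts)
    invs = group_into_investigations(kept)
    return {
        "kept": len(kept),
        "dropped": len(dropped),
        "investigations": len(invs),
        "alerts_per_investigation": sorted(len(i.alerts) for i in invs),
    }


if __name__ == "__main__":
    print("asset burst:", summarize(asset_burst()))
    print("org burst:", summarize(org_burst()))
```

The asset burst keeps 21 alerts and drops 5, landing in two investigations (20 ABA alerts for host-42, one UBA alert for alice); the organization burst keeps 500 and drops 100 even though no single host exceeds its own cap, which is the effect to expect when a noisy rule fires across many assets at once.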

Sometimes investigations are automatically generated by alerts that are later deemed unnecessary or outdated. This can create unwanted noise in your environment. If this happens, you can control the alerts that are automatically generated by InsightIDR's ABA and UBA detection rules by modifying the ABA detection rule action or updating the UBA rule action.

User-created investigations

You can manually create an investigation if you would like to investigate the activity of a user or asset. To learn how to get started, visit Create an investigation.

Explore an investigation

You can view investigations in several ways, allowing you to get the context you need to effectively prioritize, sort, and respond to an incident.

Investigations

The main Investigations page provides you with an overview of all investigations, both system-created and user-created, which are displayed in order of priority.

This view can be refined even further by using the filters. You can filter investigations by:

  • Date Range - The default selection is 28 days.
  • Priority - The options are Critical, High, Medium, Low, and Unspecified.
  • Status - The options are Open, Investigating, Waiting, and Closed.
  • Assignee - The user who is assigned to the investigation.

Search your investigations

You can search for specific investigations using the search field. This field allows you to search using:

  • Investigation names
  • Users associated with the investigation
  • Assets that might be found within an investigation

View linked assets and users

Investigations often have actors (assets or users) associated with them. From the main Investigations page, you can view high-level asset and user information by expanding an investigation card. For a more detailed view, click into an investigation.

To view the assets and users of an investigation:

  1. Select an investigation.
  2. Select the arrow dropdown on the far right of the investigation card.
  3. Use the tabs provided to view all linked assets or users, or use search to find a specific user or asset.

Investigation details

To view the Investigations Details page, select any investigation. From this page, you can examine the finer details, such as the activity that triggered the creation of the investigation and a timeline of events.

You can also explore the contextual data and take actions on your investigation.

At the top of the page, the main investigation details card is displayed. For user-created investigations, the details shown are:

  • The name of the investigation
  • The date it was created
  • The date and time it was last accessed
  • The most recent detection
  • The status, priority, assignee, and disposition

For system-created investigations, the investigation name is generated by the alert that triggered it.

Learn more about updating the primary investigation attributes, such as the status, priority, assignee, and disposition.

Timeline view

From the Investigation Details page, you can view all of the activity and information related to the investigation in the form of a timeline or a table, including the users and assets that are involved.

Guide to timeline icons and options

An investigation timeline can include a variety of events, with each type represented by a unique icon. The icons and what they represent are shown in the image "Investigation Timeline icons and their meanings".

Some events in the timeline have an Evidence option, which you can select to open a panel with these tabs:

  • Rule Context - This is the threat group associated with the detection rule that created the investigation. It includes all of the detection rules associated with that same threat group in addition to the rule that created the investigation.
  • Rule Logic - This is the query that the detection rule uses to generate a detection.
  • Evidence - Here you can view the detection rule that created the investigation as well as the content in your environment that matched the rule logic.
  • MITRE ATT&CK - This shows how the related detection rule maps to the MITRE ATT&CK framework. You’ll get deeper insight into an attacker’s position in the attack chain, context into the nature of a detection, and knowledge of common mitigation strategies used to respond to an attack.

Audit log

No data displaying in the audit log?

To view the audit log, you need access to the InsightIDR Investigations log. Read more about managing access to logs and log sets in the Insight Platform documentation. Contact your Platform Administrator for questions about your permissions.

The audit log is a detailed chronological view of every action taken in relation to a particular investigation. It can help contribute to strengthened security reporting and compliance within your organization.

Additional benefits of using an audit log include improved team collaboration, the ability to analyze user activity and response times during security breaches, a basis for recommending new security procedures, and a record that can serve as legal evidence.

The audit log collects data about all of the updates to an investigation, when they were made, and by whom. From the audit log panel, you can filter your view to focus on any of the information you are looking for, such as:

  • Any changes to the disposition, priority, assignee, or status
  • The endpoint queries that were run
  • Any comments and attachments that were added

To view and download the audit log:

  1. Open an investigation.
  2. Click the Audit Log button.
  3. In the Audit Log panel, set the date range for the updates that you want to view.
  4. Optionally, select filters to streamline your view of the updates.
  5. To save the audit log locally, click the Download button. The downloaded log contains the updates that occurred within the selected date range only.

To search the data in the audit log, go to Log Search and select the Audit Logs log set. Read Event Types and Keys to understand which keys are available to use in your query.

Investigation responsibility for MDR customers

If you are a Managed Detection and Response (MDR) customer, you can view the Rapid7 Managed tag in our Investigations experience to determine which investigations are the responsibility of our MDR SOC team and which ones are yours to manage.