Investigations

Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Detection Rules.

Types of investigations

In InsightIDR, investigations can be created by the system or by a user.

System-created investigations

System-created investigations are automatically generated when a detection rule detects something unusual in your environment, triggering an alert. Investigations can be generated by detection rules, legacy detection rules, and basic detection rules.

InsightIDR adds related detections to an open, system-created investigation when:

  • Detection rules trigger an investigation
    • Detection rules and legacy detection rules where the rule action is set to "Create Investigations"
    • Basic detection rules are configured to generate investigations
  • The related detections are the same type and have the same primary actor.

Throttling for detection rules

If a detection rule triggers a large quantity of detections in a small time frame, InsightIDR will restrict the number of alerts and investigations created. These limits differ between detection rules and legacy UBA detection rules.

Detection Rules
The total number of alerts sent to investigations are restricted according to these limits:

  • 20 alerts per asset, per minute
  • 500 alerts per organization, per minute

Legacy UBA detection rules
Legacy rules do not create alerts, only investigations. The number of investigations created are restricted according to this limit:

  • 50 investigations per legacy rule, per 5-minute window

The throttle resets every five minutes, meaning you may see up to 100 investigations within a 5-minute period if the investigations fall into two separate 5-minute windows.

View examples of throttling for legacy UBA rules
In this scenario, the number of investigations are throttled after 50 investigations have been created.
Legacy rule detectionsInvestigations created by InsightIDR
10:20 AM created 25 Third Party Alert investigations25 investigations created
10:22 AM created 20 Third Party Alert investigations20 investigations created
10:23 AM created 10 Third Party Alert investigationsOnly 5 investigations created, the remainder is throttled
10:24 AM created 5 Third Party Alert investigations0 investigations created

In this scenario, investigations are not throttled because only 50 investigations are created per each 5-minute interval.

Legacy rule detectionsInvestigations created by InsightIDR
10:19 AM created 50 Third Party Alert investigations50 investigations created
10:20 AM created 50 Third Party Alert investigations50 investigations created

Sometimes investigations and alerts are automatically generated, but are later deemed unnecessary or outdated. This can create unwanted noise in your environment. If this happens, you can control the investigations and alerts that are automatically generated by InsightIDR's detection rules by modifying the detection rule action or for legacy rules, updating the legacy rule action.

User-created investigations

You can manually create an investigation if you would like to investigate the activity of a user or asset. To learn how to get started, visit Create an investigation.

Explore an investigation

You can view investigations in several ways, allowing you to get the context you need to effectively prioritize, sort, and respond to an incident.

Investigations

The main Investigations page provides you with an overview of all investigations, both system-created and user-created, which are displayed in order of priority.

This view can be refined even further by using the filters. You can filter investigations by:

  • Date Range - The date that the investigation was created. The default selection is 28 days.
  • Responsibility - Displays for Managed Detection and Response (MDR) customers only. Indicates whether the investigation is the responsibility of your company or the Rapid7 MDR SOC.
  • Priority - The priority assigned to the investigation, based on the impact and urgency of the detections and assets associated with it. The options are Critical, High, Medium, and Low.
  • Status - Indicates where the investigation is in the triage process. The options are Open, Investigating, Waiting, and Closed.
  • Detection Rule - The detection rule that created the investigation.
  • MITRE ATT&CK Coverage - The MITRE ATT&CK tactic associated with the detection rule that created the investigation.
  • Investigation Type - Indicates how the investigation was created. The options are User, Detection Rule, Scheduled Endpoint Queries, and Automation.
  • Assignee - The user who is assigned to the investigation.

Search your investigations

You can search for specific investigations using the search field. This field allows you to search using:

  • Investigation names
  • Users associated with the investigation
  • Assets that might be found within an investigation

View linked assets and users

Investigations often have actors, assets or users, associated with them. From the main Investigations page, you can view high-level asset and user information by expanding an investigation card. For a more detailed view, click into an investigation.

To view the assets and users of an investigation:

  1. Select an investigation.
  2. Select the arrow dropdown on the far right of the investigations card. Investigations dropdown
  3. Use the tabs provided to view all linked assets or users, or use search to find a specific user or asset.

Investigation details

To view the Investigations Details page, select any investigation. From this page, you can examine the finer details, such as the activity that triggered the creation of the investigation and a timeline of events.

You can also explore the contextual data and take actions on your investigation.

At the top of the page, the main investigation details card is displayed. For user-created investigations, the details shown are:

  • The name of the investigation
  • The date it was created
  • The date and time it was last accessed
  • The most recent detection
  • The status, priority, assignee, and disposition

For system-created investigations, the investigation name is generated by the detection rule that triggered it.

Learn more about updating the primary investigation attributes, such as the status, priority, assignee, and disposition.

Timeline view

From the Investigation Details page, you can view all of the activity and information related to the investigation in the form of a timeline or a table, including the users and assets that are involved.

Guide to timeline icons and options

An investigation timeline can include a variety of events, with each type represented by a unique icon. Here is a list of the icons and what they represent:

IconMeaning
Lightning bolt iconAlert
Flag iconNotable behavior
Search iconLogs
Play iconWorkflow
Crosshairs iconEndpoint queries
Document iconNotes
Person iconUser
Computer iconAsset
Line iconAutomation workflow

Alerts in investigations

In the timeline and table, InsightIDR provides extra details and actions for the alert event type, which allows you to gain helpful context during the investigation process.

View alert details

Select the Alert Details button to open a panel with information about the alert.

Evidence

The Evidence tab displays the primary information about the alert’s current state and how it was generated. The top of the tab provides an overview of the alert, including the Alert Title, Priority, Assignee, Disposition, and Status. If you’re an MDR customer and the alert is managed by Rapid7, this tab also displays the Rapid7 managed tag, as well as any other tags that the Rapid7 SOC has added to the alert. The expandable sections provide information about how the alert was generated, including:

  • Description and Recommendation - A brief description of the alert and recommendation(s) for triage.
  • Process Tree - Details about the process that occurred when the alert was generated and the processes that occurred before and after.
  • Rule Logic and Matched Data - Detection rule logic that generated the alert and the corresponding key-value payload data from your environment.
    • View the payload data as a table or in JSON format.
    • Select the Highlight matching keys and Filter matching keys toggles to quickly view the values that the detection rule alerted you to.
    • Click Show Rule Logic and Hide Rule Logic to adjust your view.
    • Click View Log Entry in the alert payload to view the associated log entry in Log Search with the relevant log and time range selected.

Different Experience for AWS GuardDuty Alerts

As part of an open beta, we are currently experimenting with a new layout for Evidence. This new layout only appears for alerts generated by AWS GuardDuty. This new layout will continue to be revised over the coming months. When viewing an alert from GuardDuty, the Evidence tab contains four sub-tabs:

  • Alert Overview - This tab displays information that is similar to a non-Guard Duty alert's Evidence tab, providing details about how and why the alert was generated.
  • Impacted Resources - Displays details about the resources that are potentially impacted by the alert.
  • Remediation, Scripts & Queries - Provides remediation steps as well as scripts and queries you can use to assist with remediation.
  • AWS GuardDuty JSON - Displays the full JSON of the AWS GuardDuty alert object.
Exceptions

The Exceptions tab displays information about any exceptions that exist in the detection rule that generated the alert. The detection rule exceptions provide additional context around the intent behind the rule and can help indicate whether the resulting alert represents suspicious behavior.

You can also create new exceptions on this tab for key-value pairs that are relevant to the specific alert. Read more about creating detection rule exceptions.

Audit Log

The Audit Log tab includes a detailed chronological view of every action taken in relation to the alert, when the action was taken, and by which user.

Read more about viewing the alert audit log.

MITRE ATT&CK

The MITRE ATT&CK tab includes the MITRE ATT&CK tactic mapped to the detection rule that generated the alert. The MITRE ATT&CK tactic helps direct you to other areas in your environment that might be compromised by the threat, if the alert represents suspicious activity.

Read more about which ABA detection rules map to which MITRE ATT&CK tactics.

Remove an alert

Select the Remove Alert button to disassociate the alert from the investigation. Removing an alert from an investigation does not delete it from InsightIDR.

Audit logs

No data displaying in the audit log?

To view the audit logs, you need access to the InsightIDR Investigations and InsightIDR Alerts logs. Read more about managing access to logs and log sets in the Insight Platform documentation. Contact your Platform Administrator for questions about your permissions.

The audit log is a detailed chronological view of every action taken in relation to a particular object. It can help contribute to strengthened security reporting and compliance within your organization.

The additional benefits of using an audit log include improved team collaboration, the ability to analyze user activity and their response time during security breaches, recommending new security procedures, and providing legal evidence.

InsightIDR has two audit logs, one for investigations and one for alerts.

Investigations audit log

The investigations audit log collects data about all of the updates to an investigation, when they were made, and by which user. From the audit log panel, you can filter your view to focus on any of the information you are looking for, such as:

  • Any changes to the disposition, priority, assignee, or status
  • The endpoint queries that were run
  • Any comments and attachments that were added

To view and download the investigations audit log:

  1. From the left menu, go to Investigations.
  2. Select an investigation.
  3. Click Audit Log.
  4. In the Audit Log panel, set the date range for the updates that you want to view.
  5. Optionally, select filters to streamline your view of the updates.
  6. To save the audit log locally, click the Download button. The downloaded log contains the updates that occurred within the selected date range only.

To query the investigations audit log in Log Search:

  1. From the left menu, go to Log Search.
  2. Select the Audit Logs log set with the InsightIDR Investigations log. Read about Event Types and Keys to understand which keys are available to use in your query.
Alerts audit log

The alerts audit log captures data about all of the updates to an alert, when they were made, and by whom.

To view an alert’s audit log:

  1. From the left menu, go to Investigations.
  2. Select an investigation.
  3. Select the Alert Details button for the alert with the audit log you want to view.
  4. Click the Audit Log tab.
  5. On the left, apply filters to locate the audit log entries that you want to view.
  6. On the right, expand each audit log entry to view its details.

To query the alert audit log in Log Search:

  1. From the left menu, go to Log Search.
  2. Select the Audit Logs log set with the InsightIDR Alerts log. Read about Event Types and Keys to understand which keys are available to use in your query.

Investigation responsibility for MDR customers

If you are a Managed Detection and Response (MDR) customer, you can view the Rapid7 Managed tag in our Investigations experience to determine which investigations are the responsibility of our MDR SOC team and which ones are yours to manage.