Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Detection Rules.
Types of investigations
System-created investigations are automatically generated when a detection rule detects something unusual in your environment, triggering an alert. Investigations can be generated by detection rules, legacy detection rules, and basic detection rules.
InsightIDR adds related detections to an open system-created investigation when:
- Detection rules trigger an investigation
- The rule action of a detection rule or legacy detection rule is set to "Create Investigations"
- Basic detection rules are configured to generate alerts
- The related detections are the same type and have the same primary actor.
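The grouping rule above, as an added illustration that is not InsightIDR's own code: a detection joins an existing investigation only if that investigation is still open and matches on both detection type and primary actor; otherwise a new investigation is created. The data model is constructed for the example, and "same type" is modelled as the same rule name (an assumption).

```python
from dataclasses import dataclass, field

# Constructed, minimal model of a detection and an investigation.
@dataclass
class Detection:
    rule_name: str       # assumption: "same type" means the same detection rule
    primary_actor: str   # the user or asset the detection is about

@dataclass
class Investigation:
    rule_name: str
    primary_actor: str
    status: str = "Open"
    detections: list = field(default_factory=list)

def group_detections(detections, investigations=None):
    """Attach each detection to an open investigation with the same rule and
    primary actor; closed investigations never receive new detections."""
    investigations = investigations if investigations is not None else []
    for det in detections:
        target = next((inv for inv in investigations
                       if inv.status != "Closed"
                       and inv.rule_name == det.rule_name
                       and inv.primary_actor == det.primary_actor), None)
        if target is None:
            # No matching open investigation: a new system-created one is opened.
            target = Investigation(det.rule_name, det.primary_actor)
            investigations.append(target)
        target.detections.append(det)
    return investigations

if __name__ == "__main__":
    # Constructed sample: three detections, two of which share rule and actor.
    sample = [Detection("Suspicious Login", "alice"),
              Detection("Suspicious Login", "alice"),
              Detection("Suspicious Login", "bob")]
    for inv in group_detections(sample):
        print(inv.rule_name, inv.primary_actor, len(inv.detections))
```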
Alert throttling for detection rules
If a detection rule triggers a large quantity of alerts in a small time frame, the total number of alerts sent to Investigations is capped. Alerts are restricted according to these limits:
- 20 alerts per asset per minute
- 500 alerts per organization per minute
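The two caps above, modelled as an added example (not InsightIDR's implementation): a per-minute counter per asset and one for the whole organization, with the first limit reached deciding whether an alert reaches Investigations. The page does not say whether the window is fixed or sliding; a fixed one-minute window is assumed here.

```python
from collections import defaultdict

ASSET_LIMIT_PER_MINUTE = 20   # from the page
ORG_LIMIT_PER_MINUTE = 500    # from the page

class AlertThrottle:
    """Caps alerts per asset and per organization within each one-minute window
    (assumption: windows are fixed, keyed by timestamp // 60)."""
    def __init__(self, asset_limit=ASSET_LIMIT_PER_MINUTE, org_limit=ORG_LIMIT_PER_MINUTE):
        self.asset_limit = asset_limit
        self.org_limit = org_limit
        self.asset_counts = defaultdict(int)   # (minute, asset) -> alerts admitted
        self.org_counts = defaultdict(int)     # minute -> alerts admitted

    def admit(self, timestamp, asset):
        """Return True if the alert is forwarded to Investigations, False if capped."""
        minute = int(timestamp // 60)
        if self.org_counts[minute] >= self.org_limit:
            return False
        if self.asset_counts[(minute, asset)] >= self.asset_limit:
            return False
        self.org_counts[minute] += 1
        self.asset_counts[(minute, asset)] += 1
        return True

def simulate(alerts, asset_limit=ASSET_LIMIT_PER_MINUTE, org_limit=ORG_LIMIT_PER_MINUTE):
    """alerts: iterable of (timestamp_seconds, asset). Returns (sent, dropped)."""
    throttle = AlertThrottle(asset_limit, org_limit)
    sent = sum(1 for ts, asset in alerts if throttle.admit(ts, asset))
    return sent, len(alerts) - sent

if __name__ == "__main__":
    # Constructed burst: one noisy asset fires 100 alerts in the first minute,
    # then a second asset fires 5; only 20 + 5 reach Investigations.
    burst = [(5 + i * 0.1, "host-a") for i in range(100)] + [(30, "host-b")] * 5
    print(simulate(burst))   # (25, 80)
```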
Sometimes investigations are automatically generated by alerts that are later deemed unnecessary or outdated. This can create unwanted noise in your environment. If this happens, you can control the alerts that are automatically generated by InsightIDR's detection rules by modifying the detection rule action or, for legacy rules, updating the legacy rule action.
You can manually create an investigation if you would like to investigate the activity of a user or asset. To learn how to get started, visit Create an investigation.
Explore an investigation
You can view investigations in several ways, allowing you to get the context you need to effectively prioritize, sort, and respond to an incident.
The main Investigations page provides you with an overview of all investigations, both system-created and user-created, which are displayed in order of priority.
This view can be refined even further by using the filters. You can filter investigations by:
- Date Range - The default selection is 28 days.
- Priority - The options are Critical, High, Medium, Low, and Unspecified.
- Status - The options are Open, Investigating, Waiting, and Closed.
- Assignee - The user who is assigned to the investigation.
Search your investigations
You can search for specific investigations using the search field. This field allows you to search using:
- Investigation names
- Users associated with the investigation
- Assets that might be found within an investigation
View linked assets and users
Investigations often have actors (assets or users) associated with them. From the main Investigations page, you can view high-level asset and user information by expanding an investigation card. For a more detailed view, click into an investigation.
To view the assets and users of an investigation:
- Select an investigation.
- Select the arrow dropdown on the far right of the investigation card.
- Use the tabs provided to view all linked assets or users, or use search to find a specific user or asset.
To view the Investigations Details page, select any investigation. From this page, you can examine the finer details, such as the activity that triggered the creation of the investigation and a timeline of events.
You can also explore the contextual data and take actions on your investigation.
At the top of the page, the main investigation details card is displayed. For user-created investigations, the details shown are:
- The name of the investigation
- The date it was created
- The date and time it was last accessed
- The most recent detection
- The status, priority, assignee, and disposition
For system-created investigations, the investigation name is generated by the alert that triggered it.
From the Investigation Details page, you can view all of the activity and information related to the investigation in the form of a timeline or a table, including the users and assets that are involved.
Alerts in investigations
In the timeline and table, InsightIDR provides extra details and actions for the alert event type, which allows you to gain helpful context during the investigation process.
View alert details
Select the Alert Details button to open a panel with information about the alert.
The Evidence tab displays the primary information about the alert’s current state and how it was generated.
The top of the tab provides an overview of the alert. The expandable sections provide information about how the alert was generated, including:
- Description and Recommendation - Includes a brief description of the alert and recommendations for triage.
- Process Tree - Displays for Managed Detection and Response (MDR) customers only. Includes details about the process that occurred when the alert was generated and the processes that occurred before and after.
- Rule Logic and Matched Data - Includes the detection rule logic that generated the alert and the corresponding key-value payload data from your environment. You can view the payload data as a table or in JSON format, and you can use the Highlight matching keys and Filter matching keys toggles to quickly view the values that the detection rule alerted you to. Adjust your view of this section using the Show Rule Logic and Hide Rule Logic buttons.
The Exceptions tab displays information about any exceptions that exist in the detection rule that generated the alert. The detection rule exceptions provide additional context around the intent behind the rule and can help indicate whether the resulting alert represents suspicious behavior.
You can also create new exceptions on this tab for key-value pairs that are relevant to the specific alert. Read more about creating detection rule exceptions.
The MITRE ATT&CK tab includes the MITRE ATT&CK tactic mapped to the detection rule that generated the alert. The MITRE ATT&CK tactic helps direct you to other areas in your environment that might be compromised by the threat, if the alert represents suspicious activity.
Read more about which ABA detection rules map to which MITRE ATT&CK tactics.
Remove an alert
Select the Remove Alert button to disassociate the alert from the investigation. Removing an alert from an investigation does not delete it from InsightIDR.
No data displaying in the audit log?
To view the audit log, you need access to the InsightIDR Investigations log. Read more about managing access to logs and log sets in the Insight Platform documentation. Contact your Platform Administrator for questions about your permissions.
The audit log is a detailed chronological view of every action taken in relation to a particular investigation. It can help contribute to strengthened security reporting and compliance within your organization.
The additional benefits of using an audit log include improved team collaboration, the ability to analyze user activity and their response time during security breaches, recommending new security procedures, and providing legal evidence.
The audit log collects data about all of the updates to an investigation, when they were made, and by whom. From the audit log panel, you can filter your view to focus on any of the information you are looking for, such as:
- Any changes to the disposition, priority, assignee, or status
- The endpoint queries that were run
- Any comments and attachments that were added
To view and download the audit log:
- Open an investigation.
- Click the Audit Log button.
- In the Audit Log panel, set the date range for the updates that you want to view.
- Optionally, select filters to streamline your view of the updates.
- To save the audit log locally, click the Download button. The downloaded log contains the updates that occurred within the selected date range only.
To search the data in the audit log, go to Log Search and select the Audit Logs log set. Read Event Types and Keys to understand which keys are available to use in your query.
Investigation responsibility for MDR customers
If you are a Managed Detection and Response (MDR) customer, you can view the Rapid7 Managed tag in our Investigations experience to determine which investigations are the responsibility of our MDR SOC team and which ones are yours to manage.