Investigations

Investigation Responsibility Tags for MDR Customers

If you are an MDR customer: as of December 2022, investigations carry a Rapid7 Managed tag so that you can tell at a glance which investigations the Rapid7 MDR SOC team is responsible for and which are yours to manage.

An investigation aggregates the alert data relevant to a case in a single place and is closely tied to Alerts and Detection Rules. In InsightIDR, investigations are created either by a user or by the system.

Explore an investigation

You can view investigations in several ways, allowing you to get the context you need to effectively prioritize, sort, and respond to an incident.

Investigations

The main Investigations page provides you with an overview of all investigations, both system-created and user-created, which are displayed in order of priority.

This view can be refined even further by using the filters. You can filter investigations by:

  • Date Range - The default selection is 28 days.
  • Priority - The options are Critical, High, Medium, Low, and Unspecified.
  • Status - The options are Open, Investigating, Waiting, and Closed.
  • Assignee - The user who is assigned to the investigation.

Investigation Details

To view the Investigation Details page, select any investigation. From this page, you can examine the finer details, such as the activity that triggered the creation of the investigation and a timeline of events.

You can also explore the contextual data and take actions on your investigation.

At the top of the page, the main investigation details card is displayed. For user-created investigations, the details shown are:

  • The name of the investigation
  • The date it was created
  • The date and time it was last accessed
  • The most recent detection
  • The status, priority, assignee, and disposition

For system-created investigations, the investigation name is generated by the alert that triggered it.

Learn more about updating the primary investigation attributes, such as the status, priority, assignee, and disposition.

Timeline view

From the Investigation Details page, you can view all of the activity and information related to the investigation in the form of a timeline or a table, including the users and assets that are involved.

Guide to timeline icons and options

An investigation timeline can include a variety of event types, each represented by its own icon.

(Figure: Investigation Timeline icons and their meanings)

Some events in the timeline have an Evidence option, which you can select to open a panel with these tabs:

  • Rule Context - This is the threat group associated with the detection rule that created the investigation. It includes all of the detection rules associated with that same threat group in addition to the rule that created the investigation.
  • Rule Logic - This is the query that the detection rule uses to generate a detection.
  • Evidence - Here you can view the detection rule that created the investigation as well as the content in your environment that matched the rule logic.
  • MITRE ATT&CK - This shows how the related detection rule maps to the MITRE ATT&CK framework. You’ll get deeper insight into an attacker’s position in the attack chain, context into the nature of a detection, and knowledge of common mitigation strategies used to respond to an attack.

System-created investigations

System-created investigations are automatically generated when a pre-configured detection rule detects something unusual in your environment, triggering an alert. They can be generated by Attacker Behavior Analytics rules, User Behavior Analytics rules, and Custom Alerts.

InsightIDR adds related detections to an open system-created investigation when:

  • The ABA, UBA, or Custom Alert rule is configured to trigger investigations:
    • ABA detection rules whose rule action is set to "Create Investigations"
    • UBA detection rules whose alert modification is set to ON
    • Custom Alerts that are configured to generate alerts
  • The related detections are of the same type and have the same primary actor

User-created investigations are created manually by users.

Alert throttling for Attacker Behavior Analytics detection rules

If an Attacker Behavior Analytics rule triggers a large quantity of alerts in a small time frame, the total number of alerts sent to Investigations is capped. Alerts are restricted according to these limits:

  • 20 alerts per asset per minute
  • 500 alerts per organization per minute
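The two rules above (which detections join an existing open investigation, and the per-minute ABA throttling caps) are easiest to see in a small model. The following Python is an added illustration, not Rapid7 code and not a description of InsightIDR internals. It assumes that the throttle counts alerts in fixed one-minute buckets of the alert timestamp and that "same type" means the same detection rule; the rule names, hostnames and alert sequences are constructed sample data.

```python
"""Model of ABA alert throttling and investigation grouping (added illustration,
not Rapid7 code).  Assumptions, not taken from the page: throttle counters are
fixed one-minute buckets keyed on the alert timestamp, and "same type" means the
same detection rule.  All rule names, hostnames and alerts are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

PER_ASSET_PER_MINUTE = 20   # cap stated on the page
PER_ORG_PER_MINUTE = 500    # cap stated on the page

# Hypothetical rule names used only for the sample data.
RULE_PS = "Suspicious Process - Encoded PowerShell Command"
RULE_DUMP = "Suspicious Process - Credential Dumping"


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds since epoch (constructed)
    rule: str    # detection rule that fired
    actor: str   # primary actor (user or asset) the detection is attributed to
    asset: str   # asset the alert was raised on; the per-asset cap counts these


@dataclass
class Investigation:
    rule: str
    actor: str
    status: str = "Open"
    alerts: list = field(default_factory=list)


class Throttle:
    """Per-asset and per-organization caps, evaluated per one-minute bucket."""

    def __init__(self, per_asset=PER_ASSET_PER_MINUTE, per_org=PER_ORG_PER_MINUTE):
        self.per_asset, self.per_org = per_asset, per_org
        self.asset_counts = defaultdict(int)   # (minute, asset) -> admitted
        self.org_counts = defaultdict(int)     # minute -> admitted

    def admit(self, alert):
        minute = alert.ts // 60
        if self.org_counts[minute] >= self.per_org:
            return False
        if self.asset_counts[(minute, alert.asset)] >= self.per_asset:
            return False
        self.org_counts[minute] += 1
        self.asset_counts[(minute, alert.asset)] += 1
        return True


class Correlator:
    """Attach an alert to an open investigation with the same rule and primary
    actor; otherwise open a new one.  Closed investigations never absorb alerts."""

    def __init__(self):
        self.investigations = []

    def ingest(self, alert):
        for inv in self.investigations:
            if inv.status != "Closed" and (inv.rule, inv.actor) == (alert.rule, alert.actor):
                inv.alerts.append(alert)
                return inv
        inv = Investigation(alert.rule, alert.actor, alerts=[alert])
        self.investigations.append(inv)
        return inv


def process(alerts):
    """Throttle alerts in timestamp order, then correlate the admitted ones.
    Returns (correlator, number_of_dropped_alerts)."""
    throttle, correlator, dropped = Throttle(), Correlator(), 0
    for alert in sorted(alerts, key=lambda a: a.ts):
        if throttle.admit(alert):
            correlator.ingest(alert)
        else:
            dropped += 1
    return correlator, dropped


def single_host_flood():
    """Constructed: ws01 raises 45 alerts of one rule in minute 0 and 5 more in
    minute 1, plus one alert of another rule; ws02 raises one alert of the first rule."""
    alerts = [Alert(i, RULE_PS, "ws01", "ws01") for i in range(45)]
    alerts += [Alert(60 + i, RULE_PS, "ws01", "ws01") for i in range(5)]
    alerts.append(Alert(70, RULE_DUMP, "ws01", "ws01"))   # same asset, different rule
    alerts.append(Alert(5, RULE_PS, "ws02", "ws02"))      # same rule, different actor
    return process(alerts)


def after_close():
    """Close the flood's investigation, then send one more alert of the same rule
    and actor: it opens a new investigation rather than reviving the closed one."""
    correlator, _ = single_host_flood()
    correlator.investigations[0].status = "Closed"
    correlator.ingest(Alert(130, RULE_PS, "ws01", "ws01"))
    return len(correlator.investigations)


def org_wide_burst():
    """Constructed: 30 hosts each raise 20 alerts (exactly the per-asset cap) in
    the same minute, 600 in total.  Returns (admitted, dropped, investigations)."""
    alerts = [Alert(i, RULE_PS, f"srv{h:02d}", f"srv{h:02d}")
              for h in range(30) for i in range(20)]
    correlator, dropped = process(alerts)
    admitted = sum(len(inv.alerts) for inv in correlator.investigations)
    return admitted, dropped, len(correlator.investigations)


if __name__ == "__main__":
    correlator, dropped = single_host_flood()
    for inv in correlator.investigations:
        print(f"{inv.rule!r} / {inv.actor}: {len(inv.alerts)} alerts")
    print("dropped:", dropped, "| after close:", after_close(), "| burst:", org_wide_burst())
```

In the single-host flood only 20 of the 45 minute-0 alerts reach Investigations, the 5 minute-1 alerts land in the same open investigation because the rule and actor match, while the alert from a different rule and the alert from a different actor each open their own investigation. In the organization-wide burst every host stays within its own 20-per-minute allowance, yet 100 alerts are still dropped by the 500-per-organization cap; because admission is in timestamp order, every host still gets an investigation, but the last alerts of each host are lost, so a flood across many assets can hide the tail of the activity on each of them.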

Sometimes investigations are generated by alerts that later turn out to be unnecessary or outdated, which adds noise to your environment. To control which alerts InsightIDR's ABA and UBA detection rules turn into investigations, modify the ABA detection rule action or update the UBA alert modification.

Create a manual investigation

You can manually create an investigation from the User Details page or Investigations page in InsightIDR.

To create an investigation:

  1. From the left-hand menu of InsightIDR, go to Investigations.
  2. Click Create Investigation.
  3. In the Enter Name field, provide the name of the investigation.
  4. (Optional) In the Select Assignee field, type and select the name of the user to whom you want to assign the investigation.
  5. In the Select Priority field, choose Critical, High, Medium, or Low.
  6. Click Create Investigation.
  7. (Optional) Take action by using an automation workflow from multiple plugins or Insight Agent actions.

Once the investigation has been created, you can add data to your investigation.

Investigate an asset or a user

  1. From the InsightIDR left menu, select Users and Accounts. The Users and Accounts page opens.
  2. Select a user category.
  3. Search for the user.
  4. Select the user. The User Details page will open.
  5. Select Investigate [User Name]. The Create Investigation modal appears.
  6. Add an investigation name, a date range, and any other assets or users you want to include in the investigation.
  7. Click Save.
  8. (Optional) If you need more evidence, you can configure Scheduled Forensics to gather information for you.
  9. (Optional) Take action by using an automated workflow from multiple plugins or Insight Agent actions.

Assign investigations to users

You can assign open investigations to individual users and know exactly what your team is working on. Users will receive an email whenever they are assigned to a new investigation.

To assign a user to an investigation:

  1. Select an investigation.
  2. Click on the assignee dropdown.
  3. Enter the assignee’s name.
  4. Select the assignee.

Add data to an investigation

Once an investigation is created, you can add data to it, such as actor data and raw logs. For Windows assets, you can also add endpoint data to your investigation.

Add Endpoint Job Data

You can add endpoint data to investigations to see processes and forensic data, such as DNS cache, installed services, or registry keys.

To add endpoint data to an investigation:

  1. Within an investigation, click Explore Contextual Data.
  2. Select Query Endpoint.
  3. Choose the job(s) you want to run and configure any additional details they require.
  4. Add one or more endpoints or add an asset group.
  5. Click Save.

Collected endpoint data will appear on the Investigation timeline as an "Actor."

Add Actor Data

You can add network data from a specific date range that is associated with specific users or assets. The available network data types are:

  • Account modified
  • Advanced malware alert
  • Asset authentication
  • Cloud service account modified
  • DNS query
  • Firewall
  • IDS
  • Ingress authentication
  • Virus infection
  • Web proxy

To add actor data to an investigation:

  1. Within an investigation, click on the Explore Contextual Data dropdown.
  2. Select Inspect Actor Activity.
  3. Select your date range.
  4. Select users or assets to add as Investigation actors.
  5. Click Save.

Added users and assets will appear on the Investigation timeline as Actors.

Add Log Data

Any log data that is ingested by InsightIDR can be added to an Investigation.

To add log data to an investigation:

  1. Within an investigation, click Explore Contextual Data.
  2. Select Search Logs.
  3. Select one or more logs or log sets.
  4. Define your query. See Log Search for more information on writing queries.
  5. Find the desired log data.
  6. Select Send to Investigation to add the log data as an Actor. You can then add context to the selected logs.
  7. Click Save. The log line then appears in the Investigation timeline.

Export Data

You can also export the data to a PDF document or send it to your data exporters, such as ServiceNow.

Apply allowlist rules

Allowlist rules let InsightIDR know that it doesn’t need to open automatic investigations when it detects activity from the specified user or asset. When you close certain investigations, you’ll see an option to add allowlist rules. Use an allowlist rule if you would like to prevent investigations from automatically opening for a specific asset or user in the future. The steps to create allowlist rules are different for ABA and UBA detection rules.

ABA detection rules and allowlisting

To allowlist assets or users for Attacker Behavior Analytics (ABA) rules, you need to create an exception.

  1. Navigate to Detection Rules > Attacker Behavior Analytics.
  2. Select a detection rule.
  3. Select the Exceptions tab.
  4. Click Create New Exception.
  5. Enter the exception conditions.
  6. Name the exception.
  7. Add a note (optional).
  8. Click Create Exception.

UBA detection rules and allowlisting

You can view modifications to User Behavior Analytics (UBA) rules by navigating to Detection Rules > Alert Modifications.

To apply an allowlist rule or alert modification while closing an investigation:

  1. Select an investigation.
  2. Click Close Investigation.
  3. Select Allowlist and Close or Modify and Close.
  4. Select an allowlist rule or detection modification.
  5. Ensure you select a disposition if you haven’t already done so.
  6. Click Apply Rule and Close or Apply Modification and Close.

Manage the investigation priority

Investigation priority is a rating assigned to an investigation based on the impact and urgency of the detections and assets associated with it.

System-created investigations inherit the priority level of the detection rule that triggered them and are automatically placed in one of four categories: critical, high, medium, or low. Investigations without a priority rating are labeled "Unspecified". User-created investigations require a priority level to be selected before the investigation can be created.

Override the inherited priority level

To override the inherited priority level for an investigation, select the Priority dropdown and choose a different priority.

When you change the priority of a system-created investigation, you override the inherited priority for that investigation only; the priority of the detection rule that created it is unchanged.

Update the investigation status

You can use an investigation’s status to indicate where the investigation is in the triage process. Available statuses include:

  • Open - The default status for all new investigations.
  • Investigating - The investigation is in progress.
  • Waiting - Progress on the investigation has paused while more information is gathered.
  • Closed - The investigation has ended. A disposition must be selected to set this status.

The status is displayed on both the Investigations page and the Investigation Details page.

To update the status of an investigation:

  1. Select an investigation.
  2. Select an option from the Status dropdown.

Update the investigation disposition

An investigation’s disposition records the conclusion your organization drew from the triage process, or indicates that triage is still in progress. Select a disposition to record whether the investigation represented a legitimate threat.

New investigations are assigned a disposition by default. Automatically created investigations inherit their disposition from alerts and detections. Manually created investigations have a disposition of Undecided.

Disposition types

The available dispositions include:

Undecided

Apply this disposition temporarily when you have not yet determined whether the events represented by this investigation are benign, malicious, or unknown.

You cannot close an investigation if the disposition is set to Undecided.

Benign

Apply this disposition when the events represented by this investigation are known or expected behavior and are not predicted to result in an actual or potentially adverse effect on an information system or the information residing therein.

You might determine that the events fulfil an accepted business use case within the context of your environment, in which case no reporting or other action is required.

Use a benign classification for events that are clearly associated with non-malicious, non-suspicious, or very common low-to-no risk behaviors in the context of your environment.

Example: Benign events can include proper practices performed by a system administrator or common user behaviors.

Malicious

Apply this disposition when the events represented by this investigation are associated with malicious activity and were reported to you. Malicious events are actions intended to breach computer networks that, if uninterrupted, can result in an adverse effect on an information system or its information.

Example: You receive an incident notification. Further analysis is carried out and there are indications of a compromise. The malicious activity results in changes to your environment, such as password resets or the reconfiguration of services.

Unknown

Apply this disposition when it is truly unknown whether an event is related to malicious activity and there are no further lines of inquiry available to take. The events represented by this investigation could be malicious, but it’s not possible to make that determination based on the data that’s currently available.

Not Applicable

Apply this disposition to investigations that contain no activity that needs further scrutiny.

Some alerts are raised for compliance warnings or because protective software is inactive. InsightIDR can notify you about such risks to your network, but they are not the result of malicious activity.

To update an investigation’s disposition:

  1. Select an investigation.
  2. Select an option from the Disposition dropdown.

View linked assets and users

Investigations often have actors (assets or users) associated with them. From the main Investigations page, you can view high-level asset and user information by expanding an investigation card. For a more detailed view, click into an investigation.

To view the assets and users of an investigation:

  1. Select an investigation.
  2. Select the arrow dropdown on the far right of the investigation card.
  3. Use the tabs provided to view all linked assets or users, or use search to find a specific user or asset.

View the audit log

The audit log is a detailed chronological record of every action taken on a particular investigation. It supports security reporting and compliance within your organization.

It also helps your team collaborate, lets you review who acted on an investigation and how quickly during a security breach, informs new security procedures, and preserves a record that can serve as evidence.

The audit log collects data about all of the updates to an investigation, when they were made, and by whom. From the audit log panel, you can filter your view to focus on any of the information you are looking for, such as:

  • Any changes to the disposition, priority, assignee, or status
  • The endpoint queries that were run
  • Any comments and attachments that were added

To view and download the audit log:

  1. Open an investigation.
  2. Click Audit Log.
  3. In the Audit Log panel, set the date range for the updates that you want to view.
  4. Optionally, select filters to streamline your view of the updates.
  5. To save the audit log locally, click Download. The downloaded log contains the updates that fall within the selected date range only.

Add comments to an investigation

On the Investigations Details page, you can add and view comments that are associated with an investigation.

To add comments:

  1. Select an investigation.
  2. Click Comments.
  3. Enter your comment.
  4. Click Save.

Add attachments to an investigation

You can provide additional context to your investigations by uploading attachments.

Attachments can also be added along with a comment and are subject to some limitations:

  • They must be smaller than 50 MB.
  • A maximum of 10 attachments are allowed for each comment.
  • A maximum of 50 attachments are allowed for each investigation.

Malware samples cannot be uploaded

All attachments are scanned for malicious content when they are uploaded. Malware samples are not allowed: an attachment found to be malicious is treated as such, and users are prevented from accessing it.

To add attachments:

  1. Select an investigation.
  2. Click Add Attachments.
  3. Drop a file or browse your computer and select one.
  4. Click Add to investigation.
  5. Click Save.

Create automation workflows from investigations

You can use prebuilt workflows such as quarantining assets, creating tickets, and running custom security flows to automatically respond to detections as they emerge in your environment. Read more about automation workflows.

To set up an automation workflow:

  1. Open the investigation.
  2. Click Take action.
  3. Select an action category.
  4. Select an automation action to take. Depending on the automation action, you may need to take additional configuration steps. These can range from finding an asset to quarantine to creating a Jira ticket. Follow the configuration prompts to complete the setup.
  5. Click Take Action.

Close an investigation

You can close an investigation from the Investigations or Investigation Details pages.

To close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Close.
  4. Select a disposition if you have not done so already.
  5. Click Close Investigation.

Bulk-close investigations

You can also bulk-close investigations of the same type within a selected date range from either the Investigations or the Investigation Details page.

To bulk-close an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Bulk close.
  4. Select a disposition if you have not done so already. This will apply to all of the bulk-closed investigations.
  5. Click Close Investigations.

Reopen an investigation

Investigations can be reopened from either the Investigations home or Investigation Details pages.

To reopen an investigation:

  1. Select an investigation.
  2. Click the Status dropdown.
  3. Select Open.

Search your investigations

You can search for specific investigations using the search field. This field allows you to search using:

  • Investigation names
  • Users associated with the investigation
  • Assets that might be found within an investigation