Multi-Customer Investigations
With Multi-Customer Investigations, Managed Security Service Providers (MSSPs) can easily manage investigations across all of their managed customers, generating tremendous time-savings for analysts. With this feature, analysts will be enabled to:
- Aggregate a view of investigations for multiple customers and regions
- Search, filter, and take action on any of their customers’ investigations from a single view
- Seamlessly switch between end-customer environments
Multi-Customer Investigations adhere to data sovereignty rules by ensuring customer data is never at rest outside of the designated region. The Multi-Customer Investigations feature is available to Rapid7 MSSP partners who meet the licensing requirements.
Licensing Requirements
Your system must meet the following requirements to access and use the capability described in this article:
- You must be an MSSP Partner with an active license to an SIEM (InsightIDR) subscription and this must have partner status enabled.
- MSSP end-customers must also have valid SIEM (InsightIDR) licenses, which must be associated with the partner account. If there are end-customers that are not associated with the MSSP partner account, these cannot be managed using the multi-customer features.
Read MSSP Customer Management to learn more about licensing requirements.
Terminology
| Term | Definition |
|---|---|
| Primary Customer | Refers to the SIEM (InsightIDR) instance where analyst accounts are created. Previously this was referred to as multi-customer access (MCA). Also known as MSSP Partner account. There is only one Primary Customer associated with a multi-customer investigation license. |
| Customers | Refers to MSSP Partner end-customers. Customers are associated with and managed by the Primary Customer. |
| Multi-Customer Navigation | The navigation menu that displays at the top of the multi-customer investigation experience and allows you to display all investigations or switch between customer environments from a single login. |
| Single Customer Investigation View | When an analyst clicks on an Investigation from within the multi-customer view, they are brought into that customer’s InsightDR context where they can access features such as Log Search. |
| Customer Table | Displays the Primary Customer and its associated customers. Serves as the entry point for the multi-customer investigation experience. |
Multi-Customer Investigation Menu
You can navigate seamlessly between customers and investigations using the Multi-Customer menu, or jump to the Insight Platform Customer Table to view the Pinned Customer (your pinned account) and a list of your customers. Here is a breakdown of the Multi-Customer menu.
Multi-Customer Menu Key:
- The Multi-Customer Menu allows you to seamlessly navigate between your list of customers and investigations.
- Select Customers to display all your customers in a single view
- Select All Investigations to display all investigations associated with your customers
- Click View Customer Table to exit SIEM (InsightIDR) and open the Customer Table.
Manage your multi-customer investigations
The following sections contain information on using multi-customer investigations. To complete the tasks outlined in this documentation, you must meet the licensing requirements, and have multi-customer investigations enabled.
Access the Multi-Customer Investigations interface
The Customer Table is where the multi-customer investigation flow begins. The Primary Customer account, which is pinned to the Customer Table, serves as the access point for multi-customer investigations.
To access Multi-Customer Investigations:
- From the Select Customer Account table, click the pinned account. Insight Platform Home will appear.
- Select the SIEM (InsightIDR) card to enter the multi-customer investigation experience.
Select a single customer
In Multi-Customer Investigations, you can quickly review and prioritize a single customer’s investigations and determine what action to take by opening the single customer investigation view. When you select a single customer, you are brought into that customer’s SIEM (InsightIDR) environment, which means that the SIEM (InsightIDR) left menu, Log Search, and Investigation details are aligned with the selected customer.
Single customer investigations are sorted by priority levels critical, high, medium and low. Analysts can quickly identify which customer’s investigations need their attention first and prioritize their workload.
To select a single-customer investigation:
- Open Multi-Customer Investigations in SIEM (InsightIDR).
- From the Multi-Customer Navigation, select Customers.
- Find the customer whose environment you want to view, and click Manage Investigations. The selected customer’s SIEM (InsightIDR) environment will open.
Display all investigations
- Click All Investigations in the Multi-Customer Navigation to display all investigations on one page.
- You can also quickly update an investigation’s status, assign an investigation, or filter investigations by customer.
Update your Multi-Customer Investigation settings
To enable this setting, your customers must have valid SIEM (InsightIDR) licenses that are associated with your Rapid7 partner account.
You can easily enable or turn off multi-customer investigations from your SIEM (InsightIDR) User Profile settings.
- From the SIEM (InsightIDR) left menu, click Settings > User Preferences.
- Under Profile Preferences, locate Multi Customer Investigations, and switch the toggle ON or OFF.
Troubleshooting
Why can’t I see my customer investigations within the all investigations view?
The most common reason for this is that the analyst does not have access to their managed customers SIEM (InsightIDR) instance. MSSP analysts need both permission to access the customer and an SIEM (InsightIDR) role within that customer’s instance. This can be rectified using Multi-Customer User Admin.
Learn more by reading MSSP Customer Management > Assign one or more users access to a managed customer .