Multi-Customer Investigations

With Multi-Customer Investigations, Managed Security Service Providers (MSSPs) can easily manage investigations across all of their managed customers, generating tremendous time-savings for analysts. With this feature, analysts can:

  • Aggregate a view of investigations for multiple customers and regions
  • Search, filter, and take action on any of their customers’ investigations from a single view
  • Seamlessly switch between end-customer environments

Multi-Customer Investigations adhere to data sovereignty rules by ensuring customer data is never at rest outside of the designated region. The Multi-Customer Investigations feature is available to Rapid7 MSSP partners who meet the licensing requirements.

Licensing Requirements

Your system must meet the following requirements to access and use the capability described in this article:

  • You must be an MSSP Partner with an active license to an InsightIDR subscription and this must have partner status enabled.
  • MSSP end-customers must also have valid InsightIDR licenses, which must be associated with the partner account. If there are end-customers that are not associated with the MSSP partner account, these cannot be managed using the multi-customer features.

Read MSSP Customer Management to learn more about licensing requirements.

Terminology

  • Primary Customer: Refers to the InsightIDR instance where analyst accounts are created. Previously this was referred to as multi-customer access (MCA). Also known as MSSP Partner account. There is only one Primary Customer associated with a multi-customer investigation license.
  • Customers: Refers to MSSP Partner end-customers. Customers are associated with and managed by the Primary Customer.
  • Multi-Customer Navigation: The navigation menu that displays at the top of the multi-customer investigation experience and allows you to display all investigations or switch between customer environments from a single login.
  • Single Customer Investigation View: When an analyst clicks on an Investigation from within the multi-customer view, they are brought into that customer's InsightIDR context where they can access features such as Log Search.
  • Customer Table: Displays the Primary Customer and its associated customers. Serves as the entry point for the multi-customer investigation experience.

Multi-Customer Investigation Menu

You can navigate seamlessly between customers and investigations using the Multi-Customer menu, or jump to the Insight Platform Customer Table to view the Pinned Customer (your pinned account) and a list of your customers. Here is a breakdown of the Multi-Customer menu.

Multi-Customer Menu Key:

  1. The Multi-Customer Menu allows you to seamlessly navigate between your list of customers and investigations.
  2. Select Customers to display all your customers in a single view.
  3. Select All Investigations to display all investigations associated with your customers.
  4. Click View Customer Table to exit InsightIDR and open the Customer Table.

Manage your multi-customer investigations

The following sections contain information on using multi-customer investigations. To complete the tasks outlined in this documentation, you must meet the licensing requirements, and have multi-customer investigations enabled.

Access the Multi-Customer Investigations interface

The Customer Table is where the multi-customer investigation flow begins. The Primary Customer account, which is pinned to the Customer Table, serves as the access point for multi-customer investigations.

To access Multi-Customer Investigations:

  1. From the Select Customer Account table, click the pinned account. Insight Platform Home will appear.
  2. Select the InsightIDR card to enter the multi-customer investigation experience.

Select a single customer

In Multi-Customer Investigations, you can quickly review and prioritize a single customer’s investigations and determine what action to take by opening the single customer investigation view. When you select a single customer, you are brought into that customer’s InsightIDR environment, which means that the InsightIDR left menu, Log Search, and Investigation details are aligned with the selected customer.

Single customer investigations are sorted by priority level: critical, high, medium, and low. Analysts can quickly identify which customer’s investigations need their attention first and prioritize their workload.

To select a single-customer investigation:

  1. Open Multi-Customer Investigations in InsightIDR.
  2. From the Multi-Customer Navigation, select Customers.
  3. Find the customer whose environment you want to view, and click Manage Investigations. The selected customer’s InsightIDR environment will open.

Display all investigations

  1. Click All Investigations in the Multi-Customer Navigation to display all investigations on one page.
  2. You can also quickly update an investigation's status, assign an investigation, or filter investigations by customer.

Update your Multi-Customer Investigation settings

To enable this setting, your customers must have valid InsightIDR licenses that are associated with your Rapid7 partner account.

You can easily enable or turn off multi-customer investigations from your InsightIDR User Profile settings.

  1. From the InsightIDR left menu, click Settings > User Preferences.
  2. Under Profile Preferences, locate Multi Customer Investigations, and switch the toggle ON or OFF.

Troubleshooting

Why can’t I see my customer investigations within the all investigations view?

The most common reason for this is that the analyst does not have access to their managed customer's InsightIDR instance. MSSP analysts need both permission to access the customer and an InsightIDR role within that customer's instance. This can be rectified using Multi-Customer User Admin.

Learn more by reading MSSP Customer Management > Assign one or more users access to a managed customer.