Multi-Customer Investigations
Copy link

With Multi-Customer Investigations, Managed Security Service Providers (MSSPs) can easily manage investigations across all of their managed customers, generating tremendous time-savings for analysts. With this feature, analysts will be enabled to:

  • Aggregate a view of investigations for multiple customers and regions
  • Search, filter, and take action on any of their customers’ investigations from a single view
  • Seamlessly switch between end-customer environments

Multi-Customer Investigations adhere to data sovereignty rules by ensuring customer data is never at rest outside of the designated region. The Multi-Customer Investigations feature is available to Rapid7 MSSP partners who meet the licensing requirements.

Licensing Requirements
Copy link

Your system must meet the following requirements to access and use the capability described in this article:

  • You must be an MSSP Partner with an active license to an SIEM (InsightIDR) subscription and this must have partner status enabled.
  • MSSP end-customers must also have valid SIEM (InsightIDR) licenses, which must be associated with the partner account. If there are end-customers that are not associated with the MSSP partner account, these cannot be managed using the multi-customer features.

Read MSSP Customer Management to learn more about licensing requirements.

Terminology
Copy link

TermDefinition
Primary CustomerRefers to the SIEM (InsightIDR) instance where analyst accounts are created. Previously this was referred to as multi-customer access (MCA). Also known as MSSP Partner account. There is only one Primary Customer associated with a multi-customer investigation license.
CustomersRefers to MSSP Partner end-customers. Customers are associated with and managed by the Primary Customer.
Multi-Customer NavigationThe navigation menu that displays at the top of the multi-customer investigation experience and allows you to display all investigations or switch between customer environments from a single login.
Single Customer Investigation ViewWhen an analyst clicks on an Investigation from within the multi-customer view, they are brought into that customer’s InsightDR context where they can access features such as Log Search.
Customer TableDisplays the Primary Customer and its associated customers. Serves as the entry point for the multi-customer investigation experience.

Multi-Customer Investigation Menu
Copy link

You can navigate seamlessly between customers and investigations using the Multi-Customer menu, or jump to the Insight Platform Customer Table to view the Pinned Customer (your pinned account) and a list of your customers. Here is a breakdown of the Multi-Customer menu.

Multi-Customer Navigation

Multi-Customer Menu Key:

  1. The Multi-Customer Menu allows you to seamlessly navigate between your list of customers and investigations.
  2. Select Customers to display all your customers in a single view
  3. Select All Investigations to display all investigations associated with your customers
  4. Click View Customer Table to exit SIEM (InsightIDR) and open the Customer Table.

Manage your multi-customer investigations
Copy link

The following sections contain information on using multi-customer investigations. To complete the tasks outlined in this documentation, you must meet the licensing requirements, and have multi-customer investigations enabled.

Access the Multi-Customer Investigations interface
Copy link

The Customer Table is where the multi-customer investigation flow begins. The Primary Customer account, which is pinned to the Customer Table, serves as the access point for multi-customer investigations.

To access Multi-Customer Investigations:

  1. From the Select Customer Account table, click the pinned account. Insight Platform Home will appear.
Insight Platform Multi-Customer Entry Point
  1. Select the SIEM (InsightIDR) card to enter the multi-customer investigation experience.

Select a single customer
Copy link

In Multi-Customer Investigations, you can quickly review and prioritize a single customer’s investigations and determine what action to take by opening the single customer investigation view. When you select a single customer, you are brought into that customer’s SIEM (InsightIDR) environment, which means that the SIEM (InsightIDR) left menu, Log Search, and Investigation details are aligned with the selected customer.

Single customer investigations are sorted by priority levels critical, high, medium and low. Analysts can quickly identify which customer’s investigations need their attention first and prioritize their workload.

To select a single-customer investigation:

  1. Open Multi-Customer Investigations in SIEM (InsightIDR).
  2. From the Multi-Customer Navigation, select Customers.
  3. Find the customer whose environment you want to view, and click Manage Investigations. The selected customer’s SIEM (InsightIDR) environment will open.

Display all investigations
Copy link

  1. Click All Investigations in the Multi-Customer Navigation to display all investigations on one page.
  2. You can also quickly update an investigation’s status, assign an investigation, or filter investigations by customer.
Multi-Customer Investigations tab

Update your Multi-Customer Investigation settings
Copy link

⚠️

To enable this setting, your customers must have valid SIEM (InsightIDR) licenses that are associated with your Rapid7 partner account.

You can easily enable or turn off multi-customer investigations from your SIEM (InsightIDR) User Profile settings.

  1. From the SIEM (InsightIDR) left menu, click Settings > User Preferences.
  2. Under Profile Preferences, locate Multi Customer Investigations, and switch the toggle ON or OFF.
SIEM (InsightIDR) User Preferences menu

Troubleshooting
Copy link

Why can’t I see my customer investigations within the all investigations view?

The most common reason for this is that the analyst does not have access to their managed customers SIEM (InsightIDR) instance. MSSP analysts need both permission to access the customer and an SIEM (InsightIDR) role within that customer’s instance. This can be rectified using Multi-Customer User Admin.

Learn more by reading MSSP Customer Management > Assign one or more users access to a managed customer.