Actions on multiple investigations

I’ve just started with InsightIDR and we get a lot of Investigations that are related to the same issue (PUP detected by our endpoint protection, potential malware that we haven’t removed yet), and I wanted to know if there’s a way to do two things:

  1. Assign multiple Investigations to a person at once
  2. Close multiple Investigations at one time, with the same notes, based on some manner of filter (asset name, user name, etc.)

Cheers

Hi,

currently there is no easy way to assign investigations to users en masse except through the API,

see here: https://help.rapid7.com/insightidr/en-us/api/v1/docs.html#operation/assignUserToInvestigation

as for closing Investigations, within the UI you will see this option


Close all Investigations of type in this date range, which should enable you to clean up these alerts.

Alternatively, you can also close Investigations in bulk via the API:

  1. Assign multiple Investigations to a person at once

I am not aware of a straight forward method.
Potentially you can extract the IDs of the investigations you are interested in using the API:

E.g.:
curl --output investigations.json --silent -k -H "X-Api-Key: xxxxxxx-zzzz-aaaa-bbbb-123456789012" -H "Content-Type: application/json" "https://eu.api.insight.rapid7.com/idr/v1/investigations?end_time=2021-02-03T00:00:00Z&index=0&size=1000&start_time=2018-07-01T00:00:00Z&statuses=OPEN"

(The API will return a limited number of investigations so it needs to be run multiple times with different start and stop times)

Then use the list of IDs to create a script that will go over this list of IDs and assign them to an InsightIDR user using this API:

Unless you are comfortable with APIs and scripting this task might be easier to achieve manually.

  2. Close multiple Investigations at one time, with the same notes, based on some manner of filter (asset name, user name, etc.)
    First option - via API:
    https://help.rapid7.com/insightidr/en-us/api/v1/docs.html#operation/bulkCloseInvestigations

Second option - from the GUI:
Navigate to Investigations:


In the left panel filter by “Alert type” or “Threat” or “Alert by attack chain” - whatever is suitable in your case.
Next click on the “Close” drop down menu on any of the investigations.
There is an option called - “Close all investigations of type in this date range”
This will close all displayed investigations.
You can further filter the list of investigations using the “Date range” filter - in the left panel.

I am not aware of any way to filter investigations based on asset name or user name, or of an option to add notes in bulk.

You can always contact Rapid7 support from InsightIDR GUI:
“Help” button - top right corner “Request Support”

They will provide the most adequate answer.

Regards

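Putting the API-based approach from the two replies above together (page through open investigations, pick the IDs you want client-side, then assign them to one user), as an added Python example; this is not code from the thread, from Rapid7, or from the Insightidr4py package. It assumes the list endpoint answers with {"data": [...], "metadata": {"total_pages": n}}, that the assignee endpoint is PUT /idr/v1/investigations/{id}/assignee with a user_email_address body, and reuses the eu host and query parameters from the curl command above; the API key and e-mail address are placeholders.

```python
import json
import urllib.request

# Region host taken from the curl command in the thread; change for your region.
BASE = "https://eu.api.insight.rapid7.com/idr/v1"

def http(method, url, api_key, body=None):
    """Minimal JSON client; the key goes in X-Api-Key, as in the curl example."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

def list_open_investigations(get, start_time, end_time, size=100):
    """Yield every OPEN investigation in the window by walking index=0,1,...
    Assumes the response carries {"data": [...], "metadata": {"total_pages": n}}.
    `get(url)` returns one decoded page, so the paging logic can be tested offline."""
    index = 0
    while True:
        page = get(f"{BASE}/investigations?statuses=OPEN&index={index}&size={size}"
                   f"&start_time={start_time}&end_time={end_time}")
        yield from page.get("data", [])
        if index + 1 >= page.get("metadata", {}).get("total_pages", 0):
            return
        index += 1

def select_ids(investigations, title_contains):
    """Client-side filter: the API exposes no asset/user filter, so match the title."""
    needle = title_contains.lower()
    return [inv["id"] for inv in investigations
            if needle in inv.get("title", "").lower()]

def assign_all(put, ids, email):
    """PUT each id to the assignee endpoint (assumed body key: user_email_address);
    returns the ids that were submitted."""
    done = []
    for inv_id in ids:
        put(f"{BASE}/investigations/{inv_id}/assignee", {"user_email_address": email})
        done.append(inv_id)
    return done

if __name__ == "__main__":
    KEY = "YOUR-API-KEY-HERE"  # placeholder, not a real key
    found = list_open_investigations(lambda u: http("GET", u, KEY),
                                     "2021-01-01T00:00:00Z", "2021-02-03T00:00:00Z")
    ids = select_ids(found, "PUP")
    print(assign_all(lambda u, b: http("PUT", u, KEY, b), ids, "analyst@example.com"))
```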

Anyone know if this behavior has been updated? The ability to update multiple investigations at once?

Hello! I know using the API can be intimidating, but with a bit of Python knowledge (and the right tools) this can be achieved. I maintain a Python package called Insightidr4py that takes a lot of the complexity out of it. The article below shows how to use this and even includes an example script tool to do some of the exact stuff you are talking about. Hope this helps. https://micahbabinski.medium.com/button-pusher-to-masterbuilder-automating-siem-workflows-3f51874a80e