I’ve just started with InsightIDR and we get a lot of Investigations that are related to the same issue (PUP detected by our endpoint protection, potential malware that we haven’t removed yet), and I wanted to know if there’s a way to do two things:
Assign multiple Investigations to a person at once
Close multiple Investigations at one time, with the same notes, based on some manner of filter (asset name, user name, etc.)
Second option - from the GUI:
Navigate to Investigations:
In the left panel, filter by “Alert type”, “Threat” or “Alert by attack chain”, whichever suits your case.
Next, click the “Close” drop-down menu on any of the investigations.
There is an option called - “Close all investigations of type in this date range”
This will close all displayed investigations.
You can further narrow the list of investigations using the “Date range” filter in the left panel.
I am not aware of any way to filter investigations by asset name or user name, or of an option to add notes in bulk.
You can always contact Rapid7 support from the InsightIDR GUI:
“Help” button (top right corner) -> “Request Support”
Hello! I know using the API can be intimidating, but with a bit of Python knowledge (and the right tools) this can be achieved. I maintain a Python package called Insightidr4py that takes a lot of the complexity out of it. The article below shows how to use this and even includes an example script tool to do some of the exact stuff you are talking about. Hope this helps. https://micahbabinski.medium.com/button-pusher-to-masterbuilder-automating-siem-workflows-3f51874a80e
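For anyone who wants to see what the API route looks like without a wrapper package, here is an added example (not from either reply above and not code from Insightidr4py) that does the two things the question asks for: select investigations by alert type or by an asset/user name in the title, then assign them, add the same note to each, and bulk-close them. The base URL, the `X-Api-Key` header, the endpoint paths (`GET /idr/v2/investigations`, `PATCH /idr/v2/investigations/{rrn}`, `POST /idr/v2/investigations/bulk_close`, `POST /idr/v1/comments`), the request and response field names, and the sample investigations are all assumptions drawn from memory of Rapid7's public Investigations API v2 and Comments API v1 docs; check them against the current documentation for your region before running anything against a live tenant. The script is a dry run by default: it prints the requests it would make and sends nothing.

```python
"""Bulk assign / comment on / close InsightIDR investigations via the REST API.

Added example; not code from either reply above and not from Insightidr4py.
Endpoint paths, field names and sample data are assumptions based on Rapid7's
public Investigations API v2 and Comments API v1 docs; verify before use.
"""
import json
import re
import urllib.request

BASE_URL = "https://us.api.insight.rapid7.com"   # assumed: region-specific base URL
API_KEY = "REPLACE_WITH_INSIGHT_PLATFORM_API_KEY"  # assumed placeholder, not a real key

# Constructed sample data in the assumed shape of one GET /idr/v2/investigations page.
SAMPLE_INVESTIGATIONS = [
    {"rrn": "rrn:investigation:us:example:investigation:AAAA1",
     "title": "Virus Alert on WS-0421", "status": "OPEN", "assignee": None,
     "alerts": [{"type": "Virus Alert"}]},
    {"rrn": "rrn:investigation:us:example:investigation:AAAA2",
     "title": "Virus Alert on WS-0422", "status": "OPEN",
     "assignee": {"email": "analyst@example.com"},
     "alerts": [{"type": "Virus Alert"}]},
    {"rrn": "rrn:investigation:us:example:investigation:AAAA3",
     "title": "Multiple Country Authentications for jdoe", "status": "OPEN",
     "assignee": None, "alerts": [{"type": "Multiple Country Authentications"}]},
    {"rrn": "rrn:investigation:us:example:investigation:AAAA4",
     "title": "Virus Alert on WS-0430", "status": "CLOSED", "assignee": None,
     "alerts": [{"type": "Virus Alert"}]},
]


def matches(inv, status=None, alert_type=None, title_regex=None):
    """Client-side filter: the API itself has no asset/user name filter, so we
    match on the alert type and on a regex over the investigation title, which
    normally carries the asset or user name."""
    if status and inv.get("status") != status:
        return False
    if alert_type and not any(a.get("type") == alert_type for a in inv.get("alerts", [])):
        return False
    if title_regex and not re.search(title_regex, inv.get("title", "")):
        return False
    return True


def select_investigations(investigations, **criteria):
    return [inv for inv in investigations if matches(inv, **criteria)]


def plan_bulk_actions(investigations, assignee_email=None, note=None, close=False):
    """Return the (method, path, body) requests needed, without sending them.
    Assign and comment are per-investigation; closing is one bulk request."""
    rrns = [inv["rrn"] for inv in investigations]
    plan = []
    for rrn in rrns:
        if assignee_email:  # assumed PATCH body shape
            plan.append(("PATCH", f"/idr/v2/investigations/{rrn}",
                         {"assignee": {"email": assignee_email}}))
        if note:  # assumed Comments API v1 body shape
            plan.append(("POST", "/idr/v1/comments", {"target": rrn, "body": note}))
    if close and rrns:  # assumed bulk_close body shape
        plan.append(("POST", "/idr/v2/investigations/bulk_close", {"ids": rrns}))
    return plan


def call_api(method, path, body=None):
    """Send one request with the platform API key; returns parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path, method=method, data=data,
        headers={"X-Api-Key": API_KEY, "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return None if resp.status == 204 else json.load(resp)


def list_investigations(status="OPEN", page_size=100):
    """Page through GET /idr/v2/investigations (assumed query parameters)."""
    index, results = 0, []
    while True:
        page = call_api("GET", f"/idr/v2/investigations?statuses={status}"
                               f"&index={index}&size={page_size}")
        results.extend(page.get("data", []))
        if index + 1 >= page.get("metadata", {}).get("total_pages", 0):
            return results
        index += 1


if __name__ == "__main__":
    # Dry run over the constructed sample: open Virus Alert investigations on WS-042x.
    chosen = select_investigations(SAMPLE_INVESTIGATIONS, status="OPEN",
                                   alert_type="Virus Alert", title_regex=r"WS-042\d")
    plan = plan_bulk_actions(chosen, assignee_email="analyst@example.com",
                             note="PUP already quarantined by endpoint protection; closing.",
                             close=True)
    for method, path, body in plan:
        print(method, path, json.dumps(body))
    # To run for real: swap SAMPLE_INVESTIGATIONS for list_investigations() and
    # replace the print with call_api(method, path, body).
```

The dry-run plan is the part to review before switching to live calls: the regex is a blunt instrument, so print the selected titles and make sure it did not sweep in an investigation you still need open.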