Add log info to an investigation

I have created a workflow that inspects the blocked files on our whitelisting app via VirusTotal, and whenever a blocked file is malicious it shall create an investigation on InsightIDR.

The workflow is working just fine. However, the investigation is being created with only a title, status and an assignee.

I need to have the info on the investigation, like the triggering logs or the VT report.

I’m not sure how I can do so and need assistance, please :)


I’ve struggled a lot with this. The best I’ve managed so far is to get the log info into a comment, which isn’t exactly elegant and has no formatting.

The other option is putting the information into an artifact. Mixed results here. If it’s not a custom alert, then the artifact can be viewed from the investigation by clicking into the ‘x workflow ran’ bit in the contextual info pane. If it’s a custom alert, then nothing seems to go into the investigation and you have to find the related job to look at the artifact, which is very annoying.

It is possible to create a link to the job in a comment but again not elegant. Especially when the comment link isn’t clickable.

We are looking into the same thing. Another option we are looking into is to add the log results as an attached file. It definitely does not fit well in the overall standard operations in IDR.