Hi Everyone -
I’m currently building an InsightConnect workflow that automates the closure of InsightIDR investigations. I’ve already configured a successful bulk close setup for Third Party Alerts using the Close Investigations in Bulk step filtered by:
- source = ALERT
- alert_type = Third Party Alert
- time range
- max investigations to close
However, I now want to target only investigations triggered by a specific detection rule, in this case one of our Okta rules (e.g., Okta - Login Failures or other variations).
The bulk close step does not support filtering by detection rule name.
Appreciate any insight, best practices, or workarounds you’ve used.
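Added example, not from the original post and not Rapid7's own code: one workaround for the missing rule-name filter is to do the selection yourself, i.e. list the open ALERT-sourced investigations in the time window, pull each one's alerts, keep only the investigations that carry an alert whose title matches the rule name (or a regex covering its variations), cap the result at a maximum, and close those individually instead of using the bulk-close step. The code below implements that selection and close loop against constructed in-memory sample data so it runs offline; the investigation/alert field names (`rrn`, `status`, `source`, `created_time`, `alert_type`, `title`) and the `/idr/v2/investigations` paths in `idr_request` are assumptions about the API shape and should be checked against the Rapid7 API docs for your region before use. The `X-Api-Key` header is the Insight platform's standard auth header.

```python
import json
import re
import urllib.request
from datetime import datetime


def parse_ts(ts):
    """Parse an ISO-8601 timestamp such as 2024-05-01T08:00:00Z into a datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_by_rule(investigations, alerts_for, rule_pattern, start, end,
                   max_close, alert_type=None):
    """
    Return the RRNs of OPEN, ALERT-sourced investigations created within
    [start, end] that have at least one alert whose title matches rule_pattern
    (case-insensitive regex), oldest first, capped at max_close.
    alerts_for(rrn) must return that investigation's list of alert dicts.
    Field names (status, source, created_time, alert_type, title) are assumptions.
    """
    pattern = re.compile(rule_pattern, re.IGNORECASE)
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    selected = []
    for inv in sorted(investigations, key=lambda i: parse_ts(i["created_time"])):
        if len(selected) >= max_close:
            break
        if inv["status"] != "OPEN" or inv["source"] != "ALERT":
            continue
        if not start_dt <= parse_ts(inv["created_time"]) <= end_dt:
            continue
        for alert in alerts_for(inv["rrn"]):
            if alert_type and alert.get("alert_type") != alert_type:
                continue
            if pattern.search(alert.get("title", "")):
                selected.append(inv["rrn"])
                break  # one matching alert is enough; move to next investigation
    return selected


def close_selected(rrns, close_fn, dry_run=True):
    """
    Close each RRN through close_fn(rrn). With dry_run=True nothing is called,
    so you can review the list before letting the workflow close anything.
    Returns the RRNs that were (or would be) closed.
    """
    closed = []
    for rrn in rrns:
        if not dry_run:
            close_fn(rrn)
        closed.append(rrn)
    return closed


def idr_request(base_url, api_key, method, path, body=None):
    """
    Minimal Insight API call for live use (not exercised by the offline demo).
    Assumed paths: GET /idr/v2/investigations/<rrn>/alerts to list alerts and
    PATCH /idr/v2/investigations/<rrn> with {"status": "CLOSED"} to close.
    Verify both against the Rapid7 API docs for your region before relying on them.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path, data=data, method=method,
        headers={"X-Api-Key": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample data (not real investigations) to show the selection logic.
SAMPLE_INVESTIGATIONS = [
    {"rrn": "rrn:inv:example:1", "status": "OPEN", "source": "ALERT", "created_time": "2024-05-01T08:00:00Z"},
    {"rrn": "rrn:inv:example:2", "status": "OPEN", "source": "ALERT", "created_time": "2024-05-01T09:00:00Z"},
    {"rrn": "rrn:inv:example:3", "status": "OPEN", "source": "ALERT", "created_time": "2024-05-01T10:00:00Z"},
    {"rrn": "rrn:inv:example:4", "status": "CLOSED", "source": "ALERT", "created_time": "2024-05-01T11:00:00Z"},
    {"rrn": "rrn:inv:example:5", "status": "OPEN", "source": "ALERT", "created_time": "2024-04-01T10:00:00Z"},
]
SAMPLE_ALERTS = {
    "rrn:inv:example:1": [{"alert_type": "Third Party Alert", "title": "Okta - Login Failures"}],
    "rrn:inv:example:2": [{"alert_type": "Third Party Alert", "title": "AWS GuardDuty Finding"}],
    "rrn:inv:example:3": [{"alert_type": "Third Party Alert", "title": "Okta - Login Failures - Example Variant"}],
    "rrn:inv:example:4": [{"alert_type": "Third Party Alert", "title": "Okta - Login Failures"}],  # already closed
    "rrn:inv:example:5": [{"alert_type": "Third Party Alert", "title": "Okta - Login Failures"}],  # outside window
}


def demo_dry_run(rule_pattern=r"^Okta - Login Failures", max_close=10):
    """Select matching sample investigations for May 2024 without closing anything."""
    rrns = select_by_rule(SAMPLE_INVESTIGATIONS, lambda r: SAMPLE_ALERTS.get(r, []),
                          rule_pattern, "2024-05-01T00:00:00Z", "2024-05-31T23:59:59Z",
                          max_close, alert_type="Third Party Alert")
    return close_selected(rrns, close_fn=lambda r: None, dry_run=True)


if __name__ == "__main__":
    print("Would close:", demo_dry_run())
```

In the offline run this reports investigations 1 and 3: 2 is a different rule, 4 is already closed and 5 falls outside the window. To go live, replace the lambdas with `idr_request` calls (GET for `alerts_for`, PATCH for `close_fn`), keep `dry_run=True` on the first pass and only flip it once the printed list matches what you expect, and keep `max_close` small so a regex that is wider than intended cannot sweep up unrelated investigations.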