Hi! We’re seeing multiple investigations triggering for a series of related events on specific users’ accounts off the back of a pre-built MITRE ATT&CK rule. Is there a way to get InsightIDR to automatically tag any new events into the existing open investigation instead of creating multiple separate investigations as new events on the same assets trigger the same rule?
Hi @thobbs2, would it be possible for you to raise a support case about this? Our normal behavior is to chain recurrences of the same behavior to open investigations; if this is not happening, we would like to take a closer look at some examples.
David
1 Like
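The chaining behavior described in the reply above can be modelled as a small alert correlator, shown here as an added illustration of the general pattern, not as InsightIDR's own code or API. The chaining key, (rule name, asset, user), is an assumption chosen for this example; a real SIEM may key on different fields. New alerts that match an open investigation are attached to it, and a fresh investigation is created only when no open one exists for that key, so a closed investigation does not silently absorb later recurrences.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    """One rule hit. Field names are constructed for this example."""
    alert_id: str
    rule: str
    asset: str
    user: str
    ts: int  # epoch seconds


@dataclass
class Investigation:
    inv_id: str
    rule: str
    asset: str
    user: str
    status: str = "open"
    alerts: List[Alert] = field(default_factory=list)


class Correlator:
    """Chains recurring alerts into an open investigation instead of
    opening a new one per alert. Key = (rule, asset, user) (assumption)."""

    def __init__(self) -> None:
        self.investigations: Dict[str, Investigation] = {}
        self._open_by_key: Dict[Tuple[str, str, str], str] = {}
        self._seq = 0

    def _new_id(self) -> str:
        self._seq += 1
        return f"INV-{self._seq:04d}"

    def ingest(self, alert: Alert) -> Investigation:
        key = (alert.rule, alert.asset, alert.user)
        inv_id = self._open_by_key.get(key)
        inv: Optional[Investigation] = (
            self.investigations.get(inv_id) if inv_id else None
        )
        # Only an *open* investigation absorbs the recurrence; otherwise
        # create a new one so closed cases are not reopened unnoticed.
        if inv is None or inv.status != "open":
            inv = Investigation(self._new_id(), alert.rule, alert.asset, alert.user)
            self.investigations[inv.inv_id] = inv
            self._open_by_key[key] = inv.inv_id
        inv.alerts.append(alert)
        return inv

    def close(self, inv_id: str) -> None:
        inv = self.investigations[inv_id]
        inv.status = "closed"
        key = (inv.rule, inv.asset, inv.user)
        if self._open_by_key.get(key) == inv_id:
            del self._open_by_key[key]

    def open_count(self) -> int:
        return sum(1 for i in self.investigations.values() if i.status == "open")


def run_demo() -> Dict[str, int]:
    """Feed constructed alerts through the correlator and summarise."""
    c = Correlator()
    # Constructed sample alerts: three hits of one ATT&CK rule on the
    # same asset/user, plus one hit on a different user.
    sample = [
        Alert("a1", "T1078 Valid Accounts", "WS-01", "alice", 1000),
        Alert("a2", "T1078 Valid Accounts", "WS-01", "alice", 1060),
        Alert("a3", "T1078 Valid Accounts", "WS-02", "bob", 1120),
        Alert("a4", "T1078 Valid Accounts", "WS-01", "alice", 1180),
    ]
    for a in sample:
        c.ingest(a)
    return {
        "investigations": len(c.investigations),
        "alerts_in_first": len(c.investigations["INV-0001"].alerts),
        "open": c.open_count(),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo yields two investigations rather than four: the three "alice on WS-01" alerts chain into INV-0001 and the "bob on WS-02" alert opens INV-0002. If the same rule later fires for alice after INV-0001 is closed, `ingest` opens a new investigation, which is the behavior an analyst would want for a recurrence after remediation.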