When I retrieve an investigation with “Security Testing” set as the disposition manually through the web interface, I get the following values:
{
    "$success": true,
    "investigation": {
        "created_time": "2025-05-19T10:06:40.701Z",
        "disposition": "SECURITY_TEST",
        "last_accessed": "2025-06-03T16:14:16.318Z",
        "organization_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "priority": "HIGH",
        "rrn": "rrn:investigation:eu:xxxxxxxxxxxxxx",
        "source": "ALERT",
        "status": "CLOSED",
        "title": "xxxxxxxxxxxxxxxxxxxxxx"
    }
}
I can’t find this value in the API documentation (InsightIDR API Documentation); there are only “BENIGN”, “MALICIOUS” and “NOT_APPLICABLE”.
Anyway, I naively tried to update an investigation with SECURITY_TEST in the disposition field using the InsightIDR plugin in InsightConnect and, of course, the value does not exist there either.
Failed validating 'enum' in schema['properties']['disposition']:
    {'description': "Investigation's disposition",
     'enum': ['', 'BENIGN', 'MALICIOUS', 'NOT_APPLICABLE'],
     'order': 5,
     'title': 'Disposition',
     'type': 'string'}
So is it that both IDR’s API documentation and the IDR plugin in InsightConnect lack an update?
How do I update an investigation with one of the following dispositions?
SECURITY_TEST
FALSE_POSITIVE
UNKNOWN
UNDECIDED
Thanks
Seems like a new feature. Did you reach out to support on this?
I am happy to see that we can change it to our liking, but I have noticed it screws with some automation I have running.
Thanks for your answer. No, I didn’t try to reach support as I’m new to this product and don’t know the process yet.
I managed to get it working temporarily by editing the built specification file manually in the container.
In case it helps anyone:
- ssh to your orchestrator
- find the container id running the plugin
docker ps -a | grep insightidr
00f95f0872c0 rapid7/rapid7_insightidr:4.3.0 “/usr/local/bin/koma…” 2 days ago Exited (0) 16 hours ago rapid7_rapid7_insightidr_4.3.0_action
580cc6d72f9b rapid7/rapid7_insightidr:11.0.5 “python /python/src/…” 7 days ago Up 7 minutes 127.0.0.1:32768->10001/tcp rapid7_rapid7_insightidr_11.0.5_action
- connect as root inside the container
docker exec -i -t --user root 580cc6d72f9b /bin/sh
Then edit the file (grep -nre "pattern" /python/src to find it easily).
In my case:
vi ./build/lib/komand_rapid7_insightidr/actions/update_investigation/schema.py
Then I was able to complete the enum of available values:
[…]
class UpdateInvestigationInput(insightconnect_plugin_runtime.Input):
    schema = json.loads(
        r"""
{
  "type": "object",
  "title": "Variables",
  "properties": {
    "disposition": {
      "type": "string",
      "title": "Disposition",
      "description": "Investigation's disposition",
      "enum": [
        "",
        "BENIGN",
        "MALICIOUS",
        "NOT_APPLICABLE",
        "SECURITY_TEST",
        "FALSE_POSITIVE",
        "UNKNOWN",
        "UNDECIDED"
      ],
      "order": 5
    },
[…]
Now I guess I have to find a proper way to do that, because it will not be persistent when the Docker image is refreshed.
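As an added example (not the poster's or the plugin's own code): a Python helper that makes the manual vi edit above repeatable and checks a disposition against the enum the way the plugin runtime's schema validation does. The schema.py content is a constructed stand-in modelled on the snippet in the post, and EXTRA_DISPOSITIONS are the four values listed in the question.

```python
import json
import re

# Constructed stand-in for the relevant part of the plugin's generated
# update_investigation/schema.py (shape copied from the post; not the real file).
SAMPLE_SCHEMA_PY = '''class UpdateInvestigationInput(insightconnect_plugin_runtime.Input):
    schema = json.loads(
        r"""
{
  "type": "object",
  "title": "Variables",
  "properties": {
    "disposition": {
      "type": "string",
      "title": "Disposition",
      "description": "Investigation's disposition",
      "enum": ["", "BENIGN", "MALICIOUS", "NOT_APPLICABLE"],
      "order": 5
    }
  }
}
"""
    )
'''

# Disposition values seen in the web UI / API response but missing from the plugin enum.
EXTRA_DISPOSITIONS = ["SECURITY_TEST", "FALSE_POSITIVE", "UNKNOWN", "UNDECIDED"]

# The input schema is embedded as a raw triple-quoted JSON string passed to json.loads().
RAW_JSON_RE = re.compile(r'(r""")(.*?)(""")', re.DOTALL)

def load_input_schema(source):
    """Return the JSON schema dict embedded in a schema.py-style source string."""
    m = RAW_JSON_RE.search(source)
    if m is None: raise ValueError("no raw JSON schema found in source")
    return json.loads(m.group(2))

def extend_disposition_enum(source, extra=EXTRA_DISPOSITIONS):
    """Rewrite the source so the disposition enum also accepts `extra` (idempotent)."""
    schema = load_input_schema(source)
    enum = schema["properties"]["disposition"]["enum"]
    for value in extra:
        if value not in enum:
            enum.append(value)
    new_json = "\n" + json.dumps(schema, indent=2) + "\n"
    return RAW_JSON_RE.sub(lambda m: m.group(1) + new_json + m.group(3), source, count=1)

def disposition_allowed(source, value):
    """Mimic the runtime's enum check: would this schema accept `value`?"""
    return value in load_input_schema(source)["properties"]["disposition"]["enum"]
```

Because the rewrite is idempotent, it can be re-run after every image refresh without duplicating entries.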