I am right now building a workflow, which fetches the investigation details from last 12 hrs. I have used a loop to loop over “investigation_id” and within the loop I am using an InsightIDR solution, which gives me the investigation details something like this,
Investigations Details
Investigation Title : Domain xyz.com, a look-alike of owned domain xyz.com, was visited by 8 accounts/assets
Investigation Tags : NA
RRN: rrn:investigation:sadsdftujhsdbfsdjchmsdbcjsdfkc,sdbfksd
Created Time: 2025-10-01T07:50:52.457Z
Latest Alert Time: 2025-10-01T07:33:42Z
Source: ALERT
SOC Analyst Name: ABC
SOC Analyst Mail id: ABC@random.com
Alert Priority: MEDIUM
Investigation Disposition: BENIGN
Investigation Status: INVESTIGATING
First Triggered datetime: 2025-10-01T07:50:50.881Z
Now above is the artifact content I have formatted for each iteration within the loop. Now I need to combine these, for instance 3 investigations are done or 3 alerts triggered from last 12 hrs, then the loop will have 3 iterations and I will end up with 3 separate artifacts. So, I want to combine all these 3 content in one file and send it to teams, if not files at least combine them together and send the combined content to teams.
Any solution for this? If you have any idea on this please help me with that.
You will want to take a look at loop outputs. You can output the content of your artifacts to the loop and then reference them in the high level workflow view for sending to Teams.
I configured the loop output in the similar fashion which they have shown in the above mentioned video links. Now, I can get the output as array of strings, with output of each iteration as one single string contained within a double quotes(" "). I tried sending it as an input to python script and get the json object as output, so that I can convert json into csv strings. Let’s see I would try with all possible plugins to write the data into one consolidated file or page from where I can just get the overall details of investigations done past 12 hrs.
I am curious if you can speak to the use case of this workflow?
Why do you want 12 hours worth of investigations rolled into a single Teams message? Is it only specific investigations? Is it only specific information from each investigation you are looking for?
If you are fine sharing the details it might help come up with a more effective solution.
Yes Darrick, as I mentioned in the original post, I will be fetching those details from InsightIDR lnvestigations logs using “advanced query on logs” plugin. And then formatted the artifact content in such a way that, only required fields such as, Investigations Title, RRN, Assignee Name, Email, Ingested Time, Severity, etc… will be displayed as artifact content. This is what I get in each iteration in the loop. I append them onto global artifact and again which is stored as array of strings.