Just started using InsightIDR in our organization and hoping to replace some alert functionality from our old Kiwi syslog server. One thing I haven’t been able to figure out is how to customize the details sent in an email alert. An example would be instead of getting the entire contents of an event that might contain 15-20 fields, I only want to see maybe 5 of them. Is this capability even possible in InsightIDR? I figure it would have to come down to what is displayed from the query, but I also can’t figure out how to only display specific fields when running a query. Am I out of luck with these requests?
We currently don’t support this natively in IDR. However, combining InsightIDR and InsightConnect would potentially allow you to get what you are after.
Essentially you would utilize the IDR plugin (which allows an ICON workflow to be triggered by a UBA or ABA alert), and then from there, depending on the alert, you would need to fetch and manipulate the evidence and/or investigation details and use the Email plugin to output the result to the target.
This would require an ICON license, however (IDR Ultimate comes with InsightConnect automation; IDR Advanced requires a separate purchase). Alternatively, you could achieve the same outcome by utilizing the universal webhook and trimming the fields in the evidence/payload to only include the desired ones using a custom script.
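For anyone weighing the webhook route, here is an added example (not Rapid7's code or anything from the thread) of what the "custom script" side could look like: a small receiver that accepts a JSON alert payload, keeps only a chosen list of fields, and turns the result into a short email. The payload field names, the `KEEP_FIELDS` list, the `X-Webhook-Secret` header and the SMTP settings are all assumptions; the real InsightIDR webhook schema and any shared-secret mechanism need to be checked against the product documentation.

```python
import hmac
import json
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed configuration for this example; replace with your own values.
KEEP_FIELDS = ["alert_type", "severity", "user", "asset", "timestamp"]
SENDER = "idr-alerts@example.internal"
RECIPIENT = "soc@example.internal"
# Shared secret the webhook sender is assumed to put in a request header, so
# that anything else reaching this port cannot flood the SOC mailbox.
WEBHOOK_SECRET = "replace-me-with-a-long-random-value"

# Constructed sample alert with many fields, standing in for a real payload.
SAMPLE_ALERT = {
    "alert_type": "Ingress From Non-Expiring Account",
    "severity": "Medium",
    "user": "jdoe",
    "asset": "WS-0142",
    "timestamp": "2024-05-01T13:22:07Z",
    "alert_id": "00000000-0000-0000-0000-000000000000",
    "org_id": "org-placeholder",
    "source_ip": "203.0.113.45",
    "geo_country": "ZZ",
    "geo_city": "Nowhere",
    "service": "vpn",
    "auth_result": "SUCCESS",
    "raw_log": "<original syslog line here>",
    "rule_name": "Ingress Auth From Unusual Location",
    "investigation_url": "https://example.invalid/investigation/placeholder",
}


def trim_fields(payload: dict, keep: list) -> dict:
    """Return a new dict with only the keys in `keep`, in that order.

    Keys missing from the payload are skipped rather than raising, so a
    schema change on the sender side produces a shorter email, not a crash.
    """
    return {k: payload[k] for k in keep if k in payload}


def format_email_body(trimmed: dict) -> str:
    """Render the trimmed fields as 'name: value' lines."""
    return "".join(f"{k}: {v}\n" for k, v in trimmed.items())


def build_email(trimmed: dict, sender: str, recipient: str) -> EmailMessage:
    """Build (but do not send) a plain-text alert email from trimmed fields."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[IDR] {trimmed.get('alert_type', 'alert')}"
    msg.set_content(format_email_body(trimmed))
    return msg


class AlertHandler(BaseHTTPRequestHandler):
    """Accept one alert per POST, trim it, and hand it to the email builder."""

    def do_POST(self):
        # Constant-time comparison of the shared secret (assumed header name).
        provided = self.headers.get("X-Webhook-Secret", "")
        if not hmac.compare_digest(provided, WEBHOOK_SECRET):
            self.send_response(403)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(length))
        except ValueError:
            payload = None
        if not isinstance(payload, dict):
            self.send_response(400)
            self.end_headers()
            return
        msg = build_email(trim_fields(payload, KEEP_FIELDS), SENDER, RECIPIENT)
        # Delivery is left out of this example; with smtplib it would be:
        # with smtplib.SMTP("smtp.example.internal") as s: s.send_message(msg)
        print(msg.as_string())
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; put a reverse proxy with TLS in front for real use.
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

The shape of the filtering is deliberately a whitelist: fields not named in `KEEP_FIELDS` never reach the mailbox, which also keeps raw log lines and investigation links out of email if you would rather have analysts fetch those from the console.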
Thanks for your response, David. I don’t think the webhook will be an option for us, but I’ll look a little more into it to make sure. As far as I know, we didn’t get the ICON licensing with IDR, so I think we might just be out of luck. Very unfortunate, since it seems like a pretty standard function with email alerts for other applications.
It’s certainly a common feature request so you are not alone there. And I agree the webhook option is not exactly turnkey - it would require a significant lift.