I’m trying to write up a workflow that will automate the steps of merging investigations in InsightIDR since this isn’t a native solution yet and we definitely get duplicate detections sometimes. I’m planning to do this by inputting a source and target investigation RRN and moving all comments and alerts over.
The issue I’m seeing is that I can’t update an alert that’s already attached to an investigation to a different investigation. Is there a possible call to “detach” or remove an alert from an investigation?