Getting Evidence from Investigation in InsightConnect

I am trying to create a workflow that performs actions on certain investigations based on details of the evidence in the alerts in the investigation. However, I don't see that this is being brought in by the IDR connection in InsightConnect. Is this possible and I am just not using the right plugin? If not, are there plans to make it possible?

Depending on the investigation alerts you are trying to trigger on, you will need to use either the UBA or ABA alert triggers. If you let me know what you are trying to trigger on and what you want to do with the alert, I can help you get something up and running.

We are getting a lot of UBA alerts for remote code execution for Screenconnect. Since we can't currently create an exception for these because they are UBA alerts, I was hoping to create a workflow in InsightConnect that would update the investigations and close them for us. I was trying to use the IDR connection in Connect to list the investigations, then close them based on the evidence within the alert/investigation.
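The decision logic such a workflow needs, as an added example that is not part of this thread and not Rapid7's own plugin code. It assumes investigation and alert records shaped like the constructed samples below (an investigation "rrn", a "status", and a list of alerts each with an "alert_type" and a "title"); real InsightIDR payloads and the plugin's field names may differ. The actual close call is injected as a function so the selection rules can be run and checked offline. The key check is that an investigation is only auto-closed when every alert on it is the one known-benign UBA alert; anything that also carries another alert is left for a human.

```python
"""
Added example (not from the original thread): decide which InsightIDR
investigations are safe to auto-close based on the alerts attached to them.

Assumptions, stated here because the thread does not give them:
  - investigation/alert records are shaped like the constructed samples
    below; real API or plugin payloads may use different field names.
  - closing is performed by a caller-supplied function so the decision
    logic runs with no network; the HTTP call to InsightIDR is not shown.
"""
import re
from typing import Callable, Iterable

# Constructed sample data with placeholder RRNs; not real investigation records.
SAMPLE_INVESTIGATIONS = [
    {   # only the noisy UBA alert -> safe to close
        "rrn": "rrn:investigation:us:000:investigation:AAAA",
        "status": "OPEN",
        "alerts": [
            {"alert_type": "UBA", "title": "Remote Code Execution - ScreenConnect"},
        ],
    },
    {   # same UBA alert plus an unrelated ABA detection -> leave open
        "rrn": "rrn:investigation:us:000:investigation:BBBB",
        "status": "OPEN",
        "alerts": [
            {"alert_type": "UBA", "title": "Remote Code Execution - ScreenConnect"},
            {"alert_type": "ABA", "title": "Suspicious PowerShell"},
        ],
    },
    {   # already closed -> nothing to do
        "rrn": "rrn:investigation:us:000:investigation:CCCC",
        "status": "CLOSED",
        "alerts": [
            {"alert_type": "UBA", "title": "Remote Code Execution - ScreenConnect"},
        ],
    },
    {   # no alert evidence at all -> do not guess, leave open
        "rrn": "rrn:investigation:us:000:investigation:DDDD",
        "status": "OPEN",
        "alerts": [],
    },
]

# The one alert we have decided to treat as known-benign noise. Anchored so a
# title that merely contains "ScreenConnect" somewhere does not match.
BENIGN_UBA_TITLE = re.compile(r"^Remote Code Execution - ScreenConnect$")


def is_benign_alert(alert: dict) -> bool:
    """True only for the specific UBA alert we are suppressing."""
    return alert.get("alert_type") == "UBA" and bool(
        BENIGN_UBA_TITLE.match(alert.get("title", ""))
    )


def should_auto_close(investigation: dict) -> bool:
    """
    Close only when the investigation is still open, has at least one alert,
    and every alert is the known-benign one. Any other alert on the same
    investigation (e.g. an ABA detection) keeps it open for review.
    """
    if investigation.get("status") != "OPEN":
        return False
    alerts = investigation.get("alerts", [])
    if not alerts:
        return False
    return all(is_benign_alert(a) for a in alerts)


def select_for_closure(investigations: Iterable[dict]) -> list[str]:
    """Return the RRNs of investigations that pass should_auto_close."""
    return [inv["rrn"] for inv in investigations if should_auto_close(inv)]


def close_investigations(investigations: Iterable[dict],
                         close_fn: Callable[[str], None]) -> list[str]:
    """
    Apply close_fn (in practice a wrapper around the InsightIDR investigations
    API or an InsightConnect plugin step) to each selected RRN and return the
    RRNs closed. close_fn is injected so this runs without any network access.
    """
    closed = []
    for rrn in select_for_closure(investigations):
        close_fn(rrn)
        closed.append(rrn)
    return closed


if __name__ == "__main__":
    done = close_investigations(SAMPLE_INVESTIGATIONS,
                                lambda rrn: print(f"would close {rrn}"))
    print(f"{len(done)} investigation(s) selected for closure")
```

Run as-is it only prints what it would close; swap the lambda for a function that calls the IDR close step once the alert evidence is actually available to the workflow. Keep the "all alerts must match" rule rather than "any alert matches": the whole point of auto-closing is to remove noise without hiding a real detection that landed in the same investigation.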

What is the alert type it is triggering off of in IDR?

UBA Alert


Okay I will take a look and see what I can come up with that might help you.