Getting the Alert RRN

Hi All,

Apologies if this has been asked or resolved previously, but I am creating workflows to gather alert/investigation data. At present I am only able to use the IDR solutions that allow me to pass either the Investigation ID or the RRN, but as of yet I haven’t found a way to use some of the other options, such as Get Alert Information, as this requires the Alert RRN, and I have no idea how to get that early on in the workflow to then leverage that data later on.

Hey @marten_cureton! Currently, you can retrieve Alert IDs (RRNs) via the List Alerts for Investigation InsightIDR action. Upstream from that, you can either get the Investigation information by searching and listing alerts, or you can trigger workflows from the IDR Webhook to get the Investigation ID, like some of our latest IDR workflows.

Thanks Eric, I will take a look!

Hi, so I tried using the List Alerts for Investigation, but I don’t see an Alert RRN, just an ID, which, when I pass it as the Alert RRN, produces an error as it isn’t in the correct format.

Yes, this is expected behavior. Some alerts that are listed are incompatible with the Get Alerts API call. This is usually the case for UBA Alerts or the Legacy Detections. If you try this on an ABA or regular detection, the ID comes in with an RRN that can be used in the Get Alert call.

Right, okay, that does actually make more sense now you have explained it, so in this case I will stop chasing my tail, as they say. Thank you so much for your responses!