To preface, I’m aware this has been asked before, but the answer does not provide a resolution for my situation.
I’m making a workflow that will create an investigation upon a certain order of events. In that investigation, I’m wanting to add alerts from those events. The rule action for the trigger detection is set to “create alert” but the alert rrn is not available in the output. Is there another workflow step that I can use to pull the rrn?
EDIT: Simply put, I want to create an alert with this workflow and add it to a new investigation.
We do something similar to this. To start with, I was confusing the Alert RRN with the Investigation RRN. I ended up using the Rapid7 InsightIDR plugin - Search Investigation with `[{"field":"title","value":"{{["IDR Alert"].[alert].[name]}}","operator":"CONTAINS"},{"field":"status","value":"OPEN","operator":"EQUALS"}]`
This should return the alert investigation RRN.
Sorry if I have misunderstood your question.
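As an added example, not code from the thread or from the Rapid7 plugin, here is the same "search investigations by alert title" lookup done directly against the InsightIDR REST API, with the response filtered and the investigation RRN extracted. It assumes (my assumption, not stated in the thread) the v2 endpoint `POST https://<region>.api.insight.rapid7.com/idr/v2/investigations/_search`, an `X-Api-Key` header, a body of the form `{"search": [...]}`, and a response shaped like `{"data": [{"rrn": ..., "title": ..., "status": ..., "created_time": ...}]}`. The sample response embedded below is constructed for the example.

```python
"""Look up the OPEN InsightIDR investigation that carries a given alert title
and return its RRN.  Added example; endpoint, header and response shape are
assumptions about the InsightIDR v2 API, not taken from the thread."""
import json
import os
import urllib.request
from typing import Optional


def build_search_body(alert_title: str) -> dict:
    """Same filter as the plugin step: title CONTAINS alert name AND status EQUALS OPEN.
    Newest first, so the most recent investigation wins when several match."""
    return {
        "search": [
            {"field": "title", "operator": "CONTAINS", "value": alert_title},
            {"field": "status", "operator": "EQUALS", "value": "OPEN"},
        ],
        "sort": [{"field": "created_time", "order": "DESC"}],
    }


def pick_investigation_rrn(response: dict, alert_title: str) -> Optional[str]:
    """Choose the newest OPEN investigation whose title contains the alert title.

    Status and title are re-checked client-side: CONTAINS is a substring match,
    so an alert named 'Suspicious Authentication' also hits
    'Suspicious Authentication - Test', and a stale sort order should not be trusted.
    Returns None when nothing matches instead of raising, so a workflow can branch."""
    candidates = [
        inv for inv in response.get("data", [])
        if inv.get("status") == "OPEN" and alert_title in inv.get("title", "")
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda inv: inv.get("created_time", ""), reverse=True)
    return candidates[0].get("rrn")


def search_investigations(api_key: str, region: str, alert_title: str) -> dict:
    """POST the search to the (assumed) v2 endpoint and return the parsed JSON."""
    url = f"https://{region}.api.insight.rapid7.com/idr/v2/investigations/_search"
    req = urllib.request.Request(
        url,
        data=json.dumps(build_search_body(alert_title)).encode("utf-8"),
        headers={
            "X-Api-Key": api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response (not real data): two OPEN matches of different
# age plus a CLOSED one that must be ignored even though it is the newest.
SAMPLE_RESPONSE = {
    "data": [
        {
            "rrn": "rrn:investigation:us:00000000-0000-0000-0000-000000000001",
            "title": "Suspicious Authentication - Test",
            "status": "OPEN",
            "created_time": "2024-03-01T10:00:00Z",
        },
        {
            "rrn": "rrn:investigation:us:00000000-0000-0000-0000-000000000002",
            "title": "Suspicious Authentication",
            "status": "OPEN",
            "created_time": "2024-03-02T09:30:00Z",
        },
        {
            "rrn": "rrn:investigation:us:00000000-0000-0000-0000-000000000003",
            "title": "Suspicious Authentication",
            "status": "CLOSED",
            "created_time": "2024-03-03T08:00:00Z",
        },
    ]
}


if __name__ == "__main__":
    title = "Suspicious Authentication"
    # Offline: run the selection logic over the constructed response.
    print(pick_investigation_rrn(SAMPLE_RESPONSE, title))
    # Online only if an API key is supplied (region e.g. "us", "eu").
    key = os.environ.get("INSIGHT_API_KEY")
    if key:
        live = search_investigations(key, os.environ.get("INSIGHT_REGION", "us"), title)
        print(pick_investigation_rrn(live, title))
```

The client-side re-check is the part worth keeping even if you stay with the plugin step: a CONTAINS filter on the title will happily return a different, older investigation with a longer name, so verify the status and title of whatever comes back before attaching alerts to it.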
Not quite what I’m looking for.
Simply put, I want to create an alert with this workflow and add it to a new investigation. The Alert RRN is needed for that but I can’t find it in any of the steps output.
I would suggest the new Alert Trigger instead of the ABA trigger.
I am not sure what you are wanting to pull out of log search, but the Alert RRN is part of the payload when triggering from the Alert instead of the detection.
When searching triggers it will not be one of the "From Insight Platform" options. It will be down in the plugins section where you would find other tools like CrowdStrike and SentinelOne.