How to get Alert RRN from Detection Rule

To preface, I’m aware this has been asked before, but the answer does not provide a resolution for my situation.

I’m making a workflow that will create an investigation upon a certain order of events. In that investigation, I’m wanting to add alerts from those events. The rule action for the trigger detection is set to “create alert” but the alert rrn is not available in the output. Is there another workflow step that I can use to pull the rrn?

EDIT: Simply put, I want to create an alert with this workflow and add it to a new investigation.

We do something similar to this. To start with, I was confusing the Alert RRN with the Investigation RRN. I ended up using the Rapid 7 InsightIDR plugin - Search Investigation with [{"field":"title","value":"{{["IDR Alert"].[alert].[name]}}","operator":"CONTAINS"},{"field":"status","value":"OPEN","operator":"EQUALS"}]
This should return the alert investigation rrn
Sorry if I have misunderstood your question.

Not quite what I’m looking for.
Simply put, I want to create an alert with this workflow and add it to a new investigation. The Alert RRN is needed for that but I can’t find it in any of the steps output.

What type of Detection Rule are you working with?

It’s a regular Detection Rule (I believe ABA). To clarify, it’s not Legacy UBA, nor a Basic Detection Rule.

Can you describe your workflow up to this point?

What is the trigger that is kicking off the workflow? Knowing this will help understand what is already available.

We have a trigger for Alerts that was released a few months back. I am not sure if you have tried that out.

If you are using an ABA trigger, this is firing off before an investigation or an alert happens, so no alert RRN is going to be available.

  1. Trigger: Insight IDR Detection Rule
  2. Advanced Query on Log Set
  3. Decision: if {{["Advanced Query"].[count]}}>0
  4. Create Investigation
  5. ** Add alert from trigger to the investigation

I would suggest the new Alert Trigger instead of the ABA trigger.


I am not sure what you are wanting to pull out of log search, but the Alert RRN is part of the payload when triggering from the Alert instead of the detection.

When searching triggers it will not be one of the “From Insight Platform” options. It will be down in the plugins section where you would find other tools like CrowdStrike and SentinelOne.

Thank you Darrick, I should be able to make this work


How can I modify the api to use us3 url and not us? I am currently getting this error:
Expected ‘us’ but was ‘us3’.

You set this up in your connection for the InsightIDR plugin.

Mine is set to my region but still.

@Darrick_Hall Thank you! There was one more connection using US1. It’s all good now!

Is there a way to filter which alert to trigger instead of sending all alerts to teams? For example, only running the job if the alert title equals “Privilege Escalation”

If you navigate to your alerts within the UI of IDR you can create a filter. That is the same thing you will use in the trigger setup within InsightConnect.

If you highlight the title and then click “add to query” you will get something like this:

I am using investigation and not alert. I did something different but not sure if it’s more efficient.

I triggered by detection and performed a search for a specific investigation and obtained the rrn in the next step.

Will doing something like this filter which investigation will trigger?

Yes.

You could also let it fire for all investigations, and then after the trigger create a decision point that checks for the title of the investigation. Today you might only be interested in a single investigation title. Once you get that working, tomorrow you might be interested in a different title. You can just add another path to your original decision. This allows you to use one workflow to handle multiple event types, rather than needing a workflow per type.


Only issue is, when we apply filters in the Trigger, we don’t get evidence of the alert on teams. Just the title. I may have to stick with the longer workflow.

Evidence comes from a different step.

If you trigger from the Detection, the detection is also the evidence. It is just a one and done, but no way to accurately tie that detection to an alert or an investigation. So it is convenient, but more so if you never log into InsightIDR to manage alerts or investigations.

If you trigger from an alert it is also very convenient, because one alert only has one evidence. After the alert trigger you add another step that is Get Evidence Details. Then you have all the data that is important to you as a security practitioner.

If you trigger from an investigation you must list ALERTS associated with the investigation. This has the potential to be multiple alerts, not just one. Then you have to loop over the alerts list, within the loop you have to fetch the evidence for each alert.

Your Teams message can get you all the same details no matter which route you go, but you do have to add the steps in to get the evidence.
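The investigation route described above (filter on title and status, list the alerts for the matching investigation, fetch evidence per alert) as an added Python model with constructed offline data; this is not code from the thread or from Rapid7, and the function names and record shapes are assumptions standing in for the Search Investigation, List Alerts and Get Evidence Details steps, not the plugin's API.

```python
"""Added example: models the investigation-to-evidence route with constructed data.
The functions are stand-ins for InsightConnect steps; names and shapes are assumed."""

# Constructed sample records standing in for InsightIDR responses (not real RRNs).
INVESTIGATIONS = [
    {"rrn": "rrn:investigation:example:0001", "title": "Privilege Escalation - host01", "status": "OPEN"},
    {"rrn": "rrn:investigation:example:0002", "title": "Privilege Escalation - host02", "status": "CLOSED"},
    {"rrn": "rrn:investigation:example:0003", "title": "Brute Force - host03", "status": "OPEN"},
]
ALERTS_BY_INVESTIGATION = {
    "rrn:investigation:example:0001": ["rrn:alert:example:a1", "rrn:alert:example:a2"],
    "rrn:investigation:example:0003": ["rrn:alert:example:a3"],
}
EVIDENCE_BY_ALERT = {
    "rrn:alert:example:a1": {"type": "process", "detail": "sudo su by svc_backup"},
    "rrn:alert:example:a2": {"type": "auth", "detail": "new local admin added"},
    "rrn:alert:example:a3": {"type": "auth", "detail": "40 failed logons in 60s"},
}

# The two operators used in the filter posted earlier in the thread.
OPERATORS = {
    "CONTAINS": lambda actual, wanted: wanted in actual,
    "EQUALS": lambda actual, wanted: actual == wanted,
}


def search_investigations(filters):
    """Stand-in for Search Investigation: every filter entry must match the record."""
    return [inv for inv in INVESTIGATIONS
            if all(OPERATORS[f["operator"]](inv[f["field"]], f["value"]) for f in filters)]


def investigation_evidence(investigation_rrn):
    """Investigation route: list the alerts, then fetch the single evidence per alert."""
    return [dict(alert_rrn=alert, **EVIDENCE_BY_ALERT[alert])
            for alert in ALERTS_BY_INVESTIGATION.get(investigation_rrn, [])]


def build_teams_summary(title_contains):
    """Decision point on title and OPEN status, then evidence gathered per matching investigation."""
    filters = [{"field": "title", "value": title_contains, "operator": "CONTAINS"},
               {"field": "status", "value": "OPEN", "operator": "EQUALS"}]
    return {inv["rrn"]: investigation_evidence(inv["rrn"]) for inv in search_investigations(filters)}


if __name__ == "__main__":
    for rrn, evidence in build_teams_summary("Privilege Escalation").items():
        print(rrn, [e["detail"] for e in evidence])
```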