To preface, I’m aware this has been asked before, but the answer does not provide a resolution for my situation.
I’m making a workflow that will create an investigation upon a certain order of events. In that investigation, I’m wanting to add alerts from those events. The rule action for the trigger detection is set to “create alert” but the alert rrn is not available in the output. Is there another workflow step that I can use to pull the rrn?
EDIT: Simply put, I want to create an alert with this workflow and add it to a new investigation.
We do something similar to this. To start with, I was confusing the Alert RRN with the Investigation RRN. I ended up using the Rapid7 InsightIDR plugin - Search Investigation with [{"field":"title","value":"{{["IDR Alert"].[alert].[name]}}","operator":"CONTAINS"},{"field":"status","value":"OPEN","operator":"EQUALS"}]
This should return the alert investigation rrn
Sorry if I have misunderstood your question.
Not quite what I’m looking for.
Simply put, I want to create an alert with this workflow and add it to a new investigation. The Alert RRN is needed for that but I can’t find it in any of the steps output.
I would suggest the new Alert Trigger instead of the ABA trigger.
I am not sure what you are wanting to pull out of log search, but the Alert RRN is part of the payload when triggering from the Alert instead of the detection.
When searching triggers it will not be one of the “From Insight Platform” options. It will be down in the plugins section where you would find other tools like CrowdStrike and SentinelOne.
Is there a way to filter which alert to trigger instead of sending all alerts to Teams? For example, only running the job if the alert title equals “Privilege Escalation”
If you navigate to your alerts within the UI of IDR you can create a filter. That is the same thing you will use in the trigger setup within InsightConnect.
You could also let it fire for all investigations, and then after the trigger create a decision point that checks for the title of the investigation. Today you might only be interested in a single investigation title. Once you get that working, tomorrow you might be interested in a different title. You can just add another path to your original decision. This allows you to use one workflow to handle multiple event types, rather than needing a workflow per type.
Only issue is, when we apply filters in the Trigger, we don’t get evidence of the alert on Teams. Just the title. I may have to stick with the longer workflow.
If you trigger from the Detection, the detection is also the evidence. It is just a one and done, but no way to accurately tie that detection to an alert or an investigation. So it is convenient, but more so if you never log into InsightIDR to manage alerts or investigations.
If you trigger from an alert it is also very convenient, because one alert only has one evidence. After the alert trigger you add another step that is Get Evidence Details. Then you have all the data that is important to you as a security practitioner.
If you trigger from an investigation you must list ALERTS associated with the investigation. This has the potential to be multiple alerts, not just one. Then you have to loop over the alerts list, within the loop you have to fetch the evidence for each alert.
Your Teams message can get you all the same details no matter which route you go, but you do have to add the steps in to get the evidence.
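The three routes described above (detection, alert, investigation) expressed as one normalisation step, as an added example that is not from any poster in this thread and not InsightConnect's own code. The payload field names, the RRN values and the two stand-in functions for the Get Evidence Details and List Alerts steps are constructed assumptions, not the real InsightIDR schema.

```python
from typing import Dict, List, Optional, Set

# Constructed sample data; field names are hypothetical, not the real InsightIDR schema.
SAMPLE_ALERTS: Dict[str, dict] = {
    "rrn:alert:1": {"rrn": "rrn:alert:1", "title": "Privilege Escalation"},
    "rrn:alert:2": {"rrn": "rrn:alert:2", "title": "Suspicious Login"},
}
SAMPLE_EVIDENCE: Dict[str, dict] = {
    "rrn:alert:1": {"source": "endpoint", "summary": "constructed: new local admin on host-01"},
    "rrn:alert:2": {"source": "auth", "summary": "constructed: logon outside business hours"},
}
SAMPLE_INVESTIGATION_ALERTS: Dict[str, List[str]] = {"rrn:inv:1": ["rrn:alert:1", "rrn:alert:2"]}


def get_evidence_details(alert_rrn: str) -> dict:
    """Stand-in for the Get Evidence Details step: one alert has exactly one evidence."""
    return SAMPLE_EVIDENCE[alert_rrn]


def list_alerts(investigation_rrn: str) -> List[dict]:
    """Stand-in for the List Alerts step on an investigation (may return several alerts)."""
    return [SAMPLE_ALERTS[r] for r in SAMPLE_INVESTIGATION_ALERTS[investigation_rrn]]


def collect(trigger: str, payload: dict) -> List[dict]:
    """Return [{alert_rrn, title, evidence}] no matter which trigger fired the workflow."""
    if trigger == "detection":
        # The detection is itself the evidence, but there is no alert RRN to tie it to.
        return [{"alert_rrn": None, "title": payload["title"], "evidence": payload}]
    if trigger == "alert":
        # The alert RRN is in the trigger payload; fetch its single evidence.
        return [{"alert_rrn": payload["rrn"], "title": payload["title"],
                 "evidence": get_evidence_details(payload["rrn"])}]
    if trigger == "investigation":
        # Possibly many alerts: loop over the list and fetch evidence for each one.
        return [{"alert_rrn": a["rrn"], "title": a["title"],
                 "evidence": get_evidence_details(a["rrn"])}
                for a in list_alerts(payload["rrn"])]
    raise ValueError(f"unknown trigger type: {trigger}")


def decision_point(items: List[dict], wanted_titles: Set[str]) -> List[dict]:
    """Decision step after the trigger: keep only the alert titles this path handles."""
    return [i for i in items if i["title"] in wanted_titles]


def teams_lines(items: List[dict]) -> List[str]:
    """One Teams message line per alert, always carrying the evidence summary."""
    return [f"{i['title']} ({i['alert_rrn'] or 'no alert rrn'}): {i['evidence']['summary']}"
            for i in items]
```

Adding a title to `wanted_titles` is the equivalent of adding another path to the decision point, so one workflow keeps handling new event types.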