How to get Alert RRN from Detection Rule

Oh my bad, everything is good now. The job I was looking at is from a short snippet. Thank you!

I’ve also had some luck with getting the alert information and then running an advanced query on logs using the log_entry_id value.

My biggest multi-step workaround I include in workflows is pulling the “source_info” object I include in observables or indicators, which is nearly identical to the “service_info” object in audit logs. The legacy ABA detections always included this information, but now it’s not in the new investigation triggers (for alerts you just have to manually create the service_info.url value with the RRN).

However I have been able to get this information by querying the alert after the trigger, and then if it’s added to an investigation I’d run an Advanced Query on Log using the Audit Logs/Investigations event source for anything containing the service_info.investigation_rrn that matches the investigation_rrn in the alert output.

This sounds tedious, but I did this because I found just using the Alerts trigger was not using InsightIDR as designed. That said, it would likely be the easier version of this… and then you could still get the log event if needed.
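The correlation step described in the reply above (take the investigation_rrn from the alert output, query the Audit Logs/Investigations event source for events whose service_info.investigation_rrn matches it, and reuse that service_info to populate source_info) as an added, stand-alone Python example. This is not code from the thread or from Rapid7; the alert field names follow the thread, but the RRN values, the audit-log lines, the URL and the RRN pattern are constructed placeholders, and the LEQL `where(...)` syntax for the Advanced Query on Log step is an assumption about the query format, not taken from the page.

```python
import json
import re

# Constructed sample of an alert-trigger output. Field names follow the thread
# (investigation_rrn, log_entry_id); the RRN values are placeholders, not real identifiers.
ALERT = {
    "rrn": "rrn:example:alert:PLACEHOLDER-ALERT",
    "investigation_rrn": "rrn:example:investigation:PLACEHOLDER-INV",
    "log_entry_id": "PLACEHOLDER-LOG-ENTRY-ID",
}

# Constructed sample audit-log lines (Audit Logs / Investigations event source), one JSON
# object per line. Only the first two belong to the investigation referenced in ALERT;
# the last line is deliberately malformed to show it is skipped rather than crashing the step.
AUDIT_LOG_LINES = "\n".join([
    json.dumps({"timestamp": "2024-01-01T10:00:00Z", "action": "investigation_created",
                "service_info": {"investigation_rrn": "rrn:example:investigation:PLACEHOLDER-INV",
                                 "url": "https://insight.example.invalid/idr/investigations/PLACEHOLDER-INV"}}),
    json.dumps({"timestamp": "2024-01-01T10:00:05Z", "action": "alert_attached",
                "service_info": {"investigation_rrn": "rrn:example:investigation:PLACEHOLDER-INV",
                                 "url": "https://insight.example.invalid/idr/investigations/PLACEHOLDER-INV"}}),
    json.dumps({"timestamp": "2024-01-01T10:01:00Z", "action": "investigation_created",
                "service_info": {"investigation_rrn": "rrn:example:investigation:OTHER-INV",
                                 "url": "https://insight.example.invalid/idr/investigations/OTHER-INV"}}),
    "not json at all",
])

# Assumed RRN shape: "rrn:" followed by colon-separated alphanumeric segments. Validating the
# value before it is interpolated into a query string keeps alert-supplied data from changing
# the shape of the query that the workflow sends.
RRN_PATTERN = re.compile(r"^rrn:[A-Za-z0-9][A-Za-z0-9:._-]*$")


def build_leql_where(investigation_rrn):
    """Build the where-clause for the Advanced Query on Log step (assumed LEQL syntax)."""
    if not RRN_PATTERN.match(investigation_rrn):
        raise ValueError(f"refusing to query on malformed RRN: {investigation_rrn!r}")
    return f'where(service_info.investigation_rrn="{investigation_rrn}")'


def parse_audit_lines(raw):
    """Yield parsed JSON events, skipping blank lines and lines that are not JSON objects."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def matching_audit_events(alert, raw_audit_lines):
    """Local equivalent of the query: keep events whose service_info.investigation_rrn
    equals the investigation_rrn in the alert output."""
    target = alert.get("investigation_rrn")
    if not target:
        return []
    matches = []
    for event in parse_audit_lines(raw_audit_lines):
        service_info = event.get("service_info")
        if isinstance(service_info, dict) and service_info.get("investigation_rrn") == target:
            matches.append(event)
    return matches


def source_info_for_alert(alert, raw_audit_lines):
    """Assemble the source_info object the workflow attaches to observables or indicators,
    reusing service_info from the first matching audit event. Returns None when the alert
    has not been added to an investigation yet (no matching audit event)."""
    events = matching_audit_events(alert, raw_audit_lines)
    if not events:
        return None
    svc = events[0]["service_info"]
    return {
        "alert_rrn": alert.get("rrn"),
        "investigation_rrn": svc.get("investigation_rrn"),
        "url": svc.get("url"),
        "log_entry_id": alert.get("log_entry_id"),
        "audit_event_count": len(events),
    }


if __name__ == "__main__":
    print(build_leql_where(ALERT["investigation_rrn"]))
    print(json.dumps(source_info_for_alert(ALERT, AUDIT_LOG_LINES), indent=2))
```

In a real workflow the `where(...)` string goes to the Advanced Query on Log action and `matching_audit_events` is replaced by that action's results; the local filter is here so the join logic and the "not yet in an investigation" case (a `None` result) can be exercised offline.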