ICON Send Artifacts to IDR Investigation after Custom Pattern Alert

With UBAs, artifacts can be inserted into workflows to add notes to the investigation.
I’m not seeing that happen with workflows triggered by custom alerts.
Is there a way to do that?

In my example, I want to take the ticket number from our Jira ticketing system and add that to an artifact in the investigation for cross-reference.

2 Likes

@aaron_denton I submitted a feature request exactly for this today.

1 Like

Same problem here.

If I understood it correctly, this is due to the fact that the workflow is triggered by the custom detection trigger and not by the Investigation.

What we did was to create a check in the workflow that collects the new investigations from IDR and matches the name of the investigation to the pattern from the custom alert trigger.
That way we can get the ID of the investigation and add details to that investigation.

Unfortunately, you can’t add it as an artifact at this point, but we add it as a comment instead. Then we at least get the information added to these automatically.

We use the “Search Investigation” action and build a match filter like this:

[
  {"field": "title", "value": "{{["IDR Alert"].[alert].[name]}}", "operator": "CONTAINS"},
  {"field": "title", "value": "{{["IDR Alert"].[logs].[0].[name]}}", "operator": "CONTAINS"},
  {"field": "title", "value": "{{["IDR Alert"].[logs].[0].[logSet].[0].[name]}}", "operator": "CONTAINS"},
  {"field": "status", "value": "OPEN", "operator": "EQUALS"}
]

1 Like
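Added example (not from this thread or from Rapid7's own code) showing how the title-match filter above narrows the investigation list, and how a de-duplication check keeps a re-run of the workflow from posting the same Jira cross-reference twice. The alert payload, the investigation records and the helper names are constructed for illustration and stand in for the "IDR Alert" trigger and "Search Investigation" results.

```python
import json

# Constructed stand-in for the "IDR Alert" trigger payload referenced by the template fields.
ALERT = {
    "alert": {"name": "Suspicious Login"},
    "logs": [{"name": "Okta", "logSet": [{"name": "SSO Logs"}]}],
}


def sample_investigations():
    """Constructed stand-in for what a 'Search Investigation' action might return."""
    return [
        {"id": "inv-1", "status": "OPEN", "title": "Suspicious Login - Okta - SSO Logs", "comments": []},
        {"id": "inv-2", "status": "CLOSED", "title": "Suspicious Login - Okta - SSO Logs", "comments": []},
        {"id": "inv-3", "status": "OPEN", "title": "Malware - Endpoint - EDR Logs", "comments": []},
    ]


def build_filter(alert):
    """Same shape as the thread's match filter, with the template values resolved."""
    return [
        {"field": "title", "value": alert["alert"]["name"], "operator": "CONTAINS"},
        {"field": "title", "value": alert["logs"][0]["name"], "operator": "CONTAINS"},
        {"field": "title", "value": alert["logs"][0]["logSet"][0]["name"], "operator": "CONTAINS"},
        {"field": "status", "value": "OPEN", "operator": "EQUALS"},
    ]


def matches(inv, flt):
    """All clauses must hold (CONTAINS = substring, EQUALS = exact) for an investigation to match."""
    for clause in flt:
        actual = inv[clause["field"]]
        if clause["operator"] == "CONTAINS" and clause["value"] not in actual:
            return False
        if clause["operator"] == "EQUALS" and clause["value"] != actual:
            return False
    return True


def add_ticket_comment(investigations, alert, ticket):
    """Comment the ticket on every matching investigation; return the ids that got a new comment.
    Investigations that already mention the ticket are skipped, so a second run adds nothing."""
    flt = build_filter(alert)
    commented = []
    for inv in (i for i in investigations if matches(i, flt)):
        if any(ticket in c for c in inv["comments"]):
            continue  # an earlier run already cross-referenced this ticket
        inv["comments"].append(f"Jira ticket: {ticket}")
        commented.append(inv["id"])
    return commented


if __name__ == "__main__":
    print(json.dumps(build_filter(ALERT), indent=2))
```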

Has anyone found another way round this? I’ve had cases where multiple comments are added to one investigation.

At this time there is not an automated way to send an artifact into the investigation pane when a job is run.

When you say you’ve had cases where multiple comments are added to one investigation, can you elaborate?

Why are multiple comments added? Do you have multiple workflows that are triggered when the Investigation is created?