ICON Send Artifacts to IDR Investigation after Custom Pattern Alert

With UBAs, artifacts can be inserted into workflows to add notes to the investigation.
I’m not seeing that happen with workflows triggered by custom alerts.
Is there a way to do that?

In my example, I want to take the ticket number from our Jira ticketing system and add that to an artifact in the investigation for cross-reference.


@aaron_denton I submitted a feature request exactly for this today.


Same problem here.

If I understood it correctly, this is due to the fact that the workflow is triggered by the custom detection trigger and not by the Investigation.

What we did was to create a check in the workflow that collects the new investigations from IDR and matches the name of the investigation to the pattern from the custom alert trigger.
That way we get the ID of the investigation and can add details to it.

Unfortunately, you can't add it as an artifact at this point, but we add it as a comment instead. That way we at least get the information added to those investigations automatically.

We use the “Search Investigation” action and build a match filter like this:

[
  {"field":"title","value":"{{["IDR Alert"].[alert].[name]}}","operator":"CONTAINS"},
  {"field":"title","value":"{{["IDR Alert"].[logs].[0].[name]}}","operator":"CONTAINS"},
  {"field":"title","value":"{{["IDR Alert"].[logs].[0].[logSet].[0].[name]}}","operator":"CONTAINS"},
  {"field":"status","value":"OPEN","operator":"EQUALS"}
]

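To make the matching step in the reply above concrete, here is a small Python model of it: it resolves the `{{["IDR Alert"]...}}` template paths against a constructed alert payload, evaluates the resulting filter list against a constructed set of investigations, and returns the IDs of the ones that match, which is what the workflow then posts a comment to. This is an added example written for this thread, not InsightConnect, IDR or Rapid7 code; the payload shape, the investigation records and the exact semantics of CONTAINS (assumed case-insensitive substring) and EQUALS (assumed exact match) are assumptions, and the real "Search Investigation" action may behave differently.

```python
import re

# Constructed sample payload; the key paths mirror the template references used in the post.
SAMPLE_ALERT = {
    "IDR Alert": {
        "alert": {"name": "Custom Pattern - Jira Ticket Reference"},
        "logs": [{"name": "Firewall", "logSet": [{"name": "Network Logs"}]}],
    }
}

# Constructed sample investigations (hypothetical IDs and titles, not real IDR data).
SAMPLE_INVESTIGATIONS = [
    {"id": "inv-0001", "status": "OPEN",
     "title": "Custom Pattern - Jira Ticket Reference detected in Firewall (Network Logs)"},
    {"id": "inv-0002", "status": "CLOSED",
     "title": "Custom Pattern - Jira Ticket Reference detected in Firewall (Network Logs)"},
    {"id": "inv-0003", "status": "OPEN",
     "title": "Other alert detected in Firewall (Network Logs)"},
]

# The match filter from the post, with template expressions still unrendered.
FILTER_TEMPLATE = [
    {"field": "title", "value": '{{["IDR Alert"].[alert].[name]}}', "operator": "CONTAINS"},
    {"field": "title", "value": '{{["IDR Alert"].[logs].[0].[name]}}', "operator": "CONTAINS"},
    {"field": "title", "value": '{{["IDR Alert"].[logs].[0].[logSet].[0].[name]}}', "operator": "CONTAINS"},
    {"field": "status", "value": "OPEN", "operator": "EQUALS"},
]

# Each path segment is either ["quoted key"], [bare_key] or [index].
_SEGMENT = re.compile(r'\[(?:"([^"]*)"|([^\]]+))\]')


def resolve_path(data, path_expr):
    """Walk a dict/list structure following a path like ["IDR Alert"].[logs].[0].[name]."""
    node = data
    for quoted, bare in _SEGMENT.findall(path_expr):
        key = quoted if quoted else bare
        if isinstance(node, list):
            node = node[int(key)]
        else:
            node = node[key]
    return node


def render_template(value, payload):
    """Replace every {{path}} expression in a filter value with the resolved payload value."""
    return re.sub(r"\{\{(.*?)\}\}", lambda m: str(resolve_path(payload, m.group(1))), value)


def render_filters(filter_template, payload):
    """Return a copy of the filter list with all template values rendered."""
    return [dict(f, value=render_template(f["value"], payload)) for f in filter_template]


def matches(investigation, filters):
    """True when the investigation satisfies every filter clause (assumed operator semantics)."""
    for clause in filters:
        actual = str(investigation.get(clause["field"], ""))
        expected = clause["value"]
        op = clause["operator"]
        if op == "CONTAINS":
            if expected.lower() not in actual.lower():
                return False
        elif op == "EQUALS":
            if actual != expected:
                return False
        else:
            raise ValueError(f"unsupported operator: {op}")
    return True


def find_investigation_ids(alert_payload, investigations, filter_template):
    """IDs of investigations matching the alert-derived filter; the workflow comments on these."""
    filters = render_filters(filter_template, alert_payload)
    return [inv["id"] for inv in investigations if matches(inv, filters)]


def build_cross_reference_comment(investigation_id, ticket_key):
    """Comment text carrying the Jira key, since artifacts cannot be added from this trigger."""
    return f"[{investigation_id}] Cross-reference: Jira ticket {ticket_key}"


if __name__ == "__main__":
    for inv_id in find_investigation_ids(SAMPLE_ALERT, SAMPLE_INVESTIGATIONS, FILTER_TEMPLATE):
        print(build_cross_reference_comment(inv_id, "SEC-1234"))  # SEC-1234 is a constructed key
```

Only `inv-0001` survives: `inv-0002` fails the `status EQUALS OPEN` clause and `inv-0003` fails the alert-name CONTAINS clause. Two investigations with near-identical titles would both match, which is why the status clause and the log set name are worth keeping in the filter rather than matching on the alert name alone.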