IDR Alerts closure

Hi Team,

Need your help here…

Please share if we have any options to identify who has closed one particular alert.
For example, one alert was triggered and someone from the team has closed that alert without assigning and without adding notes. So here we are facing some difficulties to identify who has closed that specific alert. Kindly share the options/steps.

Thanks.


This screams feature request… :wink:

Would be nice to see it in the timeline like: End (closed Date/ Time by User)

And also directly on the Investigations view:
Investigation created: Date / Time by User/System
and on the next line
Investigation closed: Date / Time by User
and maybe
Investigation reopened: Date / Time by User


Hey @robert_holzer and @natraj_rajaram ,

You can see this if you have your Insight Audit Log turned on. If it is not currently enabled, I highly recommend you turn it on. This won’t help with previously closed investigations or anything prior to enablement, but going forward you will see exactly the type of data for many things including closed investigations:

https://docs.rapid7.com/insightidr/audit-logging/

Hi @SDavis!
Yes, Audit logging was enabled in our environment already and it’s okay to have the information somewhere, but it would be way more convenient to have it right at the investigation. I guess it’s no big deal to check for the information @natraj_rajaram asked for at the Platform Home, but maybe in the future this would be a nice enhancement.


The investigations piece as a whole needs a lot of work.

Try finding an investigation that you looked at from a few months ago - without knowing the exact date. There’s no search functionality within the investigations themselves, so it’s a bit hit and miss.

The audit log is useful to some extent, but again - the log set that this data ultimately is stored to - isn’t searchable. I.e. it would also be great to be able to set up custom alerts against this for specific activities - e.g. event source deleted.

Agreed. Would be very convenient and a good initial step to have the closure details automatically added as notes to the investigation. I’ll see who I can talk to about whether this has already been brought up or is a new idea.

Hey @perry_satchwell-cox,

I also agree there are plenty of opportunities for improvements to the investigations area of IDR. As you’re aware, currently having to adjust the date range in order to find a closed-out investigation is not convenient or quick, with a huge opportunity for hit and miss. I’ll see if there is anything on the roadmap for investigation search functionality improvements!


@perry_satchwell-cox and @robert_holzer,

Just took a look and there are definitely improvements on the roadmap for the investigations page! Looks like an investigation search bar will be added in the next few months!


Great, looking forward to it - we were told last year there were improvements on the roadmap for this - it will be good to see some changes.

Something else we would love to see is historical alerts against the user / asset, so you can see some trend data for repeat instances. Currently we have to rely on an external Wiki to document things like this rather than having the information available in IDR - which seems silly, seeing as it already has it there.


That would have been a really useful thing to have for sure!