Hello all,
I’m wondering if there’s a way to list all investigations that include a certain asset / user name. I’m trying to create a workflow for an alert that is causing a lot of false positives in our environment. The workflow should automatically perform some preanalysis and should close the incident in certain situations. One of these preanalysis steps is to check if there are any open investigations for the asset that is involved in the alert.
Is there a way to search investigations by asset name?
Hi @Ge72w108, with our V2 Investigation API you can search for investigations that contain various elements, including assets InsightIDR API Documentation
namely actor_asset_hostname
David
Hey @Ge72w108, that action @david_smith mentioned is also built-in to the latest version of the InsightIDR plugin, so it can easily be added to a workflow! You’d just want to make sure you have the latest version of the plugin (currently 4.0.0) installed & configured in your environment, then you should see the Search Investigations action as an option in the workflow builder.
1 Like