Hello,
I have a workflow with an ABA trigger. I’ve been unable to find the specific Investigation RRN or ID to then update the status or assign an owner to that specific investigation.
Has anyone figured out a solution for this?
The RRN should output as part of the trigger. What type of ABA alert are you trying to trigger off of? I can take a look.
I’m using the “Process Start Event” alerts as triggers.
The following JSON objects are the only RRNs I’m able to find:
"r7_context": {
  "asset": {
    "name": "##########",
    "rrn": "rrn:uba:##:ID###:asset:######"
  }
},
"detectionRule": {
  "name": "Credential Access - Querying Registry for Stored Credentials",
  "priorityLevel": "Medium",
  "rrn": "rrn:cba:::detection-rule:R7KIIBVHN9YD",
  "ruleAction": "CREATES_INVESTIGATIONS",
  "versionRrn": ""
},
The ABA alert does not output the ID or RRN of an investigation because it’s triggering at the detection level before an investigation is created. If you want to tie the two together you can do an Investigation search with the ABA detectionRule name and get what is needed. An example of what I’ve used in the search investigations is below.
[{"field":"title","value":"{{["Process Start Event"].[detectionRule].[name]}}","operator":"CONTAINS"},{"field":"status","value":"OPEN","operator":"EQUALS"}]
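As an added example (not part of the replies above and not Rapid7's code): a title search on the rule name can return several open investigations when the same rule has fired on more than one asset, so this sketch builds the same two-criterion filter and then picks the open match created closest to the alert. The result field names (`rrn`, `title`, `status`, `created_time`), the titles, the RRNs and the `alert_time` parameter are assumptions made for illustration.

```python
import json
from datetime import datetime

# Constructed trigger payload, shaped like the fragment posted in the thread.
TRIGGER = {"detectionRule": {
    "name": "Credential Access - Querying Registry for Stored Credentials",
    "ruleAction": "CREATES_INVESTIGATIONS"}}

# Constructed search results. Field names, titles and RRNs are assumptions.
RULE = TRIGGER["detectionRule"]["name"]
RESULTS = [
    {"rrn": "rrn:example:inv-a", "title": RULE + " (HOST-A)", "status": "OPEN",
     "created_time": "2024-01-01T09:00:10+00:00"},
    {"rrn": "rrn:example:inv-b", "title": RULE + " (HOST-B)", "status": "OPEN",
     "created_time": "2024-01-01T10:00:05+00:00"},
    {"rrn": "rrn:example:inv-c", "title": RULE + " (HOST-C)", "status": "CLOSED",
     "created_time": "2024-01-01T10:00:02+00:00"},
    {"rrn": "rrn:example:inv-d", "title": "Unrelated rule", "status": "OPEN",
     "created_time": "2024-01-01T10:00:01+00:00"},
]

def build_search(trigger):
    """Same two criteria as the filter in the reply; json.dumps escapes the rule name."""
    return json.dumps([
        {"field": "title", "value": trigger["detectionRule"]["name"], "operator": "CONTAINS"},
        {"field": "status", "value": "OPEN", "operator": "EQUALS"},
    ])

def pick_investigation(trigger, results, alert_time):
    """Return the RRN of the open investigation created closest to the alert, or None."""
    rule = trigger["detectionRule"]
    if rule.get("ruleAction") != "CREATES_INVESTIGATIONS":
        return None  # this rule never opens an investigation, so there is nothing to update
    alert = datetime.fromisoformat(alert_time)
    candidates = [r for r in results
                  if r["status"] == "OPEN" and rule["name"] in r["title"]]
    if not candidates:
        return None  # investigation not created yet: retry later rather than guess
    def gap(r):
        return abs((datetime.fromisoformat(r["created_time"]) - alert).total_seconds())
    return min(candidates, key=gap)["rrn"]

if __name__ == "__main__":
    print(build_search(TRIGGER))
    print(pick_investigation(TRIGGER, RESULTS, "2024-01-01T10:00:00+00:00"))
```

Returning `None` when nothing matches lets the workflow wait and search again instead of updating the wrong investigation.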