Log Search to list all investigations created

Need a query for all investigations created with a certain service_info.investigation_name

Would expect to see created date, current assignee, status, disposition.

And for bonus points, it would be nice for it to identify all the users and assets on that investigation.

Hi,

The Log Search audit log for IDR Investigations doesn’t get written to every time an investigation is created. It is only written to when an investigation is interacted with, such as changing status or assignee.

You can achieve what you are asking via the API, or by using the Investigation Management page with filters applied.

David