I have in the Search box:
[{"field":"title","value":"Suspicious Authentication - Non-Approved Country","operator":"EQUALS"}]
Have not seen a new job even with those events happening.
If you create a snippet with a single step that uses the InsightIDR “Search Investigations” action, I am curious whether that filter returns any investigations for you.
It appears that EQUALS is not an option with this endpoint.
InsightIDR plugin is not an option in new snippets XD
So running this as a snippet gets some results back. But that is the same query being used as a trigger in another test workflow that still has not triggered yet.
snippet - selected a start and end time
{
  "end_time": "2025-02-17T00:00:00-06:00",
  "index": 0,
  "search": [
    {
      "field": "title",
      "operator": "CONTAINS",
      "value": "Suspicious Authentication - Non-Approved Country"
    }
  ],
  "size": 100,
  "sort": [],
  "start_time": "2025-02-10T00:00:00-06:00"
}
workflow trigger - new investigations (not working)
{
  "field": "title",
  "operator": "CONTAINS",
  "value": "Suspicious Authentication - Non-Approved Country"
}
Going back to the setup step: does the API key to IDR need to be an org key or a user key? I have a user key currently.
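To see why the same title can come back from the snippet with CONTAINS while an EQUALS filter stays silent, here is an added example (not Rapid7 plugin code and not the poster's own) that assembles the Search Investigations step input in the shape posted above and evaluates it locally against a constructed set of investigation records. Treating EQUALS as exact string equality, CONTAINS as a substring match, and `index`/`size` as page number and page size is an assumption about the service's semantics; the `rrn`, `title` and `created_time` values are made up for the example.

```python
from datetime import datetime

# Constructed sample investigation records, shaped like the fields the posted
# search filters on. They are made up for this example, not real InsightIDR data.
SAMPLE_INVESTIGATIONS = [
    {"rrn": "rrn:example:1",
     "title": "Suspicious Authentication - Non-Approved Country",
     "created_time": "2025-02-12T14:03:00-06:00"},
    {"rrn": "rrn:example:2",   # trailing space: EQUALS misses it, CONTAINS still matches
     "title": "Suspicious Authentication - Non-Approved Country ",
     "created_time": "2025-02-13T09:30:00-06:00"},
    {"rrn": "rrn:example:3",   # qualified variant of the same title
     "title": "Suspicious Authentication - Non-Approved Country (Repeated)",
     "created_time": "2025-02-14T18:45:00-06:00"},
    {"rrn": "rrn:example:4",   # unrelated investigation
     "title": "Malicious Hash On Asset",
     "created_time": "2025-02-14T19:00:00-06:00"},
    {"rrn": "rrn:example:5",   # exact title, but created before the start_time window
     "title": "Suspicious Authentication - Non-Approved Country",
     "created_time": "2025-02-09T23:59:00-06:00"},
]


def build_search_input(operator, value, start_time, end_time, index=0, size=100):
    """Assemble the Search Investigations step input in the shape of the posted snippet."""
    return {
        "search": [{"field": "title", "operator": operator, "value": value}],
        "sort": [],
        "start_time": start_time,
        "end_time": end_time,
        "index": index,
        "size": size,
    }


def _parse_time(value):
    # fromisoformat handles the "-06:00" offsets used in the post; map a trailing
    # "Z" to "+00:00" so older Python versions accept that form as well.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def clause_matches(investigation, clause):
    """Evaluate one search clause. Exact equality for EQUALS and substring match
    for CONTAINS is an assumption about how the service evaluates them."""
    actual = str(investigation.get(clause["field"], ""))
    operator = clause["operator"]
    if operator == "EQUALS":
        return actual == clause["value"]
    if operator == "CONTAINS":
        return clause["value"] in actual
    raise ValueError(f"unsupported operator: {operator!r}")


def local_search(investigations, search_input):
    """Apply the time window, then every clause, then the index/size page (assumed
    to mean 0-based page number and page size)."""
    start = _parse_time(search_input["start_time"])
    end = _parse_time(search_input["end_time"])
    hits = [
        inv for inv in investigations
        if start <= _parse_time(inv["created_time"]) < end
        and all(clause_matches(inv, c) for c in search_input["search"])
    ]
    page_start = search_input["index"] * search_input["size"]
    return hits[page_start:page_start + search_input["size"]]


TITLE = "Suspicious Authentication - Non-Approved Country"
WINDOW = ("2025-02-10T00:00:00-06:00", "2025-02-17T00:00:00-06:00")

if __name__ == "__main__":
    for op in ("EQUALS", "CONTAINS"):
        hits = local_search(SAMPLE_INVESTIGATIONS, build_search_input(op, TITLE, *WINDOW))
        print(op, [h["rrn"] for h in hits])
```

Under these assumptions EQUALS returns only the one record whose title is byte-for-byte identical and inside the window, while CONTAINS also picks up the trailing-space and suffixed variants; that is the kind of difference worth checking when a filter that works in a snippet never fires as a trigger.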
Apologies I did not see your response.
I use a platform key for just about everything I do. I am not sure if there is a requirement for a user key over a platform key.
I understand your desire to filter and only have the workflow trigger for a specific investigation type.
For me the way I handle this is a decision in the workflow, not a filter. I do not want to manage a workflow per investigation title.
I allow my Investigation trigger to catch everything. I then have a decision that starts with two paths.
Path 1 is the title I am interested in building my automation around. Path 2 is “other”. Once I’ve built out my automation for the initial type I wanted, I add another path and work on my next investigation type, keeping my “other” path. This allows fewer workflows that can manage many different event types.
The added bonus: if the workflow is capturing all investigation types, then when you are ready to build out a different path you’ve likely already captured that investigation type, so you can just find the job, hit rerun, and build out everything without any extra effort wondering whether the logic is correct.
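The catch-all-trigger-plus-decision design described in the reply above, as an added example that is not part of the original post and not InsightConnect's own code: one router stands in for the single workflow, ordered title paths stand in for the decision step, everything unmatched falls to “other”, and `replay` stands in for rerunning jobs the trigger already captured. The job payloads, path names and handlers (`notify_soc`, `quarantine_asset`) are hypothetical and constructed for the example.

```python
from collections import Counter

# Constructed trigger payloads standing in for jobs the catch-all
# "New Investigation" trigger already captured. Made up for this example.
CAPTURED_JOBS = [
    {"job_id": "job-1", "investigation": {"rrn": "rrn:example:1", "priority": "HIGH",
     "title": "Suspicious Authentication - Non-Approved Country"}},
    {"job_id": "job-2", "investigation": {"rrn": "rrn:example:2", "priority": "CRITICAL",
     "title": "Malicious Hash On Asset"}},
    {"job_id": "job-3", "investigation": {"rrn": "rrn:example:3", "priority": "MEDIUM",
     "title": "Suspicious Authentication - Non-Approved Country"}},
    {"job_id": "job-4", "investigation": {"rrn": "rrn:example:4", "priority": "LOW",
     "title": "Account Created"}},
]


class InvestigationRouter:
    """One catch-all workflow: a decision step with ordered title paths and an
    'other' fallback that absorbs every investigation type not yet automated."""

    def __init__(self):
        self._paths = []  # (path_name, title_fragment, handler), checked in order

    def add_path(self, name, title_contains, handler):
        self._paths.append((name, title_contains, handler))

    def route(self, investigation):
        """Return (path_name, handler_result); the 'other' path takes no action."""
        title = investigation.get("title", "")
        for name, fragment, handler in self._paths:
            if fragment in title:  # the decision compares the title, substring-style
                return name, handler(investigation)
        return "other", None

    def replay(self, jobs):
        """Re-run captured jobs through the current decision (the post's 'rerun the job')."""
        return {job["job_id"]: self.route(job["investigation"])[0] for job in jobs}

    def path_counts(self, jobs):
        """How many captured jobs land on each path, including 'other'."""
        return Counter(self.replay(jobs).values())


# Hypothetical path handlers; in a real workflow these are the steps on each path.
def notify_soc(investigation):
    return {"action": "notify_soc", "rrn": investigation["rrn"],
            "priority": investigation["priority"]}


def quarantine_asset(investigation):
    return {"action": "quarantine_asset", "rrn": investigation["rrn"]}


def first_iteration():
    """Path 1 plus 'other', the starting point the post describes."""
    router = InvestigationRouter()
    router.add_path("non_approved_country", "Non-Approved Country", notify_soc)
    return router


def second_iteration():
    """The same workflow with the next investigation type added; 'other' remains."""
    router = first_iteration()
    router.add_path("malicious_hash", "Malicious Hash", quarantine_asset)
    return router


if __name__ == "__main__":
    print("v1:", first_iteration().replay(CAPTURED_JOBS))
    print("v2:", second_iteration().replay(CAPTURED_JOBS))
```

Because the first iteration already captured job-2 on the “other” path, adding the second path and replaying the same jobs shows it re-routed without waiting for a new Malicious Hash investigation to arrive, which is the point of keeping one catch-all trigger rather than one filtered workflow per title.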