I have in the Search box:
[{"field":"title","value":"Suspicious Authentication - Non-Approved Country","operator":"EQUALS"}]
Have not seen a new job even with those events happening.
If you create a snippet with a single step in the snippet using the InsightIDR “Search Investigations” action, I am curious if that filter will return any investigations for you.
It appears that EQUALS is not an option with this endpoint.
InsightIDR plugin is not an option in new snippets XD
So running this as a snippet gets some results back. But that is the same query being used as a trigger in another test workflow that still has not triggered yet.
snippet - selected a start and end time
{
"end_time": "2025-02-17T00:00:00-06:00",
"index": 0,
"search": [
{
"field": "title",
"operator": "CONTAINS",
"value": "Suspicious Authentication - Non-Approved Country"
}
],
"size": 100,
"sort": ,
"start_time": "2025-02-10T00:00:00-06:00"
}
workflow trigger - new investigations (not working)
{
"field": "title",
"operator": "CONTAINS",
"value": "Suspicious Authentication - Non-Approved Country"
}
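To separate "the filter matches nothing" from "the trigger never fires", it helps to run the same search clause outside InsightConnect and to see how EQUALS and CONTAINS behave against real titles. The script below is an added example, not code from this thread or from Rapid7: it builds the same search body as the snippet above, evaluates it locally against a few constructed investigation records, and can optionally send it to the Investigations search API. The endpoint path `/idr/v2/investigations/_search`, the `X-Api-Key` header and the regional hostname are assumptions about the API; the `INSIGHT_API_KEY` environment variable and the sample investigations are constructed for the example.

```python
"""Build an InsightIDR investigation search body and evaluate it locally.

Added example (not the thread's or Rapid7's code). Endpoint path, header
name and hostname are assumptions; the sample records are constructed.
"""
import json
import os
import urllib.request

SEARCH_PATH = "/idr/v2/investigations/_search"  # assumed endpoint path
TITLE = "Suspicious Authentication - Non-Approved Country"

# Constructed sample data: note the second title carries a suffix, which is
# exactly the case where EQUALS and CONTAINS disagree.
SAMPLE_INVESTIGATIONS = [
    {"rrn": "rrn:investigation:example:0001", "title": TITLE},
    {"rrn": "rrn:investigation:example:0002", "title": TITLE + " (user alice)"},
    {"rrn": "rrn:investigation:example:0003", "title": "Multiple Country Authentications"},
]


def build_search_body(field, operator, value, start_time=None, end_time=None, size=100):
    """Return the JSON body shape used by the snippet in the thread."""
    body = {
        "index": 0,
        "search": [{"field": field, "operator": operator, "value": value}],
        "size": size,
    }
    if start_time:
        body["start_time"] = start_time  # ISO-8601 with offset, e.g. 2025-02-10T00:00:00-06:00
    if end_time:
        body["end_time"] = end_time
    return body


def clause_matches(investigation, clause):
    """Apply one search clause to one record; only EQUALS and CONTAINS are modelled."""
    actual = str(investigation.get(clause["field"], ""))
    op = clause["operator"]
    if op == "EQUALS":
        return actual == clause["value"]
    if op == "CONTAINS":
        return clause["value"] in actual
    raise ValueError(f"operator not modelled here: {op!r}")


def local_search(investigations, body):
    """Evaluate every clause of the body against the records and return the hits."""
    return [inv for inv in investigations
            if all(clause_matches(inv, c) for c in body["search"])]


def search_via_api(body, api_key=None, region="us", timeout=30):
    """POST the body to the search endpoint. Returns None when no key is configured,
    so the example stays runnable offline."""
    key = api_key or os.environ.get("INSIGHT_API_KEY")
    if not key:
        return None
    url = f"https://{region}.api.insight.rapid7.com{SEARCH_PATH}"  # assumed hostname
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"X-Api-Key": key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def compare_operators(investigations, value):
    """Return how many records each operator matches, to show why the choice matters."""
    return {
        op: len(local_search(investigations, build_search_body("title", op, value)))
        for op in ("EQUALS", "CONTAINS")
    }


if __name__ == "__main__":
    print(json.dumps(build_search_body("title", "CONTAINS", TITLE,
                                       "2025-02-10T00:00:00-06:00",
                                       "2025-02-17T00:00:00-06:00"), indent=2))
    print(compare_operators(SAMPLE_INVESTIGATIONS, TITLE))
    live = search_via_api(build_search_body("title", "CONTAINS", TITLE))
    print("live result:", "skipped (no INSIGHT_API_KEY set)" if live is None else live)
```

Run it without a key and the local comparison shows EQUALS matching one of the three constructed titles while CONTAINS matches two; with a key set, the same body goes to the API so the result can be compared against what the snippet returned. If the live search returns investigations but the workflow still does not start, the filter itself is not the problem and the trigger's polling or key permissions are the next thing to check.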
Going back to the setup step - does the api key to IDR need to be an org key or user key? I have a user key currently.