Set the status of an investigation.
External Documentation: To learn more, visit the Rapid7 InsightIDR documentation.

Basic Parameters

Parameter | Description
Disposition | A disposition to set the investigation to.

Notes:
- Only used if the new status is CLOSED.
- Defaults to UNDECIDED upon creation.
Investigation ID | The ID or RRN of an investigation to set the status of.
Status | The status to set for the investigation.
Threat Command - Close Reason | The Threat Command reason when setting the investigation to closed.

Note: Use only if the investigation being closed has an associated alert in Threat Command.
Threat Command - Free Text | Additional information to add when closing the investigation.

Advanced Parameters

Parameter | Description
Multi Customer | When selected, investigations will be returned from all organizations the connected user has access to.

Note: This feature is available for multi-customer user keys only.

Example Output

{
	"id": "174e4f99-2ac7-4481-9301-4d24c34baf06",
	"rrn": "rrn:investigation:us1:174e4f99-2ac7-4481-9301-4d24c34baf06:investigation:6A74T2A4",
	"title": "Joe enabled account Joebob",
	"status": "OPEN",
	"source": "ALERT",
	"disposition": "BENIGN",
	"assignee": {
		"name": "Ellen Example",
		"email": "example@test.com"
	},
	"alerts": [
		{
			"type": "Account Created",
			"type_description": "A new account has been created.",
			"first_event_time": "2018-06-06T16:56:42Z"
		}
	],
	"created_time": "2018-06-06T16:56:42Z"
}
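
A pre-flight and post-check for this step, as an added example that is not part of the original documentation: it flags parameter combinations the notes above say have no effect, then compares the returned investigation with what was requested. The helper names `preflight` and `verify` are hypothetical, and the sample response is a trimmed copy of the Example Output above.

```python
import json

# Trimmed copy of the page's Example Output, used as sample input.
SAMPLE = json.dumps({
    "rrn": "rrn:investigation:us1:174e4f99-2ac7-4481-9301-4d24c34baf06:investigation:6A74T2A4",
    "status": "OPEN",
    "disposition": "BENIGN",
})


def preflight(status, disposition=None, tc_close_reason=None, tc_free_text=None):
    """Warn about parameter combinations the notes above say have no effect."""
    warnings = []
    closing = status == "CLOSED"
    if disposition and not closing:
        warnings.append("Disposition is only used when the new status is CLOSED")
    if (tc_close_reason or tc_free_text) and not closing:
        warnings.append("Threat Command fields apply only when closing")
    if closing and not disposition:
        warnings.append("No disposition supplied; check the one returned")
    return warnings


def verify(requested_status, requested_disposition, response_text):
    """Compare the step's output with what was requested; return (rrn, problems)."""
    inv = json.loads(response_text)
    problems = []
    if inv.get("status") != requested_status:
        problems.append(f"status is {inv.get('status')}, expected {requested_status}")
    if requested_status == "CLOSED":
        got = inv.get("disposition")
        if requested_disposition and got != requested_disposition:
            problems.append(f"disposition is {got}, expected {requested_disposition}")
        if got in (None, "UNDECIDED"):
            problems.append("closed with no verdict recorded (UNDECIDED)")
    return inv.get("rrn"), problems


if __name__ == "__main__":
    print(preflight("OPEN", disposition="BENIGN"))
    print(verify("CLOSED", "BENIGN", SAMPLE))
```

Running `verify` after the step in a workflow gives the audit trail a record of closures that did not take effect or that were closed without a verdict.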

Workflow Library Example

Set Investigation Status with Rapid7 Insightidr and Send Results Via Email