diff --git a/Packs/Rapid7_InsightIDR/.secrets-ignore b/Packs/Rapid7_InsightIDR/.secrets-ignore
index a4027f0b406c..4fa756ff6c37 100644
--- a/Packs/Rapid7_InsightIDR/.secrets-ignore
+++ b/Packs/Rapid7_InsightIDR/.secrets-ignore
@@ -3,4 +3,6 @@
 172.16.100.22
 192.168.91.11
 192.168.91.19
-test@panw.com
\ No newline at end of file
+test@panw.com
+test@test.com
+https://us.api.insight.rapid7.com
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/README.md b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/README.md
index e2d710158306..326b232ae0dd 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/README.md
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/README.md
@@ -1,154 +1,181 @@
-Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents.
-This integration was integrated and tested with version 1.0.0 of Rapid7 InsightIDR.
+Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.
+This integration was integrated and tested with cloud version of Rapid7 InsightIDR.
+
 ## Configure Rapid7 InsightIDR on Cortex XSOAR
 
 1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
 2. Search for Rapid7 InsightIDR.
 3. Click **Add instance** to create and configure a new integration instance.
 
-| **Parameter** | **Description** | **Required** |
-| --- | --- | --- |
-| region | Insight cloud server region \(i.e EU\) | True |
-| apiKey | InsightIDR API key | True |
-| isFetch | Fetch incidents | False |
-| incidentType | Incident type | False |
-| first_fetch | First fetch timestamp \(`<number>` `<time unit>`, e.g., 12 hours, 7 days\) | False |
-| max_fetch | Fetch Limit | False |
-| insecure | Trust any certificate \(not secure\) | False |
-| proxy | Use system proxy settings | False |
+    | **Parameter** | **Description** | **Required** |
+    | --- | --- | --- |
+    | Insight cloud server region |  | True |
+    | InsightIDR API key |  | False |
+    | Fetch incidents |  | False |
+    | Incident type |  | False |
+    | First fetch timestamp (&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days) |  | False |
+    | Fetch Limit | Max number of alerts per fetch. Default is 50. | False |
+    | Multi customer | Indicates whether the requester has multi-customer access. | False |
+    | Use API Version 2 by default | Whether to use API version 2 by default for investigation commands (Can be overriden by passing the api_version argument). | False |
+    | Trust any certificate (not secure) |  | False |
+    | Use system proxy settings |  | False |
 
 4. Click **Test** to validate the URLs, token, and connection.
+
 ## Commands
+
 You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
 After you successfully execute a command, a DBot message appears in the War Room with the command details.
+
 ### rapid7-insight-idr-list-investigations
-***
-List open/closed investigations
 
+***
+List all investigations. Retrieve a list of investigations matching the given request parameters. The investigations are sorted by investigation created_time in descending order. Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Detection Rules.
 
 #### Base Command
 
 `rapid7-insight-idr-list-investigations`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| time_range | An optional time range string (i.e 1 week, 1 day) | Optional | 
-| start_time | An optional ISO formatted timestamp. Only investigations whose createTime is after this date will be returned by the api. If this parameter is omitted investigations with any create_time may be returned - Use ISO time format (i.e 2018-07-01T00:00:00Z) | Optional | 
-| end_time | An optional ISO formatted timestamp. Only investigations whose createTime is before this date will be returned by the api. If this parameter is omitted investigations with any create_time may be returned - Use ISO time format (i.e 2018-07-01T00:00:00Z) | Optional | 
-| statuses | Only an investigation whose status matches one of the entries in the list will be returned. If this parameter is omitted investigations with any status may be returned. | Optional | 
-| index | The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0 | Optional | 
-| page_size | The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000 | Optional | 
-
+| --- | --- |--------------|
+| api_version | The InsightIDR API version to request to. Possible values are: V1, V2, Default. Default is Default. | Optional     |
+| index | The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional     |
+| page_size | The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000. | Optional     |
+| limit | The maximum number of records to retrieve. Default is 50. | Optional     |
+| statuses | A comma-separated list of investigation statuses to include in the result. For example, Open,Closed. Possible values are: open, investigating, closed. | Optional     |
+| sources | A comma-separated list of investigation sources to include in the result. For example, User,Alert. Relevant when api_version is V2 only. Possible values are: User, Alert. | Optional     |
+| priorities | A comma-separated list of investigation priorities to include in the result. For example, Low,Medium. Relevant when api_version is V2 only. Possible values are: Unspecified, Low, Medium, High, Critical. | Optional     |
+| assignee_email | A user's email address. Only investigations assigned to that user will be included. For example, test@test.com. | Optional     |
+| time_range | An optional time range string (i.e., 1 week, 1 day). | Optional     |
+| start_time | The time an investigation is opened. Only investigations whose created_time is after this date will be returned by the API. Must be an ISO-formatted timestamp. For example, 2018-07-01T00:00:00Z. Default is 28 days prior. Relevant when api_version is V2 only. | Optional     |
+| end_time | The time an investigation is closed. Only investigations whose created_time is before this date will be returned by the API. Must be an ISO-formatted timestamp. For example, 2018-07-28T23:59:00Z. Default is the current time. Relevant when api_version is V2 only. | Optional     |
+| sort_field | A field for investigations to be sorted by. Relevant when api_version is V2 only. Possible values are: Created time, Priority, RRN Last Created Alert, Last Detection Alert. Default is Created time. | Optional     |
+| sort_direction | The sorting direction. Relevant when api_version is V2 only. Possible values are: ASC, DESC. Default is DESC. | Optional     |
+| tags | A comma-separated list of tags to include in the result. Only investigations who have all specified tags will be included. For example, my_teg,test_tag. Relevant when api_version is V2 only. | Optional     |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Investigation.title | String | Title of investigation | 
-| Rapid7InsightIDR.Investigation.id | String | ID of investigation | 
-| Rapid7InsightIDR.Investigation.status | String | Whether it is open or closed | 
-| Rapid7InsightIDR.Investigation.created_time | String | Time the investigation was created | 
-| Rapid7InsightIDR.Investigation.source | String | Source of the investigation | 
-| Rapid7InsightIDR.Investigation.assignee.email | String | Email of investigation assignee | 
-| Rapid7InsightIDR.Investigation.assignee.name | String | Name of investigation assignee | 
-| Rapid7InsightIDR.Investigation.alert.type | String | Type of alert in the investigation | 
-| Rapid7InsightIDR.Investigation.alert.type_description | String | Type description of alert in the investigation | 
-| Rapid7InsightIDR.Investigation.alert.first_event_time | String | first event time of alert in the investigation | 
-
-
-#### Command Example
-```!rapid7-insight-idr-list-investigations time_range="27 days"```
-
+| Rapid7InsightIDR.Investigation.responsibility | String | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. |
+| Rapid7InsightIDR.Investigation.first_alert_time | String | The create time of the first alert belonging to this investigation \(if any\). Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.latest_alert_time | Date | The create time of the most recent alert belonging to this investigation \(if any\). Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.assignee.email | String | The email of the assigned user \(if any\). |
+| Rapid7InsightIDR.Investigation.assignee.name | String | The name of the assigned user \(if any\). |
+| Rapid7InsightIDR.Investigation.disposition | String | The disposition of this investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.created_time | Date | The time this investigation was created. |
+| Rapid7InsightIDR.Investigation.last_accessed | Date | The time this investigation was last viewed or modified. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.priority | String | The priority of the investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.status | String | The status of the investigation. |
+| Rapid7InsightIDR.Investigation.source | String | How this investigation was generated. |
+| Rapid7InsightIDR.Investigation.title | String | The name of the investigation. |
+| Rapid7InsightIDR.Investigation.organization_id | String | The ID of the organization that owns this investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.rrn | String | The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.id | String | The ID of the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.type | String | Type of alert in the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.type_description | String | The description of the type of alert in the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.first_event_time | String | First event time of the alert in the investigation. Relevant when api_version is V1 only. |
+
+#### Command example
+```!rapid7-insight-idr-list-investigations api_version=V2 limit=1```
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
-        "Investigation": [
-            {
-                "alerts": [],
-                "created_time": "2020-12-29T10:00:00.526Z",
-                "id": "15229912-517a-4bc7-8257-3e7da8205df6",
-                "source": "HUNT",
-                "status": "CLOSED",
-                "title": "forensics 1 job at 20201229T100000.346Z"
-            },
-            {
-                "alerts": [],
-                "created_time": "2020-12-04T10:00:00.515Z",
-                "id": "d3e4c470-1472-49ad-839b-fefa9b0683c5",
-                "source": "HUNT",
-                "status": "CLOSED",
-                "title": "forensics 1 job at 20201204T100000.288Z"
-            },
-            {
-                "alerts": [],
-                "created_time": "2020-12-03T10:00:00.873Z",
-                "id": "ed14f1a1-6806-49a6-8ee4-9f9b7ef1701c",
-                "source": "HUNT",
-                "status": "OPEN",
-                "title": "forensics 1 job at 20201203T100000.405Z"
-            }
-        ]
+        "Investigation": {
+            "assignee": {
+                "email": "test@test.com",
+                "name": "test"
+            },
+            "created_time": "2024-03-05T12:53:02.722Z",
+            "disposition": "NOT_APPLICABLE",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T16:18:19.186Z",
+            "latest_alert_time": null,
+            "organization_id": "123-123-123",
+            "priority": "HIGH",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:123-123-123:investigation:SF6PGC3DEOLJ",
+            "source": "USER",
+            "status": "CLOSED",
+            "title": "demo2025"
+        }
     }
 }
 ```
 
 #### Human Readable Output
 
->### Requested Investigations
->|title|id|status|created_time|source|
->|---|---|---|---|---|
->| forensics 1 job at 20201229T100000.346Z | 15229912-517a-4bc7-8257-3e7da8205df6 | CLOSED | 2020-12-29T10:00:00.526Z | HUNT |
->| forensics 1 job at 20201204T100000.288Z | d3e4c470-1472-49ad-839b-fefa9b0683c5 | CLOSED | 2020-12-04T10:00:00.515Z | HUNT |
->| forensics 1 job at 20201203T100000.405Z | ed14f1a1-6806-49a6-8ee4-9f9b7ef1701c | OPEN | 2020-12-03T10:00:00.873Z | HUNT |
+>### Investigations
+>|Title|Rrn|Status|Created Time|Source|Assignee|Priority|
+>|---|---|---|---|---|---|---|
+>| demo2025 | rrn:investigation:eu:123-123-123:investigation:SF6PGC3DEOLJ | CLOSED | 2024-03-05T12:53:02.722Z | USER | name: test<br/>email: test@test.com | HIGH |
 
 
 ### rapid7-insight-idr-get-investigation
-***
-Get a single open/closed investigation
 
+***
+Get a specific investigation. This investigation is specified by either ID or Rapid7 Resource Names (RRN). (If multi-customer is set to true, the investigation_id must be in the RRN format).
 
 #### Base Command
 
 `rapid7-insight-idr-get-investigation`
-#### Input
 
-| **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| investigation_id | ID of the investigation to get | Required | 
+#### Input
 
+| **Argument Name** | **Description**                                                                                                                                                                                                                   | **Required** |
+| --- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- |
+| api_version | The InsightIDR API version to request to. Possible values are: V1, V2, Default. Default is Default.                                                                                                                               | Optional |
+| investigation_id | The ID or Rapid7 Resource Names (RRN) of the investigation to retrieve. (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs. | Required |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Investigation.title | String | Title of investigation | 
-| Rapid7InsightIDR.Investigation.id | String | ID of investigation | 
-| Rapid7InsightIDR.Investigation.status | String | Whether it is open or closed | 
-| Rapid7InsightIDR.Investigation.created_time | String | Time the investigation was created | 
-| Rapid7InsightIDR.Investigation.source | String | Source of the investigation | 
-| Rapid7InsightIDR.Investigation.assignee.email | String | Email of investigation assignee | 
-| Rapid7InsightIDR.Investigation.assignee.name | String | Name of investigation assignee | 
-| Rapid7InsightIDR.Investigation.alert.type | String | Type of alert in the investigation | 
-| Rapid7InsightIDR.Investigation.alert.type_description | String | Type description of alert in the investigation | 
-| Rapid7InsightIDR.Investigation.alert.first_event_time | String | first event time of alert in the investigation | 
-
-
-#### Command Example
-```!rapid7-insight-idr-get-investigation investigation_id=15229912-517a-4bc7-8257-3e7da8205df6```
-
+| Rapid7InsightIDR.Investigation.responsibility | String | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. |
+| Rapid7InsightIDR.Investigation.first_alert_time | String | The create time of the first alert belonging to this investigation \(if any\). Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.latest_alert_time | Date | The create time of the most recent alert belonging to this investigation \(if any\). Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.assignee.email | String | The email of the assigned user \(if any\). |
+| Rapid7InsightIDR.Investigation.assignee.name | String | The name of the assigned user \(if any\). |
+| Rapid7InsightIDR.Investigation.disposition | String | The disposition of this investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.created_time | Date | The time this investigation was created. |
+| Rapid7InsightIDR.Investigation.last_accessed | Date | The time this investigation was last viewed or modified. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.priority | String | The priority of the investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.status | String | The status of the investigation. |
+| Rapid7InsightIDR.Investigation.source | String | How this investigation was generated. |
+| Rapid7InsightIDR.Investigation.title | String | The name of the investigation. |
+| Rapid7InsightIDR.Investigation.organization_id | String | The ID of the organization that owns this investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.rrn | String | The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.id | String | The ID of the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.type | String | Type of alert in the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.type_description | String | The description of the alert type in the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.first_event_time | String | First event time of alert in the investigation. Relevant when api_version is V1 only. |
+
+#### Command example
+```!rapid7-insight-idr-get-investigation investigation_id=3793645a-6484-4a7e-9228-7aeb4ba97472 api_version=V2```
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
         "Investigation": {
-            "alerts": [],
-            "created_time": "2020-12-29T10:00:00.526Z",
-            "id": "15229912-517a-4bc7-8257-3e7da8205df6",
-            "source": "HUNT",
-            "status": "CLOSED",
-            "title": "forensics 1 job at 20201229T100000.346Z"
+            "assignee": {
+                "email": "test@test.com",
+                "name": "test"
+            },
+            "created_time": "2024-03-05T19:02:28.419Z",
+            "disposition": "UNDECIDED",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T19:07:07.790Z",
+            "latest_alert_time": null,
+            "organization_id": "123-123-123",
+            "priority": "UNSPECIFIED",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2",
+            "source": "USER",
+            "status": "OPEN",
+            "title": "test1"
         }
     }
 }
@@ -156,117 +183,110 @@ Get a single open/closed investigation
 
 #### Human Readable Output
 
->### Investigation Information (id: 15229912-517a-4bc7-8257-3e7da8205df6)
->|title|id|status|created_time|source|
->|---|---|---|---|---|
->| forensics 1 job at 20201229T100000.346Z | 15229912-517a-4bc7-8257-3e7da8205df6 | CLOSED | 2020-12-29T10:00:00.526Z | HUNT |
+>### Investigation "3793645a-6484-4a7e-9228-7aeb4ba97472" Information
+>|Title|Rrn|Status|Created Time|Source|Assignee|Priority|
+>|---|---|---|---|---|---|---|
+>| test1 | rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2 | OPEN | 2024-03-05T19:02:28.419Z | USER | name: test<br/>email: test@test.com | UNSPECIFIED |
 
 
 ### rapid7-insight-idr-close-investigations
-***
-Close several investigations in bulk by time range
 
+***
+Close all investigations that match the provided request parameters. If there are any investigations found associated with Threat Command alerts within the given request parameters, they will be closed in Threat Command with the close reason, "Other".
 
 #### Base Command
 
 `rapid7-insight-idr-close-investigations`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| start_time | An ISO formatted timestamp. Only investigations whose createTime is after this date will be returned by the API. If this parameter is omitted investigations with any create_time may be returned - Use ISO time format (i.e 2018-07-01T00:00:00Z) | Required | 
-| end_time | An ISO formatted timestamp. Only investigations whose createTime is before this date will be returned by the API. If this parameter is omitted investigations with any create_time may be returned - Use ISO time format (i.e 2018-07-01T00:00:00Z) | Required | 
-| source | The name of an investigation source. Only investigations from this source will be closed. If the source is ALERT, an alert type must be specified as well. | Required | 
-| alert_type | The category of alerts that should be closed. This parameter is required if the source is ALERT and ignored for other sources. This value must exactly match the alert type returned by the List Investigations response. | Optional | 
-| max_investigations_to_close | An optional maximum number of alerts to close with this request. If this parameter is not specified then there is no maximum. If this limit is exceeded, then a 400 error response is returned. The minimum value is 0. | Optional | 
-
+| source | The name of an investigation source. Only investigations from this source will be closed. If the source is ALERT, an alert type or a detection rule RRN must be specified as well. Possible values are: ALERT, MANUAL, HUNT. | Required |
+| end_time | An ISO formatted timestamp. Only investigations whose createTime is before this date will be returned by the API. For example, 2018-07-28T23:59:00Z. Default is the current time. | Required |
+| start_time | An ISO formatted timestamp. Only investigations whose createTime is after this date will be returned by the API. For example, 2018-07-01T00:00:00Z. | Required |
+| alert_type | The category of types of alerts that should be closed. Use rapid7-insight-idr-list-investigations or rapid7-insight-idr-list-investigation-alerts to get the alert types. Required when sourceis ALERT. | Optional |
+| disposition | A disposition to set the investigation to. Possible values are: Undecided, Benign, Malicious, Not Applicable. Default is Not Applicable. | Optional |
+| detection_rule_rrn | The Rapid7 Resource Names (RRN) of the detection rule. Only investigations that are associated with this detection rule will be closed. If a detection rule RRN is given, thealert_typeis required to be 'Attacker Behavior Detected'.  Userapid7-insight-idr-get-investigationto retrieve the investigationdetection_rule_rrn. | Optional |
+| max_investigations_to_close | The maximum number of alerts to close. If this parameter is not specified then there is no maximum. The minimum description is 0. | Optional |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Investigation.id | String | ID of investigation | 
+| Rapid7InsightIDR.Investigation.id | String | The ID of the investigation. |
+| Rapid7InsightIDR.Investigation.status | String | The new status (Closed) of the investigation. |
 
-
-#### Command Example
+#### Command example
 ```!rapid7-insight-idr-close-investigations source=HUNT start_time=2020-12-04T10:00:00.515Z end_time=2020-12-29T10:00:00.526Z```
-
-#### Context Example
-```json
-{
-    "Rapid7InsightIDR": {
-        "Investigation": [
-            {
-                "id": "15229912-517a-4bc7-8257-3e7da8205df6",
-                "status": "CLOSED"
-            },
-            {
-                "id": "d3e4c470-1472-49ad-839b-fefa9b0683c5",
-                "status": "CLOSED"
-            }
-        ]
-    }
-}
-```
-
 #### Human Readable Output
 
->### Closed Investigations IDs
->|id|
->|---|
->| 15229912-517a-4bc7-8257-3e7da8205df6,<br/>d3e4c470-1472-49ad-839b-fefa9b0683c5 |
+>### Investigation '[]' (0) was successfully closed.
+>**No entries.**
 
 
 ### rapid7-insight-idr-assign-user
-***
-Assign a user by email to an investigation
 
+***
+Assign a user by email to an investigation. Users will receive an email whenever they are assigned to a new investigation
 
 #### Base Command
 
 `rapid7-insight-idr-assign-user`
-#### Input
 
-| **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| investigation_id | ID of the investigation to assign the user to | Required | 
-| user_email_address | The email address of the user to assign to this Investigation. Same email used to log into the insight platform | Required | 
+#### Input
 
+| **Argument Name** | **Description**                                                                                                                                                                                                                                                     | **Required** |
+| --- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- |
+| api_version | The InsightIDR API version to request to. Possible values are: V1, V2, Default. Default is Default.                                                                                                                                                                 | Optional |
+| investigation_id | Comma-separated list of the ID or Rapid7 Resource Names (RRN) of the investigation to assign the user to. (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs. | Required |
+| user_email_address | The email address of the user to assign to this investigation. This is the same email used to log into the insight platform. For example, test@test.com. Use rapid7-insight-idr-list-users to retrieve the user email list. Relevant when api_version is V2 only.   | Required |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Investigation.title | String | Title of investigation | 
-| Rapid7InsightIDR.Investigation.id | String | ID of investigation | 
-| Rapid7InsightIDR.Investigation.status | String | Whether it is open or closed | 
-| Rapid7InsightIDR.Investigation.created_time | String | Time the investigation was created | 
-| Rapid7InsightIDR.Investigation.source | String | Source of the investigation | 
-| Rapid7InsightIDR.Investigation.assignee.email | String | Email of investigation assignee | 
-| Rapid7InsightIDR.Investigation.assignee.name | String | Name of investigation assignee | 
-| Rapid7InsightIDR.Investigation.alert.type | String | Type of alert in the investigation | 
-| Rapid7InsightIDR.Investigation.alert.type_description | String | Type description of alert in the investigation | 
-| Rapid7InsightIDR.Investigation.alert.first_event_time | String | first event time of alert in the investigation | 
-
-
-#### Command Example
-```!rapid7-insight-idr-assign-user investigation_id=ed475853-05da-4a8a-9f99-b9139d0fe8c0  user_email_address=test@panw.com```
-
+| Rapid7InsightIDR.Investigation.responsibility | String | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.latest_alert_time | String | The create time of the most recent alert belonging to this investigation \(if any\). Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.assignee.email | String | The email of the assigned user. |
+| Rapid7InsightIDR.Investigation.assignee.name | String | The name of the assigned user. |
+| Rapid7InsightIDR.Investigation.disposition | String | The disposition of this investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.created_time | String | The time this investigation was created. |
+| Rapid7InsightIDR.Investigation.last_accessed | String | The time this investigation was last viewed or modified. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.priority | String | The investigations priority. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.status | String | The status of the investigation. |
+| Rapid7InsightIDR.Investigation.source | String | How this investigation was generated. |
+| Rapid7InsightIDR.Investigation.title | String | The name of the investigation. |
+| Rapid7InsightIDR.Investigation.organization_id | String | The ID of the organization that owns this investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.rrn | String | The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.id | String | The ID of the investigation. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.type_description | String | The description of this type of alert \(if any\). Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.type | String | The alert's type. Relevant when api_version is V1 only. |
+| Rapid7InsightIDR.Investigation.alert.first_event_time | String | The create time of the first alert belonging to this investigation \(if any\). Relevant when api_version is V1 only. |
+
+#### Command example
+```!rapid7-insight-idr-assign-user investigation_id=3793645a-6484-4a7e-9228-7aeb4ba97472 user_email_address=test@test.com api_version=V2```
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
         "Investigation": {
-            "alerts": [],
             "assignee": {
-                "email": "test@panw.com",
-                "name": "Yoel Katzir"
-            },
-            "created_time": "2020-11-15T10:00:00.448Z",
-            "id": "ed475853-05da-4a8a-9f99-b9139d0fe8c0",
-            "source": "HUNT",
-            "status": "CLOSED",
-            "title": "forensics 1 job at 20201115T100000.120Z"
+                "email": "test@test.com",
+                "name": "test"
+            },
+            "created_time": "2024-03-05T19:02:28.419Z",
+            "disposition": "UNDECIDED",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T19:07:30.382Z",
+            "latest_alert_time": null,
+            "organization_id": "123-123-123",
+            "priority": "UNSPECIFIED",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2",
+            "source": "USER",
+            "status": "OPEN",
+            "title": "test1"
         }
     }
 }
@@ -274,121 +294,133 @@ Assign a user by email to an investigation
 
 #### Human Readable Output
 
->### Investigation Information (id: ed475853-05da-4a8a-9f99-b9139d0fe8c0)
->|title|id|status|created_time|source|assignee|
->|---|---|---|---|---|---|
->| forensics 1 job at 20201115T100000.120Z | ed475853-05da-4a8a-9f99-b9139d0fe8c0 | CLOSED | 2020-11-15T10:00:00.448Z | HUNT | name: Yoel Katzir<br/>email: test@panw.com |
+>### Investigation '3793645a-6484-4a7e-9228-7aeb4ba97472' was successfully assigned to test@test.com.
+>|Title|Rrn|Status|Created Time|Source|Assignee|Priority|
+>|---|---|---|---|---|---|---|
+>| test1 | rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2 | OPEN | 2024-03-05T19:02:28.419Z | USER | name: test<br/>email: test@test.com | UNSPECIFIED |
 
 
 ### rapid7-insight-idr-set-status
-***
-Set investigation status to open/closed
 
+***
+Set the status of the investigation, which is specified by ID or Rapid7 Resource Names (RRN).
 
 #### Base Command
 
 `rapid7-insight-idr-set-status`
-#### Input
 
-| **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| investigation_id | ID of the investigation to set the status of | Required | 
-| status | The new status for the investigation | Required | 
+#### Input
 
+| **Argument Name** | **Description**                                                                                                                                                                                                                                                                                                                                                                                                                                                       | **Required** |
+| --- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- |
+| api_version | The InsightIDR API version to request to. Possible values are: V1, V2, Default. Default is Default.                                                                                                                                                                                                                                                                                                                                                                   | Optional |
+| investigation_id | Comma-separated list of the ID or Rapid7 Resource Names (RRN) of the investigation to be changed.  (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.                                                                                                                                                                                                          | Required |
+| status | The new status for the investigation.  Open - The default status for all new investigations. Investigating - The investigation is in progress. Waiting - Progress on the investigation has paused while more information is gathered. Closed - The investigation has ended. A disposition must be selected to set this status. Possible values are: open, closed, investigating, waiting.                                                                             | Required |
+| threat_command_free_text | Additional information provided by the user when closing a Threat Command alert. Relevant when status=closed and api_version is V2 only.                                                                                                                                                                                                                                                                                                                              | Optional |
+| threat_command_close_reason | The Threat Command reason for closing, applicable only if the investigation being closed has an associated alert in Threat Command. The Close Reason description depends on the Threat Command alert type. Relevant when status=closed and api_version is V2 only. Possible values are: Problem Solved, Informational Only, Problem We Are Already Aware Of, Not Related To My Company, False Positive, Legitimate Application/ Profile, Company Owned Domain, Other. | Optional |
+| disposition | A disposition to set the investigation to. Relevant when status=closed and api_version is V2 only. Possible values are: benign, malicious, not_applicable.                                                                                                                                                                                                                                                                                                            | Optional |
 
 #### Context Output
 
-| **Path** | **Type** | **Description** |
-| --- | --- | --- |
-| Rapid7InsightIDR.Investigation.title | String | Title of investigation | 
-| Rapid7InsightIDR.Investigation.id | String | ID of investigation | 
-| Rapid7InsightIDR.Investigation.status | String | Whether it is open or closed | 
-| Rapid7InsightIDR.Investigation.created_time | String | Time the investigation was created | 
-| Rapid7InsightIDR.Investigation.source | String | Source of the investigation | 
-| Rapid7InsightIDR.Investigation.assignee_email | String | Email of investigation assignee | 
-| Rapid7InsightIDR.Investigation.assignee_name | String | Name of investigation assignee | 
-| Rapid7InsightIDR.Investigation.alert_type | String | Type of alert in the investigation | 
-
-
-#### Command Example
-```!rapid7-insight-idr-set-status status=open investigation_id=15229912-517a-4bc7-8257-3e7da8205df6,d3e4c470-1472-49ad-839b-fefa9b0683c5```
-
+| **Path**                                              | **Type** | **Description**                                                                                                                                                                                                               |
+|-------------------------------------------------------| --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Rapid7InsightIDR.Investigation.responsibility         | String | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. Relevant when api_version is V2 only. |
+| Rapid7InsightIDR.Investigation.latest_alert_time      | String | The create time of the most recent alert belonging to this investigation \(if any\). Relevant when api_version is V2 only.                                                                                                    |
+| Rapid7InsightIDR.Investigation.assignee.email         | String | The email of the assigned user Relevant when api_version is V2 only.                                                                                                                                                          |
+| Rapid7InsightIDR.Investigation.assignee_email         | String | The email of the assigned user. Relevant when api_version is V2 only.                                                                                                                                                         |
+| Rapid7InsightIDR.Investigation.assignee_name          | String | The name of the assigned user. Relevant when api_version is V1 only.                                                                                                                                                          |
+| Rapid7InsightIDR.Investigation.alert.type | String | The alert's type. Relevant when api_version is V1 only.                                                                                                                                                                       |
+| Rapid7InsightIDR.Investigation.assignee.name          | String | The name of the assigned user. Relevant when api_version is V2 only.                                                                                                                                                          |
+| Rapid7InsightIDR.Investigation.disposition            | String | The disposition of this investigation. Relevant when api_version is V2 only.                                                                                                                                                  |
+| Rapid7InsightIDR.Investigation.created_time           | String | The time this investigation was created.                                                                                                                                                                                      |
+| Rapid7InsightIDR.Investigation.last_accessed          | String | The time this investigation was last viewed or modified. Relevant when api_version is V2 only.                                                                                                                                |
+| Rapid7InsightIDR.Investigation.priority               | String | The investigations priority. Relevant when api_version is V2 only.                                                                                                                                                            |
+| Rapid7InsightIDR.Investigation.status                 | String | The status of the investigation.                                                                                                                                                                                              |
+| Rapid7InsightIDR.Investigation.source                 | String | How this investigation was generated.                                                                                                                                                                                         |
+| Rapid7InsightIDR.Investigation.title                  | String | The name of the investigation.                                                                                                                                                                                                |
+| Rapid7InsightIDR.Investigation.organization_id        | String | The ID of the organization that owns this investigation. Relevant when api_version is V2 only.                                                                                                                                |
+| Rapid7InsightIDR.Investigation.rrn                    | String | The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only.                                                                                                                                         |
+| Rapid7InsightIDR.Investigation.id                     | String | The ID of the investigation. Relevant when api_version is V1 only.                                                                                                                                                            |
+| Rapid7InsightIDR.Investigation.alert.type_description | String | The description of this type of alert \(if any\). Relevant when api_version is V1 only.                                                                                                                                       |
+| Rapid7InsightIDR.Investigation.alert.type             | String | The alert's type. Relevant when api_version is V2 only.                                                                                                                                                                       |
+| Rapid7InsightIDR.Investigation.alert_type             | String | The alert's type. Relevant when api_version is V1 only.                                                                                                                                                                       |
+| Rapid7InsightIDR.Investigation.alert.first_event_time | String | The create time of the first alert belonging to this investigation \(if any\). Relevant when api_version is V1 only.                                                                                                          |
+
+#### Command example
+```!rapid7-insight-idr-set-status status=open investigation_id=3793645a-6484-4a7e-9228-7aeb4ba97472 api_version=V2```
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
-        "Investigation": [
-            {
-                "alerts": [],
-                "created_time": "2020-12-29T10:00:00.526Z",
-                "id": "15229912-517a-4bc7-8257-3e7da8205df6",
-                "source": "HUNT",
-                "status": "OPEN",
-                "title": "forensics 1 job at 20201229T100000.346Z"
-            },
-            {
-                "alerts": [],
-                "created_time": "2020-12-04T10:00:00.515Z",
-                "id": "d3e4c470-1472-49ad-839b-fefa9b0683c5",
-                "source": "HUNT",
-                "status": "OPEN",
-                "title": "forensics 1 job at 20201204T100000.288Z"
-            }
-        ]
+        "Investigation": {
+            "assignee": {
+                "email": "test@test.com",
+                "name": "test"
+            },
+            "created_time": "2024-03-05T19:02:28.419Z",
+            "disposition": "UNDECIDED",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T19:07:33.509Z",
+            "latest_alert_time": null,
+            "organization_id": "123-123-123",
+            "priority": "UNSPECIFIED",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2",
+            "source": "USER",
+            "status": "OPEN",
+            "title": "test1"
+        }
     }
 }
 ```
 
 #### Human Readable Output
 
->### Investigation Information (id: 15229912-517a-4bc7-8257-3e7da8205df6,d3e4c470-1472-49ad-839b-fefa9b0683c5)
->|title|id|status|created_time|source|
->|---|---|---|---|---|
->| forensics 1 job at 20201229T100000.346Z | 15229912-517a-4bc7-8257-3e7da8205df6 | OPEN | 2020-12-29T10:00:00.526Z | HUNT |
->| forensics 1 job at 20201204T100000.288Z | d3e4c470-1472-49ad-839b-fefa9b0683c5 | OPEN | 2020-12-04T10:00:00.515Z | HUNT |
+>### Investigation '3793645a-6484-4a7e-9228-7aeb4ba97472' status was successfully updated to open.
+>|Title|Rrn|Status|Created Time|Source|Assignee|Priority|
+>|---|---|---|---|---|---|---|
+>| test1 | rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2 | OPEN | 2024-03-05T19:02:28.419Z | USER | name: test<br/>email: test@test.com | UNSPECIFIED |
 
 
 ### rapid7-insight-idr-add-threat-indicators
-***
-Add new indicators to a threat
 
+***
+Adds new indicators to a threat (IP addresses, hashes, domains, and URLs).
 
 #### Base Command
 
 `rapid7-insight-idr-add-threat-indicators`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| key | Key of the threat (or threats) to add indicators to | Required | 
-| ip_addresses | IPs indicators to add | Optional | 
-| hashes | hashes indicators to add | Optional | 
-| domain_names | Domain indicators to add | Optional | 
-| url | URL indicators to add | Optional | 
-
+| key | Key of the threat (or threats) to add indicators to. | Required |
+| ip_addresses | IP address indicators to add. | Optional |
+| hashes | Hash indicators to add. | Optional |
+| domain_names | Domain indicators to add. | Optional |
+| url | URL indicators to add. | Optional |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Threat.name | String | Name of the Threat. | 
-| Rapid7InsightIDR.Threat.note | String | Notes for the Threat. | 
-| Rapid7InsightIDR.Threat.indicator_count | Number | How many indicators the threat has. | 
-| Rapid7InsightIDR.Threat.published | Boolean | Whether or not the threat is published. | 
-
-
-#### Command Example
-```!rapid7-insight-idr-add-threat-indicators key=75fd98f3-a88c-475e-be39-ad9e44ecc6db ip_addresses=x.x.x.x```
+| Rapid7InsightIDR.Threat.name | String | Name of the threat. |
+| Rapid7InsightIDR.Threat.note | String | Notes for the threat. |
+| Rapid7InsightIDR.Threat.indicator_count | Number | How many indicators the threat has. |
+| Rapid7InsightIDR.Threat.published | Boolean | Whether or not the threat is published. |
 
+#### Command example
+```!rapid7-insight-idr-add-threat-indicators key=76b06783-83cb-4018-b828-82a917278940 ip_addresses=20.20.20.20```
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
         "Threat": {
             "indicator_count": 2,
-            "name": "Threat2",
-            "note": "This is Threat2 desciption",
-            "published": false
+            "name": "test",
+            "note": "",
+            "published": true
         }
     }
 }
@@ -396,53 +428,51 @@ Add new indicators to a threat
 
 #### Human Readable Output
 
->### Threat Information (key: 75fd98f3-a88c-475e-be39-ad9e44ecc6db)
->|name|note|indicator_count|published|
->|---|---|---|---|
->| Threat2 | This is Threat2 desciption | 2 | false |
+>### Threat Information (key: 76b06783-83cb-4018-b828-82a917278940)
+>|name|indicator_count|published|
+>|---|---|---|
+>| test | 2 | true |
 
 
 ### rapid7-insight-idr-replace-threat-indicators
-***
-Delete existing indicators and insert new ones.
 
+***
+Deletes existing indicators from a threat and adds new indicators to the threat.
 
 #### Base Command
 
 `rapid7-insight-idr-replace-threat-indicators`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| key | Key of the threat (or threats) to replace indicators for | Required | 
-| ip_addresses | IPs indicators to add | Optional | 
-| hashes | hashes indicators to add | Optional | 
-| domain_names | Domain indicators to add | Optional | 
-| url | URL indicators to add | Optional | 
-
+| key | Key of the threat (or threats) to replace indicators for. | Required |
+| ip_addresses | IP address indicators to add. | Optional |
+| hashes | Hash indicators to add. | Optional |
+| domain_names | Domain indicators to add. | Optional |
+| url | URL indicators to add. | Optional |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Threat.name | String | Name of the Threat. | 
-| Rapid7InsightIDR.Threat.note | String | Notes for the Threat. | 
-| Rapid7InsightIDR.Threat.indicator_count | Number | How many indicators the threat has. | 
-| Rapid7InsightIDR.Threat.published | Boolean | Whether or not the threat is published. | 
-
-
-#### Command Example
-```!rapid7-insight-idr-replace-threat-indicators key=75fd98f3-a88c-475e-be39-ad9e44ecc6db ip_addresses=x.x.x.x```
+| Rapid7InsightIDR.Threat.name | String | Name of the threat. |
+| Rapid7InsightIDR.Threat.note | String | Notes for the threat. |
+| Rapid7InsightIDR.Threat.indicator_count | Number | How many indicators the threat has. |
+| Rapid7InsightIDR.Threat.published | Boolean | Whether or not the threat is published. |
 
+#### Command example
+```!rapid7-insight-idr-replace-threat-indicators key=76b06783-83cb-4018-b828-82a917278940 ip_addresses=30.30.30.30```
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
         "Threat": {
             "indicator_count": 1,
-            "name": "Threat2",
-            "note": "This is Threat2 desciption",
-            "published": false
+            "name": "test",
+            "note": "",
+            "published": true
         }
     }
 }
@@ -450,102 +480,96 @@ Delete existing indicators and insert new ones.
 
 #### Human Readable Output
 
->### Threat Information (key: 75fd98f3-a88c-475e-be39-ad9e44ecc6db)
->|name|note|indicator_count|published|
->|---|---|---|---|
->| Threat2 | This is Threat2 desciption | 1 | false |
+>### Threat Information (key: 76b06783-83cb-4018-b828-82a917278940)
+>|name|indicator_count|published|
+>|---|---|---|
+>| test | 1 | true |
 
 
 ### rapid7-insight-idr-list-logs
-***
-List all existing logs for an account
 
+***
+Lists all existing logs for an account.
 
 #### Base Command
 
 `rapid7-insight-idr-list-logs`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
 
-
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Log.name | String | Log name | 
-| Rapid7InsightIDR.Log.id | String | Log ID | 
+| Rapid7InsightIDR.Log.name | String | Log name. |
+| Rapid7InsightIDR.Log.id | String | Log ID. |
 
-
-#### Command Example
+#### Command example
 ```!rapid7-insight-idr-list-logs```
-
 #### Context Example
 ```json
 {
     "Rapid7InsightIDR": {
         "Log": [
             {
-                "id": "a668beb0-a769-4329-9c95-eeef55fb33d3",
+                "id": "ee919c89-22c7-490e-be3e-db8994ee21cb",
                 "links": [
                     {
-                        "href": "https://us.api.insight.rapid7.com/log_search/management/logs/a668beb0-a769-4329-9c95-eeef55fb33d3/topkeys",
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/ee919c89-22c7-490e-be3e-db8994ee21cb/topkeys",
                         "rel": "Related"
                     }
                 ],
                 "logsets_info": [
                     {
-                        "id": "c826ff7f-683a-4f9c-9167-9edec6979bbb",
+                        "id": "ef427412-18cb-4f23-af30-a36e8efb4efb",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logsets/c826ff7f-683a-4f9c-9167-9edec6979bbb",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/ef427412-18cb-4f23-af30-a36e8efb4efb",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "Unparsed Data",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:c826ff7f-683a-4f9c-9167-9edec6979bbb"
+                        "name": "Audit Logs",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:ef427412-18cb-4f23-af30-a36e8efb4efb"
                     }
                 ],
-                "name": "Windows Defender",
+                "name": "InsightIDR Investigations",
                 "retention_period": "default",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:a668beb0-a769-4329-9c95-eeef55fb33d3",
-                "source_type": "token",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:ee919c89-22c7-490e-be3e-db8994ee21cb",
+                "source_type": "internal",
                 "structures": [
-                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                    "fa6a4440-4579-4a03-be08-c259a84db062"
                 ],
                 "token_seed": null,
-                "tokens": [
-                    "3fcfc8c1-32f7-4d97-9a1b-bd372236dfe5"
-                ],
-                "user_data": {
-                    "platform_managed": "true"
-                }
+                "tokens": [],
+                "user_data": {}
             },
             {
-                "id": "82b2969c-8597-41a3-9e2a-4bce4d0f6ab6",
+                "id": "17803c57-9124-43d1-a5d1-1e974042b481",
                 "links": [
                     {
-                        "href": "https://us.api.insight.rapid7.com/log_search/management/logs/82b2969c-8597-41a3-9e2a-4bce4d0f6ab6/topkeys",
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/17803c57-9124-43d1-a5d1-1e974042b481/topkeys",
                         "rel": "Related"
                     }
                 ],
                 "logsets_info": [
                     {
-                        "id": "f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                        "id": "e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logsets/f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                                 "rel": "Self"
                             }
                         ],
                         "name": "Internal Logs",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:f6e6410d-deb4-4b56-9c90-300f4cdaf46d"
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:e4f0787b-ff40-4587-986f-42ee27e7ffc0"
                     }
                 ],
                 "name": "Web Access Log",
                 "retention_period": "default",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:82b2969c-8597-41a3-9e2a-4bce4d0f6ab6",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:17803c57-9124-43d1-a5d1-1e974042b481",
                 "source_type": "internal",
                 "structures": [],
                 "token_seed": null,
@@ -553,29 +577,29 @@ List all existing logs for an account
                 "user_data": {}
             },
             {
-                "id": "bd65dfa8-7ddf-42b0-bf8c-27853bca1618",
+                "id": "fdf33f7b-edf9-4e2c-98f3-527ab62e124c",
                 "links": [
                     {
-                        "href": "https://us.api.insight.rapid7.com/log_search/management/logs/bd65dfa8-7ddf-42b0-bf8c-27853bca1618/topkeys",
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/fdf33f7b-edf9-4e2c-98f3-527ab62e124c/topkeys",
                         "rel": "Related"
                     }
                 ],
                 "logsets_info": [
                     {
-                        "id": "f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                        "id": "e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logsets/f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                                 "rel": "Self"
                             }
                         ],
                         "name": "Internal Logs",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:f6e6410d-deb4-4b56-9c90-300f4cdaf46d"
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:e4f0787b-ff40-4587-986f-42ee27e7ffc0"
                     }
                 ],
                 "name": "Alert Audit Log",
                 "retention_period": "default",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:bd65dfa8-7ddf-42b0-bf8c-27853bca1618",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:fdf33f7b-edf9-4e2c-98f3-527ab62e124c",
                 "source_type": "internal",
                 "structures": [
                     "fa6a4440-4579-4a03-be08-c259a84db062"
@@ -585,101 +609,183 @@ List all existing logs for an account
                 "user_data": {}
             },
             {
-                "id": "ab5a7594-5fde-4c5c-9ee6-e67291f0a40c",
+                "id": "3a813f0d-a3a8-47f8-b69e-67ff327f4383",
                 "links": [
                     {
-                        "href": "https://us.api.insight.rapid7.com/log_search/management/logs/ab5a7594-5fde-4c5c-9ee6-e67291f0a40c/topkeys",
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/3a813f0d-a3a8-47f8-b69e-67ff327f4383/topkeys",
                         "rel": "Related"
                     }
                 ],
                 "logsets_info": [
                     {
-                        "id": "74c4af9d-2673-4bc2-b8e8-afe3d1354987",
+                        "id": "86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logsets/74c4af9d-2673-4bc2-b8e8-afe3d1354987",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "Asset Authentication",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:74c4af9d-2673-4bc2-b8e8-afe3d1354987"
+                        "name": "Endpoint Activity",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:86484c1c-7aa8-4316-bb0d-bdb8e479e65b"
                     }
                 ],
-                "name": "Endpoint Agents",
+                "name": "Netbios Poisoning",
                 "retention_period": "default",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:ab5a7594-5fde-4c5c-9ee6-e67291f0a40c",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:3a813f0d-a3a8-47f8-b69e-67ff327f4383",
                 "source_type": "token",
                 "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
                     "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
                 ],
                 "token_seed": null,
                 "tokens": [
-                    "b6c9d703-d3b5-4752-b24f-2aaf76bb7932"
+                    "6db7d337-b7ca-435b-babf-63efb6f8a9c3"
                 ],
                 "user_data": {
+                    "le_expire_backup": "false",
+                    "le_log_type": "eet",
                     "platform_managed": "true"
                 }
             },
             {
-                "id": "7efaf894-cf8a-4ed2-9495-77395bf2e5a6",
+                "id": "f1242448-a2ae-436a-925e-adebd71cbce5",
                 "links": [
                     {
-                        "href": "https://us.api.insight.rapid7.com/log_search/management/logs/7efaf894-cf8a-4ed2-9495-77395bf2e5a6/topkeys",
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/f1242448-a2ae-436a-925e-adebd71cbce5/topkeys",
                         "rel": "Related"
                     }
                 ],
                 "logsets_info": [
                     {
-                        "id": "5e6303c5-ef5e-4384-b1f7-13668a4a0d39",
+                        "id": "27bf96d8-4ec0-49ad-a3a7-4f6cdfb24354",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logsets/5e6303c5-ef5e-4384-b1f7-13668a4a0d39",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/27bf96d8-4ec0-49ad-a3a7-4f6cdfb24354",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "Raw Log",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:5e6303c5-ef5e-4384-b1f7-13668a4a0d39"
+                        "name": "Endpoint Health",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:27bf96d8-4ec0-49ad-a3a7-4f6cdfb24354"
                     }
                 ],
-                "name": "PersonalLogs",
+                "name": "Job Status",
                 "retention_period": "default",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:7efaf894-cf8a-4ed2-9495-77395bf2e5a6",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:f1242448-a2ae-436a-925e-adebd71cbce5",
                 "source_type": "token",
                 "structures": [
-                    "fa6a4440-4579-4a03-be08-c259a84db062"
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "9a9d3e69-44f2-4233-beae-ecc766c93b90"
+                ],
+                "user_data": {
+                    "le_expire_backup": "false",
+                    "le_log_type": "eet",
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "676e5e4e-638e-4df5-b6a5-3a92a5c858ac",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/676e5e4e-638e-4df5-b6a5-3a92a5c858ac/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "0d1b319d-d2ca-4427-945c-5af8fc9c9f59",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/0d1b319d-d2ca-4427-945c-5af8fc9c9f59",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Unparsed Data",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:0d1b319d-d2ca-4427-945c-5af8fc9c9f59"
+                    }
+                ],
+                "name": "Windows Defender",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:676e5e4e-638e-4df5-b6a5-3a92a5c858ac",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "b8566a56-d0f6-4898-ab33-0edeeb223941"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "8b780f32-a897-42e9-a0ef-d48278e7ea89",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/8b780f32-a897-42e9-a0ef-d48278e7ea89/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Endpoint Activity",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:86484c1c-7aa8-4316-bb0d-bdb8e479e65b"
+                    }
+                ],
+                "name": "Local Service Creation",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:8b780f32-a897-42e9-a0ef-d48278e7ea89",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
                 ],
                 "token_seed": null,
                 "tokens": [
-                    "47b697be-f283-4257-876e-c4c716563ef7"
+                    "e6ef532f-47cb-42f6-be41-e8f767768279"
                 ],
                 "user_data": {
+                    "le_expire_backup": "false",
+                    "le_log_type": "eet",
                     "platform_managed": "true"
                 }
             },
             {
-                "id": "c5f51e68-809f-4272-b714-275f3019ddd5",
+                "id": "196d3f6e-d92c-40df-88b0-5c622da6396b",
                 "links": [
                     {
-                        "href": "https://us.api.insight.rapid7.com/log_search/management/logs/c5f51e68-809f-4272-b714-275f3019ddd5/topkeys",
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/196d3f6e-d92c-40df-88b0-5c622da6396b/topkeys",
                         "rel": "Related"
                     }
                 ],
                 "logsets_info": [
                     {
-                        "id": "f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                        "id": "e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logsets/f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                                 "rel": "Self"
                             }
                         ],
                         "name": "Internal Logs",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:f6e6410d-deb4-4b56-9c90-300f4cdaf46d"
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:e4f0787b-ff40-4587-986f-42ee27e7ffc0"
                     }
                 ],
                 "name": "Log Updates",
                 "retention_period": "default",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:c5f51e68-809f-4272-b714-275f3019ddd5",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:196d3f6e-d92c-40df-88b0-5c622da6396b",
                 "source_type": "internal",
                 "structures": [
                     "fa6a4440-4579-4a03-be08-c259a84db062"
@@ -687,6 +793,304 @@ List all existing logs for an account
                 "token_seed": null,
                 "tokens": [],
                 "user_data": {}
+            },
+            {
+                "id": "ed3599b4-a857-47ed-bde5-4e9baf9c6864",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/ed3599b4-a857-47ed-bde5-4e9baf9c6864/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "0122d7b5-6632-47c0-abf0-68c8545a6fd4",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/0122d7b5-6632-47c0-abf0-68c8545a6fd4",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Virus Alert",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:0122d7b5-6632-47c0-abf0-68c8545a6fd4"
+                    }
+                ],
+                "name": "Endpoint Agents",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:ed3599b4-a857-47ed-bde5-4e9baf9c6864",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "3ddf97fb-d590-4b9f-a312-1ca8aebbba76"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "d04903f1-a710-4c6c-ac16-0bf2e39f411d",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/d04903f1-a710-4c6c-ac16-0bf2e39f411d/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Endpoint Activity",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:86484c1c-7aa8-4316-bb0d-bdb8e479e65b"
+                    }
+                ],
+                "name": "Process Start Events",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:d04903f1-a710-4c6c-ac16-0bf2e39f411d",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "ba013edf-2877-4a80-819c-006b5e8c06de"
+                ],
+                "user_data": {
+                    "le_expire_backup": "false",
+                    "le_log_type": "eet",
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "7bd5dbe6-9745-4386-8ff9-44c3cc2d5883",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/7bd5dbe6-9745-4386-8ff9-44c3cc2d5883/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "e4a59aa9-d8ef-45ee-af04-eb6fc929c1cf",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/e4a59aa9-d8ef-45ee-af04-eb6fc929c1cf",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Active Directory Admin Activity",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:e4a59aa9-d8ef-45ee-af04-eb6fc929c1cf"
+                    }
+                ],
+                "name": "Endpoint Agents",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:7bd5dbe6-9745-4386-8ff9-44c3cc2d5883",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "a84f5643-f816-47bb-9133-fc8c3add4359"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "b4d09423-9d8f-4eb3-9638-657a3b6824d5",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/b4d09423-9d8f-4eb3-9638-657a3b6824d5/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "78677867-e594-462a-aaad-923fe45d6efe",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/78677867-e594-462a-aaad-923fe45d6efe",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Host To IP Observations",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:78677867-e594-462a-aaad-923fe45d6efe"
+                    }
+                ],
+                "name": "Endpoint Agents",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:b4d09423-9d8f-4eb3-9638-657a3b6824d5",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "3e99ac75-0c5d-4472-83a6-ace858ebbba4"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "0a6a2612-e8c8-454a-a1bf-62e4d3f17304",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/0a6a2612-e8c8-454a-a1bf-62e4d3f17304/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "91de4b59-8324-45ed-8994-4604d918eb8d",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/91de4b59-8324-45ed-8994-4604d918eb8d",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Asset Authentication",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:91de4b59-8324-45ed-8994-4604d918eb8d"
+                    }
+                ],
+                "name": "Endpoint Agents",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:0a6a2612-e8c8-454a-a1bf-62e4d3f17304",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "c596d84d-9e56-4d98-9b2b-7fcb347376ef"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "1dc31fad-20e9-4946-856e-7da6ddf8910e",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/1dc31fad-20e9-4946-856e-7da6ddf8910e/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "0122d7b5-6632-47c0-abf0-68c8545a6fd4",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/0122d7b5-6632-47c0-abf0-68c8545a6fd4",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Virus Alert",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:0122d7b5-6632-47c0-abf0-68c8545a6fd4"
+                    }
+                ],
+                "name": "Carbon",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:1dc31fad-20e9-4946-856e-7da6ddf8910e",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "4581d7af-ea5b-40fc-b119-c57bf473b44f"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "9355519b-cbc7-4e78-82aa-70e468ee2599",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/9355519b-cbc7-4e78-82aa-70e468ee2599/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "665aa34b-e489-4b78-a020-76203dbb2eea",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/665aa34b-e489-4b78-a020-76203dbb2eea",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "File Access Activity",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:665aa34b-e489-4b78-a020-76203dbb2eea"
+                    }
+                ],
+                "name": "Endpoint Agents",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:9355519b-cbc7-4e78-82aa-70e468ee2599",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "69106621-037b-4040-91f2-8a6d2d074f9b"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "id": "a679d822-bd3c-4807-a16d-4efd8ca248ab",
+                "links": [
+                    {
+                        "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/a679d822-bd3c-4807-a16d-4efd8ca248ab/topkeys",
+                        "rel": "Related"
+                    }
+                ],
+                "logsets_info": [
+                    {
+                        "id": "02f12c43-91b8-44d4-969e-8a5216781a5c",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logsets/02f12c43-91b8-44d4-969e-8a5216781a5c",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "File Modification Activity",
+                        "rrn": "rrn:logsearch:eu:123-123-123:logset:02f12c43-91b8-44d4-969e-8a5216781a5c"
+                    }
+                ],
+                "name": "Endpoint Agents",
+                "retention_period": "default",
+                "rrn": "rrn:logsearch:eu:123-123-123:log:a679d822-bd3c-4807-a16d-4efd8ca248ab",
+                "source_type": "token",
+                "structures": [
+                    "9bceaf29-b72b-4259-94e4-0300e170157d",
+                    "12d8ca9d-3b1b-4a36-b564-45de5f8425e9"
+                ],
+                "token_seed": null,
+                "tokens": [
+                    "91e38fb4-3e44-4c42-80d2-ba50a73944be"
+                ],
+                "user_data": {
+                    "platform_managed": "true"
+                }
             }
         ]
     }
@@ -698,39 +1102,47 @@ List all existing logs for an account
 >### List Logs
 >|name|id|
 >|---|---|
->| Windows Defender | a668beb0-a769-4329-9c95-eeef55fb33d3 |
->| Web Access Log | 82b2969c-8597-41a3-9e2a-4bce4d0f6ab6 |
->| Alert Audit Log | bd65dfa8-7ddf-42b0-bf8c-27853bca1618 |
->| Endpoint Agents | ab5a7594-5fde-4c5c-9ee6-e67291f0a40c |
->| PersonalLogs | 7efaf894-cf8a-4ed2-9495-77395bf2e5a6 |
->| Log Updates | c5f51e68-809f-4272-b714-275f3019ddd5 |
+>| InsightIDR Investigations | ee919c89-22c7-490e-be3e-db8994ee21cb |
+>| Web Access Log | 17803c57-9124-43d1-a5d1-1e974042b481 |
+>| Alert Audit Log | fdf33f7b-edf9-4e2c-98f3-527ab62e124c |
+>| Netbios Poisoning | 3a813f0d-a3a8-47f8-b69e-67ff327f4383 |
+>| Job Status | f1242448-a2ae-436a-925e-adebd71cbce5 |
+>| Windows Defender | 676e5e4e-638e-4df5-b6a5-3a92a5c858ac |
+>| Local Service Creation | 8b780f32-a897-42e9-a0ef-d48278e7ea89 |
+>| Log Updates | 196d3f6e-d92c-40df-88b0-5c622da6396b |
+>| Endpoint Agents | ed3599b4-a857-47ed-bde5-4e9baf9c6864 |
+>| Process Start Events | d04903f1-a710-4c6c-ac16-0bf2e39f411d |
+>| Endpoint Agents | 7bd5dbe6-9745-4386-8ff9-44c3cc2d5883 |
+>| Endpoint Agents | b4d09423-9d8f-4eb3-9638-657a3b6824d5 |
+>| Endpoint Agents | 0a6a2612-e8c8-454a-a1bf-62e4d3f17304 |
+>| Carbon | 1dc31fad-20e9-4946-856e-7da6ddf8910e |
+>| Endpoint Agents | 9355519b-cbc7-4e78-82aa-70e468ee2599 |
+>| Endpoint Agents | a679d822-bd3c-4807-a16d-4efd8ca248ab |
 
 
 ### rapid7-insight-idr-list-log-sets
-***
-List all existing log sets for an account
 
+***
+Lists all existing log sets for your InsightsIDR instance.
 
 #### Base Command
 
 `rapid7-insight-idr-list-log-sets`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
 
-
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.LogSet.name | String | Log name | 
-| Rapid7InsightIDR.LogSet.id | String | Log ID | 
-
+| Rapid7InsightIDR.LogSet.name | String | Log name. |
+| Rapid7InsightIDR.LogSet.id | String | Log ID. |
 
-#### Command Example
+#### Command example
 ```!rapid7-insight-idr-list-log-sets```
-
 #### Context Example
 ```json
 {
@@ -738,108 +1150,293 @@ List all existing log sets for an account
         "LogSet": [
             {
                 "description": null,
-                "id": "f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                "id": "665aa34b-e489-4b78-a020-76203dbb2eea",
+                "logs_info": [
+                    {
+                        "id": "9355519b-cbc7-4e78-82aa-70e468ee2599",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/9355519b-cbc7-4e78-82aa-70e468ee2599",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Endpoint Agents",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:9355519b-cbc7-4e78-82aa-70e468ee2599"
+                    }
+                ],
+                "name": "File Access Activity",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:665aa34b-e489-4b78-a020-76203dbb2eea",
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "description": null,
+                "id": "ef427412-18cb-4f23-af30-a36e8efb4efb",
+                "logs_info": [
+                    {
+                        "id": "ee919c89-22c7-490e-be3e-db8994ee21cb",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/ee919c89-22c7-490e-be3e-db8994ee21cb",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "InsightIDR Investigations",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:ee919c89-22c7-490e-be3e-db8994ee21cb"
+                    }
+                ],
+                "name": "Audit Logs",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:ef427412-18cb-4f23-af30-a36e8efb4efb",
+                "user_data": {}
+            },
+            {
+                "description": null,
+                "id": "27bf96d8-4ec0-49ad-a3a7-4f6cdfb24354",
+                "logs_info": [
+                    {
+                        "id": "f1242448-a2ae-436a-925e-adebd71cbce5",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/f1242448-a2ae-436a-925e-adebd71cbce5",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Job Status",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:f1242448-a2ae-436a-925e-adebd71cbce5"
+                    }
+                ],
+                "name": "Endpoint Health",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:27bf96d8-4ec0-49ad-a3a7-4f6cdfb24354",
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "description": null,
+                "id": "0122d7b5-6632-47c0-abf0-68c8545a6fd4",
+                "logs_info": [
+                    {
+                        "id": "1dc31fad-20e9-4946-856e-7da6ddf8910e",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/1dc31fad-20e9-4946-856e-7da6ddf8910e",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Carbon",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:1dc31fad-20e9-4946-856e-7da6ddf8910e"
+                    },
+                    {
+                        "id": "ed3599b4-a857-47ed-bde5-4e9baf9c6864",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/ed3599b4-a857-47ed-bde5-4e9baf9c6864",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Endpoint Agents",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:ed3599b4-a857-47ed-bde5-4e9baf9c6864"
+                    }
+                ],
+                "name": "Virus Alert",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:0122d7b5-6632-47c0-abf0-68c8545a6fd4",
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "description": null,
+                "id": "02f12c43-91b8-44d4-969e-8a5216781a5c",
+                "logs_info": [
+                    {
+                        "id": "a679d822-bd3c-4807-a16d-4efd8ca248ab",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/a679d822-bd3c-4807-a16d-4efd8ca248ab",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Endpoint Agents",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:a679d822-bd3c-4807-a16d-4efd8ca248ab"
+                    }
+                ],
+                "name": "File Modification Activity",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:02f12c43-91b8-44d4-969e-8a5216781a5c",
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "description": null,
+                "id": "91de4b59-8324-45ed-8994-4604d918eb8d",
+                "logs_info": [
+                    {
+                        "id": "0a6a2612-e8c8-454a-a1bf-62e4d3f17304",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/0a6a2612-e8c8-454a-a1bf-62e4d3f17304",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Endpoint Agents",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:0a6a2612-e8c8-454a-a1bf-62e4d3f17304"
+                    }
+                ],
+                "name": "Asset Authentication",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:91de4b59-8324-45ed-8994-4604d918eb8d",
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "description": null,
+                "id": "0d1b319d-d2ca-4427-945c-5af8fc9c9f59",
+                "logs_info": [
+                    {
+                        "id": "676e5e4e-638e-4df5-b6a5-3a92a5c858ac",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/676e5e4e-638e-4df5-b6a5-3a92a5c858ac",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Windows Defender",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:676e5e4e-638e-4df5-b6a5-3a92a5c858ac"
+                    }
+                ],
+                "name": "Unparsed Data",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:0d1b319d-d2ca-4427-945c-5af8fc9c9f59",
+                "user_data": {
+                    "platform_managed": "true"
+                }
+            },
+            {
+                "description": null,
+                "id": "e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                 "logs_info": [
                     {
-                        "id": "82b2969c-8597-41a3-9e2a-4bce4d0f6ab6",
+                        "id": "17803c57-9124-43d1-a5d1-1e974042b481",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logs/82b2969c-8597-41a3-9e2a-4bce4d0f6ab6",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/17803c57-9124-43d1-a5d1-1e974042b481",
                                 "rel": "Self"
                             }
                         ],
                         "name": "Web Access Log",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:82b2969c-8597-41a3-9e2a-4bce4d0f6ab6"
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:17803c57-9124-43d1-a5d1-1e974042b481"
                     },
                     {
-                        "id": "bd65dfa8-7ddf-42b0-bf8c-27853bca1618",
+                        "id": "196d3f6e-d92c-40df-88b0-5c622da6396b",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logs/bd65dfa8-7ddf-42b0-bf8c-27853bca1618",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/196d3f6e-d92c-40df-88b0-5c622da6396b",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "Alert Audit Log",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:bd65dfa8-7ddf-42b0-bf8c-27853bca1618"
+                        "name": "Log Updates",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:196d3f6e-d92c-40df-88b0-5c622da6396b"
                     },
                     {
-                        "id": "c5f51e68-809f-4272-b714-275f3019ddd5",
+                        "id": "fdf33f7b-edf9-4e2c-98f3-527ab62e124c",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logs/c5f51e68-809f-4272-b714-275f3019ddd5",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/fdf33f7b-edf9-4e2c-98f3-527ab62e124c",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "Log Updates",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:c5f51e68-809f-4272-b714-275f3019ddd5"
+                        "name": "Alert Audit Log",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:fdf33f7b-edf9-4e2c-98f3-527ab62e124c"
                     }
                 ],
                 "name": "Internal Logs",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:f6e6410d-deb4-4b56-9c90-300f4cdaf46d",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:e4f0787b-ff40-4587-986f-42ee27e7ffc0",
                 "user_data": {}
             },
             {
                 "description": null,
-                "id": "74c4af9d-2673-4bc2-b8e8-afe3d1354987",
+                "id": "e4a59aa9-d8ef-45ee-af04-eb6fc929c1cf",
                 "logs_info": [
                     {
-                        "id": "ab5a7594-5fde-4c5c-9ee6-e67291f0a40c",
+                        "id": "7bd5dbe6-9745-4386-8ff9-44c3cc2d5883",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logs/ab5a7594-5fde-4c5c-9ee6-e67291f0a40c",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/7bd5dbe6-9745-4386-8ff9-44c3cc2d5883",
                                 "rel": "Self"
                             }
                         ],
                         "name": "Endpoint Agents",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:ab5a7594-5fde-4c5c-9ee6-e67291f0a40c"
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:7bd5dbe6-9745-4386-8ff9-44c3cc2d5883"
                     }
                 ],
-                "name": "Asset Authentication",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:74c4af9d-2673-4bc2-b8e8-afe3d1354987",
+                "name": "Active Directory Admin Activity",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:e4a59aa9-d8ef-45ee-af04-eb6fc929c1cf",
                 "user_data": {
                     "platform_managed": "true"
                 }
             },
             {
                 "description": null,
-                "id": "c826ff7f-683a-4f9c-9167-9edec6979bbb",
+                "id": "86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
                 "logs_info": [
                     {
-                        "id": "a668beb0-a769-4329-9c95-eeef55fb33d3",
+                        "id": "3a813f0d-a3a8-47f8-b69e-67ff327f4383",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logs/a668beb0-a769-4329-9c95-eeef55fb33d3",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/3a813f0d-a3a8-47f8-b69e-67ff327f4383",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "Windows Defender",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:a668beb0-a769-4329-9c95-eeef55fb33d3"
+                        "name": "Netbios Poisoning",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:3a813f0d-a3a8-47f8-b69e-67ff327f4383"
+                    },
+                    {
+                        "id": "8b780f32-a897-42e9-a0ef-d48278e7ea89",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/8b780f32-a897-42e9-a0ef-d48278e7ea89",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Local Service Creation",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:8b780f32-a897-42e9-a0ef-d48278e7ea89"
+                    },
+                    {
+                        "id": "d04903f1-a710-4c6c-ac16-0bf2e39f411d",
+                        "links": [
+                            {
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/d04903f1-a710-4c6c-ac16-0bf2e39f411d",
+                                "rel": "Self"
+                            }
+                        ],
+                        "name": "Process Start Events",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:d04903f1-a710-4c6c-ac16-0bf2e39f411d"
                     }
                 ],
-                "name": "Unparsed Data",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:c826ff7f-683a-4f9c-9167-9edec6979bbb",
+                "name": "Endpoint Activity",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:86484c1c-7aa8-4316-bb0d-bdb8e479e65b",
                 "user_data": {
                     "platform_managed": "true"
                 }
             },
             {
                 "description": null,
-                "id": "5e6303c5-ef5e-4384-b1f7-13668a4a0d39",
+                "id": "78677867-e594-462a-aaad-923fe45d6efe",
                 "logs_info": [
                     {
-                        "id": "7efaf894-cf8a-4ed2-9495-77395bf2e5a6",
+                        "id": "b4d09423-9d8f-4eb3-9638-657a3b6824d5",
                         "links": [
                             {
-                                "href": "https://us.api.insight.rapid7.com/log_search/management/logs/7efaf894-cf8a-4ed2-9495-77395bf2e5a6",
+                                "href": "https://eu.api.insight.rapid7.com/log_search/management/logs/b4d09423-9d8f-4eb3-9638-657a3b6824d5",
                                 "rel": "Self"
                             }
                         ],
-                        "name": "PersonalLogs",
-                        "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:log:7efaf894-cf8a-4ed2-9495-77395bf2e5a6"
+                        "name": "Endpoint Agents",
+                        "rrn": "rrn:logsearch:eu:123-123-123:log:b4d09423-9d8f-4eb3-9638-657a3b6824d5"
                     }
                 ],
-                "name": "Raw Log",
-                "rrn": "rrn:logsearch:us:7a6865a8-3594-43c2-9625-93dbcd0e1f78:logset:5e6303c5-ef5e-4384-b1f7-13668a4a0d39",
+                "name": "Host To IP Observations",
+                "rrn": "rrn:logsearch:eu:123-123-123:logset:78677867-e594-462a-aaad-923fe45d6efe",
                 "user_data": {
                     "platform_managed": "true"
                 }
@@ -854,57 +1451,529 @@ List all existing log sets for an account
 >### List Log Sets
 >|name|id|
 >|---|---|
->| Internal Logs | f6e6410d-deb4-4b56-9c90-300f4cdaf46d |
->| Asset Authentication | 74c4af9d-2673-4bc2-b8e8-afe3d1354987 |
->| Unparsed Data | c826ff7f-683a-4f9c-9167-9edec6979bbb |
->| Raw Log | 5e6303c5-ef5e-4384-b1f7-13668a4a0d39 |
+>| File Access Activity | 665aa34b-e489-4b78-a020-76203dbb2eea |
+>| Audit Logs | ef427412-18cb-4f23-af30-a36e8efb4efb |
+>| Endpoint Health | 27bf96d8-4ec0-49ad-a3a7-4f6cdfb24354 |
+>| Virus Alert | 0122d7b5-6632-47c0-abf0-68c8545a6fd4 |
+>| File Modification Activity | 02f12c43-91b8-44d4-969e-8a5216781a5c |
+>| Asset Authentication | 91de4b59-8324-45ed-8994-4604d918eb8d |
+>| Unparsed Data | 0d1b319d-d2ca-4427-945c-5af8fc9c9f59 |
+>| Internal Logs | e4f0787b-ff40-4587-986f-42ee27e7ffc0 |
+>| Active Directory Admin Activity | e4a59aa9-d8ef-45ee-af04-eb6fc929c1cf |
+>| Endpoint Activity | 86484c1c-7aa8-4316-bb0d-bdb8e479e65b |
+>| Host To IP Observations | 78677867-e594-462a-aaad-923fe45d6efe |
 
 
 ### rapid7-insight-idr-download-logs
-***
-Download up to 10 logs for an account.
 
+***
+Downloads logs from your InsightsIDR instance. The maximum number of logs per call is 10.
 
 #### Base Command
 
 `rapid7-insight-idr-download-logs`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| log_ids | IDs of the logs to download - up to 10 logs allowed. | Required |
+| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. This is optional if time_range is supplied. | Optional |
+| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. | Optional |
+| time_range | The relative time range in a readable format. Optional if "from" \ is supplied. For example: Last 4 Days. Note that if start_time, end_time and\ \ time_range is not provided the default will be Last 3 days. | Optional |
+| query | The LEQL query to match desired log events. Do not use a calculation. For more information: https://docs.rapid7.com/insightidr/build-a-query/. | Optional |
+| limit | The maximum number of log events to download; cannot exceed 20 million. The default is 20 million. The argument value should be written like this: "10 thousand" or "2 million"). | Optional |
+
+#### Context Output
+
+There is no context output for this command.
+#### Command example
+```!rapid7-insight-idr-download-logs log_ids=ee919c89-22c7-490e-be3e-db8994ee21cb time_range="last 7 days"```
+#### Context Example
+```json
+{
+    "InfoFile": {
+        "EntryID": "692@3eb6b0b2-d80d-4c3a-8c97-1d191f5a42fe",
+        "Extension": "log",
+        "Info": "text/x-log; charset=utf-8",
+        "Name": "InsightIDRInvestigations_2024-02-27_190751_2024-03-05_190751.log",
+        "Size": 70908,
+        "Type": "ASCII text, with very long lines"
+    }
+}
+```
+
+#### Human Readable Output
+
+
+
+### rapid7-insight-idr-query-log
+
+***
+Queries within a log for certain values.
+
+#### Base Command
+
+`rapid7-insight-idr-query-log`
+
 #### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| log_ids | IDs of the logs to download - up to 10 logs allowed. | Required | 
-| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. This is optional if time_range is supplied. | Optional | 
-| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. | Optional | 
-| time_range | The relative time range in a readable format. Optional if from is supplied. Example: Last 4 Days. Note that if start_time, end_time and time_range is not provided - The default will be Last 3 days. | Optional | 
-| query | The LEQL query to match desired log events. Do not use a calculation.more info: https://docs.rapid7.com/insightidr/build-a-query/ | Optional | 
-| limit | Max number of log events to download; cannot exceed 20 million. The default is 20 million (Note that a number should be written like "10 thousand" or "2 million") | Optional | 
+| log_id | Log entries log key. | Required |
+| query | A valid LEQL query to run against the log. For more information: https://docs.rapid7.com/insightidr/build-a-query/. | Required |
+| time_range | A time range string (i.e., 1 week, 1 day). When using this parameter, start_time and end_time isn't needed. | Optional |
+| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000. | Optional |
+| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000. | Optional |
+| logs_per_page | The maximum number of log entries to return per page. Default of 50. | Optional |
+| sequence_number | The earlier sequence number of a log entry to start searching from. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.Event.log_id | String | ID of the log the event appears in. |
+| Rapid7InsightIDR.Event.message | String | Event message. |
+| Rapid7InsightIDR.Event.timestamp | Number | Time when the event was triggered. |
+
+### rapid7-insight-idr-query-log-set
+
+***
+Queries within a log set for certain values.
+
+#### Base Command
+
+`rapid7-insight-idr-query-log-set`
 
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| log_set_id | ID of the log set. | Required |
+| query | A valid LEQL query to run against the log. For more information: https://docs.rapid7.com/insightidr/build-a-query/. | Required |
+| time_range | A time range string (e.g., 1 week, 1 day). When using this parameter, start_time and end_time isn't needed. | Optional |
+| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000. | Optional |
+| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000. | Optional |
+| logs_per_page | The maximum number of log entries to return per page. Default of 50. | Optional |
+| sequence_number | The earlier sequence number of a log entry to start searching from. | Optional |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
+| Rapid7InsightIDR.Event.log_id | String | ID of the log the event appears in. |
+| Rapid7InsightIDR.Event.message | String | Event message. |
+| Rapid7InsightIDR.Event.timestamp | Number | Time when the event was triggered. |
 
+### rapid7-insight-idr-create-investigation
 
-#### Command Example
-```!rapid7-insight-idr-download-logs log_ids=ab5a7594-5fde-4c5c-9ee6-e67291f0a40c time_range="last 7 days"```
+***
+Create a new investigation manually.
+
+#### Base Command
+
+`rapid7-insight-idr-create-investigation`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| title | The name of the investigation. | Required |
+| status | The status of the investigation. Open - The default status for all new investigations. Investigating - The investigation is in progress. Closed - The investigation has ended. A disposition must be selected to set this status. Possible values are: Open, Investigating, Closed. Default is Open. | Optional |
+| priority | The priority for the investigation. Investigation priority is the scale given to an investigation based on the impact and urgency of the detections and assets associated with it. Possible values are: Unspecified, Low, Medium, High, Critical. Default is Unspecified. | Optional |
+| disposition | The disposition for the investigation. Select a disposition to indicate whether the investigation represented a legitimate threat. Possible values are: Undecided, Benign, Malicious, Not Applicable. Default is Undecided. | Optional |
+| user_email_address | The email address of the user to assign to this investigation. This is the same email used to log into the insight platform. Use rapid7-insight-idr-list-users to retrieve the user email list. | Optional |
+
+#### Context Output
 
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.Investigation.responsibility | String | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. |
+| Rapid7InsightIDR.Investigation.latest_alert_time | String | The create time of the most recent alert belonging to this investigation \(if any\). |
+| Rapid7InsightIDR.Investigation.first_alert_time | String | The create time of the first alert belonging to this investigation \(if any\). |
+| Rapid7InsightIDR.Investigation.assignee.email | String | The email of the assigned user \(if any\). |
+| Rapid7InsightIDR.Investigation.assignee.name | String | The name of the assigned user \(if any\). |
+| Rapid7InsightIDR.Investigation.disposition | String | The disposition of this investigation. |
+| Rapid7InsightIDR.Investigation.created_time | Date | The time this investigation was created. |
+| Rapid7InsightIDR.Investigation.last_accessed | Date | The time this investigation was last viewed or modified. |
+| Rapid7InsightIDR.Investigation.priority | String | The priority of the investigation. |
+| Rapid7InsightIDR.Investigation.status | String | The status of the investigation. |
+| Rapid7InsightIDR.Investigation.source | String | How this investigation was generated. |
+| Rapid7InsightIDR.Investigation.title | String | The name of the investigation. |
+| Rapid7InsightIDR.Investigation.organization_id | String | The ID of the organization that owns this investigation. |
+| Rapid7InsightIDR.Investigation.rrn | String | The Rapid7 Resource Names of the investigation. |
+
+#### Command example
+```!rapid7-insight-idr-create-investigation title=test limit=1```
 #### Context Example
 ```json
 {
-    "InfoFile": {
-        "EntryID": "8090@e5ab5eb3-dafd-4dbc-8239-201263c94952",
-        "Extension": "log",
-        "Info": "log",
-        "Name": "EndpointAgents_2020-12-22_114727_2020-12-29_114727.log",
-        "Size": 0,
-        "Type": "empty"
+    "Rapid7InsightIDR": {
+        "Investigation": {
+            "assignee": null,
+            "created_time": "2024-03-05T19:07:04.610Z",
+            "disposition": "UNDECIDED",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T19:07:04.610Z",
+            "latest_alert_time": null,
+            "organization_id": "123-123-123",
+            "priority": "UNSPECIFIED",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:123-123-123:investigation:U92BZEYO124T",
+            "source": "USER",
+            "status": "OPEN",
+            "title": "test"
+        }
+    }
+}
+```
+
+#### Human Readable Output
+
+>### Investigation 'rrn:investigation:eu:123-123-123:investigation:U92BZEYO124T' was successfuly created.
+>|Title|Rrn|Status|Created Time|Source|Priority|
+>|---|---|---|---|---|---|
+>| test | rrn:investigation:eu:123-123-123:investigation:U92BZEYO124T | OPEN | 2024-03-05T19:07:04.610Z | USER | UNSPECIFIED |
+
+
+### rapid7-insight-idr-update-investigation
+
+***
+Updates multiple fields in a single operation for an investigation, specified by ID or Rapid7 Resource Names (RRN). (If multi-customer set to true, the investigation_id must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs
+
+#### Base Command
+
+`rapid7-insight-idr-update-investigation`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| investigation_id | The ID or Rapid7 Resource Names (RRN) of the investigation to to update. (If api_version=V2, the ID of the investigation must be in the RRN format). | Required |
+| title | The name of the investigation. | Optional |
+| status | The status of the investigation.  Open - The default status for all new investigations. Investigating - The investigation is in progress. Closed - The investigation has ended. A disposition must be selected to set this status. Possible values are: Open, Investigating, Closed. | Optional |
+| priority | The priority for the investigation. Investigation priority is the scale given to an investigation based on the impact and urgency of the detections and assets associated with it. Possible values are: Unspecified, Low, Medium, High, Critical. | Optional |
+| disposition | The disposition for the investigation. Select a disposition to indicate whether the investigation represented a legitimate threat. Possible values are: Undecided, Benign, Malicious, Not Applicable. | Optional |
+| user_email_address | The email address of the user to assign to this investigation. This is the same email used to log into the insight platform. | Optional |
+| threat_command_free_text | Additional information provided by the user when closing a Threat Command alert. Relevant when status=Closed. | Optional |
+| threat_command_close_reason | The Threat Command reason for closing, applicable only if the investigation being closed has an associated alert in Threat Command. The Close Reason description depends on the Threat Command alert type.  Relevant when status=Closed. Possible values are: Problem Solved, Informational Only, Problem We Are Already Aware Of, Not Related To My Company, False Positive, Legitimate Application/ Profile, Company Owned Domain, Other. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.Investigation.responsibility | String | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. |
+| Rapid7InsightIDR.Investigation.latest_alert_time | String | The create time of the most recent alert belonging to this investigation \(if any\). |
+| Rapid7InsightIDR.Investigation.first_alert_time | String | The create time of the first alert belonging to this investigation \(if any\). |
+| Rapid7InsightIDR.Investigation.assignee_email | String | The email of the assigned user. |
+| Rapid7InsightIDR.Investigation.assignee_name | String | The name of the assigned user. |
+| Rapid7InsightIDR.Investigation.disposition | String | The disposition of this investigation. |
+| Rapid7InsightIDR.Investigation.created_time | Date | The time this investigation was created. |
+| Rapid7InsightIDR.Investigation.last_accessed | Date | The time this investigation was last viewed or modified. |
+| Rapid7InsightIDR.Investigation.priority | String | The priority of the investigation. |
+| Rapid7InsightIDR.Investigation.status | String | The status of the investigation. |
+| Rapid7InsightIDR.Investigation.source | String | How this investigation was generated. |
+| Rapid7InsightIDR.Investigation.title | String | The name of the investigation. |
+| Rapid7InsightIDR.Investigation.organization_id | String | The ID of the organization that owns this investigation. |
+| Rapid7InsightIDR.Investigation.rrn | String | The Rapid7 Resource Names of the investigation. |
+
+#### Command example
+```!rapid7-insight-idr-update-investigation investigation_id=3793645a-6484-4a7e-9228-7aeb4ba97472 title=test1```
+#### Context Example
+```json
+{
+    "Rapid7InsightIDR": {
+        "Investigation": {
+            "assignee": {
+                "email": "test@test.com",
+                "name": "test"
+            },
+            "created_time": "2024-03-05T19:02:28.419Z",
+            "disposition": "UNDECIDED",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T19:07:07.790Z",
+            "latest_alert_time": null,
+            "organization_id": "123-123-123",
+            "priority": "UNSPECIFIED",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2",
+            "source": "USER",
+            "status": "OPEN",
+            "title": "test1"
+        }
+    }
+}
+```
+
+#### Human Readable Output
+
+>### Investigation '3793645a-6484-4a7e-9228-7aeb4ba97472' was successfuly updated.
+>|Title|Rrn|Status|Created Time|Source|Assignee|Priority|
+>|---|---|---|---|---|---|---|
+>| test1 | rrn:investigation:eu:123-123-123:investigation:UFBFNSRZG4N2 | OPEN | 2024-03-05T19:02:28.419Z | USER | name: test<br/>email: test@test.com | UNSPECIFIED |
+
+
+### rapid7-insight-idr-search-investigation
+
+***
+Search for investigations matching the given search/sort criteria.
+
+#### Base Command
+
+`rapid7-insight-idr-search-investigation`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| start_time | An optional ISO formatted timestamp for the start of the time period to search for matching investigations. Only investigations whose created_time is after this date will be returned. For example, 2018-07-01T00:00:00Z. Default is 28 days ago. | Optional |
+| end_time | An optional ISO formatted timestamp for the end of the time period to search for matching investigations. Only investigations whose created_time is before this date will be returned. For example,2018-07-28T23:59:00Z. Default is the current time. | Optional |
+| actor_asset_hostname | A comma-separated list of hostnames. | Optional |
+| actor_user_name | A comma-separated list of user names. | Optional |
+| alert_mitre_t_codes | A comma-separated list of mitre_t_codes. | Optional |
+| alert_rule_rrn | A comma-separated list of Rapid7 Resource Names. | Optional |
+| assignee_id | A comma-separated list of assignee IDs. | Optional |
+| organization_id | A comma-separated list of organization IDs. | Optional |
+| priority | A comma-separated list of priorities. | Optional |
+| rrn | A comma-separated list of Rapid7 Resource Names. | Optional |
+| source | A comma-separated list of sources. | Optional |
+| status | A comma-separated list of statuses. | Optional |
+| title | A comma-separated list of titles. | Optional |
+| sort | Comma-separated list of fields to sort by. Possible values are: Created time, Priority, RRN, Alert created time, Alert detection created time. | Optional |
+| sort_direction | The sorting direction. Relevant when sort is chosen. Possible values are: asc, desc, asc,desc. Default is asc. | Optional |
+| index | The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional |
+| page_size | The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000. | Optional |
+| limit | The maximum number of records to retrieve. Default is 50. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.Investigation.responsibility | Unknown | The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection &amp; Response customers. |
+| Rapid7InsightIDR.Investigation.latest_alert_time | Date | The create time of the most recent alert belonging to this investigation \(if any\). |
+| Rapid7InsightIDR.Investigation.first_alert_time | Date | The create time of the first alert belonging to this investigation \(if any\). |
+| Rapid7InsightIDR.Investigation.assignee.email | Unknown | The email of the assigned user. |
+| Rapid7InsightIDR.Investigation.assignee.name | String | The name of the assigned user. |
+| Rapid7InsightIDR.Investigation.disposition | String | The disposition of this investigation. |
+| Rapid7InsightIDR.Investigation.created_time | Date | The time this investigation was created. |
+| Rapid7InsightIDR.Investigation.last_accessed | Date | The time this investigation was last viewed or modified. |
+| Rapid7InsightIDR.Investigation.priority | String | The priority of the investigation. |
+| Rapid7InsightIDR.Investigation.status | String | The status of the investigation. |
+| Rapid7InsightIDR.Investigation.source | String | How this investigation was generated. |
+| Rapid7InsightIDR.Investigation.title | String | The name of the investigation. |
+| Rapid7InsightIDR.Investigation.organization_id | String | The ID of the organization that owns this investigation. |
+| Rapid7InsightIDR.Investigation.rrn | String | The Rapid7 Resource Names of the investigation. |
+
+#### Command example
+```!rapid7-insight-idr-search-investigation limit=1```
+#### Context Example
+```json
+{
+    "Rapid7InsightIDR": {
+        "Investigation": {
+            "assignee": null,
+            "created_time": "2024-03-05T19:07:04.61Z",
+            "disposition": "UNDECIDED",
+            "first_alert_time": null,
+            "last_accessed": "2024-03-05T19:07:04.61Z",
+            "latest_alert_time": null,
+            "organization_id": "244e0f2e-2e23-43de-9910-da818cdf9ef8",
+            "priority": "UNMAPPED",
+            "responsibility": null,
+            "rrn": "rrn:investigation:eu:244e0f2e-2e23-43de-9910-da818cdf9ef8:investigation:U92BZEYO124T",
+            "source": "USER",
+            "status": "OPEN",
+            "title": "test"
+        }
+    }
+}
+```
+
+#### Human Readable Output
+
+>### Investigations
+>|Title|Rrn|Status|Created Time|Source|Priority|
+>|---|---|---|---|---|---|
+>| test | rrn:investigation:eu:244e0f2e-2e23-43de-9910-da818cdf9ef8:investigation:U92BZEYO124T | OPEN | 2024-03-05T19:07:04.61Z | USER | UNMAPPED |
+
+
+
+### rapid7-insight-idr-list-investigation-alerts
+
+***
+Retrieve and list all alerts associated with an investigation, with the given ID or Rapid7 Resource Names (RRN). The listed alerts are sorted in descending order by alert create time. Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+
+#### Base Command
+
+`rapid7-insight-idr-list-investigation-alerts`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| investigation_id | The ID of the investigation (If api_version=V2, the ID of the investigation must be in the RRN format). | Required |
+| all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. Default is false. | Optional |
+| limit | The maximum number of records to retrieve. Default is 50. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.Investigation.alert.rule_rrn | String | The Rapid7 Resource Names of the investigation. |
+| Rapid7InsightIDR.Investigation.alert.rule_name | String | The name of the detection rule. |
+| Rapid7InsightIDR.Investigation.alert.alert_source | String | The source of the alert. |
+| Rapid7InsightIDR.Investigation.alert.latest_event_time | String | The time the most recent event involved in this alert occurred. |
+| Rapid7InsightIDR.Investigation.alert.first_event_time | String | The time the first event involved in this alert occurred. |
+| Rapid7InsightIDR.Investigation.alert.created_time | String | The time the alert was created. |
+| Rapid7InsightIDR.Investigation.alert.alert_type_description | String | A description of this type of alert. |
+| Rapid7InsightIDR.Investigation.alert.alert_type | String | The alert's type. |
+| Rapid7InsightIDR.Investigation.alert.title | String | The alert's title. |
+| Rapid7InsightIDR.Investigation.alert.id | String | The alert's ID. |
+| Rapid7InsightIDR.Investigation.rrn | String | The ID of the investigation. |
+
+#### Command example
+```!rapid7-insight-idr-list-investigation-alerts investigation_id=3793645a-6484-4a7e-9228-7aeb4ba97472```
+#### Context Example
+```json
+{
+    "Rapid7InsightIDR": {
+        "Investigation": {
+            "alert": [],
+            "rrn": "3793645a-6484-4a7e-9228-7aeb4ba97472"
+        }
+    }
+}
+```
+
+#### Human Readable Output
+
+>### Investigation "3793645a-6484-4a7e-9228-7aeb4ba97472" alerts
+>**No entries.**
+
+
+### rapid7-insight-idr-list-investigation-product-alerts
+
+***
+Retrieve and list all Rapid7 product alerts associated with an investigation, with the given ID or the Rapid7 Resource Names. These alerts are generated by Rapid7 products other than InsightIDR that you have an active license for.
+
+#### Base Command
+
+`rapid7-insight-idr-list-investigation-product-alerts`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| investigation_id | The ID of the investigation (If api_version=V2, the ID of the investigation must be in the Rapid7 Resource Names format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs. | Required |
+| all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. Default is false. | Optional |
+| limit | The maximum number of records to retrieve. Default is 50. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.Investigation.rrn | String | The ID of the investigation. |
+| Rapid7InsightIDR.Investigation.ProductAlert.name | String | The investigation product name |
+| Rapid7InsightIDR.Investigation.ProductAlert.Alert.name | String | The investigation product alert name. |
+| Rapid7InsightIDR.Investigation.ProductAlert.Alert.alert_id | String | The investigation product alert ID. |
+| Rapid7InsightIDR.Investigation.ProductAlert.Alert.alert_type | String | The investigation product alert type. |
+
+#### Command example
+```!rapid7-insight-idr-list-investigation-product-alerts investigation_id=3793645a-6484-4a7e-9228-7aeb4ba97472```
+#### Context Example
+```json
+{
+    "Rapid7InsightIDR": {
+        "Investigation": {
+            "ProductAlert": [
+                {
+                    "agent_action_taken": "Block",
+                    "alert_id": "972bef1b-72c9-48d2-9e33-ca9056cfe086",
+                    "alert_type": "Endpoint Prevention",
+                    "name": "THREAT_COMMAND"
+                },
+                {
+                    "alert_id": "620ba5123b2aff3303ed65f3",
+                    "alert_type": "Phishing",
+                    "applicable_close_reasons": [
+                        "ProblemSolved",
+                        "InformationalOnly",
+                        "Other"
+                    ],
+                    "name": "THREAT_COMMAND"
+                }
+            ],
+            "rrn": "3793645a-6484-4a7e-9228-7aeb4ba97472"
+        }
     }
 }
 ```
 
 #### Human Readable Output
 
+>### Investigation "3793645a-6484-4a7e-9228-7aeb4ba97472" product alerts
+>|Name|Alert Type|Alert Id|
+>|---|---|---|
+>| THREAT_COMMAND | Endpoint Prevention | 972bef1b-72c9-48d2-9e33-ca9056cfe086 |
+>| THREAT_COMMAND | Phishing | 620ba5123b2aff3303ed65f3 |
+
+
+### rapid7-insight-idr-list-users
+
+***
+List all users matching the given search/sort criteria or retrieve a user with the given RRN.
+
+#### Base Command
+
+`rapid7-insight-idr-list-users`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| rrn | The Rapid7 Resource Names (unique identifier for user.) of the user to retrieve. When using this argument, all the other irrelevant. | Optional |
+| first_name | A comma-separated list of first names. Choose search operator to define the operator type. | Optional |
+| last_name | A comma-separated list of last names. Choose search operator to define the operator type. | Optional |
+| name | A comma-separated list of names. Choose search operator to define the operator type. | Optional |
+| search_operator | The filtering operator. Relevant when first_name / last_name / is name / domain chosen. Possible values are: contains, equals. | Optional |
+| sort | Comma-separated list of fields to sort by. Possible values are: first_name, last_name, name. | Optional |
+| sort_direction | The sorting direction. Relevant when sort is chosen. Possible values are: asc, desc, asc & desc. Default is asc. | Optional |
+| index | The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional |
+| page_size | The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000. | Optional |
+| limit | The maximum number of records to retrieve. Default is 50. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Rapid7InsightIDR.User.domain | String | The domain this user is associated with. |
+| Rapid7InsightIDR.User.name | String | The name of this user. |
+| Rapid7InsightIDR.User.first_name | String | The first name of this user, if known. |
+| Rapid7InsightIDR.User.last_name | String | The last name of this user, if known. |
+| Rapid7InsightIDR.User.rrn | String | The unique identifier for this user. |
+
+#### Command example
+```!rapid7-insight-idr-list-users limit=1```
+#### Context Example
+```json
+{
+    "Rapid7InsightIDR": {
+        "User": {
+            "domain": "azuread",
+            "name": "nirvaron",
+            "rrn": "rrn:uba:eu:244e0f2e-2e23-43de-9910-da818cdf9ef8:user:15N2NECIYNFB"
+        }
+    }
+}
+```
+
+#### Human Readable Output
+
+>### Users
+>|Rrn|Name|Domain|
+>|---|---|---|
+>| rrn:uba:eu:244e0f2e-2e23-43de-9910-da818cdf9ef8:user:15N2NECIYNFB | nirvaron | azuread |
+
 
 
 ### rapid7-insight-idr-query-log
@@ -919,22 +1988,22 @@ Query inside a log for certain values.
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| log_id | Logentries log key | Required | 
-| query | A valid LEQL query to run against the logmore info: https://docs.rapid7.com/insightidr/build-a-query/ | Required | 
-| time_range | An optional time range string (i.e 1 week, 1 day) - While using this parameter, start_time and end_time isn't needed | Optional | 
-| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000 | Optional | 
-| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000 | Optional | 
-| logs_per_page | The number of log entries to return per page. Default of 50 | Optional | 
-| sequence_number | the earlier sequence number of a log entry to start searching from | Optional | 
+| log_id | Logentries log key | Required |
+| query | A valid LEQL query to run against the log. For more information: https://docs.rapid7.com/insightidr/build-a-query/ | Required |
+| time_range | An optional time range string (i.e., 1 week, 1 day). When using this parameter, start_time and end_time isn't needed | Optional |
+| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000 | Optional |
+| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000 | Optional |
+| logs_per_page | The number of log entries to return per page. Default of 50 | Optional |
+| sequence_number | The earlier sequence number of a log entry to start searching from. | Optional |
 
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Event.log_id | String | Event message | 
-| Rapid7InsightIDR.Event.message | String | ID of the log the event appears in | 
-| Rapid7InsightIDR.Event.timestamp | Number | Time when the event fired | 
+| Rapid7InsightIDR.Event.log_id | String | Event message. |
+| Rapid7InsightIDR.Event.message | String | ID of the log the event appears in. |
+| Rapid7InsightIDR.Event.timestamp | Number | Time when the event fired. |
 
 
 #### Command Example
@@ -1629,22 +2698,22 @@ Query inside a log set for certain values.
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| log_set_id | log set ID | Required | 
-| query | A valid LEQL query to run against the logmore info: https://docs.rapid7.com/insightidr/build-a-query/ | Required | 
-| time_range | An optional time range string (i.e 1 week, 1 day) - While using this parameter, start_time and end_time isn't needed | Optional | 
-| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000 | Optional | 
-| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000 | Optional | 
-| logs_per_page | The number of log entries to return per page. Default of 50 | Optional | 
-| sequence_number | the earlier sequence number of a log entry to start searching from | Optional | 
+| log_set_id | log set ID | Required |
+| query | A valid LEQL query to run against the log. For more information: https://docs.rapid7.com/insightidr/build-a-query/ | Required |
+| time_range | An optional time range string (i.e., 1 week, 1 day). When using this parameter, start_time and end_time isn't needed | Optional |
+| start_time | Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000 | Optional |
+| end_time | Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000 | Optional |
+| logs_per_page | The number of log entries to return per page. Default of 50 | Optional |
+| sequence_number | The earlier sequence number of a log entry to start searching from. | Optional |
 
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| Rapid7InsightIDR.Event.log_id | String | Event message | 
-| Rapid7InsightIDR.Event.message | String | ID of the log the event appears in | 
-| Rapid7InsightIDR.Event.timestamp | Number | Time when the event fired | 
+| Rapid7InsightIDR.Event.log_id | String | Event message. |
+| Rapid7InsightIDR.Event.message | String | ID of the log the event appears in. |
+| Rapid7InsightIDR.Event.timestamp | Number | Time when the event fired. |
 
 
 #### Command Example
@@ -2325,4 +3394,3 @@ Query inside a log set for certain values.
 >| ab5a7594-5fde-4c5c-9ee6-e67291f0a40c | {"timestamp":"2020-11-19T08:50:50.403Z","destination_asset":"jenkinsnode.someorganiztion.co","source_asset_address":"x.x.x.x","destination_asset_address":"jenkinsnode.someorganiztion.co","destination_local_account":"someuser","logon_type":"NETWORK","result":"FAILED_OTHER","new_authentication":"false","service":"/usr/sbin/sshd","source_json":{"audit_id":1002858,"pid":23548,"uid":null,"auid":4294967295,"ses":4294967295,"subj":"system_u:system_r:sshd_t:s0-s0:c0.c1023","op":"password","acct":"someuser","addr":"x.x.x.x","terminal":"ssh","res":"failed","type":1100,"startTime":1605775839850,"cmdLine":"sshd: someuser [priv]   ","processName":"sshd","executablePath":"/usr/sbin/sshd","ppid":1131,"hashes":{"sha256":"2c6bf828ee0b4e78c49a71affd3d33b7916700cf7a288cd1a55fc4e701e50d68"},"metadata":{"creationDate":1592052866191,"lastModifiedDate":1565314847000,"lastAccessDate":1605098588968,"size":852856,"permissions":"-rwxr-xr-x","uid":0,"gid":0,"uidName":"someuser","gidName":"someuser"},"euid":0,"egid":0,"uidName":null,"euidName":"someuser","egidName":"someuser","auidName":null,"domain":"someorganiztion.co","hostname":"jenkinsnode"}} | 1605775912448 |
 >| ab5a7594-5fde-4c5c-9ee6-e67291f0a40c | {"timestamp":"2020-11-19T09:47:15.802Z","destination_asset":"jenkinsnode.someorganiztion.co","source_asset_address":"x.x.x.x","destination_asset_address":"jenkinsnode.someorganiztion.co","destination_local_account":"someuser","logon_type":"NETWORK","result":"SUCCESS","new_authentication":"false","service":"/usr/sbin/sshd","source_json":{"audit_id":1003669,"pid":27013,"uid":null,"auid":4294967295,"ses":4294967295,"subj":"system_u:system_r:sshd_t:s0-s0:c0.c1023","op":"PAM:authentication","grantors":"pam_unix","acct":"someuser","hostname":"x.x.x.x","addr":"x.x.x.x","terminal":"ssh","res":"success","type":1100,"startTime":1605779227890,"cmdLine":"sshd: someuser@pts/1    ","processName":"sshd","executablePath":"/usr/sbin/sshd","ppid":1131,"hashes":{"sha256":"2c6bf828ee0b4e78c49a71affd3d33b7916700cf7a288cd1a55fc4e701e50d68"},"metadata":{"creationDate":1592052866191,"lastModifiedDate":1565314847000,"lastAccessDate":1605098588968,"size":852856,"permissions":"-rwxr-xr-x","uid":0,"gid":0,"uidName":"someuser","gidName":"someuser"},"euid":0,"egid":0,"uidName":null,"euidName":"someuser","egidName":"someuser","auidName":null,"domain":"someorganiztion.co"}} | 1605779255422 |
 >| ab5a7594-5fde-4c5c-9ee6-e67291f0a40c | {"timestamp":"2020-11-19T09:47:15.805Z","destination_asset":"jenkinsnode.someorganiztion.co","source_asset_address":"x.x.x.x","destination_asset_address":"jenkinsnode.someorganiztion.co","destination_local_account":"someuser","logon_type":"NETWORK","result":"SUCCESS","new_authentication":"false","service":"/usr/sbin/sshd","source_json":{"audit_id":1003673,"pid":27013,"uid":null,"auid":4294967295,"ses":4294967295,"subj":"system_u:system_r:sshd_t:s0-s0:c0.c1023","op":"success","acct":"someuser","addr":"x.x.x.x","terminal":"ssh","res":"success","type":1100,"startTime":1605779227890,"cmdLine":"sshd: someuser@pts/1    ","processName":"sshd","executablePath":"/usr/sbin/sshd","ppid":1131,"hashes":{"sha256":"2c6bf828ee0b4e78c49a71affd3d33b7916700cf7a288cd1a55fc4e701e50d68"},"metadata":{"creationDate":1592052866191,"lastModifiedDate":1565314847000,"lastAccessDate":1605098588968,"size":852856,"permissions":"-rwxr-xr-x","uid":0,"gid":0,"uidName":"someuser","gidName":"someuser"},"euid":0,"egid":0,"uidName":null,"euidName":"someuser","egidName":"someuser","auidName":null,"domain":"someorganiztion.co","hostname":"jenkinsnode"}} | 1605779255422 |
-
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.py b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.py
index 6e5d2d62b6cc..965bbfafbeca 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.py
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.py
@@ -1,104 +1,585 @@
-import demistomock as demisto
-from CommonServerPython import *
-from CommonServerUserPython import *
+import json
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+from typing import Any
 
 import dateparser
-import json
+import demistomock as demisto
 import urllib3
-from datetime import datetime, timedelta
-from typing import Dict, Tuple
+from CommonServerPython import *
+from CommonServerUserPython import *
 from requests import Response
 
+API_V1 = "V1"
+
+API_V2 = "V2"
+
+
+@dataclass
+class Constants:
+    """
+    This class contains constants for the API versions.
+    """
+
+    IS_V1 = False
+    IS_V2 = False
+    INVESTIGATIONS_HEADERS: tuple = ()
+    INVESTIGATION_KEY_FIELD = ""
+    DEFAULT_KEY_FIELD = ""
+    VERSION = ""
+
+
+@dataclass
+class ConstantsV1(Constants):
+    """
+    This class contains constants for the API version 1.
+    """
+    VERSION = API_V1
+    IS_V1 = True
+    IS_V2 = False
+    INVESTIGATIONS_HEADERS: tuple = (
+        "title",
+        "id",
+        "status",
+        "created_time",
+        "source",
+        "assignee",
+        "alerts",
+    )
+    INVESTIGATION_KEY_FIELD = "id"
+    DEFAULT_KEY_FIELD = "id"
+
+
+@dataclass
+class ConstantsV2(Constants):
+    """
+    This class contains constants for the API version 2.
+    """
+
+    IS_V1 = False
+    IS_V2 = True
+    INVESTIGATIONS_HEADERS: tuple = (
+        "title",
+        "rrn",
+        "status",
+        "created_time",
+        "source",
+        "assignee",
+        "priority",
+    )
+    DEFAULT_KEY_FIELD = "rrn"
+    VERSION = API_V2
+
+
 # Disable insecure warnings
 urllib3.disable_warnings()
 
-DATE_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
-
-INVESTIGATIONS_FIELDS = ['title', 'id', 'status', 'created_time', 'source', 'assignee', 'alerts']
-THREATS_FIELDS = ['name', 'note', 'indicator_count', 'published']
-LOGS_FIELDS = ['name', 'id']
-EVENTS_FIELDS = ['log_id', 'message', 'timestamp']
+DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
+
+THREATS_FIELDS = ["name", "note", "indicator_count", "published"]
+LOGS_FIELDS = ["name", "id"]
+EVENTS_FIELDS = ["log_id", "message", "timestamp"]
+DEFAULT_DISPOSITION = "Undecided"
+DEFAULT_PAGE = "0"
+INTEGRATION_PREFIX = "Rapid7InsightIDR"
+SEARCH_CONTAINS_OPERATOR = "CONTAINS"
+SEARCH_EQUALS_OPERATOR = "EQUALS"
+INVESTIGATION_SEARCH = [
+    ("actor_asset_hostname", SEARCH_CONTAINS_OPERATOR),
+    ("actor_user_name", SEARCH_CONTAINS_OPERATOR),
+    ("alert_mitre_t_codes", SEARCH_EQUALS_OPERATOR),
+    ("alert_rule_rrn", SEARCH_EQUALS_OPERATOR),
+    ("assignee_id", SEARCH_EQUALS_OPERATOR),
+    ("organization_id", SEARCH_EQUALS_OPERATOR),
+    ("priority", SEARCH_EQUALS_OPERATOR),
+    ("rrn", SEARCH_EQUALS_OPERATOR),
+    ("source", SEARCH_EQUALS_OPERATOR),
+    ("status", SEARCH_EQUALS_OPERATOR),
+    ("title", SEARCH_CONTAINS_OPERATOR),
+]
+USER_SEARCH = ["first_name", "last_name", "name"]
+ALERTS_HEADERS = ["alert_source", "created_time", "alert_type", "title", "id"]
+PRODUCT_ALERTS_HEADERS = ["name", "alert_type", "alert_id"]
+USERS_HEADERS = ["rrn", "name", "first_name", "last_name", "domain"]
 
 
 class Client(BaseClient):
     """Client for Rapid7 InsightIDR REST API."""
 
-    def __init__(self, base_url: str, headers: dict, verify: bool, proxy: bool):
+    def __init__(
+        self,
+        base_url: str,
+        headers: dict,
+        verify: bool,
+        proxy: bool,
+        is_multi_customer: bool,
+    ):
+        self.is_multi_customer = is_multi_customer
         super().__init__(base_url=base_url, verify=verify, proxy=proxy, headers=headers)
 
-    def list_investigations(self, params: dict) -> dict:
-        return self._http_request(method='GET',
-                                  url_suffix='idr/v1/investigations',
-                                  params=params)
-
-    def bulk_close_investigations(self, body: dict) -> dict:
-        return self._http_request(method='POST',
-                                  url_suffix='idr/v1/investigations/bulk_close',
-                                  headers=self._headers,
-                                  json_data=body)
-
-    def assign_user(self, investigation_id: str, body: dict) -> dict:
-        return self._http_request(method='PUT',
-                                  url_suffix=f'idr/v1/investigations/{investigation_id}/assignee',
-                                  headers=self._headers,
-                                  json_data=body)
-
-    def set_status(self, investigation_id: str, status: str) -> dict:
-        return self._http_request(method='PUT',
-                                  url_suffix=f'idr/v1/investigations/{investigation_id}'
-                                             f'/status/{status}',
-                                  headers=self._headers)
+    def list_investigations(
+        self,
+        api_version: str = API_V1,
+        investigation_id: str = None,
+        statuses: str = None,
+        start_time: str = None,
+        end_time: str = None,
+        index: str = None,
+        size: str = None,
+        sources: str = None,
+        priorities: str = None,
+        assignee_email: str = None,
+        sort_field: str = None,
+        sort_direction: str = None,
+        tags: str = None,
+    ) -> dict:
+        """
+        List investigations.
+
+        Args:
+            api_version (str, optional): The InsightIDR API version to request to. Defaults to API_V1.
+            investigation_id (str, optional): _description_. Defaults to None.
+            statuses (str, optional): A comma-separated list of investigation statuses to include in the result.
+            Defaults to None.
+            start_time (str, optional): _description_. Defaults to None.
+            end_time (str, optional): _description_. Defaults to None.
+            index (str, optional): The optional 0 based index of the page to retrieve. Defaults to None.
+            size (str, optional): The optional size of the page to retrieve.
+            Must be an integer greater than 0 or less than or equal to 1000. Defaults to None.
+            sources (str, optional): A comma-separated list of investigation sources to include in the result.
+            Defaults to None.
+            priorities (str, optional): A comma-separated list of investigation priorities to include in the result.
+            assignee_email (str, optional): A user's email address. Defaults to None.
+            sort_field (str, optional): A field for investigations to be sorted by. Defaults to None.
+            sort_direction (str, optional): The sorting direction. Defaults to None.
+            tags (str, optional): A comma-separated list of tags to include in the result. Defaults to None.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        params = (
+            remove_empty_elements(
+                {
+                    "index": index,
+                    "size": size,
+                    "statuses": statuses,
+                    "start_time": start_time,
+                    "end_time": end_time,
+                    "sources": sources,
+                    "priorities": priorities,
+                    "assignee_email": assignee_email,
+                    "sort_field": sort_field,
+                    "sort_direction": sort_direction,
+                    "tags": tags,
+                    "multi-customer": self.is_multi_customer if api_version == API_V2 else None,
+                }
+            )
+            if not investigation_id
+            else {}
+        )
+        endpoint = f"idr/{api_version.lower()}/investigations"
+        url = (
+            urljoin(endpoint, investigation_id)
+            if investigation_id and api_version == API_V2
+            else endpoint
+        )
+        return self._http_request(
+            method="GET",
+            url_suffix=url,
+            params=params,
+            ok_codes=[200, 404],
+        )
+
+    def bulk_close_investigations(
+        self,
+        source: str,
+        start_time: str,
+        end_time: str,
+        alert_type: str = None,
+        disposition: str = None,
+        detection_rule_rrn: str = None,
+        max_investigations_to_close: int = None,
+    ) -> dict:
+        """
+        Close investigations.
+
+        Args:
+            source (str): The name of an investigation source.
+            start_time (str): The time investigations are to be closed from (an ISO formatted timestamp).
+            end_time (str): The time investigations are to be closed by (an ISO formatted timestamp).
+            alert_type (str, optional): The category of types of alerts that should be closed. Defaults to None.
+            disposition (str, optional): A disposition to set the investigation to. Defaults to None.
+            detection_rule_rrn (str, optional): The RRN of the detection rule. Defaults to None.
+            max_investigations_to_close (int, optional): The maximum number of alerts to close. Defaults to None.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        body = remove_empty_elements(
+            {
+                "source": source,
+                "alert_type": alert_type,
+                "disposition": disposition.replace(" ", "_") if disposition else None,
+                "detection_rule_rrn": detection_rule_rrn,
+                "from": start_time,
+                "to": end_time,
+                "max_investigations_to_close": max_investigations_to_close,
+            }
+        )
+        return self._http_request(
+            method="POST",
+            url_suffix="idr/v2/investigations/bulk_close",
+            headers=self._headers,
+            json_data=body,
+        )
+
+    def assign_user(
+        self, investigation_id: str, api_version: str, user_email_address: str
+    ) -> dict[str, Any]:
+        """
+        Assign a user by email to an investigation.
+
+        Args:
+            api_version (str): The InsightIDR API version to request to.
+            investigation_id (str): Comma-separated list of the ID or RRN.
+            user_email_address (str): The email address of the user to assign to this Investigation.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        params = remove_empty_elements(
+            {"multi-customer": self.is_multi_customer if api_version == "V2" else None}
+        )
+        return self._http_request(
+            method="PUT",
+            url_suffix=f"idr/{api_version.lower()}/investigations/{investigation_id}/assignee",
+            headers=self._headers,
+            json_data={"user_email_address": user_email_address},
+            params=params,
+        )
+
+    def set_status(
+        self,
+        api_version: str,
+        investigation_id: str,
+        status: str,
+        disposition: str = None,
+        threat_command_close_reason: str = None,
+        threat_command_free_text: str = None,
+    ) -> dict[str, Any]:
+        """
+        Set investigation status.
+
+        Args:
+            api_version (str): The InsightIDR API version to request to.
+            investigation_id (str): Comma-separated list of the ID or RRN.
+            status (str): The new status for the investigation.
+            disposition (str, optional): A disposition to set the investigation to. Defaults to None.
+            threat_command_close_reason (str, optional): The Threat Command reason for closing. Defaults to None.
+            threat_command_free_text (str, optional): Additional information. Defaults to None.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        data = remove_empty_elements(
+            {
+                "disposition": disposition,
+                "threat_command_close_reason": threat_command_close_reason,
+                "threat_command_free_text": threat_command_free_text,
+            }
+        )
+        params = remove_empty_elements(
+            {"multi-customer": self.is_multi_customer if api_version == API_V2 else None}
+        )
+        return self._http_request(
+            method="PUT",
+            url_suffix=f"idr/{api_version.lower()}/investigations/{investigation_id}/status/{status}",
+            headers=self._headers,
+            json_data=data,
+            params=params,
+        )
 
     def add_threat_indicators(self, key: str, body: dict) -> dict:
-        return self._http_request(method='POST',
-                                  url_suffix=f'idr/v1/customthreats/key/{key}/indicators/add',
-                                  headers=self._headers,
-                                  params={"format": "json"},
-                                  json_data=body)
+        return self._http_request(
+            method="POST",
+            url_suffix=f"idr/v1/customthreats/key/{key}/indicators/add",
+            headers=self._headers,
+            params={"format": "json"},
+            json_data=body,
+        )
 
     def replace_threat_indicators(self, key: str, body: dict) -> dict:
-        return self._http_request(method='POST',
-                                  url_suffix=f'idr/v1/customthreats/key/{key}/indicators/replace',
-                                  headers=self._headers,
-                                  params={"format": "json"},
-                                  json_data=body)
+        return self._http_request(
+            method="POST",
+            url_suffix=f"idr/v1/customthreats/key/{key}/indicators/replace",
+            headers=self._headers,
+            params={"format": "json"},
+            json_data=body,
+        )
 
     def list_logs(self) -> dict:
-        return self._http_request(method='GET',
-                                  url_suffix='log_search/management/logs',
-                                  headers=self._headers)
+        return self._http_request(
+            method="GET", url_suffix="log_search/management/logs", headers=self._headers
+        )
 
     def list_log_sets(self) -> dict:
-        return self._http_request(method='GET',
-                                  url_suffix='log_search/management/logsets',
-                                  headers=self._headers)
+        return self._http_request(
+            method="GET", url_suffix="log_search/management/logsets", headers=self._headers
+        )
 
     def download_logs(self, log_ids: str, params: dict) -> Response:
         headers = self._headers.copy()
-        headers['Accept-Encoding'] = ''
-        return self._http_request(method='GET',
-                                  url_suffix=f'log_search/download/logs/{log_ids}',
-                                  headers=headers,
-                                  params=params,
-                                  resp_type='response')
+        headers["Accept-Encoding"] = ""
+        return self._http_request(
+            method="GET",
+            url_suffix=f"log_search/download/logs/{log_ids}",
+            headers=headers,
+            params=params,
+            resp_type="response",
+        )
 
     def query_log(self, log_id: str, params: dict) -> dict:
-        return self._http_request(method='GET',
-                                  url_suffix=f'log_search/query/logs/{log_id}',
-                                  headers=self._headers,
-                                  params=params)
+        return self._http_request(
+            method="GET",
+            url_suffix=f"log_search/query/logs/{log_id}",
+            headers=self._headers,
+            params=params,
+        )
 
     def query_log_set(self, log_set_id: str, params: dict) -> dict:
-        return self._http_request(method='GET',
-                                  url_suffix=f'log_search/query/logsets/{log_set_id}',
-                                  headers=self._headers,
-                                  params=params)
+        return self._http_request(
+            method="GET",
+            url_suffix=f"log_search/query/logsets/{log_set_id}",
+            headers=self._headers,
+            params=params,
+        )
 
     def query_log_callback(self, url: str) -> dict:
-        return self._http_request(method='GET',
-                                  url_suffix='',
-                                  full_url=url,
-                                  headers=self._headers)
+        return self._http_request(method="GET", url_suffix="", full_url=url, headers=self._headers)
+
+    def create_investigation(
+        self,
+        title: str,
+        status: str,
+        priority: str,
+        disposition: str,
+        user_email_address: str = None,
+    ) -> dict:
+        """
+        Create an investigation.
+
+        Args:
+            title (str): The name of the investigation.
+            status (str): The status of the investigation.
+            priority (str): The priority for the investigation.
+            disposition (str): The disposition for the investigation.
+            user_email_address (str, optional): The email address of the user to assign to this Investigation.
+            Defaults to None.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        data = remove_empty_elements(
+            {
+                "assignee": {"email": user_email_address},
+                "disposition": disposition.replace(" ", "_"),
+                "priority": priority,
+                "status": status,
+                "title": title,
+            }
+        )
+        return self._http_request(
+            method="POST",
+            url_suffix="idr/v2/investigations",
+            headers=self._headers,
+            json_data=data,
+        )
+
+    def update_investigation(
+        self,
+        investigation_id: str,
+        title: str = None,
+        status: str = None,
+        priority: str = None,
+        disposition: str = None,
+        user_email_address: str = None,
+        threat_command_free_text: str = None,
+        threat_command_close_reason: str = None,
+    ) -> dict:
+        """
+        Update an investigation.
+
+        Args:
+            investigation_id (str): The ID or RRN of the investigation to to update.
+            title (str, optional): The name of the investigation. Defaults to None.
+            status (str, optional): The status of the investigation. Defaults to None.
+            priority (str, optional): The priority for the investigation. Defaults to None.
+            disposition (str, optional): The disposition for the investigation. Defaults to None.
+            user_email_address (str, optional): The email address of the user to assign to this Investigation.
+            Defaults to None.
+            threat_command_free_text (str, optional): Additional information. Defaults to None.
+            threat_command_close_reason (str, optional): The Threat Command reason for closing. Defaults to None.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        data = remove_empty_elements(
+            {
+                "assignee": {"email": user_email_address},
+                "disposition": disposition.replace(" ", "_") if disposition else None,
+                "priority": priority,
+                "status": status,
+                "title": title,
+                "threat_command_close_reason": threat_command_close_reason,
+                "threat_command_free_text": threat_command_free_text,
+            }
+        )
+        return self._http_request(
+            method="PATCH",
+            url_suffix=f"idr/v2/investigations/{investigation_id}",
+            headers=self._headers,
+            json_data=data,
+            params={
+                "multi-customer": self.is_multi_customer,
+            },
+        )
+
+    def list_investigation_alerts(
+        self,
+        investigation_id: str,
+    ) -> dict:
+        """
+        Retrieve and list all alerts associated with an investigation
+
+        Args:
+            investigation_id (str): The ID of the investigation.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        return self._http_request(
+            method="GET",
+            url_suffix=f"idr/v2/investigations/{investigation_id}/alerts",
+            params={
+                "multi-customer": self.is_multi_customer,
+            },
+        )
+
+    def list_investigation_product_alerts(
+        self,
+        investigation_id: str,
+    ) -> list[dict[str, Any]]:
+        """
+        Retrieve and list all Rapid7 product alerts associated with an investigation.
+
+        Args:
+            investigation_id (str): The ID of the investigation.
+
+        Returns:
+            list[dict[str, Any]]: API response from Insight IDR API.
+        """
+        return self._http_request(
+            method="GET",
+            url_suffix=f"idr/v2/investigations/{investigation_id}/rapid7-product-alerts",
+            params={
+                "multi-customer": self.is_multi_customer,
+            },
+        )
+
+    def get_user(
+        self,
+        rrn: str,
+    ) -> dict:
+        """
+        Get user by user RNN.
+
+        Args:
+            rrn (str): The RNN of the user.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        return self._http_request(method="GET", url_suffix=f"idr/v1/users/{rrn}")
+
+    def search_users(
+        self,
+        search: list[dict[str, Any]],
+        sort: list[dict[str, Any]],
+        index: str,
+        page_size: str,
+    ) -> dict:
+        """
+        Search for users matching the given search/sort criteria.
+
+        Args:
+            search (List[Dict[str, Any]]): Comma-separated list of search filters
+            sort (list[dict[str, Any]]): Comma-separated list of sorts.
+            index (str): The optional 0 based index of the page to retrieve.
+            page_size (str): The optional size of the page to retrieve.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        return self._http_request(
+            method="POST",
+            url_suffix="idr/v1/users/_search",
+            params={
+                "index": index,
+                "size": page_size,
+            },
+            json_data=remove_empty_elements(
+                {
+                    "search": search,
+                    "sort": sort,
+                }
+            ),
+        )
+
+    def search_investigations(
+        self,
+        search: list,
+        sort: list,
+        index: str,
+        page_size: str,
+        start_time: str = None,
+        end_time: str = None,
+    ) -> dict:
+        """
+        Search for investigations matching the given search/sort criteria.
+
+        Args:
+            search (list): Comma-separated list of search filters
+            sort (list): Comma-separated list of sorts.
+            index (str): The optional 0 based index of the page to retrieve.
+            page_size (str): The optional size of the page to retrieve.
+            start_time (str, optional):
+            An optional ISO formatted timestamp for the start of the time period to search for matching investigations.
+            Defaults to None.
+            end_time (str, optional):
+            An optional ISO formatted timestamp for the end of the time period to search for matching investigations.
+            Defaults to None.
+
+        Returns:
+            dict: API response from Insight IDR API.
+        """
+        data = remove_empty_elements(
+            {
+                "search": search,
+                "sort": sort,
+                "start_time": start_time,
+                "end_time": end_time,
+            }
+        )
+        return self._http_request(
+            method="POST",
+            url_suffix="idr/v2/investigations/_search",
+            params={
+                "index": index,
+                "size": page_size,
+                "multi-customer": self.is_multi_customer,
+            },
+            json_data=data,
+        )
 
     def validate(self) -> Response:
         """
@@ -107,236 +588,261 @@ def validate(self) -> Response:
         Returns:
             response(Response): API response from InsightIDR
         """
-        params = {'size': 1}
-        return self._http_request(method='GET',
-                                  url_suffix='idr/v1/investigations',
-                                  params=params,
-                                  resp_type='response')
-
-
-def insight_idr_list_investigations_command(client: Client, statuses: str = None,
-                                            time_range: str = None,
-                                            start_time: str = None, end_time: str = None,
-                                            index: int = 0, page_size: int = 20) -> CommandResults:
+        params = {"size": 1}
+        return self._http_request(
+            method="GET", url_suffix="idr/v1/investigations", params=params, resp_type="response"
+        )
+
+
+@logger
+def insight_idr_list_investigations_command(
+    client: Client,
+    args: dict[str, Any],
+    constants: Constants,
+) -> CommandResults:
     """
-    List investigations according to received parameters.
+    List investigations.
 
     Args:
-        client(Client): Rapid7 client
-        statuses(str): An optional comma separated set of investigation statuses
-        time_range(str): An optional relative time range in a readable format.
-        start_time(str): An optional ISO formatted timestamp
-        end_time(str): An optional ISO formatted timestamp
-        index(int): The optional 0 based index of the page to retrieve
-        page_size(int): The optional size of the page to retrieve
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
 
     Returns:
-        CommandResults with raw_response, readable_output and outputs.
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
     """
-    # start_time and end_time can come in "last 1 day" format, so we parse it
-    if time_range:
-        start_time, end_time = parse_date_range(time_range, date_format=DATE_FORMAT)
+    start_time = raise_on_invalid_time(args.get("start_time"))
+    end_time = raise_on_invalid_time(args.get("end_time"))
 
-    params = {
-        'statuses': statuses,
-        'start_time': start_time,
-        'end_time': end_time,
-        'index': index,
-        'size': page_size
-    }
+    # start_time and end_time can come in "last 1 day" format, so we parse it
 
-    results = client.list_investigations(remove_empty_elements(params))
+    if time_range := args.get("time_range"):
+        start_time, end_time = parse_date_range(date_range=time_range, date_format=DATE_FORMAT)
+
+    v2_params: dict[str, Any] = (
+        {
+            "sources": args.get("sources"),
+            "priorities": args.get("priorities"),
+            "assignee_email": args.get("assignee_email"),
+            "sort_field": to_snake_case(args.get("sort_field")),
+            "sort_direction": args.get("sort_direction"),
+            "tags": args.get("tags"),
+        }
+        if constants.IS_V2
+        else {}
+    )
 
-    data_for_output = results.get('data', [])
-    readable_output = tableToMarkdown('Requested Investigations',
-                                      data_for_output,
-                                      headers=INVESTIGATIONS_FIELDS,
-                                      removeNull=True)
+    results = client.list_investigations(
+        api_version=constants.VERSION,
+        statuses=args.get("statuses"),
+        start_time=start_time,
+        end_time=end_time,
+        index=str(arg_to_number(args["index"])),
+        size=get_pagination_size(
+            page_size=args.get("page_size"),
+            limit=args["limit"],
+        ),
+        **v2_params,
+    )
 
-    command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Investigation',
-        outputs_key_field='id',
-        raw_response=results,
+    data_for_output = results.get("data", [])
+    return generate_command_results(
+        title="Investigations",
+        outputs_prefix="Investigation",
+        outputs_key_field=constants.DEFAULT_KEY_FIELD,
+        headers=list(constants.INVESTIGATIONS_HEADERS),
         outputs=data_for_output,
-        readable_output=readable_output
+        raw_response=results,
     )
-    return command_results
 
 
-def insight_idr_get_investigation_command(client: Client, investigation_id: str) -> CommandResults:
+@logger
+def insight_idr_get_investigation_command(
+    client: Client,
+    args: dict[str, Any],
+    constants: Constants,
+) -> CommandResults:
     """
-        List investigations according to received parameters.
-
-        Args:
-            client(Client): Rapid7 client
-            investigation_id(str): Investigation ID
+    Get investigation.
 
-        Returns:
-            CommandResults with raw_response, readable_output and outputs.
-        """
-    results = client.list_investigations({})
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
 
-    data_for_output = results.get('data', [])
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
     investigation_data = {}
+    investigation_id = args["investigation_id"]
+    api_version = constants.VERSION
+    results = client.list_investigations(api_version=api_version, investigation_id=investigation_id)
+    if constants.IS_V1:
+        demisto.debug("Find the investigation ID in list response (V1)")
+        data = results.get("data", [])
+        for investigation in data:
 
-    for investigation in data_for_output:
-        if investigation.get('id') == investigation_id:
-            investigation_data = investigation
+            if investigation.get("id") == investigation_id:
+                investigation_data = investigation
+                break
 
-    if not investigation_data:
-        return CommandResults(raw_response=None)
+        if not investigation_data:
+            return CommandResults(raw_response=None)
 
-    readable_output = tableToMarkdown(f'Investigation Information (id: {investigation_id})',
-                                      investigation_data,
-                                      headers=INVESTIGATIONS_FIELDS,
-                                      removeNull=True)
+    else:
+        # Get the investigation ID in get response (V2)
+        if not results.get("rrn"):
+            return CommandResults(raw_response=None)
 
-    command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Investigation',
-        outputs_key_field='id',
-        raw_response=investigation_data,
+        investigation_data = results
+
+    return generate_command_results(
+        title=f'Investigation "{investigation_id}" Information',
+        outputs_prefix="Investigation",
+        outputs_key_field=constants.DEFAULT_KEY_FIELD,
+        headers=list(constants.INVESTIGATIONS_HEADERS),
         outputs=investigation_data,
-        readable_output=readable_output
+        raw_response=investigation_data,
     )
-    return command_results
 
 
-def insight_idr_close_investigations_command(client: Client, start_time: str, end_time: str,
-                                             source: str, max_investigations_to_close: int = None,
-                                             alert_type: str = None) -> CommandResults:
+@logger
+def insight_idr_close_investigations_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
     """
-    Close investigations by start_time, end_time and source.
+    Close investiagtions.
 
     Args:
-        client(Client): Rapid7 client
-        start_time(str): An ISO formatted timestamp.
-        end_time(str): An ISO formatted timestamp.
-        source(str): The name of an investigation source
-        max_investigations_to_close(int): An optional maximum number of alerts to close
-        alert_type(str): The category of alerts that should be closed
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
 
     Returns:
-        CommandResults with raw_response, readable_output and outputs.
-
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
     """
-    body = {
-        'from': start_time,
-        'to': end_time,
-        'source': source,
-        'max_investigations_to_close': max_investigations_to_close,
-        'alert_type': alert_type
-    }
-
-    results = client.bulk_close_investigations(remove_empty_elements(body))
-
-    ids = {
-        'id': results.get('ids')
-    }
-
-    data_for_outputs = []
-    for current_id in results.get('ids', []):
-        data_for_outputs.append({
-            'id': current_id,
-            'status': 'CLOSED'
-        })
+    arg_to_datetime(args["start_time"])
+    arg_to_datetime(args["end_time"])
+    results = client.bulk_close_investigations(
+        source=args["source"],
+        alert_type=args.get("alert_type"),
+        disposition=to_snake_case(args["disposition"], False),
+        detection_rule_rrn=args.get("detection_rule_rrn"),
+        start_time=args["start_time"],
+        end_time=args["end_time"],
+        max_investigations_to_close=arg_to_number(args.get("max_investigations_to_close")),
+    )
 
-    readable_output = tableToMarkdown('Closed Investigations IDs', ids, headers=['id'],
-                                      removeNull=True)
+    ids = results.get("ids", [])
+    data_for_outputs = [{"id": id, "status": "CLOSED"} for id in ids]
 
-    command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Investigation',
-        outputs_key_field='id',
-        raw_response=results,
+    return generate_command_results(
+        title=f"Investigation '{ids}' ({len(ids)}) was successfully closed.",
+        outputs_prefix="Investigation",
+        outputs_key_field=ConstantsV1.DEFAULT_KEY_FIELD,
+        headers=["id", "status"],
         outputs=data_for_outputs,
-        readable_output=readable_output
+        raw_response=results,
     )
-    return command_results
 
 
-def insight_idr_assign_user_command(client: Client, investigation_id: str,
-                                    user_email_address: str):
+@logger
+def insight_idr_assign_user_command(
+    client: Client,
+    args: dict[str, Any],
+    constants: Constants,
+) -> CommandResults:
     """
     Assigning user, by email, to investigation or investigations.
 
     Args:
-        client(Client): Rapid7 client
-        investigation_id(str): Investigation IDs, One or XSOAR list (str separated by commas)
-        user_email_address(str): The email address of the user to assign
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
 
     Returns:
-        CommandResults with raw_response, readable_output and outputs.
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
     """
-    results = []
-    data_for_readable_output = []
-
-    for investigation in argToList(investigation_id):
-        body = {
-            'user_email_address': user_email_address
-        }
-
-        result = client.assign_user(investigation, body)
-        results.append(result)
-
-        data_for_readable_output.append(result)
+    outputs: list[dict[str, Any]] = []
+    investigation_ids = args["investigation_id"]
+    user_email_address = args["user_email_address"]
+    for investigation in argToList(investigation_ids):
+
+        result = client.assign_user(
+            investigation,
+            api_version=constants.VERSION,
+            user_email_address=user_email_address,
+        )
+        outputs.append(result)
         time.sleep(0.01)
 
-    readable_output = tableToMarkdown(f'Investigation Information (id: {investigation_id})',
-                                      data_for_readable_output,
-                                      headers=INVESTIGATIONS_FIELDS,
-                                      removeNull=True)
-
-    command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Investigation',
-        outputs_key_field='id',
-        raw_response=results,
-        outputs=data_for_readable_output,
-        readable_output=readable_output
+    return generate_command_results(
+        title=f"Investigation '{investigation_ids}' was successfully assigned to {user_email_address}.",
+        outputs_prefix="Investigation",
+        outputs_key_field=constants.DEFAULT_KEY_FIELD,
+        headers=list(constants.INVESTIGATIONS_HEADERS),
+        outputs=outputs,
+        raw_response=outputs,
     )
-    return command_results
 
 
-def insight_idr_set_status_command(client: Client, investigation_id: str, status: str):
+@logger
+def insight_idr_set_status_command(
+    client: Client,
+    args: dict[str, Any],
+    constants: Constants,
+) -> CommandResults:
     """
-    Change the status of investigation or investigations to OPEN/CLOSED.
-
-        Args:
-            client(Client): Rapid7 client
-            investigation_id(str): Investigation IDs, One or XSOAR list (str separated by commas)
-            status(str): The new status for the investigation (open/closed)
+    Change the status of investigation or investigations.
 
-        Returns:
-            CommandResults with raw_response, readable_output and outputs.
-        """
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
 
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    v2_params: dict[str, Any] = (
+        {
+            "disposition": args.get("disposition"),
+            "threat_command_close_reason": to_camel_case(args.get("threat_command_close_reason")),
+            "threat_command_free_text": args.get("threat_command_free_text"),
+        }
+        if constants.IS_V2
+        else {}
+    )
     results = []
     data_for_readable_output = []
-    for investigation in argToList(investigation_id):
-        result = client.set_status(investigation, status)
+    investigation_ids = args["investigation_id"]
+    status = args["status"]
+    for investigation_id in argToList(investigation_ids):
+        result = client.set_status(
+            api_version=constants.VERSION,
+            investigation_id=investigation_id,
+            status=status,
+            **v2_params,
+        )
         results.append(result)
 
         data_for_readable_output.append(result)
         time.sleep(0.01)
 
-    readable_output = tableToMarkdown(f'Investigation Information (id: {investigation_id})',
-                                      data_for_readable_output,
-                                      headers=INVESTIGATIONS_FIELDS,
-                                      removeNull=True)
-
-    command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Investigation',
-        outputs_key_field='id',
-        raw_response=results,
+    return generate_command_results(
+        title=f"Investigation '{investigation_ids}' status was successfully updated to {status}.",
+        outputs_prefix="Investigation",
+        outputs_key_field=constants.DEFAULT_KEY_FIELD,
+        headers=list(constants.INVESTIGATIONS_HEADERS),
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        raw_response=results,
     )
-    return command_results
 
 
-def insight_idr_add_threat_indicators_command(client: Client, key: str,
-                                              ip_addresses: str = None,
-                                              hashes: str = None,
-                                              domain_names: str = None,
-                                              url: str = None) -> CommandResults:
+@logger
+def insight_idr_add_threat_indicators_command(
+    client: Client,
+    key: str,
+    ip_addresses: str = None,
+    hashes: str = None,
+    domain_names: str = None,
+    url: str = None,
+) -> CommandResults:
     """
     Adding threat indicators to threat (or threats) by key.
 
@@ -352,10 +858,10 @@ def insight_idr_add_threat_indicators_command(client: Client, key: str,
         CommandResults with raw_response, readable_output and outputs.
     """
     body = {
-        'ips': argToList(ip_addresses),
-        'hashes': argToList(hashes),
-        'domain_names': argToList(domain_names),
-        'urls': argToList(url)
+        "ips": argToList(ip_addresses),
+        "hashes": argToList(hashes),
+        "domain_names": argToList(domain_names),
+        "urls": argToList(url),
     }
     body = remove_empty_elements(body)
 
@@ -366,26 +872,35 @@ def insight_idr_add_threat_indicators_command(client: Client, key: str,
         result = client.add_threat_indicators(threat, body)
         results.append(result)
 
-        data_for_readable_output.append(result.get('threat'))
+        data_for_readable_output.append(result.get("threat"))
         time.sleep(0.01)
 
-    readable_output = tableToMarkdown(f'Threat Information (key: {key})', data_for_readable_output,
-                                      headers=THREATS_FIELDS, removeNull=True)
+    readable_output = tableToMarkdown(
+        f"Threat Information (key: {key})",
+        data_for_readable_output,
+        headers=THREATS_FIELDS,
+        removeNull=True,
+    )
 
     command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Threat',
-        outputs_key_field='name',
+        outputs_prefix="Rapid7InsightIDR.Threat",
+        outputs_key_field="name",
         raw_response=results,
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        readable_output=readable_output,
     )
     return command_results
 
 
-def insight_idr_replace_threat_indicators_command(client: Client, key: str,
-                                                  ip_addresses: str = None, hashes: str = None,
-                                                  domain_names: str = None,
-                                                  url: str = None) -> CommandResults:
+@logger
+def insight_idr_replace_threat_indicators_command(
+    client: Client,
+    key: str,
+    ip_addresses: str = None,
+    hashes: str = None,
+    domain_names: str = None,
+    url: str = None,
+) -> CommandResults:
     """
     Replace threat indicators to threat (or threats) by key.
 
@@ -401,10 +916,10 @@ def insight_idr_replace_threat_indicators_command(client: Client, key: str,
         CommandResults with raw_response, readable_output and outputs.
     """
     body = {
-        'ips': argToList(ip_addresses),
-        'hashes': argToList(hashes),
-        'domain_names': argToList(domain_names),
-        'urls': argToList(url)
+        "ips": argToList(ip_addresses),
+        "hashes": argToList(hashes),
+        "domain_names": argToList(domain_names),
+        "urls": argToList(url),
     }
     body = remove_empty_elements(body)
 
@@ -415,22 +930,27 @@ def insight_idr_replace_threat_indicators_command(client: Client, key: str,
         result = client.replace_threat_indicators(threat, body)
         results.append(result)
 
-        data_for_readable_output.append(result.get('threat'))
+        data_for_readable_output.append(result.get("threat"))
         time.sleep(0.01)
 
-    readable_output = tableToMarkdown(f'Threat Information (key: {key})', data_for_readable_output,
-                                      headers=THREATS_FIELDS, removeNull=True)
+    readable_output = tableToMarkdown(
+        f"Threat Information (key: {key})",
+        data_for_readable_output,
+        headers=THREATS_FIELDS,
+        removeNull=True,
+    )
 
     command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Threat',
-        outputs_key_field='name',
+        outputs_prefix="Rapid7InsightIDR.Threat",
+        outputs_key_field="name",
         raw_response=results,
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        readable_output=readable_output,
     )
     return command_results
 
 
+@logger
 def insight_idr_list_logs_command(client: Client) -> CommandResults:
     """
     List all logs.
@@ -443,25 +963,27 @@ def insight_idr_list_logs_command(client: Client) -> CommandResults:
     """
     results = client.list_logs()
 
-    logs = results.get('logs', {})
+    logs = results.get("logs", {})
     data_for_readable_output = []
 
     for log in logs:
         data_for_readable_output.append(log)
 
-    readable_output = tableToMarkdown('List Logs', data_for_readable_output, headers=LOGS_FIELDS,
-                                      removeNull=True)
+    readable_output = tableToMarkdown(
+        "List Logs", data_for_readable_output, headers=LOGS_FIELDS, removeNull=True
+    )
 
     command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Log',
-        outputs_key_field='id',
+        outputs_prefix="Rapid7InsightIDR.Log",
+        outputs_key_field="id",
         raw_response=results,
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        readable_output=readable_output,
     )
     return command_results
 
 
+@logger
 def insight_idr_list_log_sets_command(client: Client) -> CommandResults:
     """
     List all log sets.
@@ -474,28 +996,36 @@ def insight_idr_list_log_sets_command(client: Client) -> CommandResults:
     """
     results = client.list_log_sets()
 
-    logs = results.get('logsets', {})
+    logs = results.get("logsets", {})
     data_for_readable_output = []
 
     for log in logs:
         data_for_readable_output.append(log)
 
-    readable_output = tableToMarkdown('List Log Sets', data_for_readable_output,
-                                      headers=LOGS_FIELDS, removeNull=True)
+    readable_output = tableToMarkdown(
+        "List Log Sets", data_for_readable_output, headers=LOGS_FIELDS, removeNull=True
+    )
 
     command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.LogSet',
-        outputs_key_field='id',
+        outputs_prefix="Rapid7InsightIDR.LogSet",
+        outputs_key_field="id",
         raw_response=results,
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        readable_output=readable_output,
     )
     return command_results
 
 
-def insight_idr_download_logs_command(client: Client, log_ids: str, time_range: str = None,
-                                      start_time: str = None, end_time: str = None,
-                                      query: str = None, limit: str = None):
+@logger
+def insight_idr_download_logs_command(
+    client: Client,
+    log_ids: str,
+    time_range: str = None,
+    start_time: str = None,
+    end_time: str = None,
+    query: str = None,
+    limit: str = None,
+):
     """
     Download logs to .log file based on time and query (query - optional)
 
@@ -512,30 +1042,37 @@ def insight_idr_download_logs_command(client: Client, log_ids: str, time_range:
         CommandResults with raw_response, readable_output and outputs.
     """
     if not (start_time or end_time or time_range):
-        time_range = 'Last 3 days'
+        time_range = "Last 3 days"
 
     params = {
-        'from': start_time,
-        'to': end_time,
-        'time_range': time_range,
-        'query': query,
-        'limit': limit
+        "from": start_time,
+        "to": end_time,
+        "time_range": time_range,
+        "query": query,
+        "limit": limit,
     }
-    response = client.download_logs(log_ids.replace(',', ':'), remove_empty_elements(params))
-    content_disposition = response.headers.get('Content-Disposition')
+    response = client.download_logs(log_ids.replace(",", ":"), remove_empty_elements(params))
+    content_disposition = response.headers.get("Content-Disposition")
     try:
-        filename = content_disposition.split(';')[1].split('=')[1].replace(' ', '')  # type: ignore
+        filename = content_disposition.split(";")[1].split("=")[1].replace(" ", "")  # type: ignore
     except AttributeError:
-        filename = datetime.now().strftime(DATE_FORMAT) + '.log'
+        filename = datetime.now().strftime(DATE_FORMAT) + ".log"
 
-    file_type = entryTypes['entryInfoFile']
+    file_type = entryTypes["entryInfoFile"]
     return fileResult(filename, response.content, file_type)
 
 
-def insight_idr_query_log_command(client: Client, log_id: str, query: str, time_range: str = None,
-                                  start_time: str = None, end_time: str = None,
-                                  logs_per_page: int = None,
-                                  sequence_number: int = None) -> CommandResults:
+@logger
+def insight_idr_query_log_command(
+    client: Client,
+    log_id: str,
+    query: str,
+    time_range: str = None,
+    start_time: str = None,
+    end_time: str = None,
+    logs_per_page: int = None,
+    sequence_number: int = None,
+) -> CommandResults:
     """
     Search a log by Query.
 
@@ -556,11 +1093,11 @@ def insight_idr_query_log_command(client: Client, log_id: str, query: str, time_
         start_time, end_time = parse_date_range(time_range, to_timestamp=True)
 
     params = {
-        'query': query,
-        'from': start_time,
-        'to': end_time,
-        'per_page': logs_per_page,
-        'sequence_number': sequence_number
+        "query": query,
+        "from": start_time,
+        "to": end_time,
+        "per_page": logs_per_page,
+        "sequence_number": sequence_number,
     }
 
     params = remove_empty_elements(params)
@@ -569,23 +1106,30 @@ def insight_idr_query_log_command(client: Client, log_id: str, query: str, time_
 
     data_for_readable_output, raw_response = handle_query_log_results(client, results)
 
-    readable_output = tableToMarkdown('Query Results', data_for_readable_output,
-                                      headers=EVENTS_FIELDS, removeNull=True)
+    readable_output = tableToMarkdown(
+        "Query Results", data_for_readable_output, headers=EVENTS_FIELDS, removeNull=True
+    )
     command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Event',
-        outputs_key_field='message',
+        outputs_prefix="Rapid7InsightIDR.Event",
+        outputs_key_field="message",
         raw_response=raw_response,
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        readable_output=readable_output,
     )
     return command_results
 
 
-def insight_idr_query_log_set_command(client: Client, log_set_id: str, query: str,
-                                      time_range: str = None,
-                                      start_time: str = None, end_time: str = None,
-                                      logs_per_page: int = None,
-                                      sequence_number: int = None) -> CommandResults:
+@logger
+def insight_idr_query_log_set_command(
+    client: Client,
+    log_set_id: str,
+    query: str,
+    time_range: str = None,
+    start_time: str = None,
+    end_time: str = None,
+    logs_per_page: int = None,
+    sequence_number: int = None,
+) -> CommandResults:
     """
     Search a log set by Query.
 
@@ -606,11 +1150,11 @@ def insight_idr_query_log_set_command(client: Client, log_set_id: str, query: st
         start_time, end_time = parse_date_range(time_range, to_timestamp=True)
 
     params = {
-        'query': query,
-        'from': start_time,
-        'to': end_time,
-        'per_page': logs_per_page,
-        'sequence_number': sequence_number
+        "query": query,
+        "from": start_time,
+        "to": end_time,
+        "per_page": logs_per_page,
+        "sequence_number": sequence_number,
     }
 
     params = remove_empty_elements(params)
@@ -619,20 +1163,23 @@ def insight_idr_query_log_set_command(client: Client, log_set_id: str, query: st
 
     data_for_readable_output, raw_response = handle_query_log_results(client, results)
 
-    readable_output = tableToMarkdown('Query Results', data_for_readable_output,
-                                      headers=EVENTS_FIELDS, removeNull=True)
+    readable_output = tableToMarkdown(
+        "Query Results", data_for_readable_output, headers=EVENTS_FIELDS, removeNull=True
+    )
     command_results = CommandResults(
-        outputs_prefix='Rapid7InsightIDR.Event',
-        outputs_key_field='message',
+        outputs_prefix="Rapid7InsightIDR.Event",
+        outputs_key_field="message",
         raw_response=raw_response,
         outputs=data_for_readable_output,
-        readable_output=readable_output
+        readable_output=readable_output,
     )
     return command_results
 
 
-def handle_query_log_results(client: Client, result: dict) -> Tuple[list, list]:
-    """This function get the first result of the query, then handles if the query is still in progress, and handle pagination.
+def handle_query_log_results(client: Client, result: dict) -> tuple[list, list]:
+    """
+    This function get the first result of the query,
+    then handles if the query is still in progress, and handle pagination.
 
     Args:
         client (Client): Rapid7 Client
@@ -650,22 +1197,270 @@ def handle_query_log_results(client: Client, result: dict) -> Tuple[list, list]:
     while results_list:
         results = results_list.pop(0)
 
-        if events := results.get('events', []):
+        if events := results.get("events", []):
             data_for_readable_output.extend(events)
             raw_responcse.append(results)
 
-        if links := results.get('links', []):
+        if links := results.get("links", []):
             for link in links:
-                url = link.get('href')
+                url = link.get("href")
                 new_results = client.query_log_callback(url)
                 results_list.append(new_results)
 
-                progress = results.get('progress')
-                demisto.debug(f'Events length: {len(events)}, progress: {progress}')
+                progress = results.get("progress")
+                demisto.debug(f"Events length: {len(events)}, progress: {progress}")
 
     return data_for_readable_output, raw_responcse
 
 
+@logger
+def insight_idr_create_investigation_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
+    """
+    Create an new investigation manually.
+
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    results = client.create_investigation(
+        title=args["title"],
+        status=args["status"],
+        priority=args["priority"],
+        disposition=to_snake_case(args["disposition"], False) or DEFAULT_DISPOSITION,
+        user_email_address=args.get("user_email_address"),
+    )
+    investigation_id = results["rrn"]
+    return generate_command_results(
+        title=f"Investigation '{investigation_id}' was successfully created.",
+        outputs_prefix="Investigation",
+        outputs_key_field=ConstantsV2.DEFAULT_KEY_FIELD,
+        headers=list(ConstantsV2.INVESTIGATIONS_HEADERS),
+        outputs=results,
+        raw_response=results,
+    )
+
+
+@logger
+def insight_idr_update_investigation_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
+    """
+    Update an exsiting investigation.
+
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    investigation_id = args["investigation_id"]
+    results = client.update_investigation(
+        investigation_id=investigation_id,
+        title=args.get("title"),
+        status=args.get("status"),
+        priority=args.get("priority"),
+        disposition=to_snake_case(args.get("disposition"), False),
+        user_email_address=args.get("user_email_address"),
+        threat_command_free_text=args.get("threat_command_free_text"),
+        threat_command_close_reason=to_camel_case(args.get("threat_command_close_reason")),
+    )
+
+    return generate_command_results(
+        title=f"Investigation '{investigation_id}' was successfully updated.",
+        outputs_prefix="Investigation",
+        outputs_key_field=ConstantsV2.DEFAULT_KEY_FIELD,
+        headers=list(ConstantsV2.INVESTIGATIONS_HEADERS),
+        outputs=results,
+        raw_response=results,
+    )
+
+
+@logger
+def insight_idr_list_investigation_alerts_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
+    """
+    List all alerts associated with an investigation.
+
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    investigation_id = args["investigation_id"]
+    results = client.list_investigation_alerts(
+        investigation_id=investigation_id,
+    )
+    data = results.get("data", [])
+    data_for_output = {
+        "rrn": investigation_id,
+        "alert": (
+            data if argToBoolean(args["all_results"]) else data[: arg_to_number(args["limit"])]
+        ),
+    }
+    return generate_command_results(
+        title=f'Investigation "{investigation_id}" alerts:',
+        outputs_prefix="Investigation",
+        outputs_key_field=ConstantsV2.DEFAULT_KEY_FIELD,
+        headers=ALERTS_HEADERS,
+        outputs=data_for_output,
+        raw_response=results,
+        readable_outputs=data_for_output.get("alert", []),
+    )
+
+
+@logger
+def insight_idr_list_investigation_product_alerts_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
+    """
+    List all Rapid7 product alerts associated with an investigation.
+
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    investigation_id = args["investigation_id"]
+    results = client.list_investigation_product_alerts(
+        investigation_id=investigation_id,
+    )
+    data = generate_product_alerts_readable(results)
+    data_for_output = {
+        "rrn": investigation_id,
+        "ProductAlert": (
+            data if argToBoolean(args["all_results"]) else data[: arg_to_number(args["limit"])]
+        ),
+    }
+    return generate_command_results(
+        title=f'Investigation "{investigation_id}" product alerts',
+        outputs_prefix="Investigation",
+        outputs_key_field=ConstantsV2.DEFAULT_KEY_FIELD,
+        headers=PRODUCT_ALERTS_HEADERS,
+        outputs=data_for_output,
+        raw_response=results,
+        readable_outputs=data_for_output.get("ProductAlert", []),
+    )
+
+
+def generate_product_alerts_readable(response: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """
+    Generate product alerts readable outputs.
+
+    Args:
+        response (dict[str, Any]): The product alerts response.
+
+    Returns:
+        list[dict[str, Any]]: Readable outputs.
+    """
+    data = []
+    for result in response:
+        for product_name in list(result.keys()):
+            if isinstance(result[product_name], list):
+                for threat in result[product_name]:
+                    data.append(threat | {"name": result["type"]})
+            elif isinstance(result[product_name], dict):
+                data.append(result[product_name] | {"name": result["type"]})
+    return data
+
+
+@logger
+def insight_idr_list_users_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
+    """
+    Search for users or retrieve a user with the given RRN.
+
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    if rrn := args.get("rrn"):
+        results = client.get_user(
+            rrn=rrn,
+        )
+    else:
+        results = client.search_users(
+            search=handle_user_search(args=args, filter=USER_SEARCH),
+            sort=handle_sort(args=args),
+            index=str(arg_to_number(args["index"])) or DEFAULT_PAGE,
+            page_size=get_pagination_size(
+                page_size=args.get("page_size"),
+                limit=args["limit"],
+            ),
+        ).get("data", [])
+
+    return generate_command_results(
+        title="Users",
+        outputs_prefix="User",
+        outputs_key_field=ConstantsV2.DEFAULT_KEY_FIELD,
+        headers=USERS_HEADERS,
+        outputs=results,
+        raw_response=results,
+    )
+
+
+@logger
+def insight_idr_search_investigation_command(
+    client: Client,
+    args: dict[str, Any],
+) -> CommandResults:
+    """
+    Search for investigations matching the given search/sort criteria..
+
+    Args:
+        client (Client): Rapid7 Insight IDR API client.
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    search = handle_investigation_search(args, INVESTIGATION_SEARCH)
+    sort = handle_sort(args)
+    start_time = raise_on_invalid_time(time_str=args.get("start_time"))
+    end_time = raise_on_invalid_time(args.get("end_time"))
+
+    results = client.search_investigations(
+        search=search,
+        sort=sort,
+        start_time=start_time,
+        end_time=end_time,
+        index=str(arg_to_number(args["index"])),
+        page_size=get_pagination_size(
+            page_size=args.get("page_size"),
+            limit=args["limit"],
+        ),
+    )
+
+    return generate_command_results(
+        title="Investigations",
+        outputs_prefix="Investigation",
+        outputs_key_field=ConstantsV2.DEFAULT_KEY_FIELD,
+        headers=list(ConstantsV2.INVESTIGATIONS_HEADERS),
+        outputs=results.get("data", []),
+        raw_response=results,
+    )
+
+
+@logger
 def test_module(client: Client) -> str:
     """
     Returning 'ok' indicates that the integration works like it is supposed to.
@@ -683,23 +1478,23 @@ def test_module(client: Client) -> str:
         response = client.validate()
         status_code = response.status_code
         if status_code == 200:
-            return 'ok'
+            return "ok"
 
         if status_code == 401:
-            return 'API key is not valid.'
+            return "API key is not valid."
 
         if status_code == 500:
-            return 'This isn\'t your account region.'
+            return "This isn't your account region."
 
-        return 'Something went wrong...'
+        return "Something went wrong..."
     except DemistoException:
-        return 'Connection error. Check your region.'
+        return "Connection error. Check your region or your Credentials."
 
 
-def fetch_incidents(client: Client,
-                    last_run: Dict,
-                    first_fetch_time: str,
-                    max_fetch: str) -> Tuple[Dict[str, int], List[dict]]:
+@logger
+def fetch_incidents(
+    client: Client, last_run: dict, first_fetch_time: str, max_fetch: str
+) -> tuple[dict[str, int], list[dict]]:
     """
     Fetch incidents (investigations) each minute (by default).
 
@@ -712,7 +1507,7 @@ def fetch_incidents(client: Client,
     Returns:
         Tuple of next_run (millisecond timestamp) and the incidents list
     """
-    last_fetch_timestamp = last_run.get('last_fetch', None)
+    last_fetch_timestamp = last_run.get("last_fetch", None)
 
     if last_fetch_timestamp:
         last_fetch = datetime.fromtimestamp(last_fetch_timestamp / 1000)
@@ -722,20 +1517,21 @@ def fetch_incidents(client: Client,
     incidents = []
     next_run = last_fetch
 
-    size = int(max_fetch) if max_fetch else 50
-    params = {'start_time': last_fetch.strftime(DATE_FORMAT),
-              'size': size}
+    size = max_fetch or "50"
 
-    investigations = client.list_investigations(remove_empty_elements(params))
-    for investigation in investigations.get('data', []):
-        investigation_created_time = investigation.get('created_time')
-        created_time = dateparser.parse(investigation_created_time,
-                                        settings={'RETURN_AS_TIMEZONE_AWARE': False})
+    investigations = client.list_investigations(
+        start_time=last_fetch.strftime(DATE_FORMAT), size=size
+    )
+    for investigation in investigations.get("data", []):
+        investigation_created_time = investigation.get("created_time")
+        created_time = dateparser.parse(
+            investigation_created_time, settings={"RETURN_AS_TIMEZONE_AWARE": False}
+        )
         assert created_time is not None, f"could not parse {investigation_created_time}"
         incident = {
-            'name': investigation.get('title'),
-            'occurred': created_time.strftime(DATE_FORMAT)[:-4] + "Z",
-            'rawJSON': json.dumps(investigation)
+            "name": investigation.get("title"),
+            "occurred": created_time.strftime(DATE_FORMAT)[:-4] + "Z",
+            "rawJSON": json.dumps(investigation),
         }
         incidents.append(incident)
         if created_time > next_run:
@@ -745,91 +1541,376 @@ def fetch_incidents(client: Client,
     next_run = next_run + timedelta(milliseconds=1)
     next_run_timestamp = int(datetime.timestamp(next_run) * 1000)
 
-    return {'last_fetch': next_run_timestamp}, incidents
+    return {"last_fetch": next_run_timestamp}, incidents
+
+
+def handle_investigation_search(
+    args: dict[str, Any], filter: list[tuple[str, str]]
+) -> list[dict[str, Any]]:
+    """
+    Handle search for investigations - from user input to API input.
+
+    Args:
+        args (dict[str, Any]): Command arguments from XSOAR.
+        filter (list[tuple[str, str]]): Search settings.
+
+    Returns:
+        list: List of API search inputs.
+    """
+    search = []
+
+    for filter_field, filter_operator in filter:
+        search.extend(
+            [
+                {"field": filter_field, "operator": filter_operator, "value": value}
+                for value in argToList(args.get(filter_field, [])) or []
+            ]
+        )
+
+    return search
+
+
+def handle_user_search(args: dict[str, Any], filter: list[str]) -> list[dict[str, Any]]:
+    """
+    Handle search for users - from user input to API input.
+
+    Args:
+        args (dict[str, Any]): Command arguments from XSOAR.
+        filter (list[tuple]): Search settings.
+
+    Returns:
+        list: List of API search inputs.
+    """
+    search = []
+    for filter_field in filter:
+        values = argToList(args.get(filter_field, [])) or []
+        if len(values) > 0 and not args.get("search_operator"):
+            raise ValueError("Please insert search_operator in order to use filters.")
+        search.extend(
+            [
+                {
+                    "field": filter_field,
+                    "operator": args["search_operator"].upper(),
+                    "value": value,
+                }
+                for value in values
+            ]
+        )
+    return search
+
+
+def handle_sort(args: dict[str, Any]) -> list[dict[str, Any]]:
+    """
+    Handle sort criteria - from user input to API input.
+    For example, for the input:
+        args = {"sort": "Priority,Created time", "sort_direction": "ASC"}
+    The output will be
+        [{
+            "field": "priority",
+            "order": "ASC"
+        },{
+            "field": "created_time",
+            "order": "ASC"
+        }]
+
+    Args:
+        args (dict[str, Any]): Command arguments from XSOAR.
+
+    Returns:
+        list: List of API search inputs.
+    """
+    mapper = {
+        "Alert created time": "created_time",
+        "Created time": "created_time",
+        "Priority": "priority",
+        "RRN Last Created Alert": "alerts_most_recent_created_time",
+        "Last Detection Alert": "alerts_most_recent_detection_created_time",
+    }
+    return [
+        {
+            "field": mapper.get(field) or field,
+            "order": args["sort_direction"].upper(),
+        }
+        for field in argToList(args.get("sort")) or []
+    ]
+
+
+def generate_command_results(
+    title: str,
+    outputs_prefix: str,
+    outputs_key_field: str,
+    headers: list[str],
+    outputs: list[dict[str, Any]] | dict[str, Any],
+    raw_response: list[dict[str, Any]] | dict[str, Any],
+    readable_outputs: dict[str, Any] = None,
+) -> CommandResults:
+    """
+    Generates Command Results object.
+
+    Args:
+        title (str): The readable output title.
+        outputs_prefix (str): The output prefix.
+        outputs_key_field (str): The output key field.
+        headers (list): The readable output headers.
+        outputs (list[dict[str, Any]] | dict[str, Any]): The outputs.
+        raw_response (dict[str, Any]): The raw response.
+        readable_outputs (dict[str, Any], optional): Readable outputs data. Defaults to None.
+
+    Returns:
+        CommandResults: outputs, readable outputs and raw response for XSOAR.
+    """
+    return CommandResults(
+        outputs_prefix=f"{INTEGRATION_PREFIX}.{outputs_prefix}",
+        outputs_key_field=outputs_key_field,
+        raw_response=raw_response,
+        outputs=outputs,
+        readable_output=tableToMarkdown(
+            title,
+            readable_outputs or outputs,
+            headers=headers,
+            removeNull=True,
+            headerTransform=string_to_table_header,
+        ),
+    )
+
+
+def to_snake_case(text: str | None, is_lower: bool = True) -> str | None:
+    """
+    Convert text to snake case.
+
+    Args:
+        text (str, optional): The text to be converted.
+        is_lower (bool, optional): Wether to return in lower case or upper case. Defaults to True.
+
+    Returns:
+        str | None: Converted text.
+    """
+    return (text.lower() if is_lower else text.upper()).replace(" ", "_") if text else None
+
+
+def to_camel_case(text: str | None) -> str | None:
+    """
+    Convert text to camel case.
+
+
+    Args:
+        text (str | None): The text to be converted.
+
+    Returns:
+        str | None: Converted text.
+    """
+    return camelize_string(text, " ") if text else None
+
+
+def raise_on_invalid_time(time_str: str | None) -> str | None:
+    """
+    Validate a time string is a correct time.
+
+    Args:
+        time_str (str | None): Time string to be checked.
+
+    Raises:
+        ValueError: Time string is wrong.
+
+    Returns:
+        str | None: The time string.
+    """
+    if time_str:
+        arg_to_datetime(time_str)
+    return time_str
+
+
+def get_pagination_size(page_size: str | None, limit: str) -> str:
+    """
+    Get pagination API size argument in case of using size and limit.
+
+    Args:
+        page_size (str | None): The page size.
+        limit (str): The limit.
+
+    Returns:
+        int: API size input.
+    """
+    if (lmt := arg_to_number(limit)) and lmt > 100:
+        raise ValueError("The maximum limit is 100.")
+    if (pgz := arg_to_number(page_size)) and pgz > 100:
+        raise ValueError("The maximum page_size is 100.")
+
+    return str(arg_to_number(page_size) or arg_to_number(limit) or 50)
 
 
 def main():
     """PARSE AND VALIDATE INTEGRATION PARAMS"""
 
     params = demisto.params()
-    region = params.get('region', {})
-    api_key = params.get('apikey_creds', {}).get('password') or params.get('apiKey', {})
-    max_fetch = params.get('max_fetch', '50')
+    region = params.get("region", {})
+    api_key = params.get("apikey_creds", {}).get("password") or params.get("apiKey", {})
+    is_multi_customer = argToBoolean(params["is_multi_customer"])
+    max_fetch = params.get("max_fetch", "50")
 
-    base_url = f'https://{region}.api.insight.rapid7.com/'
+    base_url = f"https://{region}.api.insight.rapid7.com/"
 
-    verify_certificate = not params.get('insecure', False)
-    proxy = params.get('proxy', False)
+    verify_certificate = not params.get("insecure", False)
+    proxy = params.get("proxy", False)
 
-    headers = {
-        'X-Api-Key': api_key,
-        'content-type': 'application/json'
-    }
+    headers = {"X-Api-Key": api_key, "content-type": "application/json"}
 
     # How much time before the first fetch to retrieve incidents
-    first_fetch_time = params.get('fetch_time', '3 days').strip()
+    first_fetch_time = params.get("fetch_time", "3 days").strip()
 
     command = demisto.command()
-    demisto.info(f'Command being called is {command}')
+    demisto.info(f"Command being called is {command}")
 
     try:
         client = Client(
             base_url=base_url,
             headers=headers,
             verify=verify_certificate,
-            proxy=proxy)
-        if command == 'test-module':
+            proxy=proxy,
+            is_multi_customer=is_multi_customer,
+        )
+        if demisto.args().get("api_version") == API_V1:
+            api_version = API_V1
+        elif demisto.args().get("api_version") == API_V2:
+            api_version = API_V2
+        else:
+            api_version = API_V2 if argToBoolean(demisto.params().get("is_v2")) else API_V1
+
+        api_version_constants: Constants = {
+            API_V1: ConstantsV1,
+            API_V2: ConstantsV2,
+        }.get(api_version, ConstantsV1)()
+        if command == "test-module":
             # This is the call made when pressing the integration Test button.
             return_results(test_module(client))
 
-        elif command == 'fetch-incidents':
-            next_run, incidents = fetch_incidents(client=client,
-                                                  last_run=demisto.getLastRun(),
-                                                  first_fetch_time=first_fetch_time,
-                                                  max_fetch=max_fetch)
+        elif command == "fetch-incidents":
+            next_run, incidents = fetch_incidents(
+                client=client,
+                last_run=demisto.getLastRun(),
+                first_fetch_time=first_fetch_time,
+                max_fetch=max_fetch,
+            )
             demisto.setLastRun(next_run)
             demisto.incidents(incidents)
 
-        elif command == 'rapid7-insight-idr-list-investigations':
-            return_results(insight_idr_list_investigations_command(client, **demisto.args()))
-
-        elif command == 'rapid7-insight-idr-get-investigation':
-            return_results(insight_idr_get_investigation_command(client, **demisto.args()))
-
-        elif command == 'rapid7-insight-idr-close-investigations':
-            return_results(insight_idr_close_investigations_command(client, **demisto.args()))
-
-        elif command == 'rapid7-insight-idr-assign-user':
-            return_results(insight_idr_assign_user_command(client, **demisto.args()))
-
-        elif command == 'rapid7-insight-idr-set-status':
-            return_results(insight_idr_set_status_command(client, **demisto.args()))
-
-        elif command == 'rapid7-insight-idr-add-threat-indicators':
+        elif command == "rapid7-insight-idr-list-investigations":
+            return_results(
+                insight_idr_list_investigations_command(
+                    client=client,
+                    args=demisto.args(),
+                    constants=api_version_constants,
+                )
+            )
+
+        elif command == "rapid7-insight-idr-get-investigation":
+            return_results(
+                insight_idr_get_investigation_command(
+                    client,
+                    demisto.args(),
+                    constants=api_version_constants,
+                )
+            )
+
+        elif command == "rapid7-insight-idr-close-investigations":
+            return_results(
+                insight_idr_close_investigations_command(
+                    client,
+                    demisto.args(),
+                )
+            )
+
+        elif command == "rapid7-insight-idr-assign-user":
+            return_results(
+                insight_idr_assign_user_command(
+                    client=client,
+                    args=demisto.args(),
+                    constants=api_version_constants,
+                )
+            )
+
+        elif command == "rapid7-insight-idr-set-status":
+            return_results(
+                insight_idr_set_status_command(
+                    client=client,
+                    args=demisto.args(),
+                    constants=api_version_constants,
+                )
+            )
+
+        elif command == "rapid7-insight-idr-add-threat-indicators":
             return_results(insight_idr_add_threat_indicators_command(client, **demisto.args()))
 
-        elif command == 'rapid7-insight-idr-replace-threat-indicators':
+        elif command == "rapid7-insight-idr-replace-threat-indicators":
             return_results(insight_idr_replace_threat_indicators_command(client, **demisto.args()))
 
-        elif command == 'rapid7-insight-idr-list-logs':
+        elif command == "rapid7-insight-idr-list-logs":
             return_results(insight_idr_list_logs_command(client))
 
-        elif command == 'rapid7-insight-idr-list-log-sets':
+        elif command == "rapid7-insight-idr-list-log-sets":
             return_results(insight_idr_list_log_sets_command(client))
 
-        elif command == 'rapid7-insight-idr-download-logs':
+        elif command == "rapid7-insight-idr-download-logs":
             return_results(insight_idr_download_logs_command(client, **demisto.args()))
 
-        elif command == 'rapid7-insight-idr-query-log':
+        elif command == "rapid7-insight-idr-query-log":
             return_results(insight_idr_query_log_command(client, **demisto.args()))
 
-        elif command == 'rapid7-insight-idr-query-log-set':
+        elif command == "rapid7-insight-idr-query-log-set":
             return_results(insight_idr_query_log_set_command(client, **demisto.args()))
 
+        elif command == "rapid7-insight-idr-create-investigation":
+            return_results(
+                insight_idr_create_investigation_command(
+                    client=client,
+                    args=demisto.args(),
+                )
+            )
+
+        elif command == "rapid7-insight-idr-update-investigation":
+            return_results(
+                insight_idr_update_investigation_command(
+                    client=client,
+                    args=demisto.args(),
+                )
+            )
+
+        elif command == "rapid7-insight-idr-list-investigation-alerts":
+            return_results(
+                insight_idr_list_investigation_alerts_command(
+                    client=client,
+                    args=demisto.args(),
+                )
+            )
+
+        elif command == "rapid7-insight-idr-list-investigation-product-alerts":
+            return_results(
+                insight_idr_list_investigation_product_alerts_command(
+                    client=client,
+                    args=demisto.args(),
+                )
+            )
+
+        elif command == "rapid7-insight-idr-list-users":
+            return_results(
+                insight_idr_list_users_command(
+                    client=client,
+                    args=demisto.args(),
+                )
+            )
+
+        elif command == "rapid7-insight-idr-search-investigation":
+            return_results(
+                insight_idr_search_investigation_command(
+                    client=client,
+                    args=demisto.args(),
+                )
+            )
+
     # Log exceptions
     except Exception as error:
-        return_error(f'Failed to execute {command} command. Error: {str(error)}')
+        return_error(f"Failed to execute {command} command. Error: {str(error)}")
 
 
-if __name__ in ('__main__', '__builtin__', 'builtins'):
+if __name__ in ("__main__", "__builtin__", "builtins"):
     main()
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.yml b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.yml
index 1e99ac77b1cd..5f2dd072e31e 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.yml
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR.yml
@@ -1,435 +1,1085 @@
 category: Analytics & SIEM
 sectionOrder:
-- Connect
-- Collect
+  - Connect
+  - Collect
 commonfields:
   id: Rapid7 InsightIDR
   version: -1
 configuration:
-- display: Insight cloud server region
-  name: region
-  options:
-  - US
-  - EU
-  - CA
-  - AU
-  - AP
-  required: true
-  type: 15
-  section: Connect
-- display: InsightIDR API key
-  name: apiKey
-  type: 4
-  section: Connect
-  hidden: true
-  required: false
-- name: apikey_creds
-  type: 9
-  section: Connect
-  displaypassword: InsightIDR API key
-  hiddenusername: true
-  required: false
-- display: Fetch incidents
-  name: isFetch
-  type: 8
-  section: Collect
-  required: false
-- display: Incident type
-  name: incidentType
-  type: 13
-  section: Connect
-  required: false
-- defaultvalue: '7 days'
-  display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
-  name: first_fetch
-  type: 0
-  section: Collect
-  required: false
-- display: Fetch Limit
-  name: max_fetch
-  type: 0
-  section: Collect
-  additionalinfo: Max number of alerts per fetch. Default is 50.
-  defaultvalue: '50'
-  required: false
-- display: Trust any certificate (not secure)
-  name: insecure
-  type: 8
-  section: Connect
-  advanced: true
-  required: false
-- advanced: true
-  display: Use system proxy settings
-  name: proxy
-  section: Connect
-  type: 8
-
-  required: false
-description: 'Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents.'
+  - display: Insight cloud server region
+    name: region
+    options:
+      - US
+      - EU
+      - CA
+      - AU
+      - AP
+    required: true
+    type: 15
+    section: Connect
+  - display: InsightIDR API key
+    name: apiKey
+    type: 4
+    section: Connect
+    hidden: true
+    required: false
+  - name: apikey_creds
+    type: 9
+    section: Connect
+    displaypassword: InsightIDR API key
+    hiddenusername: true
+    required: false
+  - display: Fetch incidents
+    name: isFetch
+    type: 8
+    section: Collect
+    required: false
+  - display: Incident type
+    name: incidentType
+    type: 13
+    section: Connect
+    required: false
+  - defaultvalue: "7 days"
+    display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
+    name: first_fetch
+    type: 0
+    section: Collect
+    required: false
+  - display: Fetch Limit
+    name: max_fetch
+    type: 0
+    section: Collect
+    additionalinfo: Max number of alerts per fetch. Default is 50.
+    defaultvalue: "50"
+    required: false
+  - display: Multi customer
+    name: is_multi_customer
+    type: 8
+    required: false
+    additionalinfo: Indicates whether the requester has multi-customer access.
+  - display: Use API Version 2 by default
+    name: is_v2
+    type: 8
+    required: false
+    additionalinfo: Whether to use API version 2 by default for investigation commands (Can be overriden by passing the api_version argument).
+  - display: Trust any certificate (not secure)
+    name: insecure
+    type: 8
+    section: Connect
+    advanced: true
+    required: false
+  - advanced: true
+    display: Use system proxy settings
+    name: proxy
+    section: Connect
+    type: 8
+    required: false
+description: "Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams."
 display: Rapid7 InsightIDR
 name: Rapid7 InsightIDR
 script:
   commands:
-  - arguments:
-    - description: An optional time range string (i.e 1 week, 1 day).
-      name: time_range
-    - description: "Only investigations whose createTime is after this date will be returned. If this argument is omitted, investigations with any create_time may be returned. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
-      name: start_time
-    - description: "Only investigations whose createTime is before this date will be returned. If this argument is omitted, investigations with any create_time may be returned. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
-      name: end_time
-    - auto: PREDEFINED
-      description: Only investigations whose status matches one of the entries in the list will be returned. If this argument is omitted, all investigations will be returned.
-      name: statuses
-      predefined:
-      - open
-      - closed
-    - description: The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0.
-      name: index
-    - description: The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000.
-      name: page_size
-    description: List all open/closed investigations. You can filter results by time range and investigation status.
-    name: rapid7-insight-idr-list-investigations
-    outputs:
-    - contextPath: Rapid7InsightIDR.Investigation.title
-      description: Title of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.id
-      description: ID of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.status
-      description: Status of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.created_time
-      description: Time the investigation was created.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.source
-      description: Source of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee.email
-      description: Email address of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee.name
-      description: Name of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.type
-      description: Type of alert in the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
-      description: Description of the type of the alert in the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
-      description: First event time of the alert in the investigation.
-      type: String
-  - arguments:
-    - description: ID of the investigation to get.
-      name: investigation_id
-      required: true
-    description: Gets a single investigation (open or closed).
-    name: rapid7-insight-idr-get-investigation
-    outputs:
-    - contextPath: Rapid7InsightIDR.Investigation.title
-      description: Title of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.id
-      description: ID of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.status
-      description: Status of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.created_time
-      description: Time the investigation was created.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.source
-      description: Source of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee.email
-      description: Email address of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee.name
-      description: Name of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.type
-      description: Type of alert in the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
-      description: Description of the type of the alert in the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
-      description: First event time of the alert in the investigation.
-      type: String
-  - arguments:
-    - description: "Only investigations whose createTime is before this date will be returned. If this argument is omitted, investigations with any create_time may be returned - Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
-      name: start_time
-      required: true
-    - description: "AOnly investigations whose createTime is before this date will be returned. If this argument is omitted, investigations with any create_time may be returned. Use ISO time format (e.g., 2018-07-01T00:00:00Z)."
-      name: end_time
-      required: true
-    - auto: PREDEFINED
-      description: The name of an investigation source. Only investigations from this source will be closed. If the source is ALERT, an alert type must be specified as well. Can be "ALERT", "MANUAL", or "HUNT""The LEQL query to match desired log events. Do not use a calculation.more
-      name: source
-      predefined:
-      - ALERT
-      - MANUAL
-      - HUNT
-      required: true
-    - description: The category of alerts to closed. This argument is required if the source is ALERT and ignored for other sources. This value must be an exact match of the alert type returned by the List Investigations response.
-      isArray: true
-      name: alert_type
-    - description: The maximum number of alerts to close with this request. If this argument is not specified then there is no maximum. If this limit is exceeded, then a 400 error response is returned. The minimum value is 0.
-      name: max_investigations_to_close
-    description: Bulk closes investigations according to the specified investigation create-time date range. You can specify the maximum number of alerts to close per call. If that maximum is exceeded a 400 error response is returned.
-    name: rapid7-insight-idr-close-investigations
-    outputs:
-    - contextPath: Rapid7InsightIDR.Investigation.id
-      description: ID of the investigation.
-      type: String
-  - arguments:
-    - description: ID of the investigation to assign the user to.
-      isArray: true
-      name: investigation_id
-      required: true
-    - description: The email address of the user to assign to this investigation. This must be the same email address used to log in to the Insight platform.
-      name: user_email_address
-      required: true
-    description: Assigns a user to an investigation according to the specified user email  address.
-    name: rapid7-insight-idr-assign-user
-    outputs:
-    - contextPath: Rapid7InsightIDR.Investigation.title
-      description: Title of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.id
-      description: ID of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.status
-      description: Status of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.created_time
-      description: Time the investigation was created.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.source
-      description: Source of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee.email
-      description: Email address of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee.name
-      description: Name of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.type
-      description: Type of alert in the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
-      description: Description of the type of the alert in the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
-      description: First event time of the alert in the investigation.
-      type: String
-  - arguments:
-    - description: ID of the investigation to set the status of.
-      isArray: true
-      name: investigation_id
-      required: true
-    - auto: PREDEFINED
-      description: The new status for the investigation. Can be "open" or "closed".
-      name: status
-      predefined:
-      - open
-      - closed
-      required: true
-    description: Sets the investigation status to either open or closed.
-    name: rapid7-insight-idr-set-status
-    outputs:
-    - contextPath: Rapid7InsightIDR.Investigation.title
-      description: Title of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.id
-      description: ID of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.status
-      description: Status of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.created_time
-      description: Time the investigation was created.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.source
-      description: Source of the investigation.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee_email
-      description: Email address of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.assignee_name
-      description: Name of the investigation assignee.
-      type: String
-    - contextPath: Rapid7InsightIDR.Investigation.alert_type
-      description: Type of alert in the investigation.
-      type: String
-  - arguments:
-    - description: Key of the threat (or threats) to add indicators to.
-      isArray: true
-      name: key
-      required: true
-    - description: IP address indicators to add.
-      isArray: true
-      name: ip_addresses
-    - description: "Hash indicators to add."
-      isArray: true
-      name: hashes
-    - description: Domain indicators to add.
-      isArray: true
-      name: domain_names
-    - description: URL indicators to add.
-      isArray: true
-      name: url
-    description: Adds new indicators to a threat (IP addresses, hashes, domains, and URLs).
-    name: rapid7-insight-idr-add-threat-indicators
-    outputs:
-    - contextPath: Rapid7InsightIDR.Threat.name
-      description: Name of the threat.
-      type: String
-    - contextPath: Rapid7InsightIDR.Threat.note
-      description: Notes for the threat.
-      type: String
-    - contextPath: Rapid7InsightIDR.Threat.indicator_count
-      description: How many indicators the threat has.
-      type: Number
-    - contextPath: Rapid7InsightIDR.Threat.published
-      description: Whether or not the threat is published.
-      type: Boolean
-  - arguments:
-    - description: Key of the threat (or threats) to replace indicators for.
-      isArray: true
-      name: key
-      required: true
-    - description: IP address indicators to add.
-      isArray: true
-      name: ip_addresses
-    - description: "Hash indicators to add."
-      isArray: true
-      name: hashes
-    - description: Domain indicators to add.
-      isArray: true
-      name: domain_names
-    - description: URL indicators to add.
-      isArray: true
-      name: url
-    description: Deletes existing indicators from a threat and adds new indicators to the threat.
-    name: rapid7-insight-idr-replace-threat-indicators
-    outputs:
-    - contextPath: Rapid7InsightIDR.Threat.name
-      description: Name of the threat.
-      type: String
-    - contextPath: Rapid7InsightIDR.Threat.note
-      description: Notes for the threat.
-      type: String
-    - contextPath: Rapid7InsightIDR.Threat.indicator_count
-      description: How many indicators the threat has.
-      type: Number
-    - contextPath: Rapid7InsightIDR.Threat.published
-      description: Whether or not the threat is published.
-      type: Boolean
-  - arguments: []
-    description: Lists all existing logs for an account.
-    name: rapid7-insight-idr-list-logs
-    outputs:
-    - contextPath: Rapid7InsightIDR.Log.name
-      description: Log name.
-      type: String
-    - contextPath: Rapid7InsightIDR.Log.id
-      description: Log ID.
-      type: String
-  - arguments: []
-    description: Lists all existing log sets for your InsightsIDR instance.
-    name: rapid7-insight-idr-list-log-sets
-    outputs:
-    - contextPath: Rapid7InsightIDR.LogSet.name
-      description: Log name.
-      type: String
-    - contextPath: Rapid7InsightIDR.LogSet.id
-      description: Log ID.
-      type: String
-  - arguments:
-    - description: IDs of the logs to download - up to 10 logs allowed.
-      isArray: true
-      name: log_ids
-      required: true
-    - description: "Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. This is optional if time_range is supplied."
-      name: start_time
-    - description: 'Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds.'
-      name: end_time
-    - description: 'The relative time range in a readable format. Optional if "from" \ is supplied. For example: Last 4 Days. Note that if start_time, end_time and\ \ time_range is not provided the default will be Last 3 days.'
-      name: time_range
-    - description: "The LEQL query to match desired log events. Do not use a calculation.more info: https://docs.rapid7.com/insightidr/build-a-query/"
-      name: query
-    - description: 'The maximum number of log events to download; cannot exceed 20 million. The default is 20 million. The argument value should be written like this: "10 thousand" or "2 million").'
-      name: limit
-    description: Downloads logs for from your InsightsIDR instance. The maximum number of logs per call is 10.
-    name: rapid7-insight-idr-download-logs
-    outputs: []
-  - arguments:
-    - description: Logentries log key.
-      name: log_id
-      required: true
-    - description: "A valid LEQL query to run against the logmore info: https://docs.rapid7.com/insightidr/build-a-query/"
-      name: query
-      required: true
-    - description: A time range string (i.e 1 week, 1 day) - While using this parameter, start_time and end_time isn't needed.
-      name: time_range
-    - description: 'Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000.'
-      name: start_time
-    - description: 'Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000.'
-      name: end_time
-    - description: The maximum number of log entries to return per page. Default of 50.
-      name: logs_per_page
-    - description: The earlier sequence number of a log entry to start searching from.
-      name: sequence_number
-    description: Queries within a log for certain values.
-    name: rapid7-insight-idr-query-log
-    outputs:
-    - contextPath: Rapid7InsightIDR.Event.log_id
-      description: ID of the log the event appears in.
-      type: String
-    - contextPath: Rapid7InsightIDR.Event.message
-      description: Event message.
-      type: String
-    - contextPath: Rapid7InsightIDR.Event.timestamp
-      description: Time when the event was triggered.
-      type: Number
-  - arguments:
-    - description: ID of the log set.
-      isArray: true
-      name: log_set_id
-      required: true
-    - description: "A valid LEQL query to run against the logmore info: https://docs.rapid7.com/insightidr/build-a-query/"
-      name: query
-      required: true
-    - description: A time range string (e.g., 1 week, 1 day) - While using this parameter, start_time and end_time isn't needed.
-      name: time_range
-    - description: 'Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000.'
-      name: start_time
-    - description: 'Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000.'
-      name: end_time
-    - description: The maximum number of log entries to return per page. Default of 50.
-      name: logs_per_page
-    - description: The earlier sequence number of a log entry to start searching from.
-      name: sequence_number
-    description: Queries within a log set for certain values.
-    name: rapid7-insight-idr-query-log-set
-    outputs:
-    - contextPath: Rapid7InsightIDR.Event.log_id
-      description: ID of the log the event appears in.
-      type: String
-    - contextPath: Rapid7InsightIDR.Event.message
-      description: Event message.
-      type: String
-    - contextPath: Rapid7InsightIDR.Event.timestamp
-      description: Time when the event was triggered.
-      type: Number
-  dockerimage: demisto/python3:3.10.13.87159
+    - arguments:
+        - description: The InsightIDR API version to request to.
+          name: api_version
+          defaultValue: Default
+          auto: PREDEFINED
+          predefined:
+            - V1
+            - V2
+            - Default
+          required: false
+        - description: "The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0."
+          name: index
+          defaultValue: "0"
+        - description: "The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000."
+          name: page_size
+        - description: The maximum number of records to retrieve.
+          name: limit
+          defaultValue: "50"
+        - description: A comma-separated list of investigation statuses to include in the result. For example, Open,Closed.
+          name: statuses
+          auto: PREDEFINED
+          predefined:
+            - open
+            - investigating
+            - closed
+          isArray: true
+        - description: A comma-separated list of investigation sources to include in the result. For example, User,Alert. Relevant when api_version is V2 only.
+          name: sources
+          auto: PREDEFINED
+          predefined:
+            - User
+            - Alert
+          isArray: true
+        - name: priorities
+          description: A comma-separated list of investigation priorities to include in the result. For example, Low,Medium. Relevant when api_version is V2 only.
+          auto: PREDEFINED
+          predefined:
+            - Unspecified
+            - Low
+            - Medium
+            - High
+            - Critical
+          isArray: true
+        - name: assignee_email
+          description: A user's email address. Only investigations assigned to that user will be included. For example, test@test.com.
+        - name: time_range
+          description: An optional time range string (i.e., 1 week, 1 day).
+        - name: start_time
+          description: The time an investigation is opened. Only investigations whose created_time is after this date will be returned by the API. Must be an ISO-formatted timestamp. For example, 2018-07-01T00:00:00Z. Default is 28 days prior. Relevant when api_version is V2 only.
+        - name: end_time
+          description: The time an investigation is closed. Only investigations whose created_time is before this date will be returned by the API. Must be an ISO-formatted timestamp. For example, 2018-07-28T23:59:00Z. Default is the current time. Relevant when api_version is V2 only.
+        - name: sort_field
+          description: A field for investigations to be sorted by. Relevant when api_version is V2 only.
+          defaultValue: Created time
+          auto: PREDEFINED
+          predefined:
+            - Created time
+            - Priority
+            - RRN Last Created Alert
+            - Last Detection Alert
+        - name: sort_direction
+          description: The sorting direction. Relevant when api_version is V2 only.
+          defaultValue: DESC
+          auto: PREDEFINED
+          predefined:
+            - ASC
+            - DESC
+        - name: tags
+          description: A comma-separated list of tags to include in the result. Only investigations who have all specified tags will be included. For example, my_teg,test_tag. Relevant when api_version is V2 only.
+          isArray: true
+      description: List all investigations. Retrieve a list of investigations matching the given request parameters. The investigations are sorted by investigation created_time in descending order. Investigations are an aggregate of the applicable alert data in a single place and are closely tied to Alerts and Detection Rules.
+      name: rapid7-insight-idr-list-investigations
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.first_alert_time
+          description: The create time of the first alert belonging to this investigation (if any). Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any). Relevant when api_version is V2 only.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.email
+          description: The email of the assigned user (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.name
+          description: The name of the assigned user (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified. Relevant when api_version is V2 only.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The priority of the investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.id
+          description: The ID of the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type
+          description: Type of alert in the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
+          description: First event time of the alert in the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
+          description: First event time of the alert in the investigation. Relevant when api_version is V1 only.
+          type: String
+    - arguments:
+        - description: The InsightIDR API version to request to.
+          name: api_version
+          defaultValue: Default
+          auto: PREDEFINED
+          predefined:
+            - V1
+            - V2
+            - Default
+        - name: investigation_id
+          description: The ID or Rapid7 Resource Names (RRN) of the investigation to retrieve. (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+          required: false
+          default: true
+      description: Get a specific investigation. This investigation is specified by either ID or Rapid7 Resource Names (RRN). (If multi-customer is set to true, the investigation_id must be in the RRN format).
+      name: rapid7-insight-idr-get-investigation
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.first_alert_time
+          description: The create time of the first alert belonging to this investigation (if any). Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any). Relevant when api_version is V2 only.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.email
+          description: The email of the assigned user (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.name
+          description: The name of the assigned user (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified. Relevant when api_version is V2 only.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The priority of the investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.id
+          description: The ID of the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type
+          description: Type of alert in the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
+          description: The description of the alert type in the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
+          description: First event time of alert in the investigation. Relevant when api_version is V1 only.
+          type: String
+    - arguments:
+        - description: "The name of an investigation source. Only investigations from this source will be closed. If the source is ALERT, an alert type or a detection rule RRN must be specified as well."
+          name: source
+          required: true
+          auto: PREDEFINED
+          predefined:
+            - ALERT
+            - MANUAL
+            - HUNT
+        - description: "An ISO formatted timestamp. Only investigations whose createTime is before this date will be returned by the API. For example, 2018-07-28T23:59:00Z. Default is the current time."
+          name: end_time
+          required: true
+        - description: An ISO formatted timestamp. Only investigations whose createTime is after this date will be returned by the API. For example, 2018-07-01T00:00:00Z.
+          name: start_time
+          required: true
+        - description: The category of types of alerts that should be closed. Use rapid7-insight-idr-list-investigations or rapid7-insight-idr-list-investigation-alerts to get the alert types. Required when sourceis ALERT.
+          name: alert_type
+        - description: A disposition to set the investigation to.
+          name: disposition
+          defaultValue: Not Applicable
+          auto: PREDEFINED
+          predefined:
+            - Undecided
+            - Benign
+            - Malicious
+            - Not Applicable
+        - name: detection_rule_rrn
+          description: The Rapid7 Resource Names (RRN) of the detection rule. Only investigations that are associated with this detection rule will be closed. If a detection rule RRN is given, the alert_type is required to be 'Attacker Behavior Detected'. Use rapid7-insight-idr-get-investigation to retrieve the investigation detection_rule_rrn.
+        - name: max_investigations_to_close
+          description: The maximum number of alerts to close. If this parameter is not specified then there is no maximum. The minimum description is 0.
+      description: Close all investigations that match the provided request parameters. If there are any investigations found associated with Threat Command alerts within the given request parameters, they will be closed in Threat Command with the close reason, "Other".
+      name: rapid7-insight-idr-close-investigations
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.id
+          description: The ID of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The new status (Closed) of the investigation.
+          type: String
+    - arguments:
+        - description: The InsightIDR API version to request to.
+          name: api_version
+          defaultValue: Default
+          auto: PREDEFINED
+          predefined:
+            - V1
+            - V2
+            - Default
+        - description: Comma-separated list of the ID or Rapid7 Resource Names (RRN) of the investigation to assign the user to. (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+          name: investigation_id
+          required: false
+          default: true
+        - name: user_email_address
+          required: true
+          description: The email address of the user to assign to this investigation. This is the same email used to log into the insight platform. For example, test@test.com.
+      description: Assign a user by email to an investigation. Users will receive an email whenever they are assigned to a new investigation.
+      name: rapid7-insight-idr-assign-user
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any). Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.email
+          description: The email of the assigned user.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.name
+          description: The name of the assigned user.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The investigations priority. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.id
+          description: The ID of the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
+          description: The description of this type of alert (if any). Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type
+          description: The alert's type. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
+          description: The create time of the first alert belonging to this investigation (if any). Relevant when api_version is V1 only.
+          type: String
+    - arguments:
+        - description: The InsightIDR API version to request to.
+          name: api_version
+          defaultValue: Default
+          auto: PREDEFINED
+          predefined:
+            - V1
+            - V2
+            - Default
+        - description: Comma-separated list of the ID or Rapid7 Resource Names (RRN) of the investigation to be changed.  (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+          name: investigation_id
+          required: false
+          default: true
+        - name: status
+          description: The new status for the investigation.  Open - The default status for all new investigations. Investigating - The investigation is in progress. Waiting - Progress on the investigation has paused while more information is gathered. Closed - The investigation has ended. A disposition must be selected to set this status.
+          auto: PREDEFINED
+          predefined:
+            - open
+            - closed
+            - investigating
+            - waiting
+          required: true
+        - name: threat_command_free_text
+          description: Additional information provided by the user when closing a Threat Command alert. Relevant when status=closed and api_version is V2 only.
+        - name: threat_command_close_reason
+          description: The Threat Command reason for closing, applicable only if the investigation being closed has an associated alert in Threat Command. The Close Reason description depends on the Threat Command alert type. Relevant when status=closed and api_version is V2 only.
+          auto: PREDEFINED
+          predefined:
+            - Problem Solved
+            - Informational Only
+            - Problem We Are Already Aware Of
+            - Not Related To My Company
+            - False Positive
+            - Legitimate Application/ Profile
+            - Company Owned Domain
+            - Other
+        - name: disposition
+          description: A disposition to set the investigation to. Relevant when status=closed and api_version is V2 only.
+          auto: PREDEFINED
+          predefined:
+            - benign
+            - malicious
+            - not_applicable
+      description: Set the status of the investigation, which is specified by ID or Rapid7 Resource Names.
+      name: rapid7-insight-idr-set-status
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any). Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.email
+          description: The email of the assigned user. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee_email
+          description: Email address of the investigation assignee Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee_name
+          description: Name of the investigation assignee Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert_type
+          description: Type of alert in the investigation Relevant when api_version is V1 only.
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.name
+          description: The name of the assigned user. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The investigations priority. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.id
+          description: The ID of the investigation. Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type_description
+          description: The description of this type of alert (if any). Relevant when api_version is V1 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.type
+          description: The alert's type. Relevant when api_version is V2 only.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
+          description: The create time of the first alert belonging to this investigation (if any). Relevant when api_version is V1 only.
+          type: String
+    - arguments:
+        - description: Key of the threat (or threats) to add indicators to.
+          isArray: true
+          name: key
+          required: true
+        - description: IP address indicators to add.
+          isArray: true
+          name: ip_addresses
+        - description: "Hash indicators to add."
+          isArray: true
+          name: hashes
+        - description: Domain indicators to add.
+          isArray: true
+          name: domain_names
+        - description: URL indicators to add.
+          isArray: true
+          name: url
+      description: Adds new indicators to a threat (IP addresses, hashes, domains, and URLs).
+      name: rapid7-insight-idr-add-threat-indicators
+      outputs:
+        - contextPath: Rapid7InsightIDR.Threat.name
+          description: Name of the threat.
+          type: String
+        - contextPath: Rapid7InsightIDR.Threat.note
+          description: Notes for the threat.
+          type: String
+        - contextPath: Rapid7InsightIDR.Threat.indicator_count
+          description: How many indicators the threat has.
+          type: Number
+        - contextPath: Rapid7InsightIDR.Threat.published
+          description: Whether or not the threat is published.
+          type: Boolean
+    - arguments:
+        - description: Key of the threat (or threats) to replace indicators for.
+          isArray: true
+          name: key
+          required: true
+        - description: IP address indicators to add.
+          isArray: true
+          name: ip_addresses
+        - description: "Hash indicators to add."
+          isArray: true
+          name: hashes
+        - description: Domain indicators to add.
+          isArray: true
+          name: domain_names
+        - description: URL indicators to add.
+          isArray: true
+          name: url
+      description: Deletes existing indicators from a threat and adds new indicators to the threat.
+      name: rapid7-insight-idr-replace-threat-indicators
+      outputs:
+        - contextPath: Rapid7InsightIDR.Threat.name
+          description: Name of the threat.
+          type: String
+        - contextPath: Rapid7InsightIDR.Threat.note
+          description: Notes for the threat.
+          type: String
+        - contextPath: Rapid7InsightIDR.Threat.indicator_count
+          description: How many indicators the threat has.
+          type: Number
+        - contextPath: Rapid7InsightIDR.Threat.published
+          description: Whether or not the threat is published.
+          type: Boolean
+    - arguments: []
+      description: Lists all existing logs for an account.
+      name: rapid7-insight-idr-list-logs
+      outputs:
+        - contextPath: Rapid7InsightIDR.Log.name
+          description: Log name.
+          type: String
+        - contextPath: Rapid7InsightIDR.Log.id
+          description: Log ID.
+          type: String
+    - arguments: []
+      description: Lists all existing log sets for your InsightsIDR instance.
+      name: rapid7-insight-idr-list-log-sets
+      outputs:
+        - contextPath: Rapid7InsightIDR.LogSet.name
+          description: Log name.
+          type: String
+        - contextPath: Rapid7InsightIDR.LogSet.id
+          description: Log ID.
+          type: String
+    - arguments:
+        - description: IDs of the logs to download - up to 10 logs allowed.
+          isArray: true
+          name: log_ids
+          required: true
+        - description: "Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. This is optional if time_range is supplied."
+          name: start_time
+        - description: "Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds."
+          name: end_time
+        - description: 'The relative time range in a readable format. Optional if "from" \ is supplied. For example: Last 4 Days. Note that if start_time, end_time and\ \ time_range is not provided the default will be Last 3 days.'
+          name: time_range
+        - description: "The LEQL query to match desired log events. Do not use a calculation. For more information: https://docs.rapid7.com/insightidr/build-a-query/"
+          name: query
+        - description: 'The maximum number of log events to download; cannot exceed 20 million. The default is 20 million. The argument value should be written like this: "10 thousand" or "2 million").'
+          name: limit
+      description: Downloads logs from your InsightsIDR instance. The maximum number of logs per call is 10.
+      name: rapid7-insight-idr-download-logs
+      outputs: []
+    - arguments:
+        - description: Log entries log key.
+          name: log_id
+          required: true
+        - description: "A valid LEQL query to run against the log. For more information: https://docs.rapid7.com/insightidr/build-a-query/"
+          name: query
+          required: true
+        - description: A time range string (i.e., 1 week, 1 day). When using this parameter, start_time and end_time isn't needed.
+          name: time_range
+        - description: "Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000."
+          name: start_time
+        - description: "Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000."
+          name: end_time
+        - description: The maximum number of log entries to return per page. Default of 50.
+          name: logs_per_page
+        - description: The earlier sequence number of a log entry to start searching from.
+          name: sequence_number
+      description: Queries within a log for certain values.
+      name: rapid7-insight-idr-query-log
+      outputs:
+        - contextPath: Rapid7InsightIDR.Event.log_id
+          description: ID of the log the event appears in.
+          type: String
+        - contextPath: Rapid7InsightIDR.Event.message
+          description: Event message.
+          type: String
+        - contextPath: Rapid7InsightIDR.Event.timestamp
+          description: Time when the event was triggered.
+          type: Number
+    - arguments:
+        - description: ID of the log set.
+          isArray: true
+          name: log_set_id
+          required: true
+        - description: "A valid LEQL query to run against the log. For more information: https://docs.rapid7.com/insightidr/build-a-query/"
+          name: query
+          required: true
+        - description: A time range string (e.g., 1 week, 1 day) - While using this parameter, start_time and end_time isn't needed.
+          name: time_range
+        - description: "Lower bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1450557004000."
+          name: start_time
+        - description: "Upper bound of the time range you want to query against. Format: UNIX timestamp in milliseconds. Example:1460557604000."
+          name: end_time
+        - description: The maximum number of log entries to return per page. Default of 50.
+          name: logs_per_page
+        - description: The earlier sequence number of a log entry to start searching from.
+          name: sequence_number
+      description: Queries within a log set for certain values.
+      name: rapid7-insight-idr-query-log-set
+      outputs:
+        - contextPath: Rapid7InsightIDR.Event.log_id
+          description: ID of the log the event appears in.
+          type: String
+        - contextPath: Rapid7InsightIDR.Event.message
+          description: Event message.
+          type: String
+        - contextPath: Rapid7InsightIDR.Event.timestamp
+          description: Time when the event was triggered.
+          type: Number
+    - name: rapid7-insight-idr-create-investigation
+      description: Create a new investigation manually.
+      arguments:
+        - name: title
+          description: The name of the investigation.
+          required: true
+        - name: status
+          description: The status of the investigation. Open - The default status for all new investigations. Investigating - The investigation is in progress. Closed - The investigation has ended. A disposition must be selected to set this status.
+          defaultValue: Open
+          auto: PREDEFINED
+          predefined:
+            - Open
+            - Investigating
+            - Closed
+        - name: priority
+          description: The priority for the investigation. Investigation priority is the scale given to an investigation based on the impact and urgency of the detections and assets associated with it.
+          defaultValue: Unspecified
+          auto: PREDEFINED
+          predefined:
+            - Unspecified
+            - Low
+            - Medium
+            - High
+            - Critical
+        - name: disposition
+          description: The disposition for the investigation. Select a disposition to indicate whether the investigation represented a legitimate threat.
+          defaultValue: Undecided
+          auto: PREDEFINED
+          predefined:
+            - Undecided
+            - Benign
+            - Malicious
+            - Not Applicable
+        - name: user_email_address
+          description: The email address of the user to assign to this investigation. This is the same email used to log into the insight platform. Use rapid7-insight-idr-list-users to retrieve the user email list.
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.first_alert_time
+          description: The create time of the first alert belonging to this investigation (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.email
+          description: The email of the assigned user (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.name
+          description: The name of the assigned user (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The priority of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation.
+          type: String
+    - name: rapid7-insight-idr-update-investigation
+      description: Updates multiple fields in a single operation for an investigation, specified by ID or Rapid7 Resource Names (RRN). (If multi-customer set to true, the investigation_id must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+      arguments:
+        - name: investigation_id
+          description: The ID or Rapid7 Resource Names (RRN) of the investigation to to update. (If api_version=V2, the ID of the investigation must be in the RRN format).
+          required: true
+          default: true
+        - name: title
+          description: The name of the investigation.
+        - name: status
+          description: The status of the investigation.  Open - The default status for all new investigations. Investigating - The investigation is in progress. Closed - The investigation has ended. A disposition must be selected to set this status.
+          auto: PREDEFINED
+          predefined:
+            - Open
+            - Investigating
+            - Closed
+        - name: priority
+          description: The priority for the investigation. Investigation priority is the scale given to an investigation based on the impact and urgency of the detections and assets associated with it.
+          auto: PREDEFINED
+          predefined:
+            - Unspecified
+            - Low
+            - Medium
+            - High
+            - Critical
+        - name: disposition
+          description: The disposition for the investigation. Select a disposition to indicate whether the investigation represented a legitimate threat.
+          auto: PREDEFINED
+          predefined:
+            - Undecided
+            - Benign
+            - Malicious
+            - Not Applicable
+        - name: user_email_address
+          description: The email address of the user to assign to this investigation. This is the same email used to log into the insight platform.
+        - name: threat_command_free_text
+          description: Additional information provided by the user when closing a Threat Command alert. Relevant when status=Closed.
+        - name: threat_command_close_reason
+          description: The Threat Command reason for closing, applicable only if the investigation being closed has an associated alert in Threat Command. The Close Reason description depends on the Threat Command alert type. Relevant when status=Closed.
+          auto: PREDEFINED
+          predefined:
+            - Problem Solved
+            - Informational Only
+            - Problem We Are Already Aware Of
+            - Not Related To My Company
+            - False Positive
+            - Legitimate Application/ Profile
+            - Company Owned Domain
+            - Other
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.first_alert_time
+          description: The create time of the first alert belonging to this investigation (if any).
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee_email
+          description: The email of the assigned user.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.assignee_name
+          description: The name of the assigned user.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The priority of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation.
+          type: String
+    - name: rapid7-insight-idr-search-investigation
+      description: Search for investigations matching the given search/sort criteria.
+      arguments:
+        - name: start_time
+          description: An optional ISO formatted timestamp for the start of the time period to search for matching investigations. Only investigations whose created_time is after this date will be returned. For example, 2018-07-01T00:00:00Z. Default is 28 days ago.
+        - name: end_time
+          description: An optional ISO formatted timestamp for the end of the time period to search for matching investigations. Only investigations whose created_time is before this date will be returned. For example, 2018-07-28T23:59:00Z. Default is the current time.
+        - name: actor_asset_hostname
+          description: Filter investigations by comma-separated values to include only those containing the specified values in the 'actor_asset_hostname' field.
+          isArray: true
+        - name: actor_user_name
+          description: Filter investigations by comma-separated values to include only those containing the specified values in the 'actor_user_name' field.
+          isArray: true
+        - name: alert_mitre_t_codes
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'alert_mitre_t_codes' field.
+          isArray: true
+        - name: alert_rule_rrn
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'alert_rule_rrn' field.
+          isArray: true
+        - name: assignee_id
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'assignee_id' field.
+          isArray: true
+        - name: organization_id
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'organization_id' field.
+          isArray: true
+        - name: priority
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'priority' field. Valid values - UNSPECIFIED, LOW, MEDIUM, HIGH, CRITICAL.
+          isArray: true
+        - name: rrn
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'rrn' field.
+          isArray: true
+        - name: source
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'source' field. Valid values - USER, ALERT.
+          isArray: true
+        - name: status
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'status' field. Valid values - OPEN, CLOSED, INVESTIGATING, WAITING.
+          isArray: true
+        - name: title
+          description: Filter investigations by comma-separated values to include only those containing the specified values in the 'title' field.
+          isArray: true
+        - name: sort
+          description: Comma-separated list of fields to sort by.
+          auto: PREDEFINED
+          predefined:
+            - Created time
+            - Priority
+            - RRN
+            - Alert created time
+            - Alert detection created time
+          isArray: true
+        - name: sort_direction
+          description: The sorting direction. Relevant when sort is chosen.
+          auto: PREDEFINED
+          predefined:
+            - asc
+            - desc
+            - asc,desc
+          defaultValue: asc
+        - name: index
+          description: The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0.
+          defaultValue: "0"
+        - name: page_size
+          description: The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000.
+        - name: limit
+          description: The maximum number of records to retrieve.
+          defaultValue: "50"
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.responsibility
+          description: The responsibility of the investigation, which denotes who is responsible for performing the investigation. This field will only appear for Managed Detection & Response customers.
+          type: Unknown
+        - contextPath: Rapid7InsightIDR.Investigation.latest_alert_time
+          description: The create time of the most recent alert belonging to this investigation (if any).
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.first_alert_time
+          description: The create time of the first alert belonging to this investigation (if any).
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.email
+          description: The email of the assigned user.
+          type: Unknown
+        - contextPath: Rapid7InsightIDR.Investigation.assignee.name
+          description: The name of the assigned user.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.disposition
+          description: The disposition of this investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.created_time
+          description: The time this investigation was created.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.last_accessed
+          description: The time this investigation was last viewed or modified.
+          type: Date
+        - contextPath: Rapid7InsightIDR.Investigation.priority
+          description: The priority of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.status
+          description: The status of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.source
+          description: How this investigation was generated.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.title
+          description: The name of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.organization_id
+          description: The ID of the organization that owns this investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The Rapid7 Resource Names of the investigation.
+          type: String
+    - name: rapid7-insight-idr-list-investigation-alerts
+      description: Retrieve and list all alerts associated with an investigation, with the given ID or Rapid7 Resource Names (RRN). The listed alerts are sorted in descending order by alert create time. Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+      arguments:
+        - name: investigation_id
+          description: The ID of the investigation (If api_version=V2, the ID of the investigation must be in the RRN format).
+          required: true
+          default: true
+        - name: all_results
+          description: Whether to retrieve all results by overriding the default limit.
+          defaultValue: "false"
+          auto: PREDEFINED
+          predefined:
+            - "true"
+            - "false"
+        - name: limit
+          description: The maximum number of records to retrieve.
+          defaultValue: "50"
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.alert.rule_rrn
+          description: The Rapid7 Resource Names of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.rule_name
+          description: The name of the detection rule.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.alert_source
+          description: The source of the alert.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.latest_event_time
+          description: The time the most recent event involved in this alert occurred.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.first_event_time
+          description: The time the first event involved in this alert occurred.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.created_time
+          description: The time the alert was created.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.alert_type_description
+          description: A description of this type of alert.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.alert_type
+          description: The alert's type.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.title
+          description: The alert's title.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.alert.id
+          description: The alert's ID.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The ID of the investigation.
+          type: String
+    - name: rapid7-insight-idr-list-investigation-product-alerts
+      description: Retrieve and list all Rapid7 product alerts associated with an investigation, with the given ID or the Rapid7 Resource Names. These alerts are generated by Rapid7 products other than InsightIDR that you have an active license for.
+      arguments:
+        - name: investigation_id
+          description: The ID of the investigation (If api_version=V2, the ID of the investigation must be in the RRN format). Use rapid7-insight-idr-list-investigations to retrieve all investigation IDs.
+          required: true
+          default: true
+        - name: all_results
+          description: Whether to retrieve all results by overriding the default limit.
+          defaultValue: "false"
+          auto: PREDEFINED
+          predefined:
+            - "true"
+            - "false"
+        - name: limit
+          description: The maximum number of records to retrieve.
+          defaultValue: "50"
+      outputs:
+        - contextPath: Rapid7InsightIDR.Investigation.rrn
+          description: The ID of the investigation.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.ProductAlert.name
+          description: The investigation product name.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.ProductAlert.Alert.name
+          description: The investigation product alert name.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.ProductAlert.Alert.alert_id
+          description: The investigation product alert ID.
+          type: String
+        - contextPath: Rapid7InsightIDR.Investigation.ProductAlert.Alert.alert_type
+          description: The investigation product alert type.
+          type: String
+    - name: rapid7-insight-idr-list-users
+      description: List all users matching the given search/sort criteria or retrieve a user with the given RRN.
+      arguments:
+        - name: rrn
+          description: The Rapid7 Resource Names (unique identifier for user) of the user to retrieve. When using this argument, all the other irrelevant.
+        - name: first_name
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'first_name' field. Choose search operator to define the operator type.
+          isArray: true
+        - name: last_name
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'last_name' field. Choose search operator to define the operator type.
+          isArray: true
+        - name: name
+          description: Filter investigations by comma-separated values to include only those equals the specified values in the 'name' field. Choose search operator to define the operator type.
+          isArray: true
+        - name: search_operator
+          description: The filtering operator. Relevant when first_name / last_name / is name / domain chosen.
+          auto: PREDEFINED
+          predefined:
+            - contains
+            - equals
+        - name: sort
+          description: Comma-separated list of fields to sort by.
+          auto: PREDEFINED
+          predefined:
+            - first_name
+            - last_name
+            - name
+          isArray: true
+        - name: sort_direction
+          description: The sorting direction. Relevant when sort is chosen.
+          auto: PREDEFINED
+          predefined:
+            - asc
+            - desc
+            - asc,desc
+          defaultValue: asc
+        - name: index
+          description: The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0.
+          defaultValue: "0"
+        - name: page_size
+          description: The optional size of the page to retrieve. Must be an integer greater than 0 or less than or equal to 1000.
+        - name: limit
+          description: The maximum number of records to retrieve.
+          defaultValue: "50"
+      outputs:
+        - contextPath: Rapid7InsightIDR.User.domain
+          description: The domain this user is associated with.
+          type: String
+        - contextPath: Rapid7InsightIDR.User.name
+          description: The name of this user.
+          type: String
+        - contextPath: Rapid7InsightIDR.User.first_name
+          description: The first name of this user, if known.
+          type: String
+        - contextPath: Rapid7InsightIDR.User.last_name
+          description: The last name of this user, if known.
+          type: String
+        - contextPath: Rapid7InsightIDR.User.rrn
+          description: The unique identifier for this user.
+          type: String
+  dockerimage: demisto/python3:3.10.13.89873
   isfetch: true
   runonce: false
-  script: '-'
+  script: "-"
   subtype: python3
   type: python
 tests:
-- No tests
+  - No tests
 fromversion: 5.0.0
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_description.md b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_description.md
index 1ba61ab71950..67205a37e85d 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_description.md
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_description.md
@@ -1,7 +1,8 @@
-## Authentication
-In order to use the Rapid7 InsightIDR integration, you need to get an API key with Read/Write privileges.
+## Basic Information
+When using Cortex XSOAR credentials, insert your API key as the credential password. Otherwise, insert your API key into the relevant required parameters.
 
-### Generate an API Key
-1. Log in to Rapid7 InsightIDR.
+### Get a Rapid7 AppSec API Key
+In order to use the Rapid7 InsightIDR integration, you need to get an API key with Read/Write privileges.
+1. Create an account in Rapid7.
 2. Click **Settings > API Keys**.
-3. Generate a new API key with Read/Write privileges.
+3. Generate your API key.
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_image.png b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_image.png
index be11069abe13..053cd10bdb38 100644
Binary files a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_image.png and b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_image.png differ
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_test.py b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_test.py
index f7a4e3d514c6..b19ae99da3e1 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_test.py
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/Rapid7_InsightIDR_test.py
@@ -1,25 +1,53 @@
 """InsightIDR Integration for Cortex XSOAR - Unit Tests file"""
-import io
+
 import json
 
 import pytest
-
 from CommonServerPython import *
+from Rapid7_InsightIDR import Client, ConstantsV1, ConstantsV2
+
+REGION = "us"
+
+
+@pytest.fixture(autouse=True)
+def mock_client() -> Client:
+    """Create a test client for V1/V2.
 
-REGION = 'us'
+    Args:
+        version (str): Version (V1/V2).
+
+    Returns:
+        Client: Fortieweb VM Client.
+    """
+    return Client(
+        base_url=f"https://{REGION}.api.insight.rapid7.com/",
+        verify=False,
+        headers={"Authentication": "apikey"},
+        proxy=False,
+        is_multi_customer=False,
+    )
 
 
 def util_load_json(path) -> dict:
-    with io.open(path, mode='r', encoding='utf-8') as file:
+    with open(path, encoding="utf-8") as file:
         return json.loads(file.read())
 
 
 def util_load_file(path) -> str:
-    with io.open(path, mode='r', encoding='utf-8') as file:
+    with open(path, encoding="utf-8") as file:
         return file.read()
 
 
-def test_insight_idr_list_investigations(requests_mock) -> None:
+@pytest.mark.parametrize(
+    ("api_version", "data_path", "constants", "outputs_key_field"),
+    [
+        ("V1", "list_investigations.json", ConstantsV1, "id"),
+        ("V2", "list_investigations_v2.json", ConstantsV2, "rrn"),
+    ],
+)
+def test_insight_idr_list_investigations(
+    mock_client: Client, requests_mock, api_version, data_path, constants, outputs_key_field
+) -> None:
     """
     Scenario: test list investigations
     Given:
@@ -31,32 +59,75 @@ def test_insight_idr_list_investigations(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_list_investigations_command
+    from Rapid7_InsightIDR import insight_idr_list_investigations_command
 
-    mock_response = util_load_json('test_data/list_investigations.json')
+    mock_response = util_load_json(f"test_data/{data_path}")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations', json=mock_response)
+        f"https://{REGION}.api.insight.rapid7.com/idr/{api_version.lower()}/investigations",
+        json=mock_response,
+    )
 
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
+    response = insight_idr_list_investigations_command(
+        client=mock_client,
+        args={
+            "api_version": api_version,
+            "index": 0,
+            "page_size": 2,
+            "limit": 50,
+            "time_range": "1 day",
         },
-        proxy=False
+        constants=constants,
     )
-    response = insight_idr_list_investigations_command(client)
 
     outputs = []
-    for investigation in response.raw_response.get('data', []):
+    assert isinstance(response.raw_response, dict)
+    for investigation in response.raw_response.get("data", []):
         outputs.append(investigation)
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
-    assert response.outputs_key_field == 'id'
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == outputs_key_field
     assert response.outputs == outputs
 
 
-def test_insight_idr_get_investigation(requests_mock) -> None:
+@pytest.mark.parametrize(
+    ("api_version", "data_path", "constants", "outputs_key_field", "endpoint", "outputs_prefix"),
+    [
+        (
+            "V1",
+            "get_investigation.json",
+            ConstantsV1,
+            "id",
+            "idr/v1/investigations",
+            "Rapid7InsightIDR.Investigation",
+        ),
+        (
+            "V1",
+            "empty_get_investigation.json",
+            ConstantsV1,
+            None,
+            "idr/v1/investigations",
+            None,
+        ),
+        (
+            "V2",
+            "get_investigation_v2.json",
+            ConstantsV2,
+            "rrn",
+            "idr/v2/investigations/test",
+            "Rapid7InsightIDR.Investigation",
+        ),
+    ],
+)
+def test_insight_idr_get_investigation(
+    mock_client: Client,
+    requests_mock,
+    api_version,
+    data_path,
+    constants,
+    outputs_key_field,
+    endpoint,
+    outputs_prefix,
+) -> None:
     """
     Scenario: test get investigation
     Given:
@@ -68,29 +139,23 @@ def test_insight_idr_get_investigation(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_get_investigation_command
+    from Rapid7_InsightIDR import insight_idr_get_investigation_command
 
-    mock_response = util_load_json('test_data/get_investigation.json')
-    requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations', json=mock_response)
+    mock_response = util_load_json(f"test_data/{data_path}")
+    requests_mock.get(f"https://{REGION}.api.insight.rapid7.com/{endpoint}", json=mock_response)
 
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+    response = insight_idr_get_investigation_command(
+        client=mock_client,
+        args={"api_version": api_version, "investigation_id": "test"},
+        constants=constants,
     )
 
-    response = insight_idr_get_investigation_command(client, '174e4f99-2ac7-4481-9301-4d24c34baf06')
-
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
-    assert response.outputs_key_field == 'id'
+    assert response.outputs_prefix == outputs_prefix
+    assert response.outputs_key_field == outputs_key_field
     assert response.outputs == response.raw_response
 
 
-def test_close_investigation(requests_mock) -> None:
+def test_close_investigation(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test close investigations
     Given:
@@ -103,30 +168,49 @@ def test_close_investigation(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure the amount of ids that were closed
     """
-    from Rapid7_InsightIDR import Client, insight_idr_close_investigations_command
+    from Rapid7_InsightIDR import insight_idr_close_investigations_command
 
-    mock_response = util_load_json('test_data/close_investigations.json')
+    mock_response = util_load_json("test_data/close_investigations_v2.json")
     requests_mock.post(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations/bulk_close',
-        json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/idr/v2/investigations/bulk_close",
+        json=mock_response,
     )
 
-    response = insight_idr_close_investigations_command(client, 'start_time', 'end_time', 'MANUAL')
-
-    assert response.raw_response.get('num_closed', -1) == len(response.raw_response.get('ids', []))
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
-    assert response.outputs_key_field == 'id'
-
-
-def test_assign_user(requests_mock) -> None:
+    args = {
+        "start_time": "2018-06-06T16:56:42Z",
+        "end_time": "2018-06-06T16:56:42Z",
+        "source": "MANUAL",
+        "disposition": "Undecided",
+    }
+    response = insight_idr_close_investigations_command(client=mock_client, args=args)
+    assert isinstance(response.raw_response, dict)
+    assert response.raw_response.get("num_closed", -1) == len(response.raw_response.get("ids", []))
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == "id"
+
+
+@pytest.mark.parametrize(
+    ("api_version", "data_path", "constants", "outputs_key_field", "endpoint"),
+    [
+        ("V1", "assign_user.json", ConstantsV1, "id", "idr/v1/investigations/test/assignee"),
+        (
+            "V2",
+            "get_investigation_v2.json",
+            ConstantsV2,
+            "rrn",
+            "idr/v2/investigations/test/assignee",
+        ),
+    ],
+)
+def test_assign_user(
+    mock_client: Client,
+    requests_mock,
+    api_version,
+    data_path,
+    constants,
+    outputs_key_field,
+    endpoint,
+) -> None:
     """
     Scenario: test assign user to investigations
     Given:
@@ -139,36 +223,55 @@ def test_assign_user(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure email field is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_assign_user_command
+    from Rapid7_InsightIDR import insight_idr_assign_user_command
 
-    investigation_id = '174e4f99-2ac7-4481-9301-4d24c34baf06'
-    email = 'example@test.com'
+    investigation_id = "test"
+    email = "test@test.com"
 
-    mock_response = util_load_json('test_data/assign_user.json')
+    mock_response = util_load_json(f"test_data/{data_path}")
     requests_mock.put(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations/'
-        f'{investigation_id}/assignee', json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/{endpoint}",
+        json=mock_response,
     )
 
-    response = insight_idr_assign_user_command(client, investigation_id, email)
+    args = {
+        "api_version": api_version,
+        "investigation_id": investigation_id,
+        "user_email_address": email,
+    }
+    response = insight_idr_assign_user_command(client=mock_client, args=args, constants=constants)
+    assert isinstance(response.raw_response, list)
     if response.raw_response:
         for data in response.raw_response:
-            for obj in data.get('data', []):
-                assert obj.get('assignee', {}).get('email', '') == email
-
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
-    assert response.outputs_key_field == 'id'
-
-
-def test_set_status(requests_mock) -> None:
+            for obj in data.get("data", []):
+                assert obj.get("assignee", {}).get("email", "") == email
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == outputs_key_field
+
+
+@pytest.mark.parametrize(
+    ("api_version", "data_path", "constants", "outputs_key_field", "endpoint"),
+    [
+        ("V1", "set_status.json", ConstantsV1, "id", "idr/v1/investigations/test/status/OPEN"),
+        (
+            "V2",
+            "get_investigation_v2.json",
+            ConstantsV2,
+            "rrn",
+            "idr/v2/investigations/test/status/OPEN",
+        ),
+    ],
+)
+def test_set_status(
+    mock_client: Client,
+    requests_mock,
+    api_version,
+    data_path,
+    constants,
+    outputs_key_field,
+    endpoint,
+) -> None:
     """
     Scenario: test set status to investigations
     Given:
@@ -181,37 +284,31 @@ def test_set_status(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure status field is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_set_status_command
+    from Rapid7_InsightIDR import insight_idr_set_status_command
 
-    investigation_id = '174e4f99-2ac7-4481-9301-4d24c34baf06'
-    status = 'OPEN'
+    investigation_id = "test"
+    status = "OPEN"
 
-    mock_response = util_load_json('test_data/set_status.json')
+    mock_response = util_load_json(f"test_data/{data_path}")
     requests_mock.put(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations/{investigation_id}'
-        f'/status/{status}', json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/{endpoint}",
+        json=mock_response,
     )
 
-    response = insight_idr_set_status_command(client, investigation_id, status)
+    args = {"api_version": api_version, "investigation_id": investigation_id, "status": status}
+    response = insight_idr_set_status_command(client=mock_client, args=args, constants=constants)
+    assert isinstance(response.raw_response, list)
 
     if response.raw_response:
         for data in response.raw_response:
-            for obj in data.get('data', []):
-                assert obj.get('status', '') == status
+            for obj in data.get("data", []):
+                assert obj.get("status", "") == status
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
-    assert response.outputs_key_field == 'id'
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == outputs_key_field
 
 
-def test_insight_idr_add_threat_indicators(requests_mock) -> None:
+def test_insight_idr_add_threat_indicators(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test add indiactors to threat
     Given:
@@ -224,33 +321,28 @@ def test_insight_idr_add_threat_indicators(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_add_threat_indicators_command
+    from Rapid7_InsightIDR import insight_idr_add_threat_indicators_command
 
-    mock_response = util_load_json('test_data/add_threat_indicators.json')
+    mock_response = util_load_json("test_data/add_threat_indicators.json")
     requests_mock.post(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/customthreats/key/x/indicators/add',
-        json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/idr/v1/customthreats/key/x/indicators/add",
+        json=mock_response,
     )
-    response = insight_idr_add_threat_indicators_command(client, 'x')
+
+    response = insight_idr_add_threat_indicators_command(mock_client, "x")
 
     outputs = []
+    assert isinstance(response.raw_response, list)
+
     for threat in response.raw_response:
-        outputs.append(threat.get('threat'))
+        outputs.append(threat.get("threat"))
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Threat'
-    assert response.outputs_key_field == 'name'
+    assert response.outputs_prefix == "Rapid7InsightIDR.Threat"
+    assert response.outputs_key_field == "name"
     assert response.outputs == outputs
 
 
-def test_insight_idr_replace_threat_indicators(requests_mock) -> None:
+def test_insight_idr_replace_threat_indicators(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test replace indiactors to threat
     Given:
@@ -263,33 +355,27 @@ def test_insight_idr_replace_threat_indicators(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_replace_threat_indicators_command
+    from Rapid7_InsightIDR import insight_idr_replace_threat_indicators_command
 
-    mock_response = util_load_json('test_data/replace_threat_indicators.json')
+    mock_response = util_load_json("test_data/replace_threat_indicators.json")
     requests_mock.post(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/customthreats/key/x/indicators/replace',
-        json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/idr/v1/customthreats/key/x/indicators/replace",
+        json=mock_response,
     )
-    response = insight_idr_replace_threat_indicators_command(client, 'x')
+
+    response = insight_idr_replace_threat_indicators_command(mock_client, "x")
+    assert isinstance(response.raw_response, list)
 
     outputs = []
     for threat in response.raw_response:
-        outputs.append(threat.get('threat'))
+        outputs.append(threat.get("threat"))
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Threat'
-    assert response.outputs_key_field == 'name'
+    assert response.outputs_prefix == "Rapid7InsightIDR.Threat"
+    assert response.outputs_key_field == "name"
     assert response.outputs == outputs
 
 
-def test_insight_idr_list_logs(requests_mock) -> None:
+def test_insight_idr_list_logs(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test list logs
     Given:
@@ -301,32 +387,26 @@ def test_insight_idr_list_logs(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_list_logs_command
+    from Rapid7_InsightIDR import insight_idr_list_logs_command
 
-    mock_response = util_load_json('test_data/list_logs.json')
+    mock_response = util_load_json("test_data/list_logs.json")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/log_search/management/logs', json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/log_search/management/logs", json=mock_response
     )
-    response = insight_idr_list_logs_command(client)
+
+    response = insight_idr_list_logs_command(mock_client)
 
     outputs = []
-    for log in response.raw_response.get('logs', []):
+    assert isinstance(response.raw_response, dict)
+    for log in response.raw_response.get("logs", []):
         outputs.append(log)
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Log'
-    assert response.outputs_key_field == 'id'
+    assert response.outputs_prefix == "Rapid7InsightIDR.Log"
+    assert response.outputs_key_field == "id"
     assert response.outputs == outputs
 
 
-def test_insight_idr_list_log_sets(requests_mock) -> None:
+def test_insight_idr_list_log_sets(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test list log sets
     Given:
@@ -338,33 +418,26 @@ def test_insight_idr_list_log_sets(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_list_log_sets_command
+    from Rapid7_InsightIDR import insight_idr_list_log_sets_command
 
-    mock_response = util_load_json('test_data/list_log_sets.json')
+    mock_response = util_load_json("test_data/list_log_sets.json")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/log_search/management/logsets',
-        json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/log_search/management/logsets", json=mock_response
     )
-    response = insight_idr_list_log_sets_command(client)
+
+    response = insight_idr_list_log_sets_command(mock_client)
+    assert isinstance(response.raw_response, dict)
 
     outputs = []
-    for log in response.raw_response.get('logsets', []):
+    for log in response.raw_response.get("logsets", []):
         outputs.append(log)
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.LogSet'
-    assert response.outputs_key_field == 'id'
+    assert response.outputs_prefix == "Rapid7InsightIDR.LogSet"
+    assert response.outputs_key_field == "id"
     assert response.outputs == outputs
 
 
-def test_insight_idr_download_logs(requests_mock) -> None:
+def test_insight_idr_download_logs(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test download logs
     Given:
@@ -375,26 +448,19 @@ def test_insight_idr_download_logs(requests_mock) -> None:
     Then:
      - Ensure file type
     """
-    from Rapid7_InsightIDR import Client, insight_idr_download_logs_command
+    from Rapid7_InsightIDR import insight_idr_download_logs_command
 
-    mock_response = util_load_file('test_data/download_logs.txt')
+    mock_response = util_load_file("test_data/download_logs.txt")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/log_search/download/logs/x:y', text=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/log_search/download/logs/x:y", text=mock_response
     )
-    response = insight_idr_download_logs_command(client, 'x:y')
 
-    assert (response.get('File', '')[-4:]) == '.log'
+    response = insight_idr_download_logs_command(mock_client, "x:y")
 
+    assert (response.get("File", "")[-4:]) == ".log"
 
-def test_insight_idr_query_log(requests_mock) -> None:
+
+def test_insight_idr_query_log(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test query log
     Given:
@@ -407,31 +473,24 @@ def test_insight_idr_query_log(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_query_log_command
+    from Rapid7_InsightIDR import insight_idr_query_log_command
 
-    mock_response = util_load_json('test_data/query_log_set.json')
+    mock_response = util_load_json("test_data/query_log_set.json")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/log_search/query/logs/x', json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/log_search/query/logs/x", json=mock_response
     )
-    response = insight_idr_query_log_command(client, 'x', '', '', '')
 
-    outputs = [event for result in response.raw_response for event in result.get('events', [])]
+    response = insight_idr_query_log_command(mock_client, "x", "", "", "")
+    assert isinstance(response.raw_response, list)
+    outputs = [event for result in response.raw_response for event in result.get("events", [])]
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Event'
-    assert response.outputs_key_field == 'message'
+    assert response.outputs_prefix == "Rapid7InsightIDR.Event"
+    assert response.outputs_key_field == "message"
     assert response.outputs == outputs
     assert len(outputs) == 1
 
 
-def test_insight_idr_query_log_set(requests_mock) -> None:
+def test_insight_idr_query_log_set(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test query log set
     Given:
@@ -444,35 +503,34 @@ def test_insight_idr_query_log_set(requests_mock) -> None:
      - Ensure key field is correct
      - Ensure output is as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_query_log_set_command
+    from Rapid7_InsightIDR import insight_idr_query_log_set_command
 
-    mock_response = util_load_json('test_data/query_log_set.json')
+    mock_response = util_load_json("test_data/query_log_set.json")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/log_search/query/logsets/x', json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/log_search/query/logsets/x", json=mock_response
     )
-    response = insight_idr_query_log_set_command(client, 'x', '', '', '')
 
-    outputs = [event for result in response.raw_response for event in result.get('events', [])]
+    response = insight_idr_query_log_set_command(mock_client, "x", "", "", "")
+    assert isinstance(response.raw_response, list)
 
-    assert response.outputs_prefix == 'Rapid7InsightIDR.Event'
-    assert response.outputs_key_field == 'message'
+    outputs = [event for result in response.raw_response for event in result.get("events", [])]
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Event"
+    assert response.outputs_key_field == "message"
     assert response.outputs == outputs
     assert len(outputs) == 1
 
 
-@pytest.mark.parametrize('end_point', [
-    ('logsets'),
-    ('logs'),
-])
-def test_insight_idr_query_log_with_pagination(requests_mock, end_point) -> None:
+@pytest.mark.parametrize(
+    "end_point",
+    [
+        ("logsets"),
+        ("logs"),
+    ],
+)
+def test_insight_idr_query_log_with_pagination(
+    mock_client: Client, requests_mock, end_point
+) -> None:
     """
     Given:
         - User has provided logs_per_page argument
@@ -481,48 +539,43 @@ def test_insight_idr_query_log_with_pagination(requests_mock, end_point) -> None
     Then:
         - Ensure pagination is working as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_query_log_command, insight_idr_query_log_set_command
+    from Rapid7_InsightIDR import insight_idr_query_log_command, insight_idr_query_log_set_command
 
-    commands = {
-        "logsets": insight_idr_query_log_set_command,
-        "logs": insight_idr_query_log_command
-    }
-    mock_response_callback = util_load_json('test_data/query_log_set_callback_with_pagination.json')
-    mock_response_page_1 = util_load_json('test_data/query_log_set_page_1.json')
-    mock_response_page_2 = util_load_json('test_data/query_log_set_page_2.json')
-    mock_response_page_3 = util_load_json('test_data/query_log_set_page_3.json')
+    commands = {"logsets": insight_idr_query_log_set_command, "logs": insight_idr_query_log_command}
+    mock_response_callback = util_load_json("test_data/query_log_set_callback_with_pagination.json")
+    mock_response_page_1 = util_load_json("test_data/query_log_set_page_1.json")
+    mock_response_page_2 = util_load_json("test_data/query_log_set_page_2.json")
+    mock_response_page_3 = util_load_json("test_data/query_log_set_page_3.json")
 
-    base_url = f'https://{REGION}.api.insight.rapid7.com'
+    base_url = f"https://{REGION}.api.insight.rapid7.com"
 
+    requests_mock.get(f"{base_url}/log_search/query/{end_point}/x", json=mock_response_callback)
     requests_mock.get(
-        f'{base_url}/log_search/query/{end_point}/x', json=mock_response_callback)
-    requests_mock.get(
-        f'{base_url}/query/logs/123?per_page=1&sequence_number=1', json=mock_response_page_1)
+        f"{base_url}/query/logs/123?per_page=1&sequence_number=1", json=mock_response_page_1
+    )
     requests_mock.get(
-        f'{base_url}/query/logs/123?per_page=1&sequence_number=2', json=mock_response_page_2)
+        f"{base_url}/query/logs/123?per_page=1&sequence_number=2", json=mock_response_page_2
+    )
     requests_mock.get(
-        f'{base_url}/query/logs/123?per_page=1&sequence_number=3', json=mock_response_page_3)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"{base_url}/query/logs/123?per_page=1&sequence_number=3", json=mock_response_page_3
     )
-    response = commands[end_point](client, 'x', '', logs_per_page=1)
 
-    outputs = [event for result in response.raw_response for event in result.get('events', [])]
+    response = commands[end_point](mock_client, "x", "", logs_per_page=1)
+    assert isinstance(response.raw_response, list)
+
+    outputs = [event for result in response.raw_response for event in result.get("events", [])]
 
     assert len(outputs) == 3
     assert response.outputs == outputs
 
 
-@pytest.mark.parametrize('end_point', [
-    ('logsets'),
-    ('logs'),
-])
+@pytest.mark.parametrize(
+    "end_point",
+    [
+        ("logsets"),
+        ("logs"),
+    ],
+)
 def test_insight_idr_query_log_with_callback(mocker, requests_mock, end_point) -> None:
     """
     Given:
@@ -533,37 +586,41 @@ def test_insight_idr_query_log_with_callback(mocker, requests_mock, end_point) -
     Then:
         - Ensure callback is working as expected
     """
-    from Rapid7_InsightIDR import Client, insight_idr_query_log_command, insight_idr_query_log_set_command
+    from Rapid7_InsightIDR import (
+        Client,
+        insight_idr_query_log_command,
+        insight_idr_query_log_set_command,
+    )
 
-    commands = {
-        "logsets": insight_idr_query_log_set_command,
-        "logs": insight_idr_query_log_command
-    }
-    mock_response_callback = util_load_json('test_data/query_log_set_callback.json')
-    mock_response_callback_1 = util_load_json('test_data/query_log_set_callback_1.json')
-    mock_response = util_load_json('test_data/query_log_set.json')
+    commands = {"logsets": insight_idr_query_log_set_command, "logs": insight_idr_query_log_command}
+    mock_response_callback = util_load_json("test_data/query_log_set_callback.json")
+    mock_response_callback_1 = util_load_json("test_data/query_log_set_callback_1.json")
+    mock_response = util_load_json("test_data/query_log_set.json")
 
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/log_search/query/{end_point}/x', json=mock_response_callback)
-    mocker.patch.object(Client, 'query_log_callback', side_effect=[mock_response_callback_1, mock_response])
+        f"https://{REGION}.api.insight.rapid7.com/log_search/query/{end_point}/x",
+        json=mock_response_callback,
+    )
+    mocker.patch.object(
+        Client, "query_log_callback", side_effect=[mock_response_callback_1, mock_response]
+    )
 
     client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
+        base_url=f"https://{REGION}.api.insight.rapid7.com/",
         verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        headers={"Authentication": "apikey"},
+        proxy=False,
+        is_multi_customer=False,
     )
-    response = commands[end_point](client, 'x', '')
-
-    outputs = [event for result in response.raw_response for event in result.get('events', [])]
+    response = commands[end_point](client, "x", "")
+    assert isinstance(response.raw_response, list)
+    outputs = [event for result in response.raw_response for event in result.get("events", [])]
 
     assert len(outputs) == 1
     assert response.outputs == outputs
 
 
-def test_fetch_incidents(requests_mock) -> None:
+def test_fetch_incidents(mock_client: Client, requests_mock) -> None:
     """
     Scenario: test fetch incidents
     Given:
@@ -576,42 +633,470 @@ def test_fetch_incidents(requests_mock) -> None:
      - Ensure output is as expected
      - Ensure timestamp is as expected (+1 Miliseconds)
     """
-    from Rapid7_InsightIDR import Client, fetch_incidents
+    from Rapid7_InsightIDR import fetch_incidents
 
-    mock_response = util_load_json('test_data/list_investigations.json')
+    mock_response = util_load_json("test_data/list_investigations.json")
     requests_mock.get(
-        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations', json=mock_response)
-
-    client = Client(
-        base_url=f'https://{REGION}.api.insight.rapid7.com/',
-        verify=False,
-        headers={
-            'Authentication': 'apikey'
-        },
-        proxy=False
+        f"https://{REGION}.api.insight.rapid7.com/idr/v1/investigations", json=mock_response
     )
 
-    last_fetch_timestamp = parse_date_range('1 day', to_timestamp=True)[0]
-    last_run = {'last_fetch': last_fetch_timestamp}
+    last_fetch_timestamp = parse_date_range("1 day", to_timestamp=True)[0]
+    last_run = {"last_fetch": last_fetch_timestamp}
 
-    response = fetch_incidents(client=client,
-                               max_fetch='1',
-                               last_run=last_run,
-                               first_fetch_time='1 day')
+    response = fetch_incidents(
+        client=mock_client, max_fetch="1", last_run=last_run, first_fetch_time="1 day"
+    )
     outputs = []
     for investigation in response[1]:
         outputs.append(investigation)
 
-    assert last_fetch_timestamp + 1 == response[0]['last_fetch']
+    assert last_fetch_timestamp + 1 == response[0]["last_fetch"]
     assert response[1] == [
         {
-            'name': 'Joe enabled account Joebob',
-            'occurred': '2018-06-06T16:56:42.000Z',
-            'rawJSON': outputs[0]['rawJSON'],
+            "name": "Joe enabled account Joebob",
+            "occurred": "2018-06-06T16:56:42.000Z",
+            "rawJSON": outputs[0]["rawJSON"],
         },
         {
-            'name': 'Hello',
-            'occurred': '2018-06-06T16:56:43.000Z',
-            'rawJSON': outputs[1]['rawJSON'],
-        }
+            "name": "Hello",
+            "occurred": "2018-06-06T16:56:43.000Z",
+            "rawJSON": outputs[1]["rawJSON"],
+        },
+    ]
+
+
+def test_create_investigation(mock_client: Client, requests_mock) -> None:
+    """
+    Scenario: Test create investigation
+    Given:
+     - User has provided valid credentials
+     - User has provided valid inputs
+    When:
+     - insight_idr_create_investigation_command is called
+    Then:
+     - Ensure prefix is correct
+     - Ensure key field is correct
+     - Ensure the outputs data
+    """
+    from Rapid7_InsightIDR import insight_idr_create_investigation_command
+
+    mock_response = util_load_json("test_data/get_investigation_v2.json")
+    requests_mock.post(
+        f"https://{REGION}.api.insight.rapid7.com/idr/v2/investigations", json=mock_response
+    )
+
+    args = {
+        "title": "test",
+        "status": "CLOSED",
+        "priority": "Unspecified",
+        "disposition": "disposition",
+    }
+    response = insight_idr_create_investigation_command(client=mock_client, args=args)
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == "rrn"
+    assert isinstance(response.outputs, dict)
+    assert response.outputs.get("status") == "CLOSED"
+    assert response.outputs.get("priority") == "UNSPECIFIED"
+
+
+def test_update_investigation(mock_client: Client, requests_mock) -> None:
+    """
+    Scenario: Test update investigation
+    Given:
+     - User has provided valid credentials
+     - User has provided valid inputs
+    When:
+     - insight_idr_update_investigation_command is called
+    Then:
+     - Ensure prefix is correct
+     - Ensure key field is correct
+     - Ensure the outputs data
+    """
+    from Rapid7_InsightIDR import insight_idr_update_investigation_command
+
+    mock_response = util_load_json("test_data/get_investigation_v2.json")
+    requests_mock.patch(
+        f"https://{REGION}.api.insight.rapid7.com/idr/v2/investigations/test", json=mock_response
+    )
+
+    args = {
+        "investigation_id": "test",
+        "title": "test",
+        "status": "Closed",
+        "priority": "Unspecified",
+        "disposition": "disposition",
+    }
+    response = insight_idr_update_investigation_command(client=mock_client, args=args)
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == "rrn"
+    assert isinstance(response.outputs, dict)
+    assert response.outputs.get("status") == "CLOSED"
+    assert response.outputs.get("priority") == "UNSPECIFIED"
+
+
+@pytest.mark.parametrize(
+    ("args", "expected_len"),
+    [
+        ({"investigation_id": "test", "limit": "1", "all_results": "false"}, 1),
+        ({"investigation_id": "test", "limit": "50", "all_results": "true"}, 4),
+    ],
+)
+def test_insight_idr_get_investigation_alerts(
+    requests_mock, mock_client: Client, args: dict[str, Any], expected_len: int
+) -> None:
+    """
+    Scenario: Test get investigation alerts
+    Given:
+     - User has provided valid credentials
+     - User has provided exist investigation ID
+    When:
+     - insight_idr_list_investigation_alerts_command is called
+    Then:
+     - Ensure prefix is correct
+     - Ensure key field is correct
+     - Ensure output length is as expected
+    """
+    from Rapid7_InsightIDR import insight_idr_list_investigation_alerts_command
+
+    mock_response = util_load_json("test_data/get_investigation_alerts.json")
+    requests_mock.get(
+        f"https://{REGION}.api.insight.rapid7.com/idr/v2/investigations/test/alerts",
+        json=mock_response,
+    )
+
+    response = insight_idr_list_investigation_alerts_command(
+        client=mock_client,
+        args=args,
+    )
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == "rrn"
+    assert isinstance(response.outputs, dict)
+    alert_list = response.outputs["alert"]
+    assert isinstance(alert_list, list)
+    assert len(alert_list) == expected_len
+
+
+def test_insight_idr_get_investigation_product_alerts(mock_client: Client, requests_mock) -> None:
+    """
+    Scenario: Test get investigation product alerts.
+    Given:
+     - User has provided valid credentials
+     - User has provided exist investigation ID
+    When:
+     - insight_idr_list_investigation_product_alerts_command is called
+    Then:
+     - Ensure prefix is correct
+     - Ensure key field is correct
+    """
+    from Rapid7_InsightIDR import insight_idr_list_investigation_product_alerts_command
+
+    mock_response = util_load_json("test_data/get_investigation_product_alerts.json")
+    requests_mock.get(
+        f"https://{REGION}.api.insight.rapid7.com/idr/v2/investigations/test/rapid7-product-alerts",
+        json=mock_response,
+    )
+
+    response = insight_idr_list_investigation_product_alerts_command(
+        client=mock_client,
+        args={"investigation_id": "test", "limit": "50", "all_results": "false"},
+    )
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == "rrn"
+
+
+@pytest.mark.parametrize(
+    ("args", "endpoint", "data_path"),
+    [
+        ({"rrn": "test"}, "idr/v1/users/test", "get_user.json"),
+        (
+            {"index": "0", "page_size": "2", "limit": "50"},
+            "idr/v1/users/_search",
+            "search_users.json",
+        ),
+    ],
+)
+def test_insight_idr_list_user(
+    requests_mock, mock_client: Client, args: dict[str, Any], endpoint: str, data_path: str
+) -> None:
+    """
+    Scenario: Test list users
+    Given:
+     - User has provided valid credentials
+    When:
+     - insight_idr_list_users_command is called
+    Then:
+     - Ensure prefix is correct
+     - Ensure key field is correct
+    """
+    from Rapid7_InsightIDR import insight_idr_list_users_command
+
+    mock_response = util_load_json(f"test_data/{data_path}")
+    requests_mock.get(f"https://{REGION}.api.insight.rapid7.com/{endpoint}", json=mock_response)
+    requests_mock.post(f"https://{REGION}.api.insight.rapid7.com/{endpoint}", json=mock_response)
+
+    response = insight_idr_list_users_command(
+        client=mock_client,
+        args=args,
+    )
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.User"
+    assert response.outputs_key_field == "rrn"
+
+
+def test_insight_idr_search_investigation(mock_client: Client, requests_mock) -> None:
+    """
+    Scenario: Test search investigation
+    Given:
+     - User has provided valid credentials
+    When:
+     - insight_idr_search_investigation_command is called
+    Then:
+     - Ensure prefix is correct
+     - Ensure key field is correct
+    """
+    from Rapid7_InsightIDR import insight_idr_search_investigation_command
+
+    mock_response = util_load_json("test_data/search_investigation.json")
+    requests_mock.post(
+        f"https://{REGION}.api.insight.rapid7.com/idr/v2/investigations/_search", json=mock_response
+    )
+
+    response = insight_idr_search_investigation_command(
+        client=mock_client,
+        args={"index": "0", "page_size": "2", "limit": "50"},
+    )
+
+    assert response.outputs_prefix == "Rapid7InsightIDR.Investigation"
+    assert response.outputs_key_field == "rrn"
+
+
+def test_handle_sort():
+    """
+    Scenario: Test handle sort.
+    Given:
+     - User has provided correct input.
+    When:
+     - handle_sort is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import handle_sort
+
+    result = handle_sort(args={"sort": "test,test2", "sort_direction": "asc"})
+    assert len(result) == 2
+    assert list(result[0].keys()) == ["field", "order"]
+    assert result[0]["field"] == "test"
+    assert result[0]["order"] == "ASC"
+
+
+def test_handle_user_search():
+    """
+    Scenario: Test handle user search.
+    Given:
+     - User has provided wrong input (didn't insert search_operator).
+    When:
+     - handle_user_search is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import USER_SEARCH, handle_user_search
+
+    with pytest.raises(ValueError) as error_info:
+        handle_user_search(
+            args={"first_name": "test,test2"},
+            filter=USER_SEARCH,
+        )
+
+    assert str(object=error_info.value) == "Please insert search_operator in order to use filters."
+
+
+def test_handle_investigation_search():
+    """
+    Scenario: Test handle investigation search.
+    Given:
+     - investigation has provided correct input.
+    When:
+     - handle_investigation_search is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import INVESTIGATION_SEARCH, handle_investigation_search
+
+    result = handle_investigation_search(
+        args={"priority": "test,test2", "actor_asset_hostname": "test,test2"},
+        filter=INVESTIGATION_SEARCH,
+    )
+    assert len(result) == 4
+    assert list(result[0].keys()) == ["field", "operator", "value"]
+    assert result[0]["field"] == "actor_asset_hostname"
+    assert result[0]["operator"] == "CONTAINS"
+    assert result[3]["field"] == "priority"
+    assert result[3]["operator"] == "EQUALS"
+    assert result[0]["value"] == "test"
+
+
+@pytest.mark.parametrize(
+    ("text", "is_lower", "expected"),
+    [
+        ("aaa aa bb", True, "aaa_aa_bb"),
+        ("A a Aa", True, "a_a_aa"),
+        ("aaa aa", False, "AAA_AA"),
+    ],
+)
+def test_to_snake_case(text, is_lower, expected):
+    """
+    Scenario: Test to_snake_case.
+    Given:
+     - User has provided correct input.
+    When:
+     - to_snake_case is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import to_snake_case
+
+    result = to_snake_case(text=text, is_lower=is_lower)
+    assert result == expected
+
+
+@pytest.mark.parametrize(
+    ("text", "expected"),
+    [
+        ("aaa aa bb", "AaaAaBb"),
+        ("A a Aa", "AAAa"),
+    ],
+)
+def test_to_camel_case(text, expected):
+    """
+    Scenario: Test to_camel_case.
+    Given:
+     - User has provided correct input.
+    When:
+     - to_camel_case is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import to_camel_case
+
+    result = to_camel_case(text=text)
+    assert result == expected
+
+
+@pytest.mark.parametrize(
+    ("text"),
+    [
+        ("2018-06-06T16:56:42Z"),
+        ("2001-12-06T16:56:42Z"),
+    ],
+)
+def test_raise_on_invalid_time(text):
+    """
+    Scenario: Test raise_on_invalid_time.
+    Given:
+     - User has provided correct input.
+    When:
+     - raise_on_invalid_time is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import raise_on_invalid_time
+
+    result = raise_on_invalid_time(time_str=text)
+    assert result
+
+
+@pytest.mark.parametrize(
+    ("text"),
+    [
+        ("2018-06-06T16:5611:42Z"),
+    ],
+)
+def test_fail_raise_on_invalid_time(text):
+    """
+    Scenario: Test raise_on_invalid_time failed.
+    Given:
+     - User has provided wrong input.
+    When:
+     - raise_on_invalid_time is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import raise_on_invalid_time
+
+    with pytest.raises(ValueError) as error_info:
+        raise_on_invalid_time(time_str=text)
+    assert f'"{text}" is not a valid date' in str(object=error_info.value)
+
+
+@pytest.mark.parametrize(
+    ("page_size", "limit"),
+    [
+        ("10", "20"),
+        (None, "10"),
+    ],
+)
+def test_get_pagination_size(page_size, limit):
+    """
+    Scenario: Test get_pagination_size.
+    Given:
+     - User has provided correct input.
+    When:
+     - get_pagination_size is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import get_pagination_size
+
+    result = get_pagination_size(page_size=page_size, limit=limit)
+    assert result == "10"
+
+
+def test_generate_product_alerts_readable():
+    """
+    Scenario: Test generate_product_alerts_readable.
+    Given:
+     - User has provided correct input.
+    When:
+     - generate_product_alerts_readable is called
+    Then:
+     - Ensure return values correct.
+    """
+    from Rapid7_InsightIDR import generate_product_alerts_readable
+
+    response = [
+        {
+            "insight_agent_details": [
+                {
+                    "agent_action_taken": "Block",
+                    "alert_id": "972bef1b-72c9-48d2-9e33-ca9056cfe086",
+                    "alert_type": "Endpoint Prevention",
+                }
+            ],
+            "threat_command_details": {
+                "alert_id": "620ba5123b2aff3303ed65f3",
+                "alert_type": "Phishing",
+                "applicable_close_reasons": ["ProblemSolved", "InformationalOnly", "Other"],
+            },
+            "type": "THREAT_COMMAND",
+        },
+    ]
+    results = [
+        {
+            "agent_action_taken": "Block",
+            "alert_id": "972bef1b-72c9-48d2-9e33-ca9056cfe086",
+            "alert_type": "Endpoint Prevention",
+            "name": "THREAT_COMMAND",
+        },
+        {
+            "alert_id": "620ba5123b2aff3303ed65f3",
+            "alert_type": "Phishing",
+            "applicable_close_reasons": ["ProblemSolved", "InformationalOnly", "Other"],
+            "name": "THREAT_COMMAND",
+        },
     ]
+    result = generate_product_alerts_readable(response=response)
+    assert result == results
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/assign_user.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/assign_user.json
index cc379db3669f..fbd765005a36 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/assign_user.json
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/assign_user.json
@@ -9,14 +9,14 @@
                 }
             ],
             "assignee": {
-                "email": "example@test.com",
+                "email": "test@test.com",
                 "name": "Ellen Example"
             },
             "created_time": "2018-06-06T16:56:42Z",
-            "id": "174e4f99-2ac7-4481-9301-4d24c34baf06",
+            "id": "test",
             "source": "ALERT",
             "status": "OPEN",
             "title": "Joe enabled account Joebob"
         }
     ]
-}
\ No newline at end of file
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/close_investigations_v2.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/close_investigations_v2.json
new file mode 100644
index 000000000000..17df1b634389
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/close_investigations_v2.json
@@ -0,0 +1,7 @@
+{
+    "ids": [
+        "581134c9-2510-4010-865c-7ae81761315b",
+        "114c706d-e64a-4731-997b-9115beef3026"
+    ],
+    "num_closed": 2
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/empty_get_investigation.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/empty_get_investigation.json
new file mode 100644
index 000000000000..61718b2ee22b
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/empty_get_investigation.json
@@ -0,0 +1,9 @@
+{
+  "data": [],
+  "metadata": {
+    "index": 0,
+    "size": 20,
+    "total_data": 15,
+    "total_pages": 1
+  }
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation.json
index 95728369b0b4..04716bf732fb 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation.json
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation.json
@@ -9,11 +9,11 @@
         }
       ],
       "assignee": {
-        "email": "example@test.com",
+        "email": "test@test.com",
         "name": "Ellen Example"
       },
       "created_time": "2018-06-06T16:56:42.000Z",
-      "id": "174e4f99-2ac7-4481-9301-4d24c34baf06",
+      "id": "test",
       "source": "ALERT",
       "status": "OPEN",
       "title": "Joe enabled account Joebob"
@@ -25,4 +25,4 @@
     "total_data": 15,
     "total_pages": 1
   }
-}
\ No newline at end of file
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_alerts.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_alerts.json
new file mode 100644
index 000000000000..720c6f322134
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_alerts.json
@@ -0,0 +1,66 @@
+{
+    "data": [
+        {
+            "id": "rrn0",
+            "title": "title0",
+            "alert_type": "Suspicious Process - Execution From Root of ProgramData",
+            "alert_type_description": "Activity that resembles attacker behavior has been observed in the network.",
+            "created_time": "2024-01-09T12:28:26.820Z",
+            "first_event_time": null,
+            "latest_event_time": null,
+            "alert_source": "Attacker Behavior Analytics",
+            "detection_rule_rrn": {
+                "rule_name": "Suspicious Process - Execution From Root of ProgramData",
+                "rule_rrn": "rrn"
+            }
+        },
+        {
+            "id": "rrn1",
+            "title": "title1",
+            "alert_type": "Suspicious Process - Execution From Root of ProgramData",
+            "alert_type_description": "Activity that resembles attacker behavior has been observed in the network.",
+            "created_time": "2024-01-09T09:20:05.793Z",
+            "first_event_time": null,
+            "latest_event_time": null,
+            "alert_source": "Attacker Behavior Analytics",
+            "detection_rule_rrn": {
+                "rule_name": "Suspicious Process - Execution From Root of ProgramData",
+                "rule_rrn": "rrn"
+            }
+        },
+        {
+            "id": "rrn2",
+            "title": "title2",
+            "alert_type": "Suspicious Process - Execution From Root of ProgramData",
+            "alert_type_description": "Activity that resembles attacker behavior has been observed in the network.",
+            "created_time": "2024-01-09T09:20:05.793Z",
+            "first_event_time": null,
+            "latest_event_time": null,
+            "alert_source": "Attacker Behavior Analytics",
+            "detection_rule_rrn": {
+                "rule_name": "Suspicious Process - Execution From Root of ProgramData",
+                "rule_rrn": "rrn"
+            }
+        },
+        {
+            "id": "rrn3",
+            "title": "title3",
+            "alert_type": "Suspicious Process - Execution From Root of ProgramData",
+            "alert_type_description": "Activity that resembles attacker behavior has been observed in the network.",
+            "created_time": "2024-01-09T09:20:05.793Z",
+            "first_event_time": null,
+            "latest_event_time": null,
+            "alert_source": "Attacker Behavior Analytics",
+            "detection_rule_rrn": {
+                "rule_name": "Suspicious Process - Execution From Root of ProgramData",
+                "rule_rrn": "rrn"
+            }
+        }
+    ],
+    "metadata": {
+        "index": 0,
+        "size": 20,
+        "total_pages": 1,
+        "total_data": 4
+    }
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_product_alerts.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_product_alerts.json
new file mode 100644
index 000000000000..916453f6ab78
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_product_alerts.json
@@ -0,0 +1,21 @@
+[
+    {
+        "type": "THREAT_COMMAND",
+        "threat_command_details": {
+            "alert_id": "id",
+            "alert_type": "Phishing",
+            "applicable_close_reasons": [
+                "ProblemSolved",
+                "InformationalOnly",
+                "Other"
+            ]
+        },
+        "insight_agent_details": [
+            {
+                "alert_id": "id",
+                "alert_type": "Endpoint Prevention",
+                "agent_action_taken": "Block"
+            }
+        ]
+    }
+]
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_v2.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_v2.json
new file mode 100644
index 000000000000..b958916161c7
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_investigation_v2.json
@@ -0,0 +1,15 @@
+{
+  "rrn": "rrn",
+  "organization_id": "id",
+  "title": "jsmith enabled account rroe",
+  "source": "USER",
+  "status": "CLOSED",
+  "priority": "UNSPECIFIED",
+  "last_accessed": "2024-01-17T10:04:21.892Z",
+  "created_time": "2024-01-17T10:00:09.957Z",
+  "disposition": "UNDECIDED",
+  "assignee": null,
+  "first_alert_time": null,
+  "latest_alert_time": null,
+  "responsibility": null
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_user.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_user.json
new file mode 100644
index 000000000000..0844d61f7cc1
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/get_user.json
@@ -0,0 +1,5 @@
+{
+    "rrn": "rrn",
+    "name": "test test",
+    "domain": "test.co"
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations.json
index 58dac98c6025..3288a30a0ed9 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations.json
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations.json
@@ -9,7 +9,7 @@
       }
     ],
     "assignee": {
-      "email": "example@test.com",
+      "email": "test@test.com",
       "name": "Ellen Example"
     },
     "created_time": "2018-06-06T16:56:42Z",
@@ -27,7 +27,7 @@
       }
     ],
     "assignee": {
-      "email": "example@test.com",
+      "email": "test@test.com",
       "name": "Ellen Example"
     },
     "created_time": "2018-06-06T16:56:43.000Z",
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations_v2.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations_v2.json
new file mode 100644
index 000000000000..e78d5be251e6
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/list_investigations_v2.json
@@ -0,0 +1,43 @@
+{
+  "data": [
+    {
+      "rrn": "rrn",
+      "organization_id": "123-123-123",
+      "title": "Suspicious Process - Execution From Root of ProgramData",
+      "source": "ALERT",
+      "status": "WAITING",
+      "priority": "MEDIUM",
+      "last_accessed": "2024-01-16T09:54:08.932Z",
+      "created_time": "2024-01-09T09:20:06.714Z",
+      "disposition": "UNDECIDED",
+      "assignee": null,
+      "first_alert_time": "2024-01-09T09:20:05.793Z",
+      "latest_alert_time": "2024-01-09T12:28:26.82Z",
+      "responsibility": null
+    },
+    {
+      "rrn": "rrn",
+      "organization_id": "id",
+      "title": "test",
+      "source": "USER",
+      "status": "CLOSED",
+      "priority": "UNMAPPED",
+      "last_accessed": "2024-01-28T08:10:52.62Z",
+      "created_time": "2024-01-28T08:10:52.62Z",
+      "disposition": "UNDECIDED",
+      "assignee": {
+        "name": "test",
+        "email": "test@test.com"
+      },
+      "first_alert_time": null,
+      "latest_alert_time": null,
+      "responsibility": null
+    }
+  ],
+  "metadata": {
+    "index": 0,
+    "size": 2,
+    "total_pages": 2,
+    "total_data": 3
+  }
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/search_investigation.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/search_investigation.json
new file mode 100644
index 000000000000..cccfc27df658
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/search_investigation.json
@@ -0,0 +1,40 @@
+{
+    "data": [
+        {
+            "rrn": "rrn",
+            "organization_id": "123-123-123",
+            "title": "Suspicious Process - Renamed WinRAR",
+            "source": "ALERT",
+            "status": "OPEN",
+            "priority": "LOW",
+            "last_accessed": "2022-08-18T12:07:51.87Z",
+            "created_time": "2022-08-18T12:06:46.212Z",
+            "disposition": "UNDECIDED",
+            "assignee": null,
+            "first_alert_time": "2022-08-18T12:06:46.207Z",
+            "latest_alert_time": "2022-11-14T15:36:08.066Z",
+            "responsibility": null
+        },
+        {
+            "rrn": "rrn",
+            "organization_id": "123-123-123",
+            "title": "Password reset for account yishais by yishais",
+            "source": "ALERT",
+            "status": "OPEN",
+            "priority": "MEDIUM",
+            "last_accessed": "2022-10-18T14:52:40.746Z",
+            "created_time": "2022-10-18T14:52:40.746Z",
+            "disposition": "UNDECIDED",
+            "assignee": null,
+            "first_alert_time": "2022-10-18T14:52:40.745Z",
+            "latest_alert_time": "2022-12-06T12:57:30.359Z",
+            "responsibility": null
+        }
+    ],
+    "metadata": {
+        "index": 0,
+        "size": 2,
+        "total_pages": 14,
+        "total_data": 27
+    }
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/search_users.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/search_users.json
new file mode 100644
index 000000000000..9db9a7ef9b1d
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/search_users.json
@@ -0,0 +1,15 @@
+{
+    "data": [
+        {
+            "rrn": "rrn",
+            "name": "test test",
+            "domain": "test.co"
+        }
+    ],
+    "metadata": {
+        "index": 0,
+        "size": 1,
+        "total_pages": 1,
+        "total_data": 1
+    }
+}
diff --git a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/set_status.json b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/set_status.json
index ae8319dfa95f..14c37d8078f3 100644
--- a/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/set_status.json
+++ b/Packs/Rapid7_InsightIDR/Integrations/Rapid7_InsightIDR/test_data/set_status.json
@@ -9,7 +9,7 @@
           }
         ],
         "assignee": {
-          "email": "example@test.com",
+          "email": "test@test.com",
           "name": "Ellen Example"
         },
         "created_time": "2018-06-06T16:56:42Z",
@@ -19,4 +19,4 @@
         "title": "Joe enabled account Joebob"
       }
     ]
-  }
\ No newline at end of file
+  }
diff --git a/Packs/Rapid7_InsightIDR/ReleaseNotes/2_0_0.md b/Packs/Rapid7_InsightIDR/ReleaseNotes/2_0_0.md
new file mode 100644
index 000000000000..97a94d3d9c83
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/ReleaseNotes/2_0_0.md
@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### Rapid7 InsightIDR
+
+- Updated investigation existing commands.
+- Added new investigation commands.
+- Updated the Docker image to: *demisto/python3:3.10.13.89873*.
diff --git a/Packs/Rapid7_InsightIDR/TestPlaybooks/InsightIDREnhancement-TestPlaybook.yml b/Packs/Rapid7_InsightIDR/TestPlaybooks/InsightIDREnhancement-TestPlaybook.yml
new file mode 100644
index 000000000000..a401c194bd5b
--- /dev/null
+++ b/Packs/Rapid7_InsightIDR/TestPlaybooks/InsightIDREnhancement-TestPlaybook.yml
@@ -0,0 +1,963 @@
+id: InsightIDREnhancement
+name: InsightIDREnhancement
+version: -1
+fromversion: 5.0.0
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca00"
+    type: start
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca00"
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ""
+    nexttasks:
+      "#none#":
+        - "1"
+    separatecontext: false
+    view: '{"position":{"x":50,"y":50}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+  "1":
+    id: 1
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca01"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca01"
+      version: -1
+      name: DeleteContext
+      description: ""
+      script: DeleteContext
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "2"
+    scriptarguments:
+      all:
+        simple: yes
+    separatecontext: false
+    view: '{"position":{"x":50,"y":200}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "2":
+    id: 2
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca02"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca02"
+      version: -1
+      name: rapid7-insight-idr-list-investigations
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-list-investigations
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "3"
+    scriptarguments:
+      time_range:
+        simple: 27 days
+      limit:
+        simple: 1
+      api_version:
+        simple: V2
+    separatecontext: false
+    view: '{"position":{"x":50,"y":400}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "3":
+    id: "3"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca03"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca03"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "201"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":600}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "201":
+    id: 201
+    taskid: "85400c83-8664-4380-a027-e2b5e434c201"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434c201"
+      version: -1
+      name: rapid7-insight-idr-list-users
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-list-users
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "202"
+    scriptarguments:
+      limit:
+        simple: 1
+    separatecontext: false
+    view: '{"position":{"x":650,"y":400}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "202":
+    id: "202"
+    taskid: "85400c83-8664-4380-a027-e2b5e434c202"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434c202"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "4"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.User.name
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.User.rrn
+                iscontext: true
+    view: '{"position":{"x":650,"y":600}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "4":
+    id: 4
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca04"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca04"
+      version: -1
+      name: rapid7-insight-idr-get-investigation
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-get-investigation
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "5"
+    scriptarguments:
+      investigation_id:
+        simple: ${Rapid7InsightIDR.Investigation.rrn}
+      api_version:
+        simple: V2
+    separatecontext: false
+    view: '{"position":{"x":50,"y":800}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "5":
+    id: "5"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca05"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca05"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "6"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":1000}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "6":
+    id: 6
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca06"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca06"
+      version: -1
+      name: rapid7-insight-idr-close-investigations
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-close-investigations
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "7"
+    scriptarguments:
+      source:
+        simple: HUNT
+      start_time:
+        simple: "2020-12-04T10:00:00.515Z"
+      end_time:
+        simple: "2020-12-29T10:00:00.526Z"
+    separatecontext: false
+    view: '{"position":{"x":50,"y":1200}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "7":
+    id: 7
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca07"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca07"
+      version: -1
+      name: rapid7-insight-idr-assign-user
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-assign-user
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "8"
+    scriptarguments:
+      investigation_id:
+        simple: ${Rapid7InsightIDR.Investigation.rrn}
+      user_email_address:
+        simple: test@test.com
+      api_version:
+        simple: V2
+    separatecontext: false
+    view: '{"position":{"x":50,"y":1400}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "8":
+    id: "8"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca08"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca08"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "9"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.assignee.email
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.assignee.name
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":1600}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "9":
+    id: 9
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca09"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca09"
+      version: -1
+      name: rapid7-insight-idr-set-status
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-set-status
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "10"
+    scriptarguments:
+      status:
+        simple: open
+      investigation_id:
+        simple: ${Rapid7InsightIDR.Investigation.rrn}
+      api_version:
+        simple: V2
+    separatecontext: false
+    view: '{"position":{"x":50,"y":1800}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "10":
+    id: "10"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca10"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca10"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "11"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":2000}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "11":
+    id: 11
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca11"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca11"
+      version: -1
+      name: rapid7-insight-idr-create-investigation
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-create-investigation
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "12"
+    scriptarguments:
+      title:
+        simple: test
+      limit:
+        simple: "1"
+    separatecontext: false
+    view: '{"position":{"x":50,"y":2200}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "12":
+    id: "12"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca12"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca12"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "13"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":2400}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "13":
+    id: 13
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca13"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca13"
+      version: -1
+      name: rapid7-insight-idr-update-investigation
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-update-investigation
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "14"
+    scriptarguments:
+      investigation_id:
+        simple: ${Rapid7InsightIDR.Investigation.rrn}
+      title:
+        simple: test1
+    separatecontext: false
+    view: '{"position":{"x":50,"y":2600}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "14":
+    id: "14"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca14"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca14"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "15"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":2800}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "15":
+    id: 15
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca15"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca15"
+      version: -1
+      name: rapid7-insight-idr-search-investigation
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-search-investigation
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "16"
+    scriptarguments:
+      limit:
+        simple: "1"
+    separatecontext: false
+    view: '{"position":{"x":50,"y":3000}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "16":
+    id: "16"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca16"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca16"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "17"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.disposition
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.created_time
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.last_accessed
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.priority
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.status
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.source
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.title
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.organization_id
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":3200}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "17":
+    id: 17
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca17"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca17"
+      version: -1
+      name: rapid7-insight-idr-list-investigation-alerts
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-list-investigation-alerts
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "18"
+    scriptarguments:
+      investigation_id:
+        simple: ${Rapid7InsightIDR.Investigation.rrn}
+    separatecontext: false
+    view: '{"position":{"x":50,"y":3400}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "18":
+    id: "18"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca18"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca18"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "19"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isExists
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.alert
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":3600}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "19":
+    id: 19
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca19"
+    type: regular
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca19"
+      version: -1
+      name: rapid7-insight-idr-list-investigation-product-alerts
+      description: ""
+      script: Rapid7 InsightIDR|||rapid7-insight-idr-list-investigation-product-alerts
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      "#none#":
+        - "20"
+    scriptarguments:
+      investigation_id:
+        simple: ${Rapid7InsightIDR.Investigation.rrn}
+    separatecontext: false
+    view: '{"position":{"x":50,"y":3800}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "20":
+    id: "20"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca20"
+    type: condition
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca20"
+      version: -1
+      name: Verify Outputs
+      type: condition
+      iscommand: false
+      description: ""
+      brand: ""
+    nexttasks:
+      yes:
+        - "21"
+    separatecontext: false
+    conditions:
+      - label: yes
+        condition:
+          - - operator: isExists
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.[0].alert
+                iscontext: true
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: Rapid7InsightIDR.Investigation.[0].rrn
+                iscontext: true
+    view: '{"position":{"x":50,"y":4000}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+  "21":
+    id: "21"
+    taskid: "85400c83-8664-4380-a027-e2b5e434ca21"
+    type: title
+    task:
+      id: "85400c83-8664-4380-a027-e2b5e434ca21"
+      version: -1
+      name: Test Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ""
+    separatecontext: false
+    view: '{"position":{"x":50,"y":4200}}'
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+view: '{"linkLabelsPosition":{},"paper":{"dimensions":{"height":200,"width":380,"x":50,"y":50}}}'
+inputs: []
+outputs: []
diff --git a/Packs/Rapid7_InsightIDR/pack_metadata.json b/Packs/Rapid7_InsightIDR/pack_metadata.json
index 3e6b09a29c11..1c3252f3796b 100644
--- a/Packs/Rapid7_InsightIDR/pack_metadata.json
+++ b/Packs/Rapid7_InsightIDR/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Rapid7 InsightIDR",
     "description": "Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents.",
     "support": "xsoar",
-    "currentVersion": "1.0.29",
+    "currentVersion": "2.0.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",