I’m having trouble creating an InsightConnect workflow to automatically close IDR UBA investigations that have been migrated from the legacy detection method to the new one. Specifically, I want the workflow to detect when a new investigation is triggered for a UBA detection, check if the actor is part of the IT team via an LDAP group or global artifact, then send an email alert to a distribution list and close the investigation. However, I can’t get the investigation RRN to pass through IDR. Any examples or recommendations would be greatly appreciated. Or even another method to tackle the constant UBA alerts triggered by our IT admins connecting to end user machines.
Can you share more details?
You said you are concerned about specific alerts that have been migrated from UBA. Are you concerned about the legacy UBA ones, or the migrated ones?
Is your trigger the Basic Detection Trigger, ABA detection trigger, Data Exporter from IDR to an API trigger, or the investigations trigger?
When you configure a net new workflow and it pops up the trigger section, if you type “Rapid7” and then scroll down you will see a step type called “Rapid7 Insight IDR”. Choose that. You have two options from there, New alerts, or New investigations.
Choose New Investigations. This will fire regardless of whether it is UBA, ABA, or Custom.
The Investigation RRN does pass through this trigger method.
Thanks, Derek, for the response.
I’m working on migrated alerts from the legacy UBA detections.
I’ve tried a few different triggers but currently using the Data Exporter from IDR to an API trigger. I haven’t tried the New investigations trigger but will play with that today and tomorrow.
I have been using the investigation title to try and match values in a global artifact but cannot get it to match for the life of me. Attached are a few screenshot examples.
The title does contain a value from the global artifact. Just can’t get it to match. Not sure what I am doing wrong.
I’d love to get a better understanding of your Global Artifact (GA) setup to help troubleshoot this. Could you:
- Share a screenshot of the GA from the GUI? This will help clarify its structure.
- Explain what the GA is used for in your workflow?
You mentioned that the RRN isn’t going through—could you clarify what that means? I do see the RRN in your screenshot, but understanding where and how it’s being used would be helpful.
Additionally, if possible, could you provide a screenshot of the workflow builder? Seeing exactly how you’re implementing this would give more context.
For reference, I created a list of investigation titles internally and tested a search based on the first two words matching. It worked both with and without case insensitivity. Once I can see your GA structure and a specific entry you’re trying to match against, I’ll be able to provide more targeted suggestions.
Also, depending on what the GA is being used for, we may be able to achieve your goal without that step altogether.
Looking forward to your response!
Appreciate the help. I’ll grab the screenshots as soon as I can—today or tomorrow at most and respond back.
Could you not just exclude those users or groups from the detection rule to prevent an investigation being created in the first place, rather than trying to auto-close them?
If you want to only handle legacy detections you should use the Legacy Detection Rule trigger in InsightConnect, and then associate your detection rules to that workflow in IDR. With this trigger you can make sure only the legacy detections trigger the workflow. You can then look up the actors in the investigations to make sure they do/don’t belong to the IT team. You can also see what types of workflows have been created for this trigger by searching for UBA in the extensions library. The IDR Alert Routing with Teams workflow may be of interest as it does this with Active Directory lookups instead of a GA.
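The decision logic the thread is circling around (match the investigation's actor against a global-artifact list of IT-team accounts, then email and close, or leave the investigation open) is small enough to write out. The block below is an added example, not Rapid7 or InsightConnect code: the global artifact rows, the investigation records, the `rrn:investigation:EXAMPLE-…` values and the title format are all constructed. It normalises `DOMAIN\user` spellings so case and domain prefix don't break the match (the case-insensitivity point raised above), falls back to scanning the title only when the payload carries no actor field, keeps mixed investigations (an IT admin plus an unknown account) open, and refuses to emit a close step when the RRN is empty, so the missing-RRN problem surfaces as an error instead of a silently no-op close.

```python
"""Added example (not Rapid7 or InsightConnect code): the decision logic
behind the auto-close workflow discussed in the thread.  The global artifact
rows, investigation records, RRN values and title format are constructed."""
import re
from dataclasses import dataclass, field

# Constructed global artifact: one row per IT-team account that is expected to
# connect to end-user machines and therefore should not raise a UBA ticket.
GLOBAL_ARTIFACT_IT_TEAM = [
    {"actor": "CORP\\jsmith-adm"},
    {"actor": "corp\\mlee-adm"},
    {"actor": "CORP\\svc-patching"},
]


@dataclass
class Investigation:
    rrn: str                                  # the RRN the close step needs
    title: str
    actors: list = field(default_factory=list)  # may be empty in some payloads


def normalize_actor(actor):
    """Lower-case and drop a DOMAIN\\ prefix so 'CORP\\X', 'corp\\x' and 'x'
    compare equal."""
    return actor.strip().lower().rsplit("\\", 1)[-1]


def it_team_from_artifact(rows):
    """Build a lookup set from the global artifact rows."""
    return {normalize_actor(row["actor"]) for row in rows}


def actors_in_title(title):
    """Fallback for payloads without an actor field: pull candidate account
    names out of the investigation title.  Only DOMAIN\\user shaped tokens are
    taken, so ordinary words in the title never match an artifact entry."""
    return {normalize_actor(tok) for tok in re.findall(r"\S+\\\S+", title)}


def is_it_team_activity(inv, it_team):
    """True when every actor on the investigation belongs to the IT team.
    Mixed investigations (IT admin plus an unknown account) stay open."""
    actors = {normalize_actor(a) for a in inv.actors} or actors_in_title(inv.title)
    return bool(actors) and actors <= it_team


def plan_actions(inv, it_team, distribution_list="soc-alerts@example.com"):
    """Return the workflow steps to run for this investigation, as tuples."""
    if not inv.rrn:
        # Fail loudly rather than calling the close step with an empty RRN.
        raise ValueError(f"investigation {inv.title!r} carries no RRN")
    if is_it_team_activity(inv, it_team):
        return [("email", distribution_list, inv.rrn), ("close", inv.rrn)]
    return [("leave_open", inv.rrn)]


if __name__ == "__main__":
    team = it_team_from_artifact(GLOBAL_ARTIFACT_IT_TEAM)
    samples = [  # constructed investigations
        Investigation("rrn:investigation:EXAMPLE-0001",
                      "Multiple Country Authentications - CORP\\JSMITH-ADM",
                      ["CORP\\JSMITH-ADM"]),
        Investigation("rrn:investigation:EXAMPLE-0002",
                      "New Local User Created by corp\\bob", ["corp\\bob"]),
        Investigation("rrn:investigation:EXAMPLE-0003",
                      "Admin Login to Endpoint by CORP\\svc-patching"),
    ]
    for inv in samples:
        print(inv.rrn, plan_actions(inv, team))
```

In a real workflow the artifact rows would come from the Global Artifact step and the actor list from the trigger output; the point of `is_it_team_activity` is the subset test, which is what keeps a genuine attacker's account from being closed just because an admin also appears on the same investigation.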