When I am creating triggers in IDR I do not see any custom detections rules I’ve created. Further, the list of detection rules to choose from is relatively short compared to everything seen in the Detection Rules tab. I’m fairly new to IDR/Connect Automation so there must be something I’m missing or not understanding?
Thanks,
Craig
Hi Craig,
When creating a trigger, you would select IDR Detection Rule.
Then you would select the data type to which your rule applies, such as Raw Log.
Then you would find your Custom Rule in the list; you may need to search for it or skip to the final page. Mine is called Testing Webhook.
Once you select your Rule, you can continue with the trigger details.
David
I have not found anything that looks like the screenshots above. Where in the R7 platform are these taken?
Those screenshots are from InsightConnect. This is what pops up if you choose a basic detection as the trigger to your workflow.
I would recommend using an Alert Trigger, or an Investigation Trigger, as opposed to a detection rule as a trigger.
Detection rules are great for automation as they contain every piece of evidence that is relative to the event, but they lack a Rapid7 Resource Number (RRN) that is needed for updating an investigation or alert.
So you can automate to your heart's content, but your visibility into what automated actions you have taken would not be easily tied and referenced within the GUI of IDR.
I’ve attached a workflow that leverages the investigation trigger. It is just a base template, but could be expanded upon to do whatever you want.
IDR New Investigations Template.icon (52.5 KB)
Thank you very much, Darrick. Your answer helped me realize my mind was stuck on tying automations to detection rules instead of alerts or investigations. I’m making progress now.