So recently I have built some automations that have evolved over time, naturally.
I had begun with an ingress alert to trigger a workflow to reset the passwords.
This is still working like expected, but the client has requested I find a way to automate a response to a comment of an investigation. I said sure, no problem… Little did I know..
So I understand the differences between alerts and investigations, and how multiple alerts can be assigned to an investigation. So I have started to identify some ways around this.
We came up with a simple trigger that identifies the title of the investigation. Then it runs a pattern match for successful ingress. By doing this it gives me the investigation ID, which I can use freely.
I was wondering what other solutions or similar problems and solutions everyone has used. There has to be a better and more consistent method than the one we have deployed.
When I look at the alert payload, it seems like an alert has the investigation RRN in the trigger payload. You shouldn’t have any issue adding a comment to an investigation if an alert is your trigger.
Thanks for responding, so no, I did not use the IDR extension. I used the IDR detection rule types and selected ingress auth. From there I selected the detection rule Successful Ingress - Outside Australia, the pre-built one that Rapid7 offers. The Trigger Schema within that suggested it was an alert, and that schema was missing the RRN.
Either way it's looking like we will have to remake this automation to start getting the RRN in there. I will look to see if I can use that extension and go from there.
I would like to automatically trigger a workflow that can extract specific information from a Legacy UBA Third Party Detection Rule and put that information inside an artifact (to get a clickable URL, among other things). Later I will need to run an action on the associated asset, but let’s start “simple”.
First I tried to create a “new?” Detection Rule so I can trigger a workflow using the trigger “InsightIDR Detection Rule” (because I didn’t find the detection rule under InsightIDR Legacy Detection Rule). Then I couldn’t find a simple way to get the investigation ID directly inside this job.
So… @Moose looks like what you suggested would fit my need. However, here is the alert payload that I got from this trigger associated to a brand new Basic Detection Rule with a log pattern:
In the end @Dayze36, what path did you choose? In my case I think I understood what the differences between alerts and investigations are, but I’m still confused between all the different kinds of alerts/detection rules/triggers that the products offer!
Maybe you could share your icon file?
You create the trigger, then you activate the workflow. Next you go to InsightIDR under the automation tab, and you tie that workflow you created to specific UBA investigations. It can be one investigation type, or many.
Additionally if you use the legacy detection trigger, you can also manually run workflows from an InsightIDR investigation using the take action button.
Detection rules are not a good path forward if you want to tie them to an investigation or an alert.
You can work backwards from investigation, to alert(s), to detections.
You can work backwards from alert to evidence.
You just can’t reliably and consistently work forwards from detection to alert or investigation.
If you want the URL to come natively from the trigger payload rather than you combining different variables to make a URL, the data exporter is the best method for you to use. Here is a workflow that works backwards from Investigation to evidence.
Thanks for your answer. The thing is that I can’t tie that workflow to my specific UBA, as there is no “Third Party Alert - xxx” inside the automation tab of InsightIDR:
The URL that I need to put inside an artifact comes from the Third Party Alert itself and can be retrieved in the source_json. It is related to the product sending the alert, not InsightIDR.
So I don’t want to run the workflow manually, as the objective is to get this information available quickly rather than going through the evidence and looking for this field.
I can’t find the Third Party’s UBA under the automation tab to tie a workflow with a Legacy Detection Trigger.
When I created a custom Detection Rule (so an ABA, which I am totally open to), I can run a workflow with an InsightIDR Detection Rule trigger, which runs. But I don’t have the associated investigation ID, and the artifacts are not showing inside the investigation, so even if I get it (by running a search, for example), it will be useless.
I’m kind of lost as to the correct path to achieve this.