Crowdstrike InsightConnect IOC

Looking to automate network isolation for a device that is experiencing an IOC (specifically around encryption). What are some ways folks have deployed this workflow using CS plugins?

Hello George.

This is a great question! To provide the best guidance, I’d need a bit more context on your specific use case.

With InsightConnect, the first step is determining the trigger—what event will initiate this workflow?

Here are some options:

  • InsightIDR Plugin: Use the New Investigation Trigger or New Alert Trigger to kick off the workflow when an IOC is detected. (See: Rapid7 Extensions)

  • CrowdStrike Plugin: Supports Get New Detections and Get New Incidents triggers to respond to threats directly from CrowdStrike. (See: Rapid7 Extensions)

Once you’ve selected a trigger, you’ll need to decide whether all incidents should initiate isolation or only specific ones based on certain criteria. You can use decision or filter steps to ensure the workflow only proceeds when needed. (See: Format Query Language | InsightConnect Documentation)

Next, the workflow should look up the asset you want to isolate. Best practice is to first confirm the asset exists before proceeding with the isolation step.

If you can provide more details on your specific requirements, I’d be happy to suggest a more tailored approach or even a starter workflow to help you get up and running!
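The three stages the answer lays out (trigger event in, a decision step that filters on criteria, an asset lookup that must succeed before isolation runs) can be sketched as plain logic before they are built as workflow steps. The following is an added example, not code from this thread or from Rapid7 or CrowdStrike: the detection field names, the inventory and the isolate() function are constructed placeholders standing in for the plugin trigger, asset-lookup and containment actions, and the isolation criteria are an assumed policy.

```python
"""Containment-decision logic for an IOC-triggered isolation workflow.

Added example, not code from the original thread or from Rapid7/CrowdStrike.
It models the stages the answer describes: a detection event arrives, a
filter decides whether it warrants isolation, and the asset is confirmed
to exist before any isolation action is issued.
"""

# Constructed sample detections, shaped loosely like a detection summary.
# The field names are assumptions, not the CrowdStrike plugin's schema.
SAMPLE_DETECTIONS = [
    {"detection_id": "det-001", "hostname": "FIN-WS-07", "device_id": "aaa111",
     "severity": 4, "tactic": "Impact", "technique": "Data Encrypted for Impact"},
    {"detection_id": "det-002", "hostname": "DEV-WS-12", "device_id": "bbb222",
     "severity": 2, "tactic": "Discovery", "technique": "System Information Discovery"},
    {"detection_id": "det-003", "hostname": "GHOST-01", "device_id": "ccc333",
     "severity": 5, "tactic": "Impact", "technique": "Data Encrypted for Impact"},
]

# Constructed asset inventory standing in for the asset-lookup step.
# ccc333 (GHOST-01) is deliberately absent to exercise the "confirm it exists" check.
KNOWN_ASSETS = {"aaa111": "FIN-WS-07", "bbb222": "DEV-WS-12"}

# Criteria the decision step applies (assumed policy; tune to your environment).
ISOLATE_TACTICS = {"Impact"}
ISOLATE_TECHNIQUE_KEYWORDS = ("encrypt",)
MIN_SEVERITY = 3


def should_isolate(det):
    """Decision step: isolate only on sufficiently severe encryption-related detections."""
    technique = det.get("technique", "").lower()
    return (
        det.get("severity", 0) >= MIN_SEVERITY
        and det.get("tactic") in ISOLATE_TACTICS
        and any(keyword in technique for keyword in ISOLATE_TECHNIQUE_KEYWORDS)
    )


def lookup_asset(device_id, inventory=KNOWN_ASSETS):
    """Asset-lookup step: return the hostname, or None if the asset is unknown."""
    return inventory.get(device_id)


def isolate(device_id, audit):
    """Placeholder for the plugin's containment action; only records the call."""
    audit.append(f"isolated {device_id}")
    return True


def process_detection(det, inventory=KNOWN_ASSETS, audit=None):
    """Run one event through filter -> lookup -> isolate and return the outcome."""
    if audit is None:
        audit = []
    if not should_isolate(det):
        return "skipped: does not match isolation criteria"
    hostname = lookup_asset(det["device_id"], inventory)
    if hostname is None:
        # Never issue a containment action against an asset you cannot confirm.
        return "skipped: asset not found, routed for manual review"
    isolate(det["device_id"], audit)
    return f"isolated {hostname}"


def run(detections=SAMPLE_DETECTIONS, inventory=KNOWN_ASSETS):
    """Process every detection; return per-detection outcomes and the audit trail."""
    audit = []
    results = {d["detection_id"]: process_detection(d, inventory, audit) for d in detections}
    return results, audit


if __name__ == "__main__":
    outcomes, trail = run()
    for det_id, outcome in outcomes.items():
        print(det_id, "->", outcome)
    print("audit:", trail)
```

The point of the third sample record is the one the answer stresses: a detection can pass the decision step and still fail the asset lookup, and in that case the workflow should stop and hand off for review rather than fire an isolation action against an unconfirmed device. Keeping an audit list of every containment call also gives you something to attach to the investigation afterwards.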