I noticed how Basic Detection Rules have a built-in way to send a notification to PagerDuty. Why/How do I send a detection rule from the Detection Rule Library to PagerDuty? There doesn’t seem to be a built-in way to do this. Specifically for a detection rule of
Rule Category: Custom and Contextual
Rule Action: Creates Alerts
Event Type: Active Directory Admin Activity
You would need to build a workflow to do this.
We have a PagerDuty plugin. Make your connection to that. Use the detection rule trigger. From the trigger, you will send to PagerDuty by choosing what out of that payload you want to be sent.
Sure, I went down this path, but on the Select a Trigger wizard I choose from the section From Insight Platform, the InsightIDR Detection Rule, and continue. On Select how to build your trigger, I do not see the Detection Rule Type of Active Directory Admin Activity to use my detection rule in this workflow. Should I not be in the section From Insight Platform?
Apologies for that. I didn’t realize that is missing. I created a ticket to have them added.
In the meantime if you are interested in automating this you can use the Alert Trigger or the investigation trigger. The easiest method would be to create a decision after the trigger that matches off title, to ensure whatever response you are interested in only operates for that specific rule.
If you work from an investigation trigger you have to list alerts per investigation, loop over the alerts, and for each alert fetch the evidence. Evidence is the same thing as the detection rule trigger payload.
If you work from the Alert trigger you need only one step which is Fetch Evidence.
If you get stuck along the way please continue to update this thread and I can assist you.
I have built a workflow and tested it manually. But now, if I want this workflow to run automatically, does it need to be listed on the Detection Rule on the Automation tab? I am not sure if this is necessary to make the workflow run.
If so, the tab will only allow me to select a compatible workflow with event type of Active Directory Admin Activity. Of which the workflow I built is not because it doesn’t exist yet.
Thanks
Just depends what the trigger is.
If you did an alert trigger, as soon as you hit publish it is going to be active, and it will capture all new alerts. No additional steps are needed. The only things that show up in the detection rule Automation tab are workflows that leverage the detection rule trigger. Since that specific detection rule hasn’t yet been configured within InsightConnect as an option that you can select, you will not see any automations at this time.
I am sorry, I thought I created an alert trigger but apparently not. Can you point me to some documentation/video on how to create an alert trigger please? I have been selecting “Add Workflow”. Then on the “Select a Trigger” menu, it has the following sections: From API, From Insight Platform, From Chat Apps, From Plugins. I have been selecting From Insight Platform, InsightIDR Detection Rule. On the “Select how to build your trigger” menu, I have been selecting IDS or Ingress Auth just to make a selection, as I can’t Continue if I do not. On the “Configure Trigger Rules” menu, I didn’t select anything and went on to Configure Trigger Details. This shows the Available Trigger Schema that contains a lot of alert strings and objects, and thus I figured it was an alert trigger?
When you have your trigger selection options, they are static and will always be present all the way to the Slack option. No matter what you type, you will always see API trigger through to Slack first.
To use the alert trigger you want to get to the Rapid7 InsightIDR plugin. You can do this by typing Rapid7 InsightIDR, then scroll down below Slack and you should see it as an option.
When you choose the plugin, you will then have two trigger options, one for alerts, and one for Investigations.
Previously you have been working with Detections, which is one-to-one. Alerts are also one-to-one, meaning an alert is created by a single detection. For automation it will be very easy: just alert trigger, then fetch the evidence.
If you choose to use an investigation trigger, it is not one-to-one. One single investigation can have many alerts tied to it. This makes it more difficult to automate. It can still be done, but you have extra steps, and then you have to figure out what exactly you want to happen with all the extra data.
If it were my program and I had the option to choose, I would choose to utilize alerts over investigations, due to the relative ease of automating them.
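The two trigger paths described in this thread (alert trigger → Fetch Evidence, versus investigation trigger → list alerts → loop → Fetch Evidence, each gated by a decision that matches on the rule title) expressed as plain code. This is an added illustration, not the InsightConnect plugin or anything from the original posts; the alert and evidence field names, the rule title, the routing key and the two stand-in step functions are constructed assumptions, while the outgoing payload follows the PagerDuty Events API v2 shape.

```python
"""Model of the workflow logic: decision on rule title, evidence fetch, PagerDuty event."""
import json

RULE_TITLE = "Example AD Admin Activity Rule"   # constructed placeholder rule title
PD_ROUTING_KEY = "<pagerduty-integration-key>"   # placeholder, not a real key
# Map InsightIDR-style severities (assumed names) to PagerDuty Events API v2 severities.
SEVERITY_MAP = {"CRITICAL": "critical", "HIGH": "error", "MEDIUM": "warning", "LOW": "info"}

def matches_rule(alert, rule_title=RULE_TITLE):
    """The decision step: only alerts from the rule of interest continue down the workflow."""
    return alert.get("title", "").strip().lower() == rule_title.strip().lower()

def to_pagerduty_event(alert, evidence):
    """Pick the fields worth paging on and shape them as a PagerDuty v2 trigger event."""
    return {
        "routing_key": PD_ROUTING_KEY,
        "event_action": "trigger",
        "dedup_key": f"insightidr-alert-{alert['id']}",   # re-triggers dedupe per alert
        "payload": {
            "summary": f"{alert['title']} ({alert['severity']})",
            "source": evidence.get("source_host", "insightidr"),
            "severity": SEVERITY_MAP.get(alert.get("severity", "").upper(), "warning"),
            "custom_details": {"alert_id": alert["id"],
                               "actor": evidence.get("actor"), "action": evidence.get("action")},
        },
    }

def events_from_alert(alert, fetch_evidence):
    """Alert trigger path: one alert -> decision -> Fetch Evidence -> at most one event."""
    if not matches_rule(alert):
        return []
    return [to_pagerduty_event(alert, fetch_evidence(alert["id"]))]

def events_from_investigation(investigation, list_alerts, fetch_evidence):
    """Investigation trigger path: list alerts, loop, and run the alert path for each."""
    events = []
    for alert in list_alerts(investigation["id"]):
        events.extend(events_from_alert(alert, fetch_evidence))
    return events

# Constructed sample data standing in for the plugin's List Alerts / Fetch Evidence steps.
SAMPLE_ALERTS = [{"id": "a-1", "title": RULE_TITLE, "severity": "HIGH"},
                 {"id": "a-2", "title": "Unrelated Rule", "severity": "LOW"}]
SAMPLE_EVIDENCE = {"a-1": {"actor": "jdoe", "action": "Add member to group", "source_host": "dc01"},
                   "a-2": {"actor": "svc-backup", "action": "Logon"}}

def sample_list_alerts(investigation_id):   # stand-in for the List Alerts step
    return SAMPLE_ALERTS

def sample_fetch_evidence(alert_id):        # stand-in for the Fetch Evidence step
    return SAMPLE_EVIDENCE[alert_id]

if __name__ == "__main__":
    for ev in events_from_investigation({"id": "inv-1"}, sample_list_alerts, sample_fetch_evidence):
        print(json.dumps(ev, indent=2))
```

Running it shows that of the two alerts on the constructed investigation only the matching one produces a PagerDuty event, which is the filtering the decision step provides when you key it off the title.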
Thank you for all of your assistance, I think I have it working the way I want for the moment