Hello - we’ve been migrating legacy rules when we can, but we’ve been having some issues with some of the event types not being available to create workflows with. A lot of the User Behavior ones have event types like asset authentication and AD Admin Activity - and I’m not seeing any of those options when choosing a trigger. Maybe I’m blind, or it’s not possible yet - figured I’d ask and perhaps see if there’s an alternative.
I asked a very similar question in “Discuss” just yesterday :-). Glad you asked as well.
. . . no replies to your question or mine so I am opening a support case.
Hi @bdroege, you would select IDR Detection Rule, then Asset Auth as the type, and then within the ruleset you should be able to find the rules.
However, I see there is no trigger currently for AD Admin activity; we will need to address this with Engineering.
David
That must be new - I could’ve sworn I checked everywhere!
Thank you - this does answer my question, and thank you for touching on the AD Admin activity and talking about that.
Hello,
Is there any update to this? I’ve been asked to develop an automated workflow based on AD Admin activity related investigations being raised; however, I can’t (well, I can, but not cleanly).
At this time not all detection rule categories are part of InsightConnect detection rule triggers.
You can instead use the InsightIDR plugin and trigger when new Alerts or new Investigations are created. Both of those options will allow you to work backwards and get the same evidence payload that the detection rule would’ve provided.