Getting Evidence from Investigation in InsightConnect

I am trying to create a workflow that performs actions on certain investigations based on details of the evidence in the alerts in the investigation. However, I don't see that this is being brought in by the IDR connection in InsightConnect. Is this possible and I am just not using the right plugin? If not, are there plans to make it possible?

Depending on the investigation alerts you are trying to trigger on, you will need to use either the UBA or ABA alert triggers. If you let me know what you are trying to trigger on and what you want to do with the alert, I can help you get something up and running.

We are getting a lot of UBA alerts for remote code execution for ScreenConnect. Since we can't currently create an exception for these because they are UBA alerts, I was hoping to create a workflow in InsightConnect that would update the investigations and close them for us. I was trying to use the IDR connection in Connect to list the investigations and then close them based on the evidence within the alert/investigation.

What is the alert type it is triggering off of in IDR?

UBA Alert


Okay I will take a look and see what I can come up with that might help you.

Any feedback? In another thread you mention searching logs for alerts or using global artifacts to get this information. Can you expand on this, as I can't seem to find any logs that hold this info? It seems to come straight from the agents.

There is a 'restricted' API available in InsightIDR to get all evidence data from an investigation, but you must ask Rapid7 to enable it for you, AFAIK. Once you have this you can use an HTTP request via InsightConnect.

Example:

https://us.api.insight.rapid7.com/idr/v1/restricted/investigations/{investigation-rrn}/evidence
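As an added example (not from this thread and not Rapid7's own code), here is the decision logic such an InsightConnect workflow could run over the evidence payload before closing an investigation. It assumes the restricted endpoint quoted above returns JSON and that the request is authenticated with the `X-Api-Key` header used by the other Insight platform APIs; the field names `alerts`, `type`, `evidence`, `process_name` and `parent_path` are an assumed schema for illustration, and the sample payloads are constructed, not real API output. The rule is deliberately conservative: anything the exception does not fully explain leaves the investigation open for a human.

```python
import json
import re
import urllib.request
from typing import Any, Dict, Tuple

# Region host taken from the URL quoted in the thread.
REGION_HOST = "https://us.api.insight.rapid7.com"


def evidence_url(investigation_rrn: str) -> str:
    """URL of the restricted evidence endpoint named in the thread."""
    return f"{REGION_HOST}/idr/v1/restricted/investigations/{investigation_rrn}/evidence"


def fetch_evidence(investigation_rrn: str, api_key: str) -> Dict[str, Any]:
    """HTTP step an InsightConnect HTTP-request action would perform.

    Assumes (as for other Insight platform APIs) an X-Api-Key header and a JSON
    body, and that Rapid7 has enabled the restricted API for the organisation.
    """
    req = urllib.request.Request(
        evidence_url(investigation_rrn),
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Exception rule for the thread's scenario: cmd.exe spawned by the ScreenConnect
# client service from its normal install directory. The parent path is pinned in
# full so that a same-named binary elsewhere does not satisfy the rule.
SCREENCONNECT_PARENT = re.compile(
    r"^C:\\Program Files( \(x86\))?\\ScreenConnect Client \([0-9a-z]+\)"
    r"\\ScreenConnect\.ClientService\.exe$",
    re.IGNORECASE,
)
ALLOWED_CHILDREN = {"cmd.exe"}  # keep this allowlist as narrow as possible


def item_is_expected(item: Dict[str, Any]) -> bool:
    """True only when both the parent path and the child binary match the rule."""
    parent = item.get("parent_path") or ""
    child = (item.get("process_name") or "").lower()
    return bool(SCREENCONNECT_PARENT.match(parent)) and child in ALLOWED_CHILDREN


def should_auto_close(evidence: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide whether every alert in the investigation is explained by the rule.

    Any missing field, empty list, non-UBA alert or unexplained evidence item
    returns False so the investigation stays open for review.
    """
    alerts = evidence.get("alerts") or []
    if not alerts:
        return False, "no alerts in evidence payload"
    for alert in alerts:
        if alert.get("type") != "UBA":
            return False, f"alert type {alert.get('type')!r} is outside the rule"
        items = alert.get("evidence") or []
        if not items:
            return False, "alert carries no evidence items"
        for item in items:
            if not item_is_expected(item):
                return False, (f"unexplained process {item.get('process_name')!r} "
                               f"under parent {item.get('parent_path')!r}")
    return True, "all evidence matches the ScreenConnect exception rule"


# Constructed sample payloads using the assumed field names; not real API output.
MATCHING_EVIDENCE = {
    "alerts": [{
        "type": "UBA",
        "title": "Remote Code Execution",
        "evidence": [{
            "asset": "WS-0123",
            "process_name": "cmd.exe",
            "parent_path": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        }],
    }]
}
UNEXPLAINED_EVIDENCE = {
    "alerts": [{
        "type": "UBA",
        "title": "Remote Code Execution",
        "evidence": [{
            "asset": "WS-0456",
            "process_name": "cmd.exe",
            "parent_path": r"C:\Temp\ScreenConnect.ClientService.exe",
        }],
    }]
}

if __name__ == "__main__":
    for name, payload in (("matching", MATCHING_EVIDENCE), ("unexplained", UNEXPLAINED_EVIDENCE)):
        close, reason = should_auto_close(payload)
        print(f"{name}: close={close} ({reason})")
```

In a workflow, `fetch_evidence` corresponds to the HTTP-request step and `should_auto_close` to a decision step; the actual close would then go through the IDR plugin's investigation action that the thread already discusses. Logging the returned reason alongside the investigation RRN gives an audit trail of why each investigation was or was not auto-closed.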