Getting Started with InsightIDR + InsightConnect

If you’re looking to get started with InsightIDR and InsightConnect, you’ve come to the right place. I want to walk through the setup of a simple InsightConnect workflow to show you a couple things:

  1. How to setup and use an InsightConnect workflow within InsightIDR
  2. What data is available from InsightIDR for automation purposes

This starter workflow is tied to the user behavior analytics (UBA) component in InsightIDR. UBA enables you to identify threats or compromises on your network by establishing patterns of typical user behavior and noting deviations from those patterns.

What this means is that our workflow will be triggered (meaning it starts executing) when a UBA alert occurs in InsightIDR. It will then proceed to execute each of the steps configured in the workflow, using the info from the UBA alert along the way. This is how you can begin to automate processes in the realm of InsightIDR.

With that in mind, let’s get this workflow setup in our environment.

  1. Login to the Insight platform
  2. Navigate to the Hello IDR workflow in our Extension Library
  3. Click Import (this will take you to InsightConnect)
  4. Follow the prompts to import and activate the workflow
  5. Navigate to the Documentation tab in the above workflow page
  6. Follow the steps under Setup to launch the workflow

Note: Make sure the workflow is activated in InsightConnect. Otherwise you won’t see it listed as an option when configuring it in InsightIDR.

Now that we’ve configured it, what we have is an InsightConnect workflow that will be triggered by a UBA alert in InsightIDR. This is triggered via the InsightIDR investigation that we’ve taken action on.

The workflow should quickly complete, and its results will appear as an artifact in the InsightIDR investigation timeline. You can click View Details to see its output and should see something like this:

post1

There’s a lot of information here. But what exactly happened with this workflow? The workflow itself only contains two steps:

  1. An InsightIDR UBA alert trigger. In this case we triggered the workflow by taking action in the InsightIDR investigation.
  2. Workflow output, called an artifact or a markdown card. It’s essentially just a nicely formatted artifact that contains all the info extracted from the UBA alert.

This info from step #2 can help us figure out what we might want to automate. You may or may not see 100% of the information filled in on the artifact, since that depends on the investigation options you chose, but we can still see the range of possibilities.

For instance, there’s information on users that may’ve been involved in the alert. This opens the door to automating things related to user containment, like password resets and disabling accounts. There’s also information surrounding assets and additional indicators of compromise (IOCs), which can allow for anything from alert enrichment to asset quarantines.

So as you review this InsightIDR data from the workflow output (the above is by no means an exhaustive collection), you can start to consider what you want to automate. Try to think about your own current processes - in particular, when/why those processes take place, and what steps are required to complete them. From there you can begin to plan for automations that handle the steps within those processes that you’ve identified.

If you’re looking to learn more about what you can do with InsightIDR and InsightConnect automation, check out our automation playbook where we detail a variety of use cases and highlight some of our pre-built workflows. And if you have any questions or ideas of your own, feel free to share here!