InsightConnect Questions

rpivm · February 7, 2024, 10:18am

Hi all,
A few questions on InsightConnect:

Is there an easy way to push all alerts into an InsightConnect workflow other than having multiple workflows, one for a UBA Trigger and one for an ABA Trigger? I just want one workflow that will send all the relevant information such as IP/Domain/URL/etc which i can then perform enrichment on.
In IDR Automation, is there a quick way to replace the workflow associated with a trigger? There is ALOT of clicking required to setup for each detection rule.

brandon_mcclure · February 7, 2024, 2:14pm

You could have one Workflow that has a decision based on the alert title, then have a path to enrich. Or if there are multiple of the same type you can send it as an array and loop through it (Microsoft 365 Defender will send multiple alerts for one incident)

One thing to consider with one Workflow verses Multiple specific to an Alert type is the size of the workflow. There is a max number of Steps that sadly I reached multiple times and had to split up the Workflow to handle this. Also, If you send a large array, the performance and restartability will be affected. E.g. I originally had a Workflow of User Management that had a field of Enable/Disable/Reset Password/ or run The Termination steps. This got too large so I split it up to three Workflows, Enable/Disable, Reset Password, and Termination. I used Snippets for redundant steps that all three have for manageability of steps.

I cannot answer the IDR part.

rpivm · February 7, 2024, 2:30pm

Thanks Brandon.
The problem for the first point, is that i cant see a way to just get IC to ingest any alert.
When i setup the workflow, if i select InsightIDR Detection Rule, i then have to pick only one of the categories, for example, Cloud Service Admin and then add all the rules under that category.
It doesnt look like i can add Cloud Service Admin AND Firewall for example.
Unless im missing something here, i would need to build out 15+ workflows with each category as a trigger?

brandon_mcclure · February 7, 2024, 2:48pm

understood, I’ve never worked with that trigger.

darrick_hall1 · February 7, 2024, 2:52pm

With the ABA triggers, you need one workflow per category, that workflow can ingest all alerts for that specific category.

Then you have the data exporter. That will fire upon investigation being created. This is nice because you receive all alerts in one trigger, but the information that both triggers send is different. You can try the data exporter to see if that provides what you need in the single workflow.

If you would like to learn more: Universal Webhook | InsightIDR Documentation

The trigger in InsightConnect for this would be the API trigger. After saving the API trigger it will provide a URL for you, that you would then provide to the data exporter in IDR.

If you choose to create a new data exporter, at the bottom of the screen you will see a “Show Example” button. Click that, copy the request body, and paste that into the api trigger setup where it says “enter JSON”. This will create all the variables for you.

WebhookExamplePayload1

EnterJSON

darrick_hall1 · February 7, 2024, 3:11pm

Here are some workflows recently created that utilize the Universal Data Exporter, and then gather the investigation information, to then retrieve the alert payload.

rpivm · February 7, 2024, 3:24pm

Thanks Darrick, ill have a play around!