A few questions on InsightConnect:
- Is there an easy way to push all alerts into an InsightConnect workflow other than having multiple workflows, one for a UBA Trigger and one for an ABA Trigger? I just want one workflow that will send all the relevant information such as IP/Domain/URL/etc., which I can then perform enrichment on.
- In IDR Automation, is there a quick way to replace the workflow associated with a trigger? There is A LOT of clicking required to set up each detection rule.
You could have one Workflow that has a decision based on the alert title, then have a path to enrich. Or if there are multiple of the same type you can send it as an array and loop through it (Microsoft 365 Defender will send multiple alerts for one incident).
One thing to consider with one Workflow versus multiple specific to an Alert type is the size of the workflow. There is a max number of Steps that sadly I reached multiple times and had to split up the Workflow to handle this. Also, if you send a large array, the performance and restartability will be affected. E.g. I originally had a Workflow for User Management that had a field of Enable/Disable/Reset Password or run the Termination steps. This got too large so I split it up into three Workflows: Enable/Disable, Reset Password, and Termination. I used Snippets for redundant steps that all three have, for manageability of steps.
I cannot answer the IDR part.
The problem for the first point is that I can't see a way to just get IC to ingest any alert.
When I set up the workflow, if I select InsightIDR Detection Rule, I then have to pick only one of the categories, for example Cloud Service Admin, and then add all the rules under that category. It doesn't look like I can add Cloud Service Admin AND Firewall, for example.
Unless I'm missing something here, I would need to build out 15+ workflows with each category as a trigger?
Understood, I've never worked with that trigger.
With the ABA triggers, you need one workflow per category; that workflow can ingest all alerts for that specific category.
Then you have the data exporter. That will fire upon an investigation being created. This is nice because you receive all alerts in one trigger, but the information that both triggers send is different. You can try the data exporter to see if that provides what you need in the single workflow.
If you would like to learn more: Universal Webhook | InsightIDR Documentation
The trigger in InsightConnect for this would be the API trigger. After saving the API trigger it will provide a URL for you, that you would then provide to the data exporter in IDR.
If you choose to create a new data exporter, at the bottom of the screen you will see a “Show Example” button. Click that, copy the request body, and paste that into the API trigger setup where it says “enter JSON”. This will create all the variables for you.
Here are some recently created workflows that utilize the Universal Data Exporter, gather the investigation information, and then retrieve the alert payload.
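As an added illustration (not InsightConnect code or anything posted in this thread) of the single-workflow approach suggested above: a decision on the alert title picks the category, the alert array is looped over, and the IP/domain/URL indicators are pulled out so each category can branch to its own enrichment path. The payload and its field names are constructed assumptions, not the real data exporter or ABA trigger schema.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed sample payload. The field names ("investigation", "alerts",
# "title", "details") are assumptions for illustration, not the real
# Universal Data Exporter or ABA trigger schema.
SAMPLE_PAYLOAD = json.dumps({"investigation": {"alerts": [
    {"title": "Firewall - Suspicious Outbound Connection",
     "details": "host 10.1.2.3 connected to 203.0.113.7 via http://evil.example.net/a"},
    {"title": "Cloud Service Admin - New Admin Role Assigned",
     "details": "admin@corp.example granted rights from 198.51.100.9"},
]}})

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Internal ranges are skipped: external enrichment lookups on them return nothing useful.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def extract_indicators(text):
    """Pull URLs, their hostnames, and non-internal IPv4 addresses from free text."""
    urls = sorted(set(URL_RE.findall(text)))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL):
            ips.add(str(ip))
    return {"urls": urls, "domains": sorted(domains), "ips": sorted(ips)}

def category_of(title):
    """Decision step: the alert category is the text before the first ' - '."""
    return title.split(" - ", 1)[0].strip()

def route_alerts(payload_json):
    """Loop over the alert array and group extracted indicators by category,
    so one workflow can branch to the right enrichment path per category."""
    alerts = json.loads(payload_json)["investigation"]["alerts"]
    routed = {}
    for alert in alerts:
        routed.setdefault(category_of(alert["title"]), []).append(
            extract_indicators(alert.get("details", "")))
    return routed
```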
Thanks Darrick, I'll have a play around!