InsightIDR UBA Alerts to Teams Channel

Looking for some guidance. I’d like to post all my IDR alerts to a Teams channel using ICON for easy mobile viewing. I’ve been able to do this with custom alerts; however, I haven’t figured out how to do the same with the UBA Alerts. The only thing I got working for that is to take a manual action within the UBA alerts to post to Teams… Can anyone give any pointers on how to automate this? FYI, I am new to these products.

Have you seen the Automation documentation of InsightIDR?
Maybe the Alert trigger page provides the information you need: Alert Triggers | InsightIDR Documentation


Hey @joe_delavalle, thanks for the question! We actually published a workflow to the Extension Library a few weeks ago that might help you out: IDR Alert Routing with Microsoft Teams. The workflow was designed to deliver InsightIDR Alerts to a specific Teams channel based on AD group membership, allowing you to differentiate between ‘critical’ and ‘non-critical’ users. As an example, you may set the Domain Admins group as ‘critical’, and anyone not part of that group would be considered ‘non-critical’.

The Documentation tab of that workflow listing provides all the instructions you’d need to get that activated in your environment, but let us know if you have any follow-up questions!


This was helpful - Thank you.

This was also helpful. Going to look at this as well thank you.


Hi @ilyaaz_noerkhan

Your suggestion worked great for the UBA alerts… Any pointers on how to accomplish the same with ABA alerts?

Hi @joe_delavalle, unfortunately we do not yet support a specific experience for running InsightConnect workflows for ABA alerts just yet. The good news though is that we are looking into this right now!

If you would be interested, we would love to chat more with you about this and maybe share some thoughts on how this experience could work and get your thoughts?

Hi @tyler_terenzoni, I would certainly be open to that.

Appreciate it, I will reach out to you directly!

For anyone else who peeks into this thread, if you are also interested in having those discussions please respond here and I can reach out to you as well.

Please count me in for this feature as well. Looking to integrate all InsightIDR alerts to be sent to a Teams channel or to be handled as a trigger for InsightConnect.

I know it’s been quite some time since the last response here, but I am working on getting IDR alerts into a MS Teams group for our IT teams to be alerted on and have a central discussion location rather than send multiple emails back and forth. I have set up the IDR Alert Routing with Microsoft Teams workflow, but I get a lot of failed jobs and I’m kind of stuck. It would be helpful to understand what the Parameter configurations are specifically for as the descriptions are pretty vague in my opinion.

It would also be much simpler if there was just an outgoing webhook to integrate in, but I’m not talented enough to figure that out on my own.

Where are the jobs failing at, and are they failing the same step every time?

So I was trying a few different iterations to try and get the workflow working. It wasn’t every alert that was failing in the jobs, but the ones that were failing all had the following in the log for the users loop step:

Failed to generate custom loop output ‘Users in Group’
Error: the variable ‘Found’ wasn’t defined
Please investigate your last loop iteration.

I was unsure what user group to use and where the search base should be in our AD, since our users and computer objects are all over the place. I believe I may have it working to an extent now. It was very slow to match users yesterday: over 2 hours and around 350 decisions (the group was maybe too large, 2300 users?), and I kept getting a different error that was my mistake, an extra comma in the search base.

Now, with 96 users in the current group it takes about a minute to run and the jobs are completing. So maybe I finally got it after 2 or 3 days of playing with it.

It sounds like sometimes that variable isn’t being created and it causes a failure in the custom loop output when it tries to generate the output variable. You can use an is_defined query for that variable in the loop output step in the Only Include If… section to tell ICON not to try and generate that variable if the output variable is not defined.

Format Query Language | InsightConnect Documentation



Thanks, I’ll give that a shot.