As someone new to InsightConnect, I want to create an automation that merges multiple rules when they are triggered and writes the assets to the first triggered rule. Where should I start to create a workflow that automatically follows and merges the rules?
Hello!
Could you provide more details on what you mean by “multiple rules”? Specifically, it would be helpful to know:
- Systems Involved:
  - What systems do you need to connect to in your workflow? For example:
    - SentinelOne
    - InsightIDR
    - Jira
- Initiating Event:
  - What would be the initiating event that triggers the workflow?
If you can provide those details, I’ll be able to give you a more detailed answer on how to begin.
Hi Darrick,
We are using InsightIDR. For example, it may say 10 malicious file hash detections. An alarm is triggered after the malicious hash value is first found, and then it also pops up on different hosts. I want to collect the host and user information of the other alarms that come within 30 minutes after the first detection in the first alarm. There is a couple-minute gap between each alert.
Very sorry for the late reply.
Assuming these alerts roll up into an investigation you could leverage global artifacts.
When the investigation is first created, it would write the Time and RRN to the global artifact.
You would have a second workflow that runs every x number of minutes. It would check the global artifact list and see if the time for the alert is 30 minutes or greater; if it is, it would delete that global artifact entry and use the RRN to list the alerts for the investigation, and that should give you each asset that was part of the investigation.
The considerations would be whether this is an Attacker Behavior Analytics rule or a User Behavior Analytics rule. If UBA, I don’t know what kind of information would be possible to fetch.
When you configure your global artifact schema structure I would choose an object.
The object would have three additional fields:
- Enabled (boolean)
- Investigation RRN (string)
- Date/Time (Date)
You need the first field “Enabled” so that you have something that is constant. Your other workflow will check the Global artifact and return all fields that have “Enabled” set to true. It is essentially a way to fetch all global artifact entries. Without the constant you can’t do this.
Again sorry for the delayed response. I hope this helps.
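To make the two-workflow design above concrete, here is an added Python simulation of the scheduled poller (it is not InsightConnect code or Darrick's; in the product these would be workflow steps). It assumes the global artifact entries use the three proposed fields, and the RRN values, alert list and clock are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Age after which an investigation's alerts are collected (30 minutes, per the thread).
COLLECT_AFTER = timedelta(minutes=30)


def new_entry(rrn: str, created: datetime) -> dict:
    """Build one global artifact entry with the three fields proposed in the reply.
    'Enabled' is always true so the poller can fetch every entry by matching on it."""
    return {"Enabled": True, "Investigation RRN": rrn, "Date/Time": created.isoformat()}


def poll_artifact(entries: list[dict], now: datetime) -> tuple[list[str], list[dict]]:
    """Simulate one run of the scheduled workflow.

    Returns (ready_rrns, remaining_entries): RRNs whose investigation is at least
    COLLECT_AFTER old (their entries are 'deleted', i.e. not kept in remaining),
    and the entries that stay in the global artifact for a later run.
    """
    ready, remaining = [], []
    for entry in entries:
        if not entry.get("Enabled"):          # the constant field every lookup matches on
            continue
        created = datetime.fromisoformat(entry["Date/Time"])
        if now - created >= COLLECT_AFTER:
            ready.append(entry["Investigation RRN"])
        else:
            remaining.append(entry)
    return ready, remaining


def assets_for(rrn: str, alerts: list[dict]) -> set[str]:
    """Stand-in for 'use the RRN to list the alerts for the investigation':
    collect the distinct hosts seen across that investigation's alerts."""
    return {a["host"] for a in alerts if a["investigation_rrn"] == rrn}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    entries = [                                               # constructed artifact contents
        new_entry("rrn:inv:example-1", now - timedelta(minutes=31)),
        new_entry("rrn:inv:example-2", now - timedelta(minutes=5)),
    ]
    alerts = [                                                # constructed alert list
        {"investigation_rrn": "rrn:inv:example-1", "host": "host-a", "user": "alice"},
        {"investigation_rrn": "rrn:inv:example-1", "host": "host-b", "user": "bob"},
        {"investigation_rrn": "rrn:inv:example-2", "host": "host-c", "user": "carol"},
    ]
    ready, remaining = poll_artifact(entries, now)
    for rrn in ready:
        print(rrn, sorted(assets_for(rrn, alerts)))
    print("still waiting:", [e["Investigation RRN"] for e in remaining])
```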