Multi Country Authentications Workflow

Multi Country Authentications for Staff members.

I would like help or advice on how to create a new workflow in InsightConnect using a preconfigured alert in IDR.

The alert in IDR will trigger when a staff member's account has been logged into from 2 or more countries within a short period of time. (We currently have staff and students in our AD tree. At the moment, we have an IDR alert for students which just deletes the IDR alert as we don’t want to do anything with these alerts.)

What I would like to do is:

When an alert comes in for a STAFF member (using AD authentication), I would like the workflow to trigger, use a templated email, then add the staff member's name, the IP addresses in the alert and the countries listed in the alert.
Then either automatically send it from a specific email address (a centralised security mailbox) to the staff member or ask for human intervention to check and send the email.

Does anyone have any idea if something like this is possible and how I could go about creating the workflow? I am a complete beginner with this system and have had no formal training so I am winging it!!

Hi @sfallon, thanks for reaching out. Our team is working on providing you a sample workflow that you can use. As a quick answer to your question: yes, this is possible. Off the top of my head, I know that your workflow would need an Insight IDR User Behavior Analytics Alert Trigger. Additionally, you can find the IP addresses with a few plugins from the Insight Platform including IPStack. It is also possible to automatically send the templated email or to instead ask for human intervention by creating a “decision step” and selecting the tab “human” and then configuring the path details from there. We will write back soon with a link to the sample workflow that you can use.