NEW SOAR feature: Workflow Snippets!

The InsightConnect team is super excited to announce the launch of a new feature: Snippets! :ship: :scissors:

Snippets introduces an entirely :sparkles:new :sparkles: approach to automation at Rapid7, allowing you to move away from task-based automation, where one workflow or quick action = one process, to leveraging automation holistically and strategically within your security program.

You might be wondering, what is a snippet, and how does it help me?

Snippets are reusable sequences of steps maintained in a central location, allowing you to standardize your tasks and processes in a consistent way.

  • Easily scale your automations: once published, a snippet can be added within and across workflows as a single step.
  • Simplify workflow management: manage all of your snippets from the Snippets tab of the Workflows page in InsightConnect. Updates to a snippet can be pushed to all linked workflows.
  • Reuse standard processes: use published snippets across automation use cases without having to rebuild functionality.


Try it for yourself! Import and use the preloaded cloud-enabled, connectionless snippet Enrich Domain with WHOIS from the banner on the Snippets tab of the Workflows page in InsightConnect. Follow the <2 minute tutorial in product to learn more.

→ For more information, read the Snippets Docs
→ Watch our video tutorial - build, test and publish a ticketing snippet with ServiceNow and Microsoft Teams

3 Likes

I just made a Snippet for my User Enrichment process. This is Amazing, it works just as I was hoping for!

1 Like

@brandon_mcclure That’s great to hear! Let us know if you have any feedback :slight_smile:

So far so good, working on IP Enrichment right now. This, with the copy/paste feature, is so easy. Managing Workflows and now even more consistency between them will be so much easier.

4 Likes

I really like this new feature. I also excluded our IP/URL/Hash enrichment in separate snippets. I was wondering if there will be some prebuilt snippets available in the Rapid7 extension library in the future?

3 Likes

Glad you are liking it! Snippets on the extension library is definitely something we are considering. Are there any use cases you’d be interested in seeing?

Enrichment Ideas for indicators, e.g. User, IP, URL, etc.

For my User Enrichment I take a single username and start with logic to see if one AD account was found with error handling for more than one and none. If none, I also do a check to see if the account was deleted. I pull out useful attributes including title, mail, pwdLastSet, and Manager DN. From the Manager DN I then pull basic info about the manager like name, title, and mail. I then run through some enrichment to see if the account would fall under any special cases that need to be accounted for. I then return all this in the output. This way, every time I see a username I run this and I pull back all the info that I could need for future runs. For future modifications, I will just make sure that the inputs don’t change and no outputs are deleted, just added, which the builder gives a good warning for before publishing.

3 Likes
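The user enrichment logic described in the post above, sketched in Python as an added example; it is not the poster's snippet or Rapid7 code. The directory records, the output key names, the `isDeleted` flag handling, and the single special-case rule are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real data. Keys mirror AD attribute names.
DIRECTORY = [
    {"sAMAccountName": "slee", "dn": "CN=Sam Lee,DC=corp,DC=test", "cn": "Sam Lee",
     "title": "SOC Manager", "mail": "slee@corp.test", "pwdLastSet": 0},
    {"sAMAccountName": "jdoe", "dn": "CN=Jane Doe,DC=corp,DC=test", "cn": "Jane Doe",
     "title": "Analyst", "mail": "jdoe@corp.test", "pwdLastSet": 133226208000000000,
     "manager": "CN=Sam Lee,DC=corp,DC=test"},
    {"sAMAccountName": "temp", "dn": "CN=Temp,DC=corp,DC=test", "cn": "Temp"},
    {"sAMAccountName": "temp", "dn": "CN=Temp,DC=lab,DC=test", "cn": "Temp"},
    {"sAMAccountName": "gone", "dn": "CN=Gone,CN=Deleted Objects,DC=corp,DC=test",
     "cn": "Gone", "isDeleted": True},
]

def filetime_to_utc(ticks):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC; 0 means unset."""
    if not ticks:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def enrich_user(username, directory=DIRECTORY):
    """Return the same output keys for every outcome so callers never break."""
    out = {"username": username, "status": "not_found", "title": None, "mail": None,
           "pwd_last_set": None, "manager": None, "special_cases": []}
    hits = [e for e in directory if e["sAMAccountName"].lower() == username.lower()]
    live = [e for e in hits if not e.get("isDeleted")]
    if len(live) > 1:
        out["status"] = "ambiguous"          # more than one account: do not guess
    elif not live:
        out["status"] = "deleted" if hits else "not_found"
    else:
        user = live[0]
        out.update(status="found", title=user.get("title"), mail=user.get("mail"),
                   pwd_last_set=filetime_to_utc(user.get("pwdLastSet")))
        # Resolve the manager DN to basic details about the manager.
        mgr = next((e for e in directory if e["dn"] == user.get("manager")), None)
        if mgr:
            out["manager"] = {k: mgr.get(k) for k in ("cn", "title", "mail")}
        if out["pwd_last_set"] is None:      # hypothetical special-case rule
            out["special_cases"].append("password_unset")
    return out

def removed_outputs(published, candidate):
    """Output names an update would delete; empty means the change is additive."""
    return sorted(set(published) - set(candidate))
```
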

Two things I noticed, but they are not stoppers.

  1. The further down a Snippet I go, the more I see the original Inputs repeating when selecting a variable. I always search variables when putting them in, but I noticed this list growing.
  2. I found out you cannot have a Snippet in a Snippet. Is this a planned feature, or are there technical reasons this isn’t allowed?

If anyone runs into an issue with deleting joins or when modifying the path before a join and it breaks the join with an error that it cannot find an input GUID, my workaround is using the manage steps and copying everything before, then deleting everything before and including the join, then pasting in the copied steps. Then you can add back the join the way you want it.
This has worked on multiple cases. The only gotcha is to make sure you know what any join output variables are for this join and any join that you recreated before, and the same with any Decision defaults, because these do not copy over.

Thanks for all of the feedback! We are looking into the input duplication issue. Allowing a Snippet inside a Snippet is not currently planned on our roadmap due to technical complications. If the join step deletion issue continues to be a problem for you, it would be great if you could open a support ticket with more information about your specific use case so we can easily duplicate the issue. We appreciate the detail on your user enrichment use case - we’d love to support more pre-built snippets in the future.

Thanks, I’ll open a support ticket just so they are aware of the issue. It hasn’t stopped me from doing anything yet. I know that you cannot delete a decision step that has a join later on, so this works for those scenarios as well.