I have one question that may sound stupid:
Can I create an alert trigger so that when the antivirus generates an alert on a particular asset, the orchestrator just quarantines that asset?
I only saw quarantine via CB-Response in the workflow, and not via the R7 Agent.
In this case, can I make it work without using InsightConnect?
Automated quarantine without any human interaction is not possible with just IDR today; you would require InsightConnect to build this workflow. See here for the InsightConnect plugin: Rapid7 Extensions
Thank you for your reply. Since there was no mention of the R7 Agent, I just wanted to be sure.
If any ICON PMs are reading this, can we get ABA triggers for the Insight Agent and workflows? You currently can’t trigger on ABA alerts, only UBA!
@ben_cuthbert thanks for the feedback. You’re right, today we support UBA and Custom Alerts. However, we have plans and will be adding ABA support soon; it’s a much-anticipated feature that we would like to support by EOY.
@davide_piccolo1 You can do this with InsightConnect as mentioned using the InsightAgent plugin. We also have a few pre-built workflows to quarantine with the Agent too: Rapid7 Extensions
@ben_cuthbert Jon’s spot on! In fact, the team is currently digging into phase 1 scope. We’d love to talk to you more in-depth about your needs and use cases. Are you interested?
Hey @gwen_betts_idr yes please! I don’t know if there’s the concept of a private message here, but if so shoot me a message and I’ll bring my devops guys along too.
@ben_cuthbert We don’t have DMs but our Senior Manager of User Experience should be reaching out to you via email soon (if she hasn’t already!).