I have one question that may sound stupid:
Can I create an alert trigger so that when the antivirus generates an alert on a particular asset, the orchestrator just quarantines that asset?
I only saw quarantine via CB-Response in the workflow, and not via the R7 Agent.
In this case, can I make it work without using InsightConnect?
Automated quarantine without any human interaction is not possible with just IDR today; you would require InsightConnect to build this workflow. See here for the InsightConnect plugin: Rapid7 Extensions
@ben_cuthbert thanks for the feedback. You’re right, today we support UBA and Custom Alerts. However, we have plans and will be adding ABA support soon; it’s a much-anticipated feature that we would like to support by EOY.
@davide_piccolo1 You can do this with InsightConnect, as mentioned, using the InsightAgent plugin. We also have a few pre-built workflows to quarantine with the Agent: Rapid7 Extensions
@ben_cuthbert Jon’s spot on! In fact, the team is currently digging into the phase 1 scope. We’d love to talk to you more in depth about your needs and use cases. Are you interested?
Hey @gwen_betts_idr, yes please! I don’t know if there’s the concept of a private message here, but if so, shoot me a message and I’ll bring my DevOps guys along too.