I have a workflow triggered by IDR ABA and I want to prompt the user for custom input.
I haven’t found a way to do that yet. I’m hoping someone else has discovered a way to do this.
My workflow is an incident response playbook and I want to basically just prompt for text so hashes, IPs, and domains can be added in the workflow and dumped into a Jira ticket.
Are you getting the additional IOCs outside of Rapid7 / Plugins? If so, you would need to have a secondary workflow that took those IOCs and added them to the Jira ticket. If they are coming from Rapid7 / Plugins they could possibly be added to the ticket during its creation within the workflow.
Yes, IOCs could be outside Rapid7 plugins.
For a secondary workflow, how would that work?
Could I trigger the secondary workflow from the primary workflow?
Let me see if I can build out an example workflow to illustrate how it would work, easiest way to trigger would be via chat command from Slack/Teams that way you could add the IOCs to the trigger command.
1 Like
Been playing around with this and came up with a simple Teams triggered workflow that can be used to add IOCs as a comment to any Jira issue.
- Create a Teams step at the END of your Jira ticket creation workflow that has your command and ticket id to trigger the second workflow.
Example Message:
- Create a workflow that has a Teams trigger looking for your trigger message, and adds comments to a Jira file.
Example Trigger Message
- In that workflow use an artifact to gather all IOCs from the Teams message into a single string.
Example Artifact
- Use the 2nd word in the Teams message as the Jira ID
{{["Trigger - 1"].[message].[words].[1]}} - Use the artifact content as the comment.
{{["IOCTemplate"].[content]}}
Example Jira Comment
- Create a Teams confirmation message after Jira update.
1 Like
I have an enhancement request that would allow the user to comment on a Human Decision.
There are multiple use cases for this that I think would also work for you.
2 Likes
That is great, I’ll give that a try.
Currently, my Teams plugin seems to be broken, so once I get that working again, I’ll give this a try.
1 Like
Great, let me know if you need anymore help.
I created a case to get some help getting Teams working again.
I’m still trying to get the Team plugin working again.
It worked great until a couple months ago.
I have a case open, but we haven’t gotten this working yet.
I’ve deleted all of my Teams workflows and deleted the plugin connection.
I’ve recreated the connection and recreated the workflow using the latest plugin version.
Teams is still broken for me. Running the Test is successful, my workflows just don’t ever run.
What is your pseudo workflow that isn’t working?
Are you posting a message to Teams and the user responds?
Does the Post to Teams work?
Are you responding in a thread?
Is your response kicking off a new Workflow or are you trying to continue a paused one?
I was able to get Teams working again with some help.Teams Integration Broken
We had removed a license about a year ago and integration decided to stop working about a month ago.
Not sure why it didn’t break before, but now I’m back on track and will try out the solution you suggested.
Just a quick update. I’ve been reworking my workflow to utilize Teams a lot more to prompt the user for each step of the incident response playbook. The way you outlined adding IOCs works great too.
Is there a way to trigger off replies within a Teams thread?
Right now it appears Connect can only trigger off a New Conversation.
Not with the current version