(Remotely) Escalate User Containment with InsightIDR and Slack

In the spirit of working from home, I wanted to share one way to make daily operations more remote-friendly by combining two Insight offerings, InsightIDR & InsightConnect :computer:!

How to (Remotely) Escalate User Containment with InsightIDR and Slack

Today’s reality is a new adjustment for most of the working world and we’re all doing the best that we can. This workflow demonstrates how to scale your team's operations by posting alerts to your Slack workspace for true orchestration between your toolsets.

The Slack integration includes the ability to post interactive messages to dedicated team members, groups, or users associated to suspicious activity.

I’m going to walk through how to transform the built-in Disable User workflow to include the InsightConnect Slack Chatops features.

Let’s begin within InsightIDR

  1. First, let's start by jumping over to the Automation tab in InsightIDR

  2. Click on the Create a Workflow from Template option in the upper right corner

  3. Select Containment Workflows, then the Disable User template

  4. Name your new template and remember the name for later; we will continue editing this workflow within InsightConnect.

  5. WARNING: Active Directory credentials will be required; continue through the configuration wizard until your workflow template is complete.

Time to move on to InsightConnect!

  1. First, let's make sure to install and configure the Rapid7 InsightConnect App in your Slack workspace (see the Slack Configuration Guide)

  2. Once your Slack admin has approved the app and the workspace is configured in InsightConnect, continue by navigating to the Workflow tab and finding your workflow template.

  3. Click the edit button in the upper right corner of the workflow builder canvas, then, once in edit mode, click on the Users Loop.

  4. Click the trash can icon next to the Disable User Human Decision Step to delete it

    • Confirm the Keep Path 2: Yes option

  5. Configure the Slack User Response Prompt by selecting the + above the Disable User Step with Active Directory and choosing the Chatops option in the Workflow Builder menu.

    • Select the workspace the bot will be active within

    • Select Post Interactive Message action

    • Configure the step name and the #channel or @person you would like the bot to post the prompt to.

    • In the "Message"* variable, enter "How would you like to respond?".

    • In the "Response Question"* variable, click the blue + and select the {{[“Disable User Artifact?”].[content]}} variable.

    • Configure a Disable User button that maps to the Disable User action, and a Dismiss Alert button.
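As an added illustration (not InsightConnect's own code or API), here is the approval gate configured above modelled in Python: the Block Kit payload the Post Interactive Message step sends, carrying the "Message" text, the artifact content and the two buttons, and the decision logic that lets the Active Directory disable step run only when an analyst explicitly clicks Disable User. The channel name, artifact text and button identifiers are constructed sample values.

```python
PROMPT_TEXT = "How would you like to respond?"  # the "Message" variable in the tutorial
BUTTONS = {"disable_user": "Disable User", "dismiss_alert": "Dismiss Alert"}


def build_prompt(artifact_content: str, channel: str) -> dict:
    """Slack chat.postMessage payload (Block Kit) for the Post Interactive Message step.
    artifact_content stands in for the {{["Disable User Artifact?"].[content]}} variable."""
    elements = []
    for action_id, label in BUTTONS.items():
        button = {"type": "button", "action_id": action_id, "value": action_id,
                  "text": {"type": "plain_text", "text": label}}
        if action_id == "disable_user":
            button["style"] = "danger"  # make the destructive choice visually distinct
        elements.append(button)
    return {
        "channel": channel,
        "text": PROMPT_TEXT,  # plain-text fallback shown in notifications
        "blocks": [
            {"type": "section",
             "text": {"type": "mrkdwn", "text": f"*{PROMPT_TEXT}*\n{artifact_content}"}},
            {"type": "actions", "elements": elements},
        ],
    }


def decide(interaction: dict) -> str:
    """Map a Slack block_actions callback to the workflow path to take."""
    if interaction.get("type") != "block_actions":
        raise ValueError("not a block_actions interaction")
    chosen = {a.get("action_id") for a in interaction.get("actions", [])}
    if "disable_user" in chosen:
        return "disable_user"
    if "dismiss_alert" in chosen:
        return "dismiss"
    raise ValueError("no recognised button in interaction")


def run_users_loop(artifacts: dict, responses: dict) -> list:
    """Simulate the Users Loop: one prompt per user, disable only on explicit approval.
    artifacts: user -> artifact text (constructed); responses: user -> Slack callback."""
    disabled = []
    for user, artifact in artifacts.items():
        build_prompt(artifact, "#soc-escalations")  # would be posted to Slack here
        if decide(responses[user]) == "disable_user":
            disabled.append(user)  # the Active Directory disable step would run here
    return disabled
```

Anything that is not a recognised button click raises rather than falling through, so a malformed or unexpected callback can never reach the disable step.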

:tada: CONGRATULATIONS! :tada:

You have completed the How to (Remotely) Escalate User Containment with InsightIDR and Slack tutorial! Now, you have a workflow that will escalate InsightIDR Alerts to Slack before disabling the associated user within Active Directory.

Skills Learned

  • How to configure InsightIDR Workflow Template
  • How to configure Slack Response Prompt

Continue Learning

  • How to create an Alert Trigger for automated execution of workflows from InsightIDR Alerts
  • How to create a Slack thread with InsightConnect

:wave: We Want To Hear From You :wave:

Like, Share, or Comment to give the Rapid7 team feedback on how we can continue to help!
