Stick Figures to Starry Night: Using Action Steps

Workflows are automated procedures executed by InsightConnect. I am sure you already know that. They essentially mimic the manual process. But how do you know what actions to take? There is a ton of functionality within the Extension Library: plugins, which are utilities that increase the capabilities of your workflow, and connections, which are the credential-based parameters plugins use to authenticate to APIs and other supported integrations. How can you turn a blank canvas into a Monet or Van Gogh? (I'm into Impressionism and Post-Impressionism.)

As a security practitioner, I am very keen on making sure there is a playbook for almost everything. A playbook is a step-by-step guide to a process that must be performed consistently and uniformly every time (e.g., responding to a phishing email, processing a newly onboarded employee, building a new server securely). As an incident responder, I can't do my job effectively without a plan or playbook. These playbooks are essentially a series of tasks I need to take to resolve an issue. I feel like I am building this up a bit. Let's get to how to leverage those tasks within InsightConnect, which we call "Action Steps."

Before I start a workflow, I look at all the actions I, or my team, take and see which ones are taking up the majority of our time. I then use that playbook to determine which actions can be automated (hopefully all of them). Using a playbook that has already been written, tested and consistently used as the basis of a workflow is an excellent start. If you don't have a written playbook to use, that's okay! Think of something that you and your team do on a consistent basis (daily, hourly, even weekly). Write those tasks down and work out how each one needs to be completed. Once the action steps are determined, set your trigger (great post on that here), then select the plus sign to choose the type of step you want (we're talking about action steps, so pick that one).

(Screenshot: Trigger)

Select the plus sign to add a step after the Trigger.

(Screenshot: Action)

Select Action.

(Screenshot: plugin)

Select your desired plugin, tool, or connection you have set up. For instance, let's say I want to get additional info from a phishing email. I'm going to select the ExtractIt plugin so I can extract that data. What can make this easier is setting your tool stack up through the Tech Stack Wizard (here's how). It will populate the list with all of the tools you have added.

(Screenshot: domain-extractor)

Select the action you want this step to take. I want to extract the domains from the email, so I am going to use the Domain Extractor action from ExtractIt.

(Screenshot: cloud)

You can keep your head in the cloud, as well as certain action steps, by running them on the Rapid7 Cloud! Or you can use your own on-premises Orchestrator. Choose the Orchestrator for plugins that need to reach systems inside your own network.

(Screenshot: parameters)

Put in the parameters your action step needs to run. Name the action. Fill in its input strings: I pointed the input at the trigger output. The trigger is what this workflow listens for, so if the trigger is an email, the email body is the input for this action step. The output of the step is then the list of domains found in the email that set off the trigger (pick the URL Extractor action instead if you want the full URLs). Finally, you can edit your output. It is in Markdown, so you can edit it however you like. I left mine as is. Make sure you save the step!

(Screenshot: boom)

Boom! You created your action step!

You can chain a bunch of action steps together in a workflow. For instance, if I wanted an action step that sends me a Slack message with all of the URLs extracted from the phishing email, I would follow the same process we did for ExtractIt above, but with the Slack plugin, using the ExtractIt step's output as the message's input.
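To make the data flow between those steps concrete, here is an added example (written for this page, not InsightConnect or ExtractIt plugin code) that mimics the three steps locally in plain Python: an email trigger, an ExtractIt-style URL/domain extraction step, and a Slack-style message step. The sample email, the function names and the message layout are all constructed for illustration; a real Slack step would post the resulting payload through the Slack plugin's connection.

```python
"""Local stand-in for: email trigger -> ExtractIt-style extraction -> Slack-style message.
Added example, not InsightConnect or plugin code."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample phishing email (not a real message; all names are made up).
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: alice@example-corp.com
Subject: Action required: password expires today
Content-Type: text/plain; charset=utf-8

Your password expires in 2 hours. Reset it now at
https://login.example-corp.com.evil-site.test/reset?user=alice
or contact us via mailto:helpdesk@example-corp.com.
Backup link: http://198.51.100.23/owa/auth
Reference: hxxps://cdn.evil-site.test/logo.png
"""

# Matches live (http/https) and already-defanged (hxxp/hxxps) URLs.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>'\"]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def trigger_email_body(raw: str) -> str:
    """Trigger step: parse the raw message and hand its text body to the next step."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body else ""


def refang(url: str) -> str:
    """hxxp(s):// -> http(s):// so indicators normalise to one form."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def defang(url: str) -> str:
    """http(s):// -> hxxp(s):// so nobody clicks the link from the chat message."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def extract_urls(text: str) -> list:
    """Extraction step (URL flavour): refanged, trailing punctuation stripped, de-duplicated."""
    found = []
    for match in URL_RE.finditer(text):
        url = refang(match.group(0).rstrip(".,;)"))
        if url not in found:
            found.append(url)
    return found


def extract_domains(text: str) -> list:
    """Extraction step (domain flavour): hostnames of the URLs found; bare IPs are skipped."""
    domains = []
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host and not IPV4_RE.fullmatch(host) and host not in domains:
            domains.append(host)
    return domains


def build_slack_message(subject: str, urls: list, domains: list) -> dict:
    """Notification step: Markdown-style text with every indicator defanged."""
    lines = [f"*Phishing report: {subject}*", f"URLs ({len(urls)}):"]
    lines += [f"- `{defang(u)}`" for u in urls]
    lines.append(f"Domains ({len(domains)}):")
    lines += [f"- `{d}`" for d in domains]
    return {"text": "\n".join(lines)}


def run_workflow(raw: str) -> dict:
    """Chain the steps the way the workflow does: each step's output feeds the next."""
    subject = email.message_from_string(raw, policy=policy.default)["subject"]
    body = trigger_email_body(raw)
    return build_slack_message(subject, extract_urls(body), extract_domains(body))


if __name__ == "__main__":
    print(run_workflow(SAMPLE_EMAIL)["text"])
```

Two points worth noticing: the input to the extraction step is the trigger's output (the email body), not the raw message with headers, and the notification step defangs everything it forwards so the Slack message does not become a second phishing lure for whoever reads the channel.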

There are a ton of plugins to choose from (323 InsightConnect-related plugins at the time of this writing, and growing). This is where your playbooks and the processes you and your team use on a frequent basis come in handy. Identify the first action needed after the trigger. Do you need more investigation data from a phishing email? Check out ExtractIt, which can extract domains, URLs, IP addresses, and much more. What about grabbing the hash value of a file with HashIt? The choice can get daunting, but by using your existing playbooks you can make creating action steps much easier.

Finally, here are some ideas to get you started if you have InsightVM or InsightIDR:

  1. Suspicious User Login with IDR and Slack Chatops
  2. Forward Alerts from InsightIDR to Slack
  3. Add Asset Criticality Tag with InsightVM from Slack
  4. Alert on New Unknown Assets Discovered by InsightVM with Slack

Here are some things to think about:

  • Use existing processes and written playbooks to create your workflows.
  • Find plugins that match your tech stack.
  • If there is a plugin and action that can increase the effectiveness of your playbook, use it! Just be sure to update your playbook.
  • If you have built a new workflow, write it into a playbook. If something were to happen and you lost your automation capabilities, you will need a backup.
  • Have fun with the plugins! There are so many that can help you increase the effectiveness of your workflows.

Here’s to the next Monet of workflows.
