Think Fast! Using Decision Steps in InsightConnect

Some sources estimate the average adult makes over 35,000 decisions each day. For a SOC analyst, that number is probably a lot higher!

When navigating daily security tasks, many of these decisions likely involve consolidating information from various sources to inform an outcome. “Based on the results from my analysis tools, should I block this suspicious email address?” “I’ve received a User Behavior Analytics (UBA) alert that someone has logged in from an unknown location. Should I disable this user’s account?”

While InsightConnect probably can’t help you decide what to eat for breakfast, automating processes using decision steps can streamline some of those information-based security decisions you might make on a daily basis.

What is a decision step and when should I use it?

Think about a manual security process you might perform every day - say, triaging suspicious login alerts. Think about the end result of that process. Are there multiple possible outcomes? If so, you probably need a decision step!

In a workflow, decision steps create branches from the main path based on parameters you set. Decisions can be fully automated or human-dependent.

Human decisions

Are you worried about your workflow automatically running a potentially destructive action based on a decision made earlier? Add in a human decision step!

Human decision steps pause the workflow during execution and require a human to manually choose a response path. By default, human decisions are executed on the “Jobs” page, where the job will be paused until a user provides human input. You can configure a human decision to execute in other integrations, like in Slack. Additionally, you can configure timeout settings or choose to include artifacts in your decision to provide context!

Automated decisions

Do not pass go, do not collect $200. Automated decisions do not pause your workflow execution - instead, the step analyzes inputs from previous steps and determines which configured branch to follow automatically.

To properly configure an automated decision step, use conditional logic to create branching workflow paths. Both automated decisions and filters use Format Query Language to generate queries and control the flow of a workflow.

Setting up both human and automated decisions can be super simple - let’s look at an example of both used in a workflow!

Prebuilt workflows with decisions

This Asset Management workflow uses both an automated decision and a human decision to delete inactive assets from InsightVM, driven from Microsoft Teams.

The workflow kicks off by listening for a !delete inactive assets command from your instance of Teams. It then calls your instance of InsightVM, gets the hostnames of any inactive assets you may have, and lists them in an artifact card.

[Screenshot: the artifact card listing inactive asset hostnames]

At this point, we reach an automated decision point. There are two possible outcomes:

  1. There were no inactive assets, so the workflow ends.
  2. There were inactive assets, in which case the workflow continues on.

We’re using an automated decision here because neither outcome results in a destructive action but instead relies on previous input to determine the correct path.

The configuration of the automated decision step is shown below. Format Query Language is used here to ask whether the asset count within the Get Hostnames loop is defined (i.e., greater than 0).

[Screenshot: automated decision step configuration]

If inactive assets were found, the workflow continues on. It posts all of the inactive assets in a Teams message back to the end user. We then arrive at a human decision point. There are two possible outcomes:

  1. The inactive assets should not be deleted.
  2. The inactive assets should be deleted.

Here, we’re using a human decision step because deleting assets in InsightVM is a potentially destructive action and we want to double check with human eyes.

The configuration of the human decision step is shown below. In this case, there is a time limit of 2 hours for a human to make the decision to delete or save the assets. If the decision is not made in time, the workflow will automatically take the default path of “No” (do not delete the assets). There is also an option to send an email notification with the decision every time the workflow generates a job.

[Screenshot: human decision step configuration]
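To make the two branching points concrete, here is a small Python model of the workflow above, written for this post as an added illustration; it is not InsightConnect code or Format Query Language, and the hostnames and responses in it are constructed. The point it demonstrates is that the destructive step is only reachable through an explicit human “Yes”, while a missing or ambiguous answer (the 2-hour timeout) falls through to the default “No”.

```python
"""Constructed model of the InsightVM inactive-asset workflow's decision steps."""
from dataclasses import dataclass, field
from typing import List, Optional

HUMAN_TIMEOUT_HOURS = 2  # the 2-hour limit described in the post


@dataclass
class Outcome:
    branch: str                      # which decision branch the workflow took
    deleted: List[str]               # hostnames handed to the delete step
    log: List[str] = field(default_factory=list)


def automated_decision(hostnames: List[str]) -> bool:
    """Automated step: the equivalent of asking whether the asset count from the
    Get Hostnames loop is defined / greater than 0. Nothing pauses here; the branch
    is chosen purely from the previous step's output."""
    return len(hostnames) > 0


def human_decision(response: Optional[str]) -> str:
    """Human step: `response` is the analyst's answer, or None if the 2-hour
    timeout expired with no answer. Only an explicit "Yes" approves deletion;
    None (timeout) or anything else takes the default path "No"."""
    if response is None:
        return "No"  # timed out: default branch, nothing is deleted
    return "Yes" if response == "Yes" else "No"


def run_workflow(hostnames: List[str], response: Optional[str]) -> Outcome:
    """Drive the workflow end to end (constructed stand-in for the real steps)."""
    log = []
    if not automated_decision(hostnames):
        log.append("no inactive assets found; workflow ends")
        return Outcome("no_assets", [], log)
    log.append(f"posted {len(hostnames)} inactive asset(s) to Teams for review")
    if human_decision(response) == "Yes":
        log.append("human approved deletion; calling InsightVM delete step")
        return Outcome("delete", list(hostnames), log)
    log.append("deletion declined or timed out; assets kept")
    return Outcome("keep", [], log)


if __name__ == "__main__":
    # Constructed sample: two stale hostnames, analyst never answers in time.
    print(run_workflow(["stale-host-01", "stale-host-02"], None))
```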

Hopefully this post helps you effectively decide between human and automated decision steps when building out your workflows! Let us know if you have any feedback or questions.