UBA / ABA Workflows Triggered via IDR Alerts

With the upcoming release of ABA-triggered workflows and the existing UBA-triggered workflows within InsightConnect and InsightIDR, we wanted to develop a process that could be used as a guide to build workflows based on these types of alerts. This diagram illustrates a high-level overview of an end-to-end process, taking into account the Investigative phase, Containment phase, and Reporting phase of remediating a security event.

The goal with this is to show what can be done with InsightConnect and to help generate ideas on how to automate your investigative processes with IDR alerts and Connect. If you have any questions or comments, please feel free to add them.

Workflow Design Flow (2).pdf (2.0 MB)

3 Likes

Looks great! I have one question about the ABA alert trigger, though. I have several workflows that use the UBA trigger. For example, one workflow uses the UBA trigger and creates an issue in Jira for documentation. Do I need to create the exact same workflow using the ABA trigger in order to get the information that exists in the ABA alert?

2 Likes

They will be different triggers, so you would need separate workflows to handle each type of alert. If the workflows have the same steps with a different trigger, you can export/import the workflow and replace the trigger with the new trigger, duplicating the workflow that way.
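Since the UBA and ABA triggers differ but the downstream steps (such as the Jira issue from the question above) are usually the same, one way to keep the duplicated workflows from drifting apart is to put a small normalization step right after each trigger and share everything after it. The following is an added example, not code from the original thread or from Rapid7; the UBA and ABA payloads are constructed for illustration and every field name in them, as well as the shape of the Jira issue dictionary, is an assumption, not the real InsightIDR trigger output or the real Jira step input. Check the actual field names in the trigger's test output before mapping them.

```python
"""Normalize UBA and ABA alert payloads into one record and build a Jira issue from it.

Added example (not Rapid7 code). All field names below are assumptions used to show the
technique; replace FIELD_MAPS with the real trigger output keys from your workflow.
"""
from dataclasses import dataclass, field

# Constructed sample payloads (hypothetical schema, not the real InsightIDR output).
SAMPLE_UBA_ALERT = {
    "alert_type": "Multiple Country Authentications",
    "alert_rrn": "rrn:uba:us:00000000-0000-0000-0000-000000000001",
    "user": "jdoe",
    "source_asset": "LAPTOP-01",
    "severity": "high",
    "countries": ["US", "DE"],
}

SAMPLE_ABA_ALERT = {
    "rule_name": "Attacker Technique - Suspicious Scheduled Task",
    "alert_rrn": "rrn:aba:us:00000000-0000-0000-0000-000000000002",
    "user_name": "jdoe",
    "asset_name": "LAPTOP-01",
    "priority": "CRITICAL",
    "process_name": "schtasks.exe",
}


@dataclass
class NormalizedAlert:
    """Trigger-independent view of an alert that shared steps can consume."""
    source: str          # "UBA" or "ABA"
    title: str
    rrn: str
    user: str
    asset: str
    severity: str        # upper-cased so both sources compare the same way
    extra: dict = field(default_factory=dict)  # anything not in the map


# normalized field -> raw key, per trigger type (assumed names)
FIELD_MAPS = {
    "UBA": {"title": "alert_type", "rrn": "alert_rrn", "user": "user",
            "asset": "source_asset", "severity": "severity"},
    "ABA": {"title": "rule_name", "rrn": "alert_rrn", "user": "user_name",
            "asset": "asset_name", "severity": "priority"},
}

SEVERITY_TO_JIRA_PRIORITY = {
    "CRITICAL": "Highest", "HIGH": "High", "MEDIUM": "Medium", "LOW": "Low",
}


def normalize(raw: dict, source: str) -> NormalizedAlert:
    """Map a raw trigger payload into a NormalizedAlert; fail loudly on missing keys."""
    if source not in FIELD_MAPS:
        raise ValueError(f"unknown alert source {source!r}")
    mapping = FIELD_MAPS[source]
    missing = [key for key in mapping.values() if key not in raw]
    if missing:
        # A renamed field in a trigger update should stop the workflow, not
        # silently produce a Jira ticket with blank fields.
        raise KeyError(f"{source} alert is missing expected fields: {missing}")
    known = set(mapping.values())
    return NormalizedAlert(
        source=source,
        title=str(raw[mapping["title"]]),
        rrn=str(raw[mapping["rrn"]]),
        user=str(raw[mapping["user"]]),
        asset=str(raw[mapping["asset"]]),
        severity=str(raw[mapping["severity"]]).upper(),
        extra={k: v for k, v in raw.items() if k not in known},
    )


def build_jira_issue(alert: NormalizedAlert, project_key: str = "SEC") -> dict:
    """Build a fields dictionary for a 'create issue' step (shape is assumed)."""
    description = [
        f"Source: InsightIDR {alert.source} alert",
        f"RRN: {alert.rrn}",
        f"User: {alert.user}",
        f"Asset: {alert.asset}",
    ]
    # Carry source-specific context through so the analyst does not lose it.
    for key, value in sorted(alert.extra.items()):
        description.append(f"{key}: {value}")
    return {
        "project": {"key": project_key},
        "issuetype": {"name": "Task"},
        "summary": f"[{alert.source}] {alert.title} - {alert.user}@{alert.asset}",
        "priority": {"name": SEVERITY_TO_JIRA_PRIORITY.get(alert.severity, "Medium")},
        "description": "\n".join(description),
        "labels": ["insightidr", alert.source.lower()],
    }


if __name__ == "__main__":
    for raw, source in ((SAMPLE_UBA_ALERT, "UBA"), (SAMPLE_ABA_ALERT, "ABA")):
        print(build_jira_issue(normalize(raw, source))["summary"])
```

With this layout the two workflows differ only in the trigger and the `FIELD_MAPS` entry they select; the export/import and trigger swap described above then only needs the source label changed, and a missing field raises rather than creating a half-empty ticket.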

This is excellent! The one issue I am having (and maybe it's just my methodology) is that I cannot execute a workflow from the IDR investigation interface for an ABA alert as I can for a UBA alert. I tend to do that when testing my workflows to see how the workflow interacts with the data from an investigation, but right now it seems I am restricted to using only the Test Workflow button and manually entering the workflow data. Am I missing something, or is that just the way it is for now with ABA alerts?

1 Like

When you are configuring ABA workflows, are you adding the detection rules for the trigger? If you don't, it won't be selectable in IDR as an option for those alerts; I missed that step myself when I was first setting up ABA workflows.

[Screenshot: Screen Shot 2022-08-01 at 1.28.52 PM]
[Screenshot: Screen Shot 2022-08-01 at 1.30.13 PM]

Yeah, I have the workflow configured with the detection rule, with an extremely basic workflow.

[image attachment]
[image attachment]

I took that particular alert to test since it is generally relatively easy to analyze and happens fairly rarely. Unfortunately, since it rarely happens, it's not triggering =). My normal troubleshooting routine is to go to the investigation (closed or open) and click "Take Action" in the upper right, but that method doesn't bring up the ABA workflow. It looks like this is intentional, at least for now. I will probably just choose a more common alert to do my initial testing.

1 Like