Want to trigger custom workflow from Virus Alert in IDR

I want to examine additional information in the Virus Alert trigger to see if the threat was successfully removed and also pull out the name of the threat.

This would allow me to add a decision to perform some basic actions if the threat removal succeeded, or take additional actions if the threat removal failed.

Here is an example of an alert when the threat removal succeeded.
The virus PUA:Win32/Presenoker was detected at file:C:\Users\xxxxxxxx\Downloads\pijyrtyfp.exe on WorkstationName.MyDomain.local at Apr 8, 2021 11:37:24 AM. Remove failed with error 0x00000000 The operation completed successfully.

Hi Aaron,

In order to do this, the first step is to create a Custom Alert with an ICON Workflow (see Custom Alerts & InsightConnect workflows | InsightIDR Documentation) as the notification type. Once this has been completed, you will be able to leverage the contents of the log line to perform a decision on the automated action.

David
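As an added example (not from either poster, and not InsightConnect's own code), here is the log-line parsing and decision step that the question asks for and the reply describes: it pulls the threat name, file path, host, timestamp and error code out of an alert in the format shown above and picks a workflow branch. It assumes the alert text keeps that layout, and that removal success is decided by the error code being 0x00000000 rather than by the verb in the sentence, since the question's own successful example reads "Remove failed with error 0x00000000 ... completed successfully"; the second sample alert and its error code are constructed for the failure branch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample alert, copied from the format shown in the question.
SAMPLE_ALERT = (
    "The virus PUA:Win32/Presenoker was detected at "
    "file:C:\\Users\\xxxxxxxx\\Downloads\\pijyrtyfp.exe on "
    "WorkstationName.MyDomain.local at Apr 8, 2021 11:37:24 AM. "
    "Remove failed with error 0x00000000 The operation completed successfully."
)
# Constructed sample for the failure branch: same layout, non-zero error code.
SAMPLE_FAILED = (
    "The virus Example:Win32/Sample was detected at "
    "file:C:\\Temp\\bad.exe on Host2.MyDomain.local at Apr 8, 2021 11:40:00 AM. "
    "Remove failed with error 0x80508023 The program could not find the malware."
)

# Path is matched non-greedily so paths containing spaces still work;
# the action word ("Remove") is not hard-coded in case other actions appear.
ALERT_RE = re.compile(
    r"The virus (?P<threat>\S+) was detected at file:(?P<path>.+?) "
    r"on (?P<host>\S+) at (?P<when>.+?)\. "
    r"(?P<action>\w+) (?P<verb>\w+) with error (?P<code>0x[0-9A-Fa-f]+)"
    r"(?: (?P<detail>.*?))?\.?$"
)

@dataclass
class VirusAlert:
    threat: str
    path: str
    host: str
    detected_at: str
    error_code: int
    detail: str

    @property
    def removal_succeeded(self) -> bool:
        # Assumption: 0x00000000 means success regardless of the verb used.
        return self.error_code == 0

def parse_virus_alert(text: str) -> Optional[VirusAlert]:
    """Extract the fields from one alert line; None if the layout differs."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    return VirusAlert(m["threat"], m["path"], m["host"], m["when"],
                      int(m["code"], 16), m["detail"] or "")

def decide_action(text: str) -> str:
    """Workflow branch: 'close' on success, 'escalate' on failure,
    'manual_review' when the alert text does not match the expected format."""
    alert = parse_virus_alert(text)
    if alert is None:
        return "manual_review"
    return "close" if alert.removal_succeeded else "escalate"
```

In an InsightConnect workflow the same three branches would hang off a Decision step fed by a Python script step that returns `decide_action(alert_text)` plus the parsed fields.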