There are a lot of possibilities in the realm of security and automation, and a lot of different technologies to pair with it. With that in mind, I thought it’d be nice to have a place where we can share how we’ve been using InsightConnect in our environments. So in short, what have you automated so far? What kinds of tools are you using most often in your workflows?
Alternatively, if you’re looking for inspiration on what to automate next, post your questions/ideas here and we can help figure out the best way to make it happen.
We use workflows internally in several different places. One team uses them to triage and respond to incoming alerts from InsightIDR. We also have a few Jira-related workflows to make life easier. One of them posts reminder messages to Slack for a particular type of ticket. Another allows you to super easily query and update Jira tickets from Slack.
So, back to the original question - what have you automated so far? Or what are you looking to automate next? (Side note, if you share here there may also be a shiny new badge in it for you.)
Some trivial AD Incident Response Actions
Blocking URLs in Proxy
Phishing Analysis & Remediation
Starting Content Searches
Not sure if ICON is part of the solution yet, but looking to do more around reporting / PowerBI.
Create Intelligence Parity across technology stack
Other intelligence-based use cases that vary by stakeholder.
Enhance phishing workflows to use other sandboxes that are at our disposal
There may be some opportunity around the R7 Open Data data set.
Hi Mauricio - We would love to have all the items you mentioned automated in our environment as well. Can you please share your experience with us, or is there a way to contact you directly?
Hi @ayele_sorri, most of our workflows are tailored to suit our needs specifically, so it depends on your data sources and your company stack.
I can give you some ideas on how to start for each workflow, but I believe your goal might be different from ours. Our idea was to automate investigation and reporting as much as we could; we use Slack for comms and Jira for issue tracking.
Phishing Analysis and response - We have Gmail/GWorkspace and every user reports suspicious emails to a dedicated inbox (Trigger). From there we use headers, links and attachments to report to our incident response team, who decide whether to act/reply or investigate more.
Basic AD user abnormal activity - We have Splunk as SIEM. AD activity is sent to Splunk, then alerts trigger a workflow in the SOAR which checks validity and also asks the user in Slack whether they ack the unusual activity; if there is no response, we step in.
AWS misconfiguration on SecGroups (mostly bothering the owner of the account) - We have a tailored solution to check SecGroups; if the SecGroup has * or 0.0.0.0/0, we start asking the owner of the account for reconfiguration or resolution. AWS SQS Trigger → Slack comms
AWS GuardDuty findings response - Similar to the above, except it goes first to us to check criticality. AWS SQS Trigger → Slack comms
IP Address enrichment - Basic enrichment workflow to investigate a particular IP address (against AbuseIPDB, WhoIs, IP Stack…) Slack request → Slack response
URL Analysis - Same as above, tailored to URLs (VirusTotal, Whois, etc…) Slack request → Slack response
Domain enrichment - Same as above, tailored for domains (Whois, ThreatCrowd, domain score, etc…) Slack request → Slack response
Hope this was helpful for you and others!
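As an added example of the SecGroup check described in the post above (not the poster's workflow and not Rapid7 code), this flags security-group rules open to the whole internet over a constructed payload shaped like EC2 DescribeSecurityGroups output, so it runs offline without boto3. The allow-listed public ports are an assumption.

```python
# Added example: flag security-group rules reachable from anywhere
# ("*", 0.0.0.0/0 or ::/0). Runs offline over a constructed sample; the
# field names follow the EC2 DescribeSecurityGroups response shape.
import ipaddress

# Constructed sample data, not a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000example1", "OwnerId": "111111111111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000example2", "OwnerId": "222222222222", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Assumption: these single ports may be public (web); anything else is flagged.
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True for '*' or any CIDR with prefix length 0 (0.0.0.0/0, ::/0)."""
    if cidr.strip() == "*":
        return True
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_open_rules(groups, allow_ports=PUBLIC_OK_PORTS):
    """Return (group_id, owner_id, protocol, port_range, cidr) for every
    rule reachable from anywhere on a port outside allow_ports."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            all_ports = proto == "-1" or lo is None  # "-1" means all traffic
            if not all_ports and lo == hi and lo in allow_ports:
                continue  # allow-listed public port, e.g. 443/tcp
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    rng = "all" if all_ports else f"{lo}-{hi}"
                    findings.append((g["GroupId"], g["OwnerId"], proto, rng, cidr))
    return findings
```

Each finding carries the OwnerId, which is the field a Slack step would use to address the account owner as the post describes.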
Very useful summaries of your workflows!
I love seeing all these ideas and use cases being shared! Thank you all!
On a related note, we’re working towards opening up contributions to the Extension Library so that we can securely receive, review, document, and publish workflows contributed by our amazing InsightConnect customers. Stay tuned!
Thank you @mauricio_amaya for the summary of your workflows. We are using Rapid7 InsightIDR as SIEM and JIRA for the workflow of the alerts (or investigations). I always want to integrate automation into our work process for efficiency and effectiveness. Thanks again.
How did you go about setting up the admin activity alerting?
The actual alert comes from our SIEM usually in the form of an event code on the domain controller. We then use InsightConnect to do checks to see if a Change Control matches the activity and that there wasn’t other suspicious activity around the event. Alerts are then sent based on decision paths using different methods.
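The decision logic described in the reply above, as an added example (not the poster's InsightConnect workflow): a domain-controller event is matched against open change-control windows and against other flagged events by the same actor within a look-back window, and the outcome selects the notification path. The events, tickets and window size are constructed assumptions.

```python
# Added example: change-control match plus "anything else suspicious nearby"
# check for an AD admin-activity alert. All data below is constructed.
from datetime import datetime, timedelta

# Change-control windows: (actor, start, end, ticket). Constructed.
CHANGE_CONTROLS = [
    ("svc_admin", datetime(2023, 5, 1, 9, 0), datetime(2023, 5, 1, 12, 0), "CHG-0001"),
]
# Windows event IDs for account creation / group membership additions.
SUSPICIOUS_CODES = {4720, 4728, 4732, 4756}

# Recent DC events as the SIEM would forward them: (timestamp, actor, event_code).
RECENT_EVENTS = [
    (datetime(2023, 5, 1, 10, 5), "svc_admin", 4728),
    (datetime(2023, 5, 1, 14, 0), "jdoe", 4720),
    (datetime(2023, 5, 1, 14, 3), "jdoe", 4732),
    (datetime(2023, 5, 1, 14, 4), "jdoe", 4756),
]


def matching_change(actor, when, controls=CHANGE_CONTROLS):
    """Return the ticket id of a change window covering (actor, when), else None."""
    for who, start, end, ticket in controls:
        if who == actor and start <= when <= end:
            return ticket
    return None


def other_suspicious(actor, when, events=RECENT_EVENTS, window=timedelta(minutes=30)):
    """Count other flagged events by the same actor within +/- window."""
    return sum(1 for ts, who, code in events
               if who == actor and code in SUSPICIOUS_CODES
               and ts != when and abs(ts - when) <= window)


def decide(actor, when, code):
    """Decision path: 'close' (covered by a ticket, nothing else around),
    'notify' (no ticket but isolated), 'escalate' (clustered activity)."""
    ticket = matching_change(actor, when)
    others = other_suspicious(actor, when)
    if others >= 2:
        return "escalate"
    if ticket and others == 0:
        return "close"
    return "notify"
```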
Now that “Contribute an Extension” is live, how about contributing your favorite InsightConnect workflow to the community!
Off the top of my head…
Phishing Workflow (contributed to library)
TAP alert triage and response
UBA (Out of country logins / 3rd party vpn users) use global artifacts to make list and lookup users to respond
Azure AD actions
Add / Delete URLs from blocklist
Automove notification emails
Alert on specific vuln types being detected in IVM and take action to quarantine based on those alerts
Slack triggered search and purge of emails
TAP IDR event response actions
Any of these worth contributing back to the community?
Most of mine are specific to the way we do things that wouldn’t work for most people or I would
I have contributed some of them already. There are a few others that I think would be worth contributing; I just need to get them ready.
That’s great. And much appreciated. I think the community benefits a lot even from just seeing how others handle certain security processes/incidents, even if they don’t literally install the contributed workflow.