What have you automated so far?

Still early days for us with Insight Connect, but here are a few of the things I’m looking at:

  • Jira ticket updates to Teams channel. New tickets start a new conversation; for ticket updates, the Workflow attempts to update the existing Teams conversation. So that the Workflow knows which message to reply to, each message sent to Teams updates a Global Artifact which contains an Object with Jira Ticket ID and TeamsMessageID, which can then be read the next time the Workflow runs. If the reply-to-existing-conversation fails for any reason, the Workflow retries, but this time without the Thread ID.
  • DLP automation. Early days for this one, so it’s more of a concept at this point. Currently evaluating the M365 DLP event API vs. emails as a trigger. Automatic raising of Jira ticket and email chasing of users who trigger DLP alerts. If no adequate response is received, the Workflow will escalate to the user’s manager. Record stats for eventual presentation to senior management in a PowerBI dashboard. This has the potential to be a huge time-saver for us.
  • User enrichment. Work in progress. Query various sources, including internal data lake and Jira. With thousands of users, it’s handy to be able to quickly know who someone is, who their manager is (and who their manager’s manager is!), the city/timezone they work in, what department/division they belong to, what tickets they may have raised with the team in the past etc. While this information is available via various web UIs, it’s convenient to get it all delivered within a Teams Channel in response to a single !enrich-user <first last>.

I might be able to contribute the Teams-Jira Workflow in the future.

3 Likes
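The Jira-to-Teams threading pattern from the post above, as an added example in plain Python (not code from the original post or from InsightConnect). The global artifact is modelled as a dict mapping a Jira ticket ID to the Teams message ID of the conversation started for it; the Teams client is a stand-in that can be made to fail on thread replies so the retry-without-thread-ID fallback can be exercised. Class and function names here are assumptions for illustration, not InsightConnect plugin APIs.

```python
"""Added example: Jira ticket events posted to Teams, threaded via a
'global artifact' that remembers which Teams message belongs to which
ticket. Names are illustrative assumptions, not InsightConnect APIs."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class ThreadReplyError(Exception):
    """Raised when replying to an existing Teams thread fails."""


@dataclass
class FakeTeamsClient:
    """Stand-in for a Teams channel: stores posted messages and can be told
    that certain threads are no longer reachable."""
    messages: Dict[str, dict] = field(default_factory=dict)
    broken_threads: set = field(default_factory=set)
    _counter: int = 0

    def post(self, text: str, thread_id: Optional[str] = None) -> str:
        """Post a message; replying to an unknown or broken thread fails."""
        if thread_id is not None:
            if thread_id not in self.messages or thread_id in self.broken_threads:
                raise ThreadReplyError(f"cannot reply to {thread_id}")
        self._counter += 1
        msg_id = f"msg-{self._counter}"
        self.messages[msg_id] = {"text": text, "thread": thread_id}
        return msg_id


def post_ticket_event(artifact: Dict[str, str], teams: FakeTeamsClient,
                      ticket_id: str, summary: str, event: str) -> dict:
    """Post a Jira event to Teams, threading on the ticket's known conversation.

    artifact maps ticket ID -> Teams message ID of the conversation root and is
    updated in place whenever a new conversation is started. Returns a small
    result dict describing the outcome ('new', 'reply' or 'fallback')."""
    thread_id = artifact.get(ticket_id)
    text = f"[{ticket_id}] {event}: {summary}"
    outcome = "new"
    if thread_id is not None:
        try:
            msg_id = teams.post(text, thread_id=thread_id)
            return {"ticket": ticket_id, "message_id": msg_id, "outcome": "reply"}
        except ThreadReplyError:
            # Thread is gone or unreachable: retry as a fresh conversation.
            outcome = "fallback"
    msg_id = teams.post(text)
    artifact[ticket_id] = msg_id  # remember this conversation for the next run
    return {"ticket": ticket_id, "message_id": msg_id, "outcome": outcome}


if __name__ == "__main__":
    # Constructed walk-through: create, update, then update after the thread breaks.
    store: Dict[str, str] = {}
    client = FakeTeamsClient()
    print(post_ticket_event(store, client, "SEC-1", "Phishing report", "created"))
    print(post_ticket_event(store, client, "SEC-1", "Phishing report", "updated"))
    client.broken_threads.add(store["SEC-1"])
    print(post_ticket_event(store, client, "SEC-1", "Phishing report", "closed"))
```

The fallback deliberately overwrites the artifact entry with the new root message, so subsequent updates thread onto the replacement conversation rather than retrying the dead one every run.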

We have automated response for EDR alerts, phishing workflow, enabled paging for high severity alerts for a few platforms and many ad-hoc commands using the Microsoft Teams trigger.

1 Like

I look forward to seeing some of them get published!

Hey Brandon, would be interested to hear about what you are doing for user Offboarding. Is this simply disabling/resetting accounts in the event of an IR?

I’ve heard of people using InsightConnect to offboard and onboard users, but haven’t actually seen this in action.

We don’t do full offboarding for standard terms.
We have an IR workflow for emergency Terms where severance of connectivity needs to be immediate.
For standard terms we are responsible for the systems we manage.
The steps in our workflow are unique to the systems we manage, but some of the things we do are un-assign a user’s license, remove the user from a security group, or clean up a SAML-provisioned or local account.
Some of these are done directly with a plugin, some use the HTTP Request plugin to call a RESTful API, and for others I had to write custom shell or Tcl scripts, run via the SSH or PowerShell plugin, because that was the only way to integrate with the application.

1 Like
  • Automated Analysis & Response of Phishing Emails
  • Indicator Enrichment using Teams (Hashes, IPs, URLs, Domains)
  • Forwarding InsightIDR Alerts into our SOC channel
  • Creating Jira issues out of InsightIDR investigations
  • Scheduled Ingestion of IOCs into InsightIDR Community Threats using different open source databases (URLhaus, MalwareBazaar, PhishTank)
  • User Containment Measures (Password Reset, Revoke User Sessions)
2 Likes

Hey Michael. In regards to your UBA (Out of country logins / 3rd party vpn users), do you have any more information on how you were able to complete this? I am looking to create a workflow for this. Right now I am getting my alerts for this from a log query involving ingress authentications.

I had a workflow that would take the alerts and look to see if the user was in a global artifact, and compare the location/time information in the global artifact with the alert. If the location/time matched, the alert was closed; if it did not match or was past the acceptable limit, the new information was verified with the user or their manager and the global artifact updated. If it was an unauthorized login, then the workflow would lock down the user account and kick out any active users. The VPN workflow worked in a similar fashion, but it stored the user and their VPN company information.

1 Like
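The decision logic of the out-of-country login workflow described in the reply above, as an added example in plain Python (not the poster's workflow and not InsightIDR or InsightConnect code). The global artifact is modelled as a dict keyed by username that records the country a user is known to be travelling from and until when that is acceptable; the alerts are constructed samples in the shape a log query on ingress authentications might yield. Field names, the 14-day default validity and the containment action names are assumptions for illustration.

```python
"""Added example: triage of out-of-country login alerts against a travel
'global artifact', with verification and containment as second stage.
Field names and action names are illustrative assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed artifact (not real data): alice is known to be in DE until 30 June.
ARTIFACT: Dict[str, dict] = {
    "alice": {"country": "DE", "valid_until": "2024-06-30T23:59:59+00:00"},
}

# Constructed alerts (not real log data) as an ingress-auth query might produce.
ALERTS: List[dict] = [
    {"user": "alice", "country": "DE", "time": "2024-06-10T08:15:00+00:00"},
    {"user": "alice", "country": "BR", "time": "2024-06-10T09:02:00+00:00"},
    {"user": "alice", "country": "DE", "time": "2024-07-02T10:00:00+00:00"},
    {"user": "bob",   "country": "FR", "time": "2024-06-10T11:30:00+00:00"},
]


def triage_login(artifact: Dict[str, dict], alert: dict) -> str:
    """First stage: 'close' if the alert matches a known, still-valid travel
    record for that user, otherwise 'verify' (ask the user or their manager)."""
    known = artifact.get(alert["user"])
    if known is None:
        return "verify"
    alert_time = datetime.fromisoformat(alert["time"])
    valid_until = datetime.fromisoformat(known["valid_until"])
    if known["country"] == alert["country"] and alert_time <= valid_until:
        return "close"
    return "verify"


def apply_verification(artifact: Dict[str, dict], alert: dict,
                       confirmed: bool, days_valid: int = 14) -> List[str]:
    """Second stage, once the user or manager has answered.

    On confirmation the artifact is updated so the next login from that
    country auto-closes; otherwise the containment actions are returned
    (lock the account, revoke sessions, escalate)."""
    if confirmed:
        until = datetime.fromisoformat(alert["time"]) + timedelta(days=days_valid)
        artifact[alert["user"]] = {"country": alert["country"],
                                   "valid_until": until.isoformat()}
        return ["update_artifact", "close_alert"]
    return ["lock_account", "revoke_sessions", "escalate"]


def process_alerts(artifact: Dict[str, dict], alerts: List[dict],
                   confirmations: Dict[str, bool]) -> List[dict]:
    """Run both stages over a batch. `confirmations` simulates the answers
    received from users/managers, keyed by 'user:country'; a missing answer
    counts as not confirmed, so silence leads to containment."""
    results = []
    for alert in alerts:
        decision = triage_login(artifact, alert)
        if decision == "close":
            actions = ["close_alert"]
        else:
            key = f"{alert['user']}:{alert['country']}"
            actions = apply_verification(artifact, alert, confirmations.get(key, False))
        results.append({"user": alert["user"], "country": alert["country"],
                        "decision": decision, "actions": actions})
    return results


if __name__ == "__main__":
    store = {k: dict(v) for k, v in ARTIFACT.items()}
    answers = {"alice:BR": False, "alice:DE": True, "bob:FR": True}
    for row in process_alerts(store, ALERTS, answers):
        print(row)
    print(store)
```

Treating an unanswered verification as "not confirmed" is the fail-closed choice; the expiry on each artifact entry is what stops a one-time approval from silently whitelisting a country forever.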

  • User Onboarding and Offboarding
  • Moving users in and out of groups for certain travel protocols
  • Backing up router and switch configs on a regular schedule
  • IR actions for suspected compromised user accounts
  • Asset Management for InsightVM
  • Tracking logins from outside the US
  • Some simple Cisco commands for our support team to run from Teams, like activating switch ports.

1 Like