Why is Microsoft Defender ATP plugin ONLY available in InsightConnect NOT InsightIDR?

Why the heck is the Defender plugin that would allow coming from IDR and submitting ATP virus scans and other ATP functions ONLY available in InsightConnect?

Hi @thomas_morris! I am a Product Manager here @ Rapid7.

Thank you for the feedback! We are looking into this internally and will reach out to you to capture more information on your use case and needs.

The Defender plugin was designed to work with our SOAR platform, InsightConnect, and we want to ensure our users can create workflows and automations that allow customizations based on a user’s specific security operation flows. We want to avoid delivering a super restrictive experience that doesn’t meet your needs.

We will be in touch very very soon around the feedback above and the other insights you have shared! Thanks again for the candor and welcome to the community :slight_smile:

Thank you @aniket_menon the InsightIDR product includes automation, which uses a limited version of the InsightConnect platform engine, as I understand it. SO limited in fact that there is NO capability to create or edit workflows. InsightIDR processes incoming alerts from ATP, but then we have to move between several different windows to do what it looks like this plugin would enable.

WHen the InsightIDR platform claims to have automation, it is horribly limited.

I have to agree with @thomas_morris big time. It feels like the IDR automation is just enough to force you to have to buy in to Connect. It has felt like the whole SOAR portion should have been apart of IDR not yet another tool, charged per workflow. Been very frustrating for our team

To be entirely fair, I don’t recall exactly which marketing material I referred to when we were doing a trial with IDR. The trial was very helpful, but during that time we could not even begin to try all integrations.

The current documentation at Rapid7 site makes it very clear that the “automation” in IDR is by design very limited. IF that existed at the time, I obviously missed it.

I’d still say it is “nice” to have the starting point of the existing workflows, BUT we ought to be able to customize SOME, at least to add in “human decision points” and things of that sort.

I understand that a very limited number of customers are going to be willing or able to build IR playbooks from a blank slate. But this still feels unnecessarily limited, out of the box.