Workflow Ideas

What Workflows Would You Like to See in the Extension Library?

Hi everyone!

We’re looking to expand the Extension Library and would love to hear your ideas.

Workflows in the library are designed to be high-level templates that can be easily ingested and customized to fit any environment. Whether it’s something brand new or an enhancement to an existing workflow, your input can help us make these resources even more valuable to the community.

We’d love to know:

  • Are there specific use cases or integrations you’d like to see?
  • Any workflows you feel could be improved or made more versatile?
  • Gaps you’ve noticed when building or searching for workflows?

Drop your thoughts below—we’re excited to hear what would make your day-to-day easier and more efficient!


I have a few pieces of feedback on this.

  1. Insider Threat Toolkit - utilizing InsightIDR UEBA and third-party ITDRs like Okta/Crowdstrike/EntraID/Sailpoint/CyberArk/etc. to enrich/surface this, alert on it, and implement some form of automated or decision-in-the-middle response. If this already exists, highlight it, because it’s a big topic, especially after North Korean operatives were found inside networks over the last 12 months.

  2. Integrations
    a. Skyhigh Cloud WebGateway, SSE, UCE, CASB (this is the cloud version of McAfee, now Trellix, that you already support). Visibility into DLP events and Cloud solutions with the SWG and CASB could be a huge boon for security teams when paired with IDR.
    b. CyberArk Privilege Cloud (this is the cloud version of the CyberArk vaults you support for on-prem). Understanding privilege escalation and access via either their vault or their remote access solution, known as SIA or Alero, would be a great visibility point.
    c. Lansweeper - They recently, in the last year, did a big cloud push. Their APIs are pretty robust and the product has historically been used in a lot of SMBs due to functionality and price point. It would give a great point to pull in data about assets for InsightVM, InsightIDR, and potentially Connect.
    d. Tanium - They could be a strong integration partner for you to enrich their patching and vulnerability management as well as surface vulnerability information for InsightIDR and to do enrichment. If you could automate using their Question system to pull further endpoint data, that could be combined with automated actions to create a very powerful enrichment automation.
    e. OpenCTI - pull and parse threat intelligence data to use with other responses like blocking on the Palo Alto or creating a block list inside the McAfee proxies.
    f. Meraki - Pull in Access Point information including Air Marshal (Wireless IDS alerts) to give further context and potentially build out workflows to help isolate systems that are connected to Rogue APs.


Hey John. Thanks for sharing those ideas. I did some testing with Okta as it has an outbound webhook. I was able to configure it. Seems like you can send many different types of events to InsightConnect using the webhook in Okta and the API trigger in InsightConnect. Risk events are an option. I think I found the webhook under the automation tab. Might be something for you to check out and give it a try.

None of those workflows exist in your bullet point 1, but they all seem pretty straightforward to build out. If the alerts are within the external systems and not being fed into IDR, we would have to look at how to surface them into InsightConnect. Feel free to email me and we can plan it out more and see what can be done.

If you want to use any of the systems and you do not see that we have an existing plugin, you can always leverage one of our other plugins such as the Python plugin. It doesn’t take much effort in today's world of AI to get quick Python scripts to perform single or many actions at once. As long as you have access to the API documentation, it is generally a question away from being an action within InsightConnect. I like to create Snippets that are single Python steps. This way I can leverage it the same as I would with a regular action. Configure the inputs just like a regular plugin action has, and you are good to go. The Snippet isn’t necessary as you can always just copy and paste the step into a workflow, but it is an option.

Let me know if you would like help getting started with any of it. I can’t build them out as I don’t have access to most of the systems you listed, but I am happy to get you started if you need assistance.

Darrick_Hall@rapid7.com

This is awesome @Darrick_Hall!

My $0.02 here (sorry for the late response):
The “Alert on New High Risk Vulnerability…” workflow is a rather heavy beast to run, so for sure this can be adjusted. Also, I would like to see a list of vulnerable assets instead of just per asset?

Receive CISA Alerts in Slack workflow; here it would be nice to extend a list of assets. What would be better would be an automatic remediation project, but I know that is not possible.

New IDR workflow to send investigations (similar to alerts) to Slack.

Update the quarantine asset workflow to allow Crowdstrike, Defender etc.

Add a snippet to give engineers an overview of their running jobs through the ICON API: https://eu.api.insight.rapid7.com/connect/v1/jobs/ that sends the summary to a specific Slack or Teams channel.
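As an added example (not code from this thread or from Rapid7), here is how the job-overview snippet requested above could be written as a single Python step of the kind Darrick describes: it takes the job list returned by the ICON jobs endpoint as a step input and returns a Slack-ready text summary. The `run(params)` step shape and the job field names `status` and `workflowName` are assumptions, so map them to the fields your actual API response uses; the sample jobs are constructed.

```python
# Added example: one Python step that summarises InsightConnect job records.
# Assumptions (not taken from the API docs): the step receives the job list
# in params["jobs"] from a preceding HTTP step, and each record carries a
# "status" and a "workflowName" field. Adjust both to the real response.
from collections import Counter
from typing import Dict, List


def summarize_jobs(jobs: List[Dict]) -> Dict:
    """Count jobs per status and list the failed workflows first, so an
    engineer scanning the channel sees problems before the healthy noise."""
    by_status = Counter(job.get("status", "unknown") for job in jobs)
    failed = [job.get("workflowName", "?") for job in jobs
              if job.get("status") == "failed"]
    return {"total": len(jobs), "by_status": dict(by_status),
            "failed": sorted(failed)}


def slack_text(summary: Dict) -> str:
    """Render the summary as a plain-text Slack message body (mrkdwn)."""
    lines = [f"*ICON jobs overview* ({summary['total']} jobs)"]
    for status, count in sorted(summary["by_status"].items()):
        lines.append(f"- {status}: {count}")
    if summary["failed"]:
        lines.append("Failed workflows: " + ", ".join(summary["failed"]))
    return "\n".join(lines)


def run(params=None):
    """Step entry point (assumed shape): inputs in, a dict of outputs out.
    An empty or missing job list still yields a valid, if short, message."""
    params = params or {}
    summary = summarize_jobs(params.get("jobs", []))
    return {"summary": summary, "slack_text": slack_text(summary)}


# Constructed sample input standing in for the jobs endpoint response.
SAMPLE_JOBS = [
    {"workflowName": "Quarantine Asset", "status": "succeeded"},
    {"workflowName": "Alert on New High Risk Vulnerability", "status": "failed"},
    {"workflowName": "Receive CISA Alerts in Slack", "status": "running"},
    {"workflowName": "Quarantine Asset", "status": "succeeded"},
    {"workflowName": "Receive CISA Alerts in Slack", "status": "failed"},
]

if __name__ == "__main__":
    print(run({"jobs": SAMPLE_JOBS})["slack_text"])
```

The `slack_text` output goes straight into the `text` field of a Slack or Teams post step; pair it with a schedule trigger to get a periodic digest.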