Workflow Input

Hello,

I am currently trying to build a workflow that resets the password of a user. I will be running it on a legacy detection rule so that analysts can run it from the investigations console. How may I prompt the analyst to provide the username as an input to reset the password? Is there a method for custom input? Do analysts need to have access to InsightConnect (jobs) to provide input or take human decisions?

The legacy trigger has variables for Asset and Users. If you use those variables in your workflow, and your investigation has one of those items in it, then you will be given the option to add a target from your investigation into the input field.

If your investigation does not have any users or assets by default, then you can add them with the Add Actors button as seen in the screenshot below.

Thanks Darrick for the response!

This sounds good to me. Apart from this, if we need to provide any inputs like IP addresses, URLs, or domains to get the reputation analysis from third parties using workflows, do we have any capabilities as of now in Rapid7 except utilizing the teams chat or channel?

Natively within IDR there is not any automation to perform this lookup in a manual fashion if the intent is to directly provide the specific IOC you are interested in targeting.

Ok, no problem! Thank You!!

This is ironically something I’m trying to develop myself. It’d be awesome to have this native, but for now I’m working on some ideas for how to extract specific key-values for each event type…then running a take action to pull these for analysis.

The extraction I feel like is the easy part - the challenge is making sure you extract the logs, since sometimes you want other events, such as contextual data or notable events, and those aren’t accessible from the API. Then…if you’re planning to post results as comments in an investigation, making sure that you don’t duplicate analysis results (which may just be a tolerable issue with the process).