Workflow to inform affected users about an alert

Hi guys :slight_smile:,

I’d like to create a workflow that triggers on a custom alert and sends out an email to a specific user to verify if the alert was legitimate or not. I know that I could use a human decision to send out the email. The problem is, not all users have access to InsightConnect and therefore I can’t select them in the human decision configuration as email recipients. Is there a workaround for that? I was thinking of two workflows, one workflow that sends out the email to the affected user. The email would contain two unique URLs that would trigger a second workflow, which then either closes the investigation or not.

Maybe there is a better alternative to solve this issue and I’m missing something here.

Happy to have a discussion with you!

Do you use any sort of chat app, could you use Teams/Slack to send a message to the user to confirm the activity instead of sending an email?

If you have the user’s name you should be able to look up their email address via some sort of user record (AD, Okta, etc.) and send an automated email to the user that way.

If it has to be email, I would guess using an API call or having unique email addresses that trigger workflows based on emails being received via those addresses. I’d be really interested in hearing more about what you are trying to verify and see what we cannot figure out for you.

Yes, it would also be possible to use Teams to send a chat message to the affected user. Let me give you a specific use case: A user successfully authenticates from 2 different countries against our Office 365 environment in a short time period, which would create an alert. Instead of contacting the user myself, I’d love to have a workflow that informs the user about the alert and asks if these logons are legitimate or not. If it’s legitimate the corresponding alert will be closed, if not, I get a notification.

The part that I’m struggling with is the user decision whether it is legitimate or not and how I can send this decision back to InsightConnect. Could you give me some information on what I need to do in order to solve this user interaction issue using Teams and email?

How have you thought around the part of auto verification?

We have had thought around this part in our company as well.

But if a user had successful authentication from 2 or more countries and one is done by an attacker, how would you be sure that it isn’t the attacker responding to your auto message saying yes, these are legit authentications?
By sending the message to both the user and the user’s manager, or any other kind of verification?

I agree that I never contact the user via the means that I am questioning in case that communication is compromised. I usually contact the manager or co-worker that I can pull from AD.
I would send the email using the SMTP plugin and set the FROM to be a mailbox that ICON monitors. The hardest part is free text forms. You can specifically ask the user to only respond with a YES or NO and filter on that; that way you can also filter out auto-responses, but users tend to be chatty when InfoSec contacts them.
I’m always hesitant about including links in email because we are constantly telling people not to click on links. Otherwise you could have two URLs, one that is a YES and one that is a NO, with a listener on those endpoints to trigger something.

I think I would like to try both variants. One thing that I’m still wondering about is, if I send out two links (one for yes and one for no), how am I able to map these URLs back to the affected user / investigation? I mean, the users could click on the link from their smartphone or notebook.
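One way to carry the investigation and user inside the two links themselves, as an added example that is not part of this thread or of InsightConnect: each URL gets an HMAC-signed, expiring token, so the listener behind the second workflow can recover the investigation ID and decision and reject forged or altered links. The listener URL is an assumed placeholder.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the URL that triggers the second (decision) workflow. Placeholder only.
WEBHOOK_URL = "https://icon.example.com/hooks/alert-decision"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, investigation_id: str, user: str, decision: str, now: int, ttl: int = 86400) -> str:
    """Token = b64(payload).b64(HMAC-SHA256(payload)); payload names the investigation, user, decision and expiry."""
    payload = json.dumps({"inv": investigation_id, "user": user, "dec": decision, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def make_decision_links(secret: bytes, investigation_id: str, user: str, now: int) -> dict:
    """The two links to put in the notification: one for 'yes' (legitimate), one for 'no'."""
    return {d: f"{WEBHOOK_URL}?{urlencode({'t': make_token(secret, investigation_id, user, d, now)})}" for d in ("yes", "no")}


def token_from_link(link: str) -> str:
    return parse_qs(urlparse(link).query)["t"][0]


def verify_token(secret: bytes, token: str, now: int):
    """Listener side: return the payload if signature is valid and not expired, else None.
    A store of already-used tokens (not shown) would additionally make each link single-use."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        data = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if data.get("exp", 0) < now or data.get("dec") not in ("yes", "no"):
        return None
    return data
```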

The WebHook API would work if you could add the defined parameters in the URL like you do in the body of a POST.

Rapid7 Moose, Enhancement request?

@Ge72w108 Personally I would use Teams and reach out to the manager of the individual in question to verify if they are on vacation/traveling. Here is a high-level example of the logic for a workflow that stores this information in a global artifact and takes automated actions based on user input.

- UBA alert triggered in IDR
- Workflow looks up user in global artifact.
  - Found
    - Confirms location of alert matches global artifact record
      - True
        - Checks confirmation date for age (Automated Decision Point)
          - <= Allowable age
            - Closes alert as expected activity.
          - >= Allowable age
            - Deletes existing record
            - Triggers a new message to the manager to confirm activity. (Human Decision Point)
              - Confirmed
                - Adds new record to global artifact
                - Closes alert as expected activity
              - Unconfirmed (Decision Timeout path)
                - Notification sent via message app to security team.
                - Quarantine user
                - Revoke sessions
                - Create an incident ticket
      - False
        - Triggers a message to the manager to confirm activity. (Human Decision Point)
          - Confirmed
            - Adds new record to global artifact
            - Closes alert as expected activity
          - Unconfirmed (Decision Timeout path)
            - Notification sent via message app to security team.
            - Quarantine user
            - Revoke sessions
            - Create an incident ticket
  - Not Found
    - User lookup in source of record (AD, Azure, Okta)
      - User Found
        - Message sent to user’s manager to confirm user location/activity (Human Decision Point)
          - Confirmed Good
            - User record saved in global artifact.
          - Confirmed Bad
            - Notification sent via message app to security team.
            - Quarantine user
            - Revoke sessions
            - Create an incident ticket
          - No Response (Decision Timeout Path)
            - Notify the security team to contact the user directly to confirm activity.
              - Confirmed Good
                - User information saved in global artifact.
              - No Response / Confirmed Bad (Decision Timeout Path)
                - Quarantine user
                - Revoke sessions
                - Create an incident ticket
      - User not found
        - Message sent to security team, informing them that user was unable to be found via source of record.
          - Human decision
            - Expected Activity
              - Close alert, add user information to global artifact
            - Unexpected Activity
              - Quarantine user
              - Revoke sessions
              - Create an incident ticket

I am in the process of building something like this out in house that can be downloaded via the extension library once it is completed.
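The automated part of the decision tree above (artifact lookup, location match, confirmation-age check, and the actions taken once the manager answers), as an added example that is not the poster's workflow or any InsightConnect code. The artifact layout and the 90-day allowable age are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of the global artifact: one record per user holding the country the manager
# confirmed and when it was confirmed (assumed layout, not an InsightConnect schema).
GLOBAL_ARTIFACT = {
    "alice": {"country": "DE", "confirmed_at": datetime(2023, 5, 1)},
    "bob": {"country": "US", "confirmed_at": datetime(2022, 1, 15)},
}

ESCALATE = ["notify_security_team", "quarantine_user", "revoke_sessions", "create_incident_ticket"]


def evaluate_alert(user: str, alert_country: str, artifact: dict, now: datetime, max_age_days: int = 90) -> str:
    """Automated decision point: returns the next step the workflow should take."""
    record = artifact.get(user)
    if record is None:
        return "lookup_source_of_record"  # Not Found branch: AD / Azure / Okta lookup
    if record["country"] != alert_country:
        return "ask_manager"  # location mismatch: human decision point
    if now - record["confirmed_at"] <= timedelta(days=max_age_days):
        return "close_expected_activity"  # fresh confirmation: close without bothering anyone
    del artifact[user]  # stale confirmation: delete record and re-confirm with the manager
    return "ask_manager"


def apply_manager_decision(user: str, alert_country: str, decision: str, artifact: dict, now: datetime) -> list:
    """Human decision point outcome; 'timeout' (no response) is treated like an unconfirmed answer."""
    if decision == "confirmed":
        artifact[user] = {"country": alert_country, "confirmed_at": now}
        return ["close_expected_activity"]
    return list(ESCALATE)
```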

Thank you for that. The only problem that I see are the Human Decision Points. The managers in our company don’t have access to InsightConnect and I believe it is not possible to complete a Human Decision without an account in InsightConnect, right? We have hundreds of managers in our company and I can’t give them access to InsightConnect. That was also something that I mentioned in my first post.

Do you have a ticketing system that you could utilize? You could open a ticket for approval from the manager, and if it is approved you finish the workflow, and if declined you would rotate the user’s password? I know most managers are familiar with a ticketing system for approving onboarding and offboarding, so this could minimize training for non-IT people.