Hi there, I’d like to set up a workflow that runs every time an investigation is created (without any manual interaction by the analyst). The workflow should use the involved users / assets and search for any previous investigations where these users / assets were also involved. The result of the search should be sent back to the investigation in nicely formatted markdown. The part of searching for previous investigations should be straightforward. I’m wondering about the part of triggering the workflow every time an investigation is created. Can someone give me a hint?
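The correlation and formatting step described in the post, as an added example that is not part of the original question or of any Rapid7 product code. It assumes a constructed, simplified investigation record (`id`, `title`, `created`, `users`, `assets`); this is not the InsightIDR Investigations API schema, and in a real workflow the history list would be filled from an API search. It excludes the triggering investigation itself, only considers investigations created before it, matches names case-insensitively, and escapes pipe characters so a title cannot break the markdown table.

```python
"""
Correlate a newly created investigation against earlier ones by shared
users/assets and render the matches as a markdown table.

The record layout is a constructed, simplified shape for illustration only;
it is not the InsightIDR Investigations API schema.
"""
from datetime import datetime

# Constructed sample data: the investigation that fired the trigger plus
# a small history of earlier investigations (as a search might return them).
CURRENT = {
    "id": "inv-1004",
    "title": "Brute force against jdoe",
    "created": "2024-05-12T09:30:00Z",
    "users": ["jdoe"],
    "assets": ["WS-0042"],
}

HISTORY = [
    {"id": "inv-0981", "title": "Suspicious login | jdoe",
     "created": "2024-04-02T11:00:00Z", "users": ["JDoe"], "assets": ["WS-0017"]},
    {"id": "inv-0990", "title": "Malware on WS-0042",
     "created": "2024-04-20T15:45:00Z", "users": ["asmith"], "assets": ["ws-0042"]},
    {"id": "inv-0995", "title": "Unrelated phishing",
     "created": "2024-05-01T08:00:00Z", "users": ["bjones"], "assets": ["WS-0099"]},
    CURRENT,  # a search can return the new investigation itself; it must be skipped
]


def _norm(name: str) -> str:
    # Case-insensitive matching: "JDoe" and "jdoe" are the same account.
    return name.strip().lower()


def _ts(value: str) -> datetime:
    # ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_related(current: dict, history: list) -> list:
    """Earlier investigations sharing at least one user or asset with `current`,
    newest first. Excludes `current` itself and anything created after it."""
    users = {_norm(u) for u in current.get("users", [])}
    assets = {_norm(a) for a in current.get("assets", [])}
    cutoff = _ts(current["created"])
    related = []
    for inv in history:
        if inv["id"] == current["id"] or _ts(inv["created"]) >= cutoff:
            continue
        shared_users = sorted(u for u in inv.get("users", []) if _norm(u) in users)
        shared_assets = sorted(a for a in inv.get("assets", []) if _norm(a) in assets)
        if shared_users or shared_assets:
            related.append({**inv, "shared_users": shared_users,
                            "shared_assets": shared_assets})
    related.sort(key=lambda r: _ts(r["created"]), reverse=True)
    return related


def _cell(text: str) -> str:
    # A literal '|' inside a cell would split the table row; escape it.
    return text.replace("|", "\\|")


def to_markdown(related: list) -> str:
    """Render the matches as a markdown table suitable for an investigation comment."""
    if not related:
        return "_No earlier investigations share these users or assets._"
    lines = [
        "| Investigation | Created | Shared users | Shared assets |",
        "|---|---|---|---|",
    ]
    for r in related:
        lines.append(
            f"| {r['id']}: {_cell(r['title'])} | {r['created']} | "
            f"{', '.join(r['shared_users']) or '-'} | "
            f"{', '.join(r['shared_assets']) or '-'} |"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(find_related(CURRENT, HISTORY)))
```

With the constructed data this reports inv-0990 (shared asset WS-0042) and then inv-0981 (shared user jdoe), newest first, and leaves the unrelated phishing case out.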
Hi 312312! Thanks for posting – I believe what you are looking for is a UBA Alert Trigger. We currently support running a workflow automatically from any UBA detections that create investigations in InsightIDR. Once your workflow is built, navigate to the Automation page in InsightIDR > UBA Alert Triggers tab > Create Alert Trigger. Then, find your custom workflow and attach it to one or more alert rules!
Here are some IDR Help Docs on Alert Triggers: Alert Triggers for UBA Detection Rules and Custom Alerts | InsightIDR Documentation
We are actively working with our IDR product team to improve this integration and would love to hear your feedback on this!