I want to automate an investigation named “A user on asset ABC attempted authenticate to n assets with local account XYZ”. So, I talked to the SOC analysts and they informed me that every time they receive these kinds of investigations they simply contact the user (mostly they are users from the client side), get the confirmation from him/her, and close the investigation. Please guide me on how I can go ahead with this automation.
Activate it and let it capture some investigations so you can see the kind of data it gathers and how it works.
Once you have captured the specific investigation you are interested in, you can add a decision step after the trigger and match off the title. Ensure the automation only does what you are looking for if the title matches. For all others, it can do something else entirely, or nothing.
You can create Snippets and use those for testing. If you want to explore how to send a Teams message, create a snippet with a single step that sends a Teams message.
Once you have an understanding of the individual steps needed, you can work on incorporating those into your larger workflow. As you get stuck in various places, update this thread with additional questions.
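As an added illustration of the decision step the answer describes (this is example code written for this thread, not a snippet from the platform or from either poster): it matches the investigation title against the expected wording, extracts the asset, the number of targets and the local account, and routes the investigation either to the "contact the user for confirmation" branch or to a do-nothing branch. The title pattern, the `Investigation` payload shape and the `contact` field are assumptions made for the example; the "n" in the original title is treated as a number, and the platform's own Teams step would replace the message builder at the end.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the captured title is worded exactly like the one in the question,
# with a concrete number where the question writes "n". Adjust after you have
# seen real captured data from the trigger.
TITLE_RE = re.compile(
    r"^A user on asset (?P<asset>\S+) attempted authenticate to "
    r"(?P<count>\d+) assets? with local account (?P<account>\S+)$"
)


@dataclass
class Investigation:
    """Constructed stand-in for the trigger payload (assumption: it carries a
    title and some identity for the user to contact)."""
    title: str
    contact: str


@dataclass
class Decision:
    branch: str                  # "confirm_with_user" or "ignore"
    asset: Optional[str] = None
    count: Optional[int] = None
    account: Optional[str] = None


def parse_title(title: str) -> Optional[dict]:
    """Return the fields encoded in a matching title, or None if it is a
    different kind of investigation (so the workflow can leave it alone)."""
    m = TITLE_RE.match(title.strip())
    if m is None:
        return None
    return {"asset": m["asset"], "count": int(m["count"]), "account": m["account"]}


def decide(inv: Investigation) -> Decision:
    """The decision step after the trigger: only the matching title goes down
    the confirmation branch; everything else is routed to 'ignore'."""
    fields = parse_title(inv.title)
    if fields is None:
        return Decision(branch="ignore")
    return Decision(branch="confirm_with_user", **fields)


def build_confirmation_message(inv: Investigation, d: Decision) -> str:
    """Text for the Teams message step (the platform step itself is not shown)."""
    return (
        f"Hi {inv.contact}, we saw an attempt from asset {d.asset} to authenticate "
        f"to {d.count} asset(s) with the local account {d.account}. "
        f"Was this you? Reply yes/no so we can close the investigation."
    )


def run_workflow(inv: Investigation) -> dict:
    """Tie the steps together; returns what each branch would do so it can be
    inspected without any platform connection."""
    d = decide(inv)
    if d.branch != "confirm_with_user":
        return {"branch": d.branch, "message": None}
    return {"branch": d.branch, "message": build_confirmation_message(inv, d)}


if __name__ == "__main__":
    # Constructed sample investigations, one matching and one not.
    for inv in (
        Investigation("A user on asset ABC attempted authenticate to 5 assets with local account XYZ", "jdoe"),
        Investigation("Malware detected on asset DEF", "jdoe"),
    ):
        print(run_workflow(inv))
```

Test the decision step on real captured titles first; if the wording varies (singular "asset", extra punctuation), the regex is where that shows up, and a non-match falls through to the ignore branch rather than contacting anyone by mistake.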