Workflow Wednesday: Getting Started with InsightConnect

In this edition of Workflow Wednesday, we wanted to help our new and trial users get started with some quick and easy workflows that will introduce users to key concepts in InsightConnect.

The four workflows described in this post can be found on the Discover tab of the product's Home page.

Hello World

A beginner workflow that requires no deployment. Simply import the workflow, edit the draft, and click the big blue Test button. Enter a message such as “Hello World!” in the text box and click Test Workflow.

Hello IDR Alert

Another workflow that requires no deployment. It uses the InsightIDR UBA Alert trigger and shows all the data points that an IDR Investigation can pass into an InsightConnect workflow. To use it, import and activate it (you can activate on the last step of the Import Wizard), then open an Investigation in InsightIDR. Click the blue Take Action button and select the last option, Custom InsightConnect Workflows. Select the Hello IDR Alert workflow from the next dropdown, and finally select any or all of the Users, Assets, and IOCs; the options offered depend on the actors and indicators in your investigation.

Then click the Take Action button to see a summary of what was passed into your InsightConnect workflow. The result shows up as an Artifact in your Investigation Timeline.

Click the View Details button to see details about the workflow run and its output.

This workflow does not actually “do” anything; it simply prints the details of the IDR alert to an Artifact card. It is structured, however, to give users who go on to build their own workflows an idea of all the variables available when using the InsightIDR UBA Alert trigger.

Enrich Hash with Threat Intelligence from Threat Crowd

Now we’re getting somewhere! This workflow uses a newly cloud-enabled plugin, ThreatCrowd, to look up a hash and report back whether it has been reported as malicious in ThreatCrowd’s open-source threat database. The API trigger is easy to test, just as with the Hello World workflow.

Note that, because it uses an API trigger and a cloud-enabled plugin, this workflow also requires no deployment.

  • Sample Hash for Testing: 02914C82CDFC5504242B4C47B09FCEC1

Enrich InsightIDR Alerts with Threat Intelligence from VirusTotal

Last, but certainly not least, this workflow is one we’ve found countless InsightIDR users building on their own, so we decided to include it as the final “Getting Started” workflow on the Discover tab. This workflow does require an Orchestrator and a VirusTotal API key. Don’t worry, you can sign up for a free VirusTotal account and use its API key with this workflow. Keep in mind that the public API key of a free account is rate-limited, so if you later wire this workflow to an alert trigger that fires often, expect lookups to be throttled.
To use this workflow, just import it, create a connection to VirusTotal, and activate it. You can then run the workflow from the Take Action menu in InsightIDR, just as you did with the Hello IDR Alert workflow.

You can also have this workflow run automatically when particular alerts fire by configuring an Alert Trigger in InsightIDR.
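For readers who want to build their own version of the two enrichment workflows above (the ThreatCrowd hash lookup and the VirusTotal enrichment of IDR alerts) rather than import the canned ones, here is the core of that step written out in Python. This is an added example and not code from InsightConnect, Rapid7, ThreatCrowd or VirusTotal. It validates the hash before it goes anywhere near a URL, reduces a VirusTotal v3 file report to a verdict, and formats the kind of one-line summary that ends up on an Artifact card. The endpoint `https://www.virustotal.com/api/v3/files/{hash}` and the `x-apikey` header are VirusTotal's real v3 API; the function names, the threshold of 3 malicious engines, and the sample report are this example's own assumptions, and the sample counts are invented rather than the result of any real lookup.

```python
"""Hash enrichment logic of the kind the ThreatCrowd and VirusTotal workflows
perform: validate the hash, look it up, turn the report into a verdict.
Added example; not InsightConnect, Rapid7 or VirusTotal code."""
import json
import re
import urllib.error
import urllib.request

# Only bare hex digests of the three common lengths are accepted, so a value
# copied out of an alert field or a ticket cannot smuggle path segments or
# query characters into the lookup URL.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}


def normalize_hash(value):
    """Return (algorithm, lowercase hex digest); raise ValueError for anything else."""
    digest = value.strip().lower()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(digest):
            return name, digest
    raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")


def fetch_report(hash_value, api_key, timeout=10):
    """Live lookup against VirusTotal API v3 (needs a key and network; not run here).
    A hash VirusTotal has never seen comes back as HTTP 404 with an error body."""
    _, digest = normalize_hash(hash_value)
    request = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{digest}",
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return json.load(response)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"error": {"code": "NotFoundError"}}
        raise


def score_report(report, malicious_threshold=3):
    """Reduce a VT-style file object to the fields a workflow would put on an artifact.
    'unknown' covers both a 404 body and a report with no analysis stats, so the
    caller never mistakes 'no data' for 'clean'. The threshold is an assumption."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    engines = sum(int(v) for v in stats.values())
    if engines == 0:
        verdict = "unknown"
    elif malicious >= malicious_threshold:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "malicious": malicious,
            "suspicious": suspicious, "engines": engines}


def enrich_hash(hash_value, report):
    """Validate the hash and attach it to the scored report."""
    algorithm, digest = normalize_hash(hash_value)
    result = score_report(report)
    result.update({"hash": digest, "algorithm": algorithm})
    return result


def artifact_text(result):
    """One-line summary of the kind shown on an Investigation artifact card."""
    return (f"{result['algorithm']} {result['hash']}: {result['verdict']} "
            f"({result['malicious']} malicious, {result['suspicious']} suspicious "
            f"of {result['engines']} engines)")


# Constructed sample in the shape of a VT v3 file object; the counts are
# invented and say nothing about any real file.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "a" * 64,
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 52, "suspicious": 1,
                "undetected": 10, "timeout": 0,
            }
        },
    }
}

# Shape of the body fetch_report() returns for a hash VirusTotal does not know.
NOT_FOUND_REPORT = {"error": {"code": "NotFoundError"}}

if __name__ == "__main__":
    print(artifact_text(enrich_hash("A" * 64, SAMPLE_REPORT)))
    print(enrich_hash("B" * 32, NOT_FOUND_REPORT)["verdict"])
```

Two design points worth carrying into a real workflow: reject anything that is not a bare hex digest before building the request, since the hash usually arrives from an alert or a human and is the only untrusted input in this step; and keep "unknown" distinct from "clean", because a hash that no engine has ever scanned is not evidence that the file is benign.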
