Automating Cases
Early Access
Rapid7 Case Management is currently in Early Access and is not yet available to all customers. If you're interested in trying it out, contact your Customer Success Manager.
Rapid7 Case Management was designed from the ground up to be fully automatable. You can use any of InsightConnect's 300+ integrations to help gather, enrich, or collaborate around cases of any kind.
The Case Automation Philosophy
The approach we recommend when thinking about setting up automation around your cases is:
- Start with a manual process. Don't try to automate everything end-to-end from the start. You can start with a simple workflow with only two steps: retrieving events from a trigger or integration, and creating a case for each event.
- Refine the process as you learn. As your team begins to handle cases created by the integration, you'll begin to learn about what works and what doesn't. Maybe you always need a particular piece of information, or maybe there are too many cases created that aren't required. In small iterations, you can make adjustments to your workflow to improve your process. For example, automatically reaching out to a 3rd party service to gather more information, or placing a Decision step prior to creating a case.
- Solidify and document. Once you're confident about what your team needs from the process, we recommend mapping and documenting it as a standard playbook. To improve reliability, make sure the workflow is set up to send an email when a failure occurs, and add your documentation to the Workflow Notes in InsightConnect for future reference.
Being confident about your process does not mean the iteration stops. Continue to refine and update your Case Management processes as you learn and as your process and environment change. This adaptability is what makes SOAR a powerful tool for your team.
Case Automation Capabilities
The Case Management automation capabilities are accessible from the InsightConnect product. Visit InsightConnect and go to Workflows, and create or edit a workflow or snippet to get started. For more information about building workflows, try the Learn to Build Workflows tutorial first.
Adding a Case Management Step
Once in the Workflow Builder, to add a Case Management step, find the point in your workflow where you'd like to take action, and click the "+" plus button in the workflow graph.
Select "Case Management" from the step type grid. You'll be presented with several kinds of Case Management actions you can take.
Using Variables in Cases
You can use information from other steps in your workflow—such as the workflow trigger, decision steps, and third party integration steps—to supply data for your case. To do so, click the blue "+" icon within a field and select the step and data you'd like to use.
Create Case
Make a new case.
You can supply as much information as you like as you create the case, but only the case Name and Priority are required. Usually, users add a comprehensive description containing all the information needed to review the case, generally inserted from the data the steps in the workflow provide.
Outputs: After the step inputs, you can see a list of outputs: data which you can pass to future steps and use. The most important output is the "RRN" or Rapid7 Resource Name: this is an identifier that you can use in the workflow following a Create Case step to take further action on that case, such as adding comments or attachments.
List Cases
Returns all cases matching the given criteria.
This step is useful for several purposes, such as finding all cases assigned to a particular owner to send them reminders, finding cases above a certain priority level, or synchronizing data between two systems.
The only required input is the list of statuses. You can ask for all statuses to get all cases, but in most cases you'll want to leave out "CLOSED", for example ["OPEN", "IN PROGRESS", "WAITING"].
You can also add additional criteria, such as the assigned owner or the number of cases to send back.
The primary output is data: an array (list) of Case objects, containing all the basic information available for each case.
Usually, after retrieving a list of cases, the next step in the workflow would be a Loop step, to take action for each case in the list, such as doing further checks on the case data, and making changes if appropriate.
Get Case
Retrieve a single case.
While the List Cases action returns several cases, Get Case gives you back all the details for a single case, based on its RRN (Rapid7 Resource Name). The RRN is the only input, and the output includes all the information about the case.
Update Case
Makes changes to a particular case.
Given a particular case's RRN, this step updates any information on the case. You can update any field that a case stores.
First, give this step the case RRN, for example from the output of a Create Case step or List Cases step. Then, you can add any number of field updates by selecting the thing you'd like to update, then entering a Variable or Value that contains the new value.
This step is highly flexible, as you can imagine. You can automatically set the priority of a case, automatically assign an owner, add information to the description, and more.
Create Comment
Create a new comment on the given case.
Again, send this step the case RRN, for example from the output of a Create Case step or List Cases step.
Then you can enter or select a variable that contains the value of a comment you'd like to add to the case. This might come from a 3rd party data enrichment action, for example, after looking up an indicator related to the case.
You can optionally select to include an Attachment, or you can upload an attachment by itself using the Upload Attachment step.
Upload Attachment
Attach a file to the given case.
Once again, send this step the case RRN, for example from the output of a Create Case step or List Cases step.
Select a file to upload to the case, which will usually be the output of another step in the workflow, as opposed to a file you upload directly. The way InsightConnect references files within a workflow is through Base64 encoded text, which is output by most steps that deal with files.
You can also choose to include a comment with your file attachment if you wish.
Assign Case Owner
Assign an owner to a case.
Send this step the case RRN, for example from the output of a Create Case step or List Cases step.
Choose the case owner from the list using the list icon within the field, or choose a variable that contains the email address of the Rapid7 user to whom the case should be assigned.
This step is useful for automatically assigning cases based on rules or logic, such as assigning all cases of a particular type to a given person, or for assigning a case within a group in a round-robin sequence.
Note: the assignee must be a Rapid7 InsightConnect user.
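The assignment logic that a List Cases, Loop, and Assign Case Owner sequence could apply, modelled in Python as an added example (not Rapid7 code and not an InsightConnect API). It balances by current load instead of a stored counter, which behaves like round-robin when loads are equal. The case keys (`rrn`, `status`, `priority`, `owner`), the priority labels, and all sample values are assumptions constructed for illustration.

```python
# Statuses named on this page; CLOSED is left out, as the List Cases section suggests.
ACTIVE_STATUSES = ["OPEN", "IN PROGRESS", "WAITING"]

# Assumed priority labels (not taken from the product); lower rank is more urgent.
PRIORITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def plan_assignments(cases, analysts):
    """Return {rrn: owner_email} for unowned active cases, balanced by load.

    `cases` models the List Cases `data` array; key names are assumptions.
    `analysts` is an ordered list of user email addresses.
    """
    if not analysts:
        raise ValueError("at least one analyst email is required")
    active = [c for c in cases if c["status"] in ACTIVE_STATUSES]
    # Current load per analyst, counted from active cases that already have an owner.
    load = {a: 0 for a in analysts}
    for c in active:
        if c.get("owner") in load:
            load[c["owner"]] += 1
    unowned = [c for c in active if not c.get("owner")]
    plan = {}
    # Most urgent first, so urgent cases reach the least-loaded analysts.
    for c in sorted(unowned, key=lambda c: PRIORITY_RANK.get(c["priority"], 99)):
        # min() keeps the first analyst on a tie, giving round-robin on equal load.
        owner = min(analysts, key=lambda a: load[a])
        plan[c["rrn"]] = owner  # the value an Assign Case Owner step would receive
        load[owner] += 1
    return plan


# Constructed sample data: placeholder RRNs and example.com addresses.
ANALYSTS = ["alice@example.com", "bob@example.com"]
SAMPLE_CASES = [
    {"rrn": "case-0001", "status": "OPEN", "priority": "HIGH", "owner": "alice@example.com"},
    {"rrn": "case-0002", "status": "IN PROGRESS", "priority": "LOW", "owner": None},
    {"rrn": "case-0003", "status": "OPEN", "priority": "CRITICAL", "owner": None},
    {"rrn": "case-0004", "status": "CLOSED", "priority": "HIGH", "owner": None},
    {"rrn": "case-0005", "status": "WAITING", "priority": "MEDIUM", "owner": None},
]

if __name__ == "__main__":
    for rrn, owner in plan_assignments(SAMPLE_CASES, ANALYSTS).items():
        print(rrn, "->", owner)
```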
Close Case
Close the given case.
Changes the status of the case to Closed, and prevents future changes to the case (unless the case is reopened).
Send this step the case RRN, for example from the output of a Create Case step or List Cases step.
Examples
Automating cases can be as simple as two steps. See the following examples for a quick start.
- Creating a Case from a Plugin Trigger (Coming Soon)
- Updating a Case within a Workflow (Coming Soon)