Get Started with InsightConnect

In your first few days with InsightConnect, we’ll help you install and activate your orchestrator, show you how to get in touch with us, and help you map InsightConnect’s capabilities to your organization’s needs. After you complete your initial setup, you’ll learn how to import tools and build workflows for your security processes. To get started with InsightConnect, complete the following milestones:

Explore InsightConnect Documentation

Visit the resources below to familiarize yourself with the InsightConnect Help pages:

  • To learn more about InsightConnect features and understand automation concepts, visit the Concepts and Usage section of this site.
  • For step-by-step guidance for tasks in InsightConnect, visit the How-To section of this site.
  • For plugin-specific help, visit the Plugins section of this site. The most popular plugins have configuration instructions and troubleshooting suggestions on these pages.
  • If you run into any problems, try the suggestions in the Troubleshoot section of this site. Common issues and solutions are provided for you. If you need more help, our Support Team is always happy to help.

Install and Activate Your First Orchestrator

The Insight Orchestrator is an on-premises component that gives the Insight platform the power to automate services, tools, and other Rapid7 products. If you have different networks in your organization, you’ll need to install an orchestrator in each network to gain access to specific tools on that network and process your security data.

Learn more about orchestrators with these resources:

If your network requires further configuration, visit these pages for instructions:

Map your Automation Use Cases

Before you dive into building a workflow, review your current security processes to identify specific use cases where automation can make an impact. These use cases help you determine which workflows to build, and they also help you discover which plugins and connections to add to InsightConnect.

Where can you find your security process information?

You may have already documented your security processes in places like policy documentation, threat maps, response maps, or playbooks.

Think about any of your processes that might:

  • Eat into your security team’s time
  • Take up too much manpower or computing power
  • Be completed manually or individually when you wish they could be done in bulk
  • Be repetitive, tedious, or constantly running

Once you have a specific process in mind, take note of the following:

  • What information starts this process?
    • This will be your workflow’s “trigger” in InsightConnect. For example, you may routinely scan for phishing attempts. A malicious attachment could be a “trigger” that kicks off your security process to respond to this incident.
  • Where does this data come from?
    • This information helps you determine what kind of trigger you may need. In a phishing case, you could use a plugin trigger configured for Gmail, Office365, Microsoft Exchange, or IMAP – or an API trigger for more unique cases.
  • What do you do with this data?
    • The things you do with this data are your “steps” in InsightConnect. For example, in a phishing incident response process, you might move the email to spam, forward it to your security team, block or flag the sender’s IP, or take other actions. You would add a workflow step to perform each of these tasks.
    • If you need your team to make the final call on what to do with specific information, you can create human decision steps to include your team’s expertise in your security processes.
  • What tools help you carry out these actions?
    • The tools that help you carry out the actions in your workflow steps are your “plugins” in InsightConnect. For example, do you use ticketing software like JIRA or ServiceNow to track your team’s work? What about patching tools for your network, like IBM BigFix or Microsoft SCCM?
  • What kind of login, account, or configuration information do you use with those tools?
    • This information helps you configure “connections” for each plugin. These connections are how InsightConnect will be able to bring information from those products into your workflow. For example, if you use Gmail, you likely have a few administrative accounts that manage your organization’s communications.

Your responses to these questions will inform how you build your first InsightConnect workflow. Keep track of your list of security tools! You’ll import plugins for those tools into InsightConnect next.

Import Plugins for Your Security Tools

InsightConnect supports over 270 plugins to effectively automate your security processes.

We recommend focusing on one automation use case from your mapping activity to start with. Import any plugins you will need to execute this security process. After you import a plugin into your InsightConnect account, the plugin will be available for you to use in any workflows you build.

If you don’t find the tool you need in our available plugins, don’t worry! In many cases, your security needs can be addressed by configuring other plugins, or you can reach out to InsightConnect through UserVoice to request a new plugin.

Set Up Connections for Each Plugin

After importing plugins, you need to set up individual connections for each plugin to authenticate InsightConnect to third-party tools and accounts. You can have multiple connections per plugin to cover your needs.

Connections typically include credentials, like API keys or other sensitive information, and other parameters, like IP addresses or port numbers. Visit the resources below to learn how to:

Build Your First Security Workflow

Once you’ve completed the previous steps, start building your organization’s first security workflow. We recommend trying to build one of the tedious automation use cases you mapped earlier.

To start:

  • Choose and configure a trigger: Think about what kicks off your security process, then decide what trigger type works best for gathering relevant data.
  • Add and configure steps one-by-one: Steps are the “building blocks” of your workflow, and they help pass data between all parts of your process efficiently with little to no code.
  • Consider using decision steps: The automation use case you mapped might follow different processes depending on the information you have. Going back to our phishing scenario, you might want to pause the workflow so that a human team member can review the information the workflow gathered and determine whether it is a phishing email before the workflow continues processing. Decision steps can be automated or human-controlled, and will split your workflow into multiple paths that each contain different steps.

A general step-by-step workflow building guide is available at the Build a Workflow page.

Test and Activate Your Workflow

After you’ve added all of the steps you need in a workflow, test your workflow to catch any issues. Finally, activate the workflow to start automating your security processes.

To test your workflow, follow the instructions on the Test a Workflow page. If your workflow test fails, figure out why at the Troubleshoot a Workflow page.

When your workflow test passes, click on the Activate button in the workflow builder. Your trigger will now actively listen for the required behavior, and your workflow will begin to create a job that collects information every time the workflow runs.

What’s Next?

Congratulations! You’ve successfully built two workflows (a tutorial workflow and your organization’s first workflow) and reviewed the jobs your workflow created. If you’re wondering what’s next, you’re now ready to automate the rest of your security processes. Refer to the diagrams or maps you created when you first started using InsightConnect, and refer back to the workflow building instructions as needed. Additional help is always available through this help site or our Support Team.