Key Concepts

Learn the key concepts and terminology you'll need to know in order to use InsightConnect.


Workflows are automated procedures executed by InsightConnect. Workflows follow a user-defined sequence of steps, starting with a trigger. For example, when a new indicator of compromise is detected by your SIEM, a workflow may automatically lookup the file or process hash in a threat intelligence platform like VirusTotal or Palo Alto Wildfire.

When a workflow is activated, it will run in the background anytime the trigger event occurs. When a workflow is deactivated, then it will stop looking for trigger events. If the workflow is later reactivated, then it will resume looking for trigger events and will again run in the background for any new trigger events. The workflow will not run for any trigger events that occurred while the workflow was deactivated.

Every time a workflow runs, it creates a job. Read more about jobs below.

In addition to the active or inactive state, a workflow may also have unpublished changes. This allows InsightConnect users to modify or extend workflow functionality without needing to deactivate the current workflow version. Once your changes are ready, you may publish them, thereby replacing the current active or inactive workflow with your modified workflow. You may then edit the workflow again and repeat the process.

View and manage your workflows from the Workflows page in InsightConnect.


Snippets are reusable sequences of steps maintained in a central location. Snippets allow you to standardize tasks and processes in a consistent and repeatable way. For example, build and publish one snippet for ticketing, and use that snippet as a step in any workflow that requires ticketing.

When a snippet is published, it can be used as a step in and across all of your workflows. Any updates made to the snippet can be pushed to linked workflows where the snippet is in use. When a snippet runs within a workflow, the execution details of each step within the snippet will appear in the job.

View and manage your snippets from the Snippets tab on the Workflows page in InsightConnect.


Triggers listen for specific events to start the execution of a workflow.

Trigger events can be set off from plugins (eg, Microsoft Teams, ServiceNow) when a specified event occurs (eg, new message in channel, change in ticket status), from InsightVM when a change is detected (eg, a new vulnerability was found), from an InsightIDR investigation (eg, a user chooses to run a workflow from the Take Action menu), on a scheduled basis with the Timers plugin, etc.

Depending on the technology, triggers may receive events in real-time or they may regularly poll an API to detect the occurrence of a specific event.

Learn more about triggers and how to use them.


Plugins are integrations and utilities that provide functionality in the form of triggers and actions for workflows.

Explore and import all the plugins available in InsightConnect in the Extension Library

Learn more about plugins and how to use them, or learn how to build and contribute your own plugins.


Actions are individual operations performed by a plugin. Actions generally have inputs and outputs, which can be seen in detail in the job that is generated each time a workflow runs.


A job is one instance of a workflow execution. Jobs contain all the information about what happened when the workflow ran, including the state of each step (even steps contained within snippets), which path was taken for each decision, and any pending human decisions that need to be made.

View your jobs on the Jobs page in InsightConnect, or learn more about Jobs.


Many plugins require a connection in order to communicate with and execute actions against a system. Connections are not tied to a specific workflow, but they are associated with where the plugin runs, for example on which orchestrator the plugin runs on.

Authentication and authorization usually occur in the following ways:

  • Basic authentication with a credential pair (username and password)
  • API key or secret

Connection-specific details, such as a URL or port number, are unique to each plugin. See the plugin documentation for more. Learn more about configuring connections with common plugins.

When a new connection is saved, a connection test is automatically run in the background. To see the status of your connections and troubleshoot connection issues, visit the Connections page under the Settings > Plugins & Tools menu.


The Insight Orchestrator is a server in your network or cloud environment that integrates your tools and systems with InsightConnect.

When a workflow is running, the Insight Cloud keeps the overall workflow logic and data that is generated from each step. When a step is set to run on an Orchestrator, the Insight Cloud delivers the input data and action instructions to the Orchestrator. The Orchestrator executes the action and passes the data output back up to the Insight Cloud. The Insight Cloud then proceeds to the next step in the workflow.

You can find Orchestrators either under Settings in InsightConnect or under Data Collection on the Platform Home Page. Learn more about Orchestrators.