Quick Actions are preconfigured automation actions you can run within InsightConnect to get the answers you need fast. They require little or no configuration.
Quick Actions are currently available in InsightConnect and InsightIDR. To gain access to Quick Actions in InsightIDR, you need either of the following:
- The InsightIDR Ultimate package
- The InsightIDR Advanced package with an InsightConnect license
To learn more about using Quick Actions in InsightIDR, please view our InsightIDR documentation.
How to use Quick Actions
Quick Actions are available on the Quick Actions page, which can be found in the left-hand navigation menu. Quick Actions that are available to run can be found on the Actions tab. To run a Quick Action, select its card, provide the action input, and click the Run button. Each action expects a certain input, such as an IP Address, Email Address, File Hash, Domain, Vulnerability, or some similar indicator.
Quick Actions can also be run from any page within InsightConnect using the Quick Actions shortcut that is present in the top bar next to the Feedback button.
Available connectionless actions
Quick Actions currently supports the following actions out of the box:
- IP Address Look Up with WHOIS
- Domain Look Up with WHOIS
- IP Address Look Up with Threat Crowd
- Domain Look Up with Threat Crowd
- File Hash Look Up with Threat Crowd
- Email Address Look Up with Threat Crowd
- Vulnerability Look Up with Rapid7 Vulnerability and Exploit Database
- Exploit Look Up with Rapid7 Vulnerability and Exploit Database
- IP Address Reverse Look Up with DNS
- Domain Forward Look Up with DNS
- File Hash Look Up with Team Cymru Malware Hash Repository
- IP Address Look Up with RDAP
- Domain Look Up with RDAP
Review Quick Action results
When your action completes, the results display within the Quick Action panel. From here, the results can be copied, downloaded, and toggled between formatted and raw JSON views. If you want to take additional actions from here, simply copy any relevant data to your clipboard for use as input in your next action.
To view the results of previously run actions, navigate to the History tab of the Quick Actions page. From here, you can view a record of each action that has been run, the date and time it was run, the user who ran it, and its status. To see the inputs and outputs of an action, click the action name.
Add more Quick Actions
Quick Actions that require connections to run can be added and configured from the Add More tab.
After you click the tile of the Quick Action that you would like to add, the action becomes available on the Your Actions tab. You can configure the action when adding it, or come back to it at any time. You can also delete any added Quick Action, rename it, or update its details. Once a Quick Action has been configured, it is available to run just like all other Quick Actions.
Available connection-based actions
Quick Actions currently supports the following actions that require connections:
- IP Address Look Up with VirusTotal
- Domain Look Up with VirusTotal
- URL Look Up with VirusTotal
- File Hash Look Up with VirusTotal
- Domain Look Up with URL Scan
- URL Look Up with URL Scan
- IP Address Look Up with Alien Vault OTX
- IPv6 Address Look Up with Alien Vault OTX
- Domain Look Up with Alien Vault OTX
- URL Look Up with Alien Vault OTX
- URL Look Up with CheckPhish
- IP Address Look Up with Shodan
- IP Address Look Up with GreyNoise
- IP Address Look Up with AbuseIPDB
- File Hash Look Up with Hybrid Analysis
- Create Issue with Jira
- Create Incident with ServiceNow
- Agent Look Up with Rapid7 Insight Agent
- Search Vulnerabilities with AttackerKB
- Send Message with Microsoft Teams
- Get Indicator by Value with Threat Command TIP