Set Up a SIEM (InsightIDR) Attacker Behavior Analytics (ABA) Alert Trigger
The SIEM (InsightIDR) Attacker Behavior Analytics (ABA) Alert Trigger allows Automation (InsightConnect) workflows to be created for, and triggered from, SIEM (InsightIDR) ABA detection rules.
In this article, we cover how to:
- Create a new SIEM (InsightIDR) ABA Alert Triggered Workflow
- Modify an existing SIEM (InsightIDR) ABA Alert Triggered Workflow
- Use a SIEM (InsightIDR) ABA Alert Triggered Workflow
Create a new SIEM (InsightIDR) ABA Alert Triggered Workflow
- Click Add Workflow from the workflows page in Automation (InsightConnect).
- Select Start From Scratch and enter a name, summary, tags, and time savings for the workflow, then click Create.
- Choose the SIEM (InsightIDR) Attacker Behavior Analytics (ABA) Alert trigger.
- Select the desired event type:
  - Anomalous Data Transfer
  - Asset Auth
  - Cloud Service Activity
  - Cloud Service Admin
  - DNS
  - Firewall
  - Flow
  - IDS
  - Ingress Auth
  - Process Start Event
  - Third Party Alert
  - Virus
  - Web Proxy
  - Raw
  - Unparsed
Event Type
The ABA Trigger must be configured for a particular event type and is only compatible with detection rules of that event type. To view what data is available for each event type, select View Details to preview the available variables. Please note that, depending on your license, not every event type may have associated detection rules.
- Optionally, select Add Detection Rules to create mappings for detection rules of the selected event type. When this workflow is published, the mappings between this workflow and the selected detection rules will also be published and alerts from those detection rules will trigger the active workflow. This can also be done by editing the trigger at a later point or by creating the mappings for an active workflow from the SIEM (InsightIDR) Detection Rules page. The workflow will not execute automatically unless mappings have been created.
- Note: You can now create custom detection rules to detect threats specific to your environment, industry, or organization. Learn more about creating custom detection rules in the SIEM (InsightIDR) documentation.
- Enter a name and description for the trigger and click Save Trigger.
- Build the workflow using the available trigger variables. If you are new to building workflows, check out Workflows 101 for instructions.
- Select Activate and confirm the new alert trigger mappings that will be created. There will only be mappings if you selected detection rules in step 5.
Modify an Existing SIEM (InsightIDR) ABA Alert Triggered Workflow
- Within Automation (InsightConnect), navigate to the workflows page, locate the workflow you would like to edit, and click on its name to open the workflow control panel. Select Edit in Builder, then select Edit.
- Select the trigger step.
- From the trigger details page, make any desired changes to the trigger name or description.
- Click Previous to add or remove detection rule mappings.
Updating Mappings
For these updated mappings to take effect, you must save the trigger again and publish the workflow. Once published, the new mappings will be automatically reflected in both Automation (InsightConnect) and SIEM (InsightIDR).
- Click Previous to change the event type of the trigger.
Changing the Event Type
The event type of the trigger determines the data that the trigger makes available to the rest of the workflow. Changing it will break any later step that references the previous event type's variables.
- Save the trigger with any changes and publish your workflow for those changes to be moved into production.
Use a SIEM (InsightIDR) ABA Alert Triggered Workflow
SIEM (InsightIDR) ABA alerts for mapped detection rules will be delivered to your Automation (InsightConnect) trigger automatically when the relevant events occur in SIEM (InsightIDR). No manual action is necessary for events to be sent from SIEM (InsightIDR) to Automation (InsightConnect). Please note that workflows leveraging the SIEM (InsightIDR) ABA trigger will not be available to run through the Take Action button from Investigations within SIEM (InsightIDR).
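The rules this article describes (a trigger is bound to one event type, only mapped detection rules of that type start the workflow, mappings take effect only once the workflow is published, and changing the event type breaks steps that reference the old variables) can be expressed as a small model, which is useful when reviewing why a workflow did or did not run. The code below is an added illustration, not Rapid7's code or API; the rule ids, variable names and alert shape are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class DetectionRule:
    rule_id: str      # constructed identifier, not an InsightIDR rule id
    event_type: str   # one of the ABA event types listed in the article


@dataclass
class AbaTrigger:
    event_type: str
    variables: set = field(default_factory=set)        # variables this event type exposes (assumed names)
    mapped_rule_ids: set = field(default_factory=set)  # detection rules mapped to this trigger


@dataclass
class Workflow:
    name: str
    trigger: AbaTrigger
    published: bool = False
    step_refs: dict = field(default_factory=dict)      # step name -> trigger variables it references


def map_rule(trigger: AbaTrigger, rule: DetectionRule) -> None:
    """A trigger only accepts mappings for detection rules of its own event type."""
    if rule.event_type != trigger.event_type:
        raise ValueError(f"{rule.rule_id} is a {rule.event_type} rule; trigger is {trigger.event_type}")
    trigger.mapped_rule_ids.add(rule.rule_id)


def should_fire(workflow: Workflow, alert: dict) -> bool:
    """An ABA alert starts the workflow only if it is published and the alert's rule is mapped."""
    return workflow.published and alert["rule_id"] in workflow.trigger.mapped_rule_ids


def broken_references(workflow: Workflow, new_variables: set) -> dict:
    """Steps that would lose variables if the trigger's event type changed to one exposing new_variables."""
    return {step: sorted(refs - new_variables)
            for step, refs in workflow.step_refs.items() if refs - new_variables}


if __name__ == "__main__":
    trig = AbaTrigger("Process Start Event", variables={"process_name", "hostname", "user"})
    wf = Workflow("Isolate host on suspicious process", trig,
                  step_refs={"lookup_asset": {"hostname"}, "notify": {"process_name", "user"}})
    map_rule(trig, DetectionRule("RULE-PS-001", "Process Start Event"))   # constructed rule id
    print(should_fire(wf, {"rule_id": "RULE-PS-001"}))   # False: mapping exists but workflow not published
    wf.published = True
    print(should_fire(wf, {"rule_id": "RULE-PS-001"}))   # True
    print(broken_references(wf, {"hostname", "source_ip", "destination_ip"}))  # notify step loses two variables
```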