Set Up an InsightIDR Attacker Behavior Analytics (ABA) Alert Trigger
The InsightIDR Attacker Behavior Analytics (ABA) Alert Trigger allows InsightConnect workflows to be created for, and triggered from, InsightIDR ABA detection rules.
In this article, we cover how to:
- Create a new InsightIDR ABA Alert Triggered Workflow
- Modify an existing InsightIDR ABA Alert Triggered Workflow
- Use an InsightIDR ABA Alert Triggered Workflow
Create a new InsightIDR ABA Alert Triggered Workflow
1. Click Add Workflow from the workflows page in InsightConnect.
2. Select Start From Scratch and enter a name, summary, tags, and time savings for the workflow, then click Create.
3. Choose the InsightIDR Attacker Behavior Analytics (ABA) Alert trigger.
4. Select the desired event type:
   - Anomalous Data Transfer
   - Asset Auth
   - Cloud Service Activity
   - Cloud Service Admin
   - DNS
   - Firewall
   - Flow
   - IDS
   - Ingress Auth
   - Process Start Event
   - Third Party Alert
   - Virus
   - Web Proxy
   - Raw
   - Unparsed
Event Type
The ABA Trigger must be configured for a particular event type and is only compatible with detection rules of that event type. To see what data is available for each event type, select View Details to preview the available variables. Depending on your license, not every event type has associated detection rules.
5. Optionally, select Add Detection Rules to create mappings for detection rules of the selected event type. When this workflow is published, the mappings between this workflow and the selected detection rules are also published, and alerts from those detection rules trigger the active workflow. You can also create mappings later by editing the trigger, or for an active workflow from the InsightIDR Detection Rules page. The workflow will not execute automatically unless mappings have been created.
Note: You can now create custom detection rules to detect threats specific to your environment, industry, or organization. Learn more about creating custom detection rules in the InsightIDR documentation.
6. Enter a name and description for the trigger and click Save Trigger.
7. Build the workflow using the available trigger variables. If you are new to building workflows, see Workflows 101 for instructions.
8. Select Activate and confirm the new alert trigger mappings that will be created. There are only mappings to confirm if you selected detection rules in step 5.
Modify an Existing InsightIDR ABA Alert Triggered Workflow
1. Within InsightConnect, navigate to the workflows page, locate the workflow you would like to edit, and click its name to open the workflow control panel. Select Edit in Builder, then select Edit.
2. Select the trigger step.
3. From the trigger details page, make any desired changes to the trigger name or description.
4. Click Previous to add or remove detection rule mappings.
Updating Mappings
For updated mappings to take effect, you must save the trigger again and publish the workflow. Once published, the new mappings are automatically reflected in both InsightConnect and InsightIDR.
5. Click Previous again to change the event type of the trigger.
Changing the Event Type
The event type of the trigger determines the data the trigger makes available to the rest of the workflow. Changing it affects any later steps that reference the old variables, so review those steps after the change.
6. Save the trigger with your changes and publish the workflow to move those changes into production.
Use an InsightIDR ABA Alert Triggered Workflow
InsightIDR ABA alerts for mapped detection rules are delivered to your InsightConnect trigger automatically when the relevant events occur in InsightIDR. No manual action is needed for events to be sent from InsightIDR to InsightConnect. Note that workflows using the InsightIDR ABA trigger cannot be run through the Take Action button from Investigations within InsightIDR.