Set Up an SIEM (InsightIDR) Alert Trigger

Automation (InsightConnect) makes it easy to work with SIEM (InsightIDR) to automate incident investigation and response. There are two types of SIEM (InsightIDR) triggers available today:

SIEM (InsightIDR) UBA Alert Trigger

The SIEM (InsightIDR) User Behavior Analytics (UBA) Alert Trigger passes alert data from SIEM (InsightIDR) into an Automation (InsightConnect) workflow. You can run these workflows from any SIEM (InsightIDR) Investigation, or you can set them to run automatically by setting up an Alert Trigger. To learn more about automating SIEM (InsightIDR) with Automation (InsightConnect), see the Automation documentation for SIEM (InsightIDR).

Automation (InsightConnect) receives the following variables from the SIEM (InsightIDR) UBA Alert Trigger. Nested variables are indented under the parent:

  • actors - object containing the following variables:
    • assets - array of objects containing the following variables:
      • assetID - string
      • fqdn - string
      • shortname - string
    • users - array of objects containing the following variables:
      • distinguishedName - string
      • emails - array of strings
      • name - string
  • contents - object containing the following variables:
    • domains - array of strings
    • ipAddresses - array of objects containing the following variables:
      • ip - string
      • type - string
    • processes - array of objects containing the following variables:
      • assetID - string
      • cmdline - string
      • hashes - array of objects, each containing the string variables hash and type
      • name - string
      • processID - integer
    • urls - array of strings
  • description - string
  • investigation ID - string
  • link - string
  • name - string
  • timestamp - string
  • type - string
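As an added example (not from Rapid7's documentation or from InsightConnect itself), the Python below takes a constructed UBA alert payload laid out like the variables above and collects the indicators a responder would enrich or block. Every access is defensive because any of the arrays may be absent or empty, and an explicit RFC 1918/loopback check keeps internal addresses out of any threat-intelligence lookup. The payload contents (host names, addresses, hashes, user) are invented.

```python
"""Collect enrichable indicators from an InsightIDR UBA Alert Trigger payload.

Constructed example, not Rapid7 code. SAMPLE_UBA_ALERT is made up to match the
variable layout documented for the trigger; real alerts may omit any array.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network
from typing import Any

# Constructed sample payload (hosts, addresses and hashes are invented).
SAMPLE_UBA_ALERT: dict[str, Any] = {
    "name": "Malicious Hash On Asset",
    "type": "Malicious Hash On Asset",
    "description": "A known-bad process hash was observed on an asset.",
    "link": "https://example.invalid/idr/investigations/a1b2c3d4",
    "timestamp": "2024-01-15T10:22:31Z",
    "actors": {
        "assets": [{"assetID": "asset-001", "fqdn": "ws01.corp.example", "shortname": "ws01"}],
        "users": [{"distinguishedName": "CN=jdoe,OU=Users,DC=corp,DC=example",
                   "emails": ["jdoe@corp.example"], "name": "jdoe"}],
    },
    "contents": {
        "domains": ["bad.example"],
        "ipAddresses": [{"ip": "203.0.113.7", "type": "destination"},
                        {"ip": "10.0.0.5", "type": "source"}],
        "processes": [{
            "assetID": "asset-001", "name": "x.exe", "processID": 4242,
            "cmdline": "C:\\Users\\Public\\x.exe -s",
            "hashes": [{"hash": "D41D8CD98F00B204E9800998ECF8427E", "type": "MD5"},
                       {"hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                        "type": "sha256"}],
        }],
        "urls": ["http://bad.example/payload"],
    },
}

# Address ranges never worth sending to an external enrichment service.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_indicators(alert: dict[str, Any]) -> dict[str, Any]:
    """Group de-duplicated indicators by kind; missing or empty fields yield empty sets."""
    actors = alert.get("actors") or {}
    contents = alert.get("contents") or {}
    users = actors.get("users") or []
    hashes: dict[str, set[str]] = {}
    for proc in contents.get("processes") or []:
        for h in proc.get("hashes") or []:
            # Normalise case so the same hash reported twice collapses to one entry.
            hashes.setdefault(h["type"].lower(), set()).add(h["hash"].lower())
    return {
        "ips": {entry["ip"] for entry in contents.get("ipAddresses") or []},
        "domains": set(contents.get("domains") or []),
        "urls": set(contents.get("urls") or []),
        "hashes": hashes,
        "users": {u["name"] for u in users},
        "emails": {e for u in users for e in u.get("emails") or []},
        "assets": {a["fqdn"] for a in actors.get("assets") or []},
    }


def external_ips(ips: set[str]) -> set[str]:
    """Keep only addresses outside the internal ranges (and drop anything unparseable)."""
    result = set()
    for raw in ips:
        try:
            addr = ip_address(raw)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            result.add(raw)
    return result


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_UBA_ALERT)
    print("lookup externally:", sorted(external_ips(found["ips"])), found["hashes"])
```

In a workflow the output of extract_indicators would feed the enrichment or containment steps (hash lookups, domain reputation, asset quarantine); the internal-range filter is there because the ipAddresses array mixes source and destination addresses and a bare 10.0.0.5 tells an external reputation service nothing while leaking your address plan.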

SIEM (InsightIDR) Custom Alert Trigger

You can also trigger an Automation (InsightConnect) workflow from SIEM (InsightIDR) or Log Management (InsightOps) Custom Alerts.

SIEM (InsightIDR) Custom Alert triggers can be one of three types:

  • Pattern Detection
  • Inactivity Detection
  • Change Detection

The information available in Automation (InsightConnect) differs slightly based on what type of alert triggers the workflow.

Variables available only for certain alert types are marked below; all other variables are available for every alert type. To differentiate between alert types within a workflow, branch on the type variable of the alert object.

Automation (InsightConnect) ingests the following variables when an SIEM (InsightIDR) Custom Alert trigger starts a workflow:

  • alert - Object
    • id - String
    • name - String
    • type - String
    • trigger - Object
      • durationThreshold - String (Inactivity only)
      • pattern - String (Pattern Match and Inactivity only)
      • comparison - Integer (Change Detection only)
      • direction - String (Change Detection only)
      • duration - Integer (Change Detection only)
      • threshold - Number (Change Detection only)
  • correlationId - String
  • event - Object
    • entryObject - Object
    • timestamp - Integer
    • entry - String (Pattern Match only)
    • sequenceId - Integer (Pattern Match only)
    • lastMatchTimestamp - Integer (Inactivity only)
    • absoluteDiff - Number (Change Detection only)
    • queries - Object (Change Detection only)
      • comparison - Object
        • fromTimestamp - Integer
        • toTimestamp - Integer
        • query - String
        • value - Number
      • current - Object
        • fromTimestamp - Integer
        • toTimestamp - Integer
        • query - String
        • value - Number
  • logs - Array
    • id - String
    • name - String
    • logSet - Array
      • id - String
      • name - String
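As an added example, not part of the page's or Rapid7's code, here is Python that classifies a Custom Alert payload by alert.type, verifies that the type-specific fields listed above are actually present before a workflow uses them, and renders a one-line summary per alert kind. The three sample payloads are constructed. The exact alert.type strings are not stated on the page, so classification matches on a keyword ("pattern" covers both the "Pattern Detection" and "Pattern Match" spellings used above); treating the integer timestamps as epoch milliseconds, and absoluteDiff as the absolute difference of the two query values, are likewise assumptions.

```python
"""Route an InsightIDR Custom Alert trigger payload by alert type.

Constructed example, not Rapid7 code. Assumptions (the page does not say):
alert.type is matched by keyword, timestamps are epoch milliseconds, and
event.absoluteDiff is |current.value - comparison.value|.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

# Type-specific fields a workflow relies on, as dotted paths into the payload.
REQUIRED: dict[str, tuple[str, ...]] = {
    "pattern": ("alert.trigger.pattern", "event.entry", "event.sequenceId"),
    "inactivity": ("alert.trigger.durationThreshold", "alert.trigger.pattern",
                   "event.lastMatchTimestamp"),
    "change": ("alert.trigger.direction", "alert.trigger.threshold", "event.absoluteDiff",
               "event.queries.comparison.value", "event.queries.current.value"),
}

# Constructed sample payloads, one per alert kind; field names follow the page.
PATTERN_ALERT = {
    "alert": {"id": "al-1", "name": "Failed SSH logins", "type": "Pattern Detection",
              "trigger": {"pattern": "Failed password"}},
    "correlationId": "c-1",
    "event": {"entryObject": {}, "timestamp": 1705314151000, "sequenceId": 17,
              "entry": "Failed password for root from 203.0.113.7 port 41022 ssh2"},
    "logs": [{"id": "l-1", "name": "auth.log", "logSet": [{"id": "ls-1", "name": "Linux"}]}],
}
INACTIVITY_ALERT = {
    "alert": {"id": "al-2", "name": "Backup heartbeat", "type": "Inactivity Detection",
              "trigger": {"durationThreshold": "30m", "pattern": "backup completed"}},
    "correlationId": "c-2",
    "event": {"entryObject": {}, "timestamp": 1705314151000, "lastMatchTimestamp": 1705310551000},
    "logs": [{"id": "l-2", "name": "backup.log", "logSet": [{"id": "ls-2", "name": "Ops"}]}],
}
CHANGE_ALERT = {
    "alert": {"id": "al-3", "name": "Spike in 403s", "type": "Change Detection",
              "trigger": {"comparison": 60, "direction": "increase", "duration": 5, "threshold": 50}},
    "correlationId": "c-3",
    "event": {"entryObject": {}, "timestamp": 1705314151000, "absoluteDiff": 42,
              "queries": {"comparison": {"fromTimestamp": 1705310551000, "toTimestamp": 1705310851000,
                                         "query": "where(status=403) calculate(count)", "value": 10},
                          "current": {"fromTimestamp": 1705313851000, "toTimestamp": 1705314151000,
                                      "query": "where(status=403) calculate(count)", "value": 52}}},
    "logs": [{"id": "l-3", "name": "nginx", "logSet": [{"id": "ls-3", "name": "Web"}]}],
}


def lookup(obj: Any, dotted: str) -> Any:
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def classify(payload: dict[str, Any]) -> str:
    """Map alert.type to a REQUIRED label; an unknown type is an error, not a guess."""
    alert_type = str(lookup(payload, "alert.type") or "").lower()
    for label in REQUIRED:
        if label in alert_type:
            return label
    raise ValueError(f"unrecognised custom alert type: {alert_type!r}")


def missing_fields(payload: dict[str, Any]) -> list[str]:
    """Type-specific fields that are absent; a workflow should stop rather than use them."""
    return [p for p in REQUIRED[classify(payload)] if lookup(payload, p) is None]


def _when(ms: int) -> str:
    # Assumption: epoch milliseconds (the page only says Integer).
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize(payload: dict[str, Any]) -> str:
    """One-line description suitable for a ticket or chat notification."""
    kind = classify(payload)
    if missing := missing_fields(payload):
        raise ValueError(f"{kind} alert is missing {missing}")
    name = lookup(payload, "alert.name")
    logs = ", ".join(lg["name"] for lg in payload.get("logs") or [])
    ev = payload["event"]
    if kind == "pattern":
        return (f"[{name}] pattern {lookup(payload, 'alert.trigger.pattern')!r} matched in {logs} "
                f"at {_when(ev['timestamp'])} (seq {ev['sequenceId']}): {ev['entry']}")
    if kind == "inactivity":
        return (f"[{name}] no match for {lookup(payload, 'alert.trigger.pattern')!r} in {logs} "
                f"since {_when(ev['lastMatchTimestamp'])} "
                f"(threshold {lookup(payload, 'alert.trigger.durationThreshold')})")
    cmp_v = ev["queries"]["comparison"]["value"]
    cur_v = ev["queries"]["current"]["value"]
    # Cross-check the reported absoluteDiff against the two query values it should derive from.
    consistent = abs(cur_v - cmp_v) == ev["absoluteDiff"]
    return (f"[{name}] {logs}: {cmp_v} -> {cur_v} ({lookup(payload, 'alert.trigger.direction')}, "
            f"threshold {lookup(payload, 'alert.trigger.threshold')}, diff consistent={consistent})")


if __name__ == "__main__":
    for sample in (PATTERN_ALERT, INACTIVITY_ALERT, CHANGE_ALERT):
        print(summarize(sample))
```

The point of missing_fields is that the type-only variables above are simply absent for the other alert kinds, so a workflow step that reads event.entry on an Inactivity alert gets nothing; checking presence right after the trigger fires turns a silent empty value later in the workflow into an explicit failure at the start.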