Set Up an SIEM (InsightIDR) Alert Trigger
Automation (InsightConnect) makes it easy to work with SIEM (InsightIDR) to automate incident investigation and response. There are two types of SIEM (InsightIDR) triggers available today:
SIEM (InsightIDR) UBA Alert Trigger
The SIEM (InsightIDR) User Behavior Analytics (UBA) Alert Trigger passes alert data from SIEM (InsightIDR) into an Automation (InsightConnect) workflow. You can run these workflows from any SIEM (InsightIDR) Investigation, or you can set them to run automatically by setting up an Alert Trigger. To learn more about automating SIEM (InsightIDR) with Automation (InsightConnect), see the Automation documentation for SIEM (InsightIDR).
Automation (InsightConnect) receives the following variables from the SIEM (InsightIDR) UBA Alert Trigger. Nested variables are indented under the parent:
- actors - object containing the following variables:
  - assets - array of objects containing the following variables:
    - assetID - string
    - fqdn - string
    - shortname - string
  - users - array of objects containing the following variables:
    - distinguishedName - string
    - emails - array of strings
    - name - string
- contents - object containing the following variables:
  - domains - array of strings
  - ipAddresses - array of objects containing the following variables:
    - ip - string
    - type - string
  - processes - array of objects containing the following variables:
    - assetID - string
    - cmdline - string
    - hashes - array of objects, each containing the string variables hash and type
    - name - string
    - processID - integer
  - urls - array of strings
- description - string
- investigation ID - string
- link - string
- name - string
- timestamp - string
- type - string
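A workflow that receives this payload usually wants two things from it first: who the actors are, and which indicators in contents are safe and worth enriching. The following is an added example (not code from the Rapid7 documentation or the InsightConnect product) of a Python step that does that against a constructed payload in the shape listed above. Every value in the sample is made up; the set of internal address ranges and the rule "type of a hash is decided by its length" are this example's own choices. The security point it carries is that everything under contents came from log data an attacker can influence, so each value is validated and normalized before it is handed to any downstream lookup, and private-range addresses are kept separate so they are resolved against internal inventory instead of being sent to an external threat-intelligence service.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the shape the UBA Alert Trigger hands to a workflow.
# Field names follow the variable list above; every value is made up.
SAMPLE_UBA_ALERT = {
    "actors": {
        "assets": [{"assetID": "asset-001", "fqdn": "ws-42.corp.example", "shortname": "WS-42"}],
        "users": [{"distinguishedName": "CN=jdoe,OU=Users,DC=corp,DC=example",
                   "emails": ["jdoe@corp.example"], "name": "jdoe"}],
    },
    "contents": {
        "domains": ["Updates.Example.NET."],
        "ipAddresses": [{"ip": "203.0.113.25", "type": "destination"},
                        {"ip": "10.20.30.40", "type": "source"},
                        {"ip": "not-an-ip", "type": "source"}],
        "processes": [{"assetID": "asset-001",
                       "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
                       "hashes": [{"hash": "0" * 64, "type": "sha256"},
                                  {"hash": "zz", "type": "md5"}],
                       "name": "powershell.exe", "processID": 4242}],
        "urls": ["http://updates.example.net/stage2.ps1", "javascript:alert(1)"],
    },
    "description": "Encoded PowerShell launched from a user session",
    "investigation ID": "inv-0001",
    "link": "https://insight.example/idr/investigations/inv-0001",
    "name": "Suspicious Process",
    "timestamp": "2024-05-01T12:34:56Z",
    "type": "Suspicious Process",
}

# Assumed split: these ranges are resolved against internal inventory rather
# than sent to external threat-intelligence lookups.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "fc00::/7", "::1/128")]
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # digest length decides the type
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_domain(value):
    """Lower-case, strip a trailing dot, and reject anything that is not a hostname."""
    if not isinstance(value, str):
        return None
    host = value.strip().lower().rstrip(".")
    return host if HOST_RE.match(host) else None


def normalize_hash(value):
    """Accept only hex digests of a known length; anything else is dropped."""
    if not isinstance(value, str) or not HEX_RE.match(value):
        return None
    kind = HASH_TYPES.get(len(value))
    return {"type": kind, "hash": value.lower()} if kind else None


def extract_indicators(alert):
    """Collect validated, de-duplicated indicators from the alert's contents object."""
    contents = alert.get("contents") or {}
    external, internal, domains, urls, hashes = set(), set(), set(), set(), {}

    for entry in contents.get("ipAddresses") or []:
        try:
            addr = ipaddress.ip_address(entry.get("ip"))
        except (ValueError, TypeError):
            continue  # malformed address: drop it rather than query on it
        (internal if any(addr in n for n in INTERNAL_NETS) else external).add(str(addr))

    for raw in contents.get("domains") or []:
        host = normalize_domain(raw)
        if host:
            domains.add(host)

    for raw in contents.get("urls") or []:
        parsed = urlparse(raw) if isinstance(raw, str) else None
        if parsed and parsed.scheme in ("http", "https") and parsed.hostname:
            urls.add(raw)
            host = normalize_domain(parsed.hostname)
            if host:
                domains.add(host)   # the URL's host is an indicator in its own right

    for proc in contents.get("processes") or []:
        for h in proc.get("hashes") or []:
            norm = normalize_hash(h.get("hash"))
            if norm:
                hashes[norm["hash"]] = norm   # de-duplicate by digest

    return {"external_ips": sorted(external), "internal_ips": sorted(internal),
            "domains": sorted(domains), "urls": sorted(urls),
            "hashes": sorted(hashes.values(), key=lambda h: h["hash"])}


def summarize_actors(alert):
    """Flatten actors.users and actors.assets into one-line identifiers for a ticket."""
    actors = alert.get("actors") or {}
    lines = [f"user:{u.get('name')} <{', '.join(u.get('emails') or [])}>"
             for u in actors.get("users") or []]
    lines += [f"asset:{a.get('shortname')} ({a.get('fqdn')}) id={a.get('assetID')}"
              for a in actors.get("assets") or []]
    return lines


if __name__ == "__main__":
    print(summarize_actors(SAMPLE_UBA_ALERT))
    print(extract_indicators(SAMPLE_UBA_ALERT))
```

On the sample, the malformed address, the javascript: URL and the non-hex hash are all discarded, the domain is normalized to updates.example.net, and 10.20.30.40 lands in internal_ips while 203.0.113.25 is the only address offered for external enrichment. The cmdline field is deliberately left alone: it is attacker-controlled text and should be displayed, never interpolated into a shell command by a later workflow step.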
SIEM (InsightIDR) Custom Alert Trigger
You can also trigger an Automation (InsightConnect) workflow from SIEM (InsightIDR) or Log Management (InsightOps) Custom Alerts.
SIEM (InsightIDR) Custom Alert triggers can be one of three types:
- Pattern Detection
- Inactivity Detection
- Change Detection.
The information available in Automation (InsightConnect) differs slightly based on what type of alert triggers the workflow.
Variables available only for certain types of alerts are marked below (Pattern Detection alerts are marked as Pattern Match). Otherwise, variables are available for all types of alerts. To differentiate between alert types within a workflow, use the type variable on the alert object.
Automation (InsightConnect) ingests the following variables when an SIEM (InsightIDR) Custom Alert trigger starts a workflow:
- alert - Object
  - id - String
  - name - String
  - type - String
  - trigger - Object
    - durationThreshold - String (Inactivity only)
    - pattern - String (Pattern Match and Inactivity only)
    - comparison - Integer (Change Detection only)
    - direction - String (Change Detection only)
    - duration - Integer (Change Detection only)
    - threshold - Number (Change Detection only)
- correlationId - String
- event - Object
  - entryObject - Object
  - timestamp - Integer
  - entry - String (Pattern Match only)
  - sequenceId - Integer (Pattern Match only)
  - lastMatchTimestamp - Integer (Inactivity only)
  - absoluteDiff - Number (Change Detection only)
  - queries - Object (Change Detection only)
    - comparison - Object
      - fromTimestamp - Integer
      - toTimestamp - Integer
      - query - String
      - value - Number
    - current - Object
      - fromTimestamp - Integer
      - toTimestamp - Integer
      - query - String
      - value - Number
- logs - Array
  - id - String
  - name - String
  - logSet - Array
    - id - String
    - name - String
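Because the fields under trigger and event differ by alert type, a workflow step that reads them must branch on alert.type before touching anything type-specific. The following added example (this is illustration code, not code from the Rapid7 documentation or the InsightConnect product) does that over three constructed payloads, one per alert type, in the shape listed above. The page does not give the literal strings that alert.type carries, so the three constants are placeholders to be replaced with the real values; the inactivity arithmetic assumes the integer timestamps are in the same unit (epoch milliseconds is assumed in the sample data). For Pattern Match alerts the raw event.entry is log text an attacker may have written, so it is stripped of control characters and truncated before it could reach a ticket, chat message or e-mail.

```python
import re

# Assumed literal values of alert.type: the page says to branch on this variable
# but does not list the strings, so these are placeholders to adjust.
PATTERN_MATCH = "PatternMatch"
INACTIVITY = "Inactivity"
CHANGE = "ChangeDetection"

# Raw log entries are attacker-influenced text: strip terminal escapes and NULs
# and cap the length before the entry is pasted anywhere a human will read it.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_entry(entry, limit=512):
    cleaned = CONTROL_CHARS.sub("", str(entry))
    return cleaned if len(cleaned) <= limit else cleaned[:limit] + "...[truncated]"


def _require(obj, keys, where):
    missing = [k for k in keys if k not in obj]
    if missing:
        raise KeyError(f"{where} is missing {missing}")


def summarize_custom_alert(payload):
    """Return a flat summary dict, reading only the fields valid for alert.type."""
    alert, event = payload["alert"], payload["event"]
    _require(alert, ("id", "name", "type", "trigger"), "alert")
    trigger, kind = alert["trigger"], alert["type"]
    summary = {
        "id": alert["id"], "name": alert["name"], "type": kind,
        "correlation_id": payload.get("correlationId"),
        "logs": [f"{log.get('name')} ({log.get('id')})" for log in payload.get("logs") or []],
    }
    if kind == PATTERN_MATCH:
        _require(event, ("entry", "sequenceId", "timestamp"), "event")
        summary.update(pattern=trigger.get("pattern"), sequence_id=event["sequenceId"],
                       timestamp=event["timestamp"], matched_entry=sanitize_entry(event["entry"]))
    elif kind == INACTIVITY:
        _require(event, ("lastMatchTimestamp", "timestamp"), "event")
        summary.update(pattern=trigger.get("pattern"),
                       duration_threshold=trigger.get("durationThreshold"),
                       # difference in whatever unit the timestamps use (assumed epoch ms)
                       silent_for=event["timestamp"] - event["lastMatchTimestamp"])
    elif kind == CHANGE:
        _require(event, ("absoluteDiff", "queries"), "event")
        cur, base = event["queries"]["current"], event["queries"]["comparison"]
        pct = (cur["value"] - base["value"]) / base["value"] * 100 if base["value"] else None
        summary.update(query=cur.get("query"), current=cur["value"], baseline=base["value"],
                       absolute_diff=event["absoluteDiff"], percent_change=pct,
                       direction=trigger.get("direction"), threshold=trigger.get("threshold"))
    else:
        raise ValueError(f"unsupported alert type {kind!r}")
    return summary


# Constructed payloads, one per alert type, in the shape listed above (values made up).
PATTERN_SAMPLE = {
    "alert": {"id": "a-1", "name": "Failed logon burst", "type": PATTERN_MATCH,
              "trigger": {"pattern": "EventID=4625"}},
    "correlationId": "c-1",
    "event": {"entryObject": {"EventID": 4625, "TargetUserName": "admin"},
              "timestamp": 1714567890000, "sequenceId": 77,
              "entry": "EventID=4625 TargetUserName=admin\x1b[2J"},
    "logs": [{"id": "l-1", "name": "Windows Security",
              "logSet": [{"id": "s-1", "name": "Domain Controllers"}]}],
}
INACTIVITY_SAMPLE = {
    "alert": {"id": "a-2", "name": "Agent heartbeat stopped", "type": INACTIVITY,
              "trigger": {"pattern": "heartbeat", "durationThreshold": "30m"}},
    "correlationId": "c-2",
    "event": {"entryObject": {}, "timestamp": 1714570000000, "lastMatchTimestamp": 1714568000000},
    "logs": [{"id": "l-2", "name": "Agent Health", "logSet": []}],
}
CHANGE_SAMPLE = {
    "alert": {"id": "a-3", "name": "5xx rate spike", "type": CHANGE,
              "trigger": {"comparison": 60, "direction": "increase", "duration": 60, "threshold": 50.0}},
    "correlationId": "c-3",
    "event": {"entryObject": {}, "timestamp": 1714570000000, "absoluteDiff": 30,
              "queries": {"comparison": {"fromTimestamp": 1714560000000, "toTimestamp": 1714563600000,
                                         "query": "where(status>=500) calculate(count)", "value": 20},
                          "current": {"fromTimestamp": 1714563600000, "toTimestamp": 1714567200000,
                                      "query": "where(status>=500) calculate(count)", "value": 50}}},
    "logs": [{"id": "l-3", "name": "nginx access", "logSet": [{"id": "s-3", "name": "Web"}]}],
}

if __name__ == "__main__":
    for sample in (PATTERN_SAMPLE, INACTIVITY_SAMPLE, CHANGE_SAMPLE):
        print(summarize_custom_alert(sample))
```

The _require checks turn a payload that does not match its declared type into an immediate KeyError naming the missing field, which is easier to debug than a workflow that silently carries None into a later step. An unknown type raises rather than falling through, so a new alert type added on the SIEM side is noticed instead of being summarized as if it were one of the three.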