Set Up an InsightIDR Alert Trigger

InsightConnect makes it easy to work with InsightIDR to automate incident investigation and response. There are two types of InsightIDR triggers available today:

InsightIDR UBA Alert Trigger

The InsightIDR User Behavior Analytics (UBA) Alert Trigger passes alert data from InsightIDR into an InsightConnect workflow. You can run these workflows from any InsightIDR Investigation, or you can set them to run automatically by setting up an Alert Trigger. To learn more about automating InsightIDR with InsightConnect, see the Automation documentation for InsightIDR.

InsightConnect receives the following variables from the InsightIDR UBA Alert Trigger. Nested variables are indented under the parent:

  • actors - object containing the following variables:
    • assets - array of objects containing the following variables:
      • assetID - string
      • fqdn - string
      • shortname - string
    • users - array of objects containing the following variables:
      • distinguishedName - string
      • emails - array of strings
      • name - string
  • contents - object containing the following variables:
    • domains - array of strings
    • ipAddresses - array of objects containing the following variables:
      • ip - string
      • type - string
    • processes - array of objects containing the following variables:
      • assetID - string
      • cmdline - string
      • hashes - array of objects containing the following variables:
        • hash - string
        • type - string
      • name - string
      • processID - integer
    • urls - array of strings
  • description - string
  • investigation ID - string
  • link - string
  • name - string
  • timestamp - string
  • type - string
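Most UBA-triggered workflows start by pulling the indicators out of the alert so they can be enriched or blocked. The following is an added example, not code from the InsightConnect documentation or from Rapid7: it walks the actors and contents objects listed above, treats every nested container as optional (an alert that names no process carries no processes array), and returns de-duplicated, lower-cased indicators keyed by kind, with hashes split by their type so a later step can choose the right lookup. The sample alert is constructed to match the variable list, and the link URL and asset identifiers in it are made up.

```python
"""Flatten an InsightIDR UBA Alert Trigger payload into indicator lists.

Added example, not Rapid7's code. The field names follow the UBA Alert
Trigger variable list; the sample alert below is constructed, not a real
InsightIDR alert.
"""
from collections import defaultdict

# Constructed sample payload shaped like the UBA Alert Trigger variables.
SAMPLE_UBA_ALERT = {
    "name": "Malicious Hash On Asset",
    "type": "Malicious Hash On Asset",
    "description": "A process with a known-bad hash ran on a monitored asset.",
    "timestamp": "2023-05-01T12:34:56Z",
    "link": "https://insight.example/idr/investigations/abc",  # assumed URL
    "actors": {
        "assets": [{"assetID": "a-1", "fqdn": "ws01.corp.example", "shortname": "WS01"}],
        "users": [{
            "distinguishedName": "CN=jdoe,OU=Users,DC=corp,DC=example",
            "emails": ["jdoe@corp.example", "JDOE@corp.example"],
            "name": "jdoe",
        }],
    },
    "contents": {
        "domains": ["bad.example", "Bad.Example"],
        "ipAddresses": [{"ip": "203.0.113.7", "type": "external"},
                        {"ip": "10.0.0.5", "type": "internal"}],
        "processes": [{
            "assetID": "a-1",
            "cmdline": "C:\\Temp\\dropper.exe /s",
            "hashes": [
                {"hash": "D41D8CD98F00B204E9800998ECF8427E", "type": "md5"},
                {"hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                 "type": "sha256"},
            ],
            "name": "dropper.exe",
            "processID": 4242,
        }],
        "urls": ["http://bad.example/payload"],
    },
}


def extract_indicators(alert: dict) -> dict:
    """Return de-duplicated, case-normalised indicators keyed by kind.

    Every nested container is optional, so each one is read with .get()
    and an empty default instead of being indexed directly. Hashes are
    keyed as hash_<type> so an enrichment step can pick md5 vs sha256.
    """
    actors = alert.get("actors") or {}
    contents = alert.get("contents") or {}
    out = defaultdict(set)

    for asset in actors.get("assets") or []:
        # Prefer the FQDN; fall back to the short name so nothing is dropped.
        host = asset.get("fqdn") or asset.get("shortname")
        if host:
            out["assets"].add(host.lower())
    for user in actors.get("users") or []:
        if user.get("name"):
            out["users"].add(user["name"].lower())
        for email in user.get("emails") or []:
            out["emails"].add(email.lower())

    for domain in contents.get("domains") or []:
        out["domains"].add(domain.lower())
    for entry in contents.get("ipAddresses") or []:
        # Keep the type alongside the address so an external-only block
        # list can be built from the result without re-reading the alert.
        if entry.get("ip"):
            out["ips"].add((entry["ip"], entry.get("type")))
    for url in contents.get("urls") or []:
        out["urls"].add(url)
    for proc in contents.get("processes") or []:
        if proc.get("name"):
            out["process_names"].add(proc["name"].lower())
        for h in proc.get("hashes") or []:
            if h.get("hash"):
                kind = (h.get("type") or "unknown").lower()
                out[f"hash_{kind}"].add(h["hash"].lower())

    # Sorted lists serialise cleanly as workflow output variables.
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(SAMPLE_UBA_ALERT), indent=2))
```

Because the function never indexes a nested key directly, the same step can sit behind any UBA alert type without failing on alerts that carry, say, only domains and no processes.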

InsightIDR Custom Alert Trigger

You can also trigger an InsightConnect workflow from InsightIDR or InsightOps Custom Alerts.

InsightIDR Custom Alert triggers can be one of three types:

  • Pattern Detection
  • Inactivity Detection
  • Change Detection

The information available in InsightConnect differs slightly based on what type of alert triggers the workflow.

Variables available only for certain types of alerts are marked below; the markers use "Pattern Match" for Pattern Detection alerts. Variables without a marker are available for all types of alerts. To differentiate between alert types within a workflow, use the type variable on the alert object.

InsightConnect ingests the following variables when an InsightIDR Custom Alert trigger starts a workflow:

  • alert - Object
    • id - String
    • name - String
    • type - String
    • trigger - Object
      • durationThreshold - String (Inactivity only)
      • pattern - String (Pattern Match and Inactivity only)
      • comparison - Integer (Change Detection only)
      • direction - String (Change Detection only)
      • duration - Integer (Change Detection only)
      • threshold - Number (Change Detection only)
  • correlationId - String
  • event - Object
    • entryObject - Object
    • timestamp - Integer
    • entry - String (Pattern Match only)
    • sequenceId - Integer (Pattern Match only)
    • lastMatchTimestamp - Integer (Inactivity only)
    • absoluteDiff - Number (Change Detection only)
    • queries - Object (Change Detection only)
      • comparison - Object
        • fromTimestamp - Integer
        • toTimestamp - Integer
        • query - String
        • value - Number
      • current - Object
        • fromTimestamp - Integer
        • toTimestamp - Integer
        • query - String
        • value - Number
  • logs - Array
    • id - String
    • name - String
    • logSet - Array
      • id - String
      • name - String
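Because the type-specific variables differ, a workflow that handles more than one Custom Alert type has to branch on alert.type before it reads them. The following is an added example, not code from the InsightConnect documentation or from Rapid7, that normalises a Custom Alert trigger payload into one summary per type: the matched entry and sequence ID for Pattern Detection, the silent interval for Inactivity Detection, and the baseline, current and percentage change for Change Detection. Two assumptions are made and marked in the code: the exact strings carried in alert.type are not stated on this page, so the classifier matches on the words "pattern", "inactivity" and "change"; and the integer timestamps are treated as epoch milliseconds. The three payloads are constructed to match the variable list.

```python
"""Route an InsightIDR Custom Alert Trigger payload by alert type.

Added example, not Rapid7's code. Field names follow the Custom Alert
Trigger variable list. Assumptions: alert.type contains one of the words
'pattern', 'inactivity' or 'change' (exact values are not documented
here), and event timestamps are epoch milliseconds. Payloads are constructed.
"""
from datetime import datetime, timezone

LOGS = [{"id": "log-1", "name": "Windows Security",
         "logSet": [{"id": "ls-1", "name": "Domain Controllers"}]}]

PATTERN_ALERT = {
    "alert": {"id": "al-1", "name": "Failed logons", "type": "Pattern Detection",
              "trigger": {"pattern": "where(result=FAILURE)"}},
    "correlationId": "c-1",
    "event": {"entry": '{"result":"FAILURE","user":"jdoe"}',
              "entryObject": {"result": "FAILURE", "user": "jdoe"},
              "timestamp": 1_700_000_000_000, "sequenceId": 17},
    "logs": LOGS,
}
INACTIVITY_ALERT = {
    "alert": {"id": "al-2", "name": "Heartbeat missing", "type": "Inactivity Detection",
              "trigger": {"pattern": "where(event=heartbeat)", "durationThreshold": "10 minutes"}},
    "correlationId": "c-2",
    "event": {"entryObject": {}, "timestamp": 1_700_000_900_000,
              "lastMatchTimestamp": 1_700_000_000_000},
    "logs": LOGS,
}
CHANGE_ALERT = {
    "alert": {"id": "al-3", "name": "Logon spike", "type": "Change Detection",
              "trigger": {"comparison": 60, "direction": "increase", "duration": 60, "threshold": 50.0}},
    "correlationId": "c-3",
    "event": {"entryObject": {}, "timestamp": 1_700_000_000_000, "absoluteDiff": 120.0,
              "queries": {
                  "comparison": {"fromTimestamp": 1_699_992_800_000, "toTimestamp": 1_699_996_400_000,
                                 "query": "calculate(count)", "value": 80.0},
                  "current": {"fromTimestamp": 1_699_996_400_000, "toTimestamp": 1_700_000_000_000,
                              "query": "calculate(count)", "value": 200.0}}},
    "logs": LOGS,
}


def classify(alert_type: str) -> str:
    """Map alert.type to 'pattern', 'inactivity' or 'change' (assumed keywords)."""
    t = (alert_type or "").lower()
    for kind in ("pattern", "inactivity", "change"):
        if kind in t:
            return kind
    raise ValueError(f"unrecognised custom alert type: {alert_type!r}")


def _iso(ms: int) -> str:
    # Assumption: integer timestamps are epoch milliseconds.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def summarize(payload: dict) -> dict:
    """Return the fields common to all types plus the ones for this type only."""
    alert = payload["alert"]
    trigger = alert.get("trigger") or {}
    event = payload.get("event") or {}
    kind = classify(alert.get("type"))
    summary = {
        "kind": kind,
        "alert_id": alert.get("id"),
        "alert_name": alert.get("name"),
        "correlation_id": payload.get("correlationId"),
        "fired_at": _iso(event["timestamp"]),
        "log_names": [log.get("name") for log in payload.get("logs") or []],
    }
    if kind == "pattern":
        # entryObject is the parsed form of entry; prefer it over re-parsing the string.
        summary.update(pattern=trigger.get("pattern"), sequence_id=event.get("sequenceId"),
                       matched_entry=event.get("entryObject") or {})
    elif kind == "inactivity":
        silent_ms = event["timestamp"] - event["lastMatchTimestamp"]
        summary.update(pattern=trigger.get("pattern"),
                       duration_threshold=trigger.get("durationThreshold"),
                       last_match_at=_iso(event["lastMatchTimestamp"]),
                       silent_seconds=silent_ms // 1000)
    else:
        queries = event.get("queries") or {}
        baseline = (queries.get("comparison") or {}).get("value")
        current = (queries.get("current") or {}).get("value")
        # Percentage change against the comparison window; None when the
        # baseline is zero or missing, so the caller does not divide by zero.
        pct = None
        if baseline and current is not None:
            pct = round((current - baseline) / baseline * 100, 1)
        summary.update(direction=trigger.get("direction"), threshold=trigger.get("threshold"),
                       baseline_value=baseline, current_value=current,
                       absolute_diff=event.get("absoluteDiff"), percent_change=pct)
    return summary


if __name__ == "__main__":
    for p in (PATTERN_ALERT, INACTIVITY_ALERT, CHANGE_ALERT):
        print(summarize(p))
```

Raising on an unrecognised type, rather than silently falling through to one branch, keeps a misconfigured trigger from producing a summary that looks valid but reads the wrong variables.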