Getting Started with SOC Automation: Days 1 to 15
During your first 15 days of using SOC Automation, you will learn the fundamentals of how InsightIDR and InsightConnect work together alongside the Insight Orchestrator and Cloud plugins to power workflows. Follow these steps to get started:
- Before you begin
- Rapid7 Automation
- Utilize a Pre-Build Workflow with InsightConnect
- Launch a Workflow From an Investigation
- Set Up an Orchestrator and Plugins
Before you begin
Review the Ransomware Toolkit to find recommended processes that have been frequently asked for by our SOC Automation customers. We recommend you implement all workflows that are relevant to your environment. Most of these workflows are designed to provide greater operational efficacy to your incident response program and can be extended through Slack or Microsoft Teams to expand the visibility of your program outside the security team.
Rapid7 Automation
Estimated Time to Complete: 30 seconds
- From the Home page, click the Quick Action button in the upper right hand corner. Quick actions don’t require an orchestrator or the workflow to be imported or managed.
- Select a use case and begin using these zero deployment use cases at any point when you’re signed into the Insight Platform!
- Learn about more InsightConnect plugins and workflows that you can begin to import and customize by accessing the Rapid7 Extensions Library with the icon next to the gear in the upper right corner of your insight platform (the black bar at the top).
Utilize a Pre-Built Workflow with InsightConnect
Estimated Time to Complete: 1 min
Prebuilt workflows allow you to quickly automate common tasks with InsightConnect.
- Log into InsightConnect.
- Navigate to the Home page and switch the toggle from Dashboard to the Discover view at the top.
- Underneath Recommended Workflows for Threat Detection & Response will be a workflow template named “Hello IDR Alert“. Select the options to Import the template and review the workflow details.
- Press Activate in the upper right hand corner of the Control Panel view to finish deploying your first workflow.
Congratulations! You have successfully imported and deployed your first workflow template into InsightConnect
Check out more workflow recommendations with the InsightConnect Discover Experience when you’re ready to expand your automation usage across your security program! *
Launch a Workflow From an Investigation
Estimated Time to Complete: 5 minutes
- Log in to InsightIDR.
- Once you’ve configured your foundational event sources, click Investigations in the left navigation bar.
- Click on the name of any investigation that’s been generated and once the investigation has opened click the Take Action button in the upper right hand corner.
- Click the dropdown menu titled Select an Action Category, select All Workflows and Agent Actions then click the Continue button.
- Click the dropdown menu titled Select an Automation Action, then click Hide Disabled Workflows for All Sections to hide any workflows you are not able to utilize with this investigation. Select the “Hello IDR Alert” workflow and then click the Continue button.
- If there are any details to configure, they will be shown in the Configuration Details section. Otherwise a message will state that “No configuration details are available for this particular action.
- Click the Take Action button on the bottom of your screen and you will be taken back to the investigation.
On the Investigations page, a pop up banner will state “The workflow action requested has started processing. We will notify you when this action completes.” Once the action is complete a message will state “The requested workflow activity has been completed.”
Congratulations! You have successfully launched a workflow from an InsightIDR investigation
Set Up an Orchestrator and Plugins
Estimated Time to Complete: 1 hour
To get the most out of SOC Automation capabilities, you will need to install an Insight Orchestrator, install plugins and set up plugin connections.
Install and Activate the Insight Orchestrator
The Insight Orchestrator is an on-premise component that gives the Insight platform the power to automate services, tools, and other Rapid7 products from inside your environment.
- Install and activate the Insight Orchestrator with these instructions. You’ll need to meet these system and network requirements to do so.
- Troubleshoot your orchestrator with these instructions.
Learn more about the Insight Orchestrators and how you can use it across Rapid7 products by visiting the “Insight Orchestrator Overview” section of the help documentation.
Import Plugins for Your Organization
InsightConnect supports over 300 plugins to effectively automate your security processes.
To import a plugin, follow the steps under Use Plugins.
If you don’t find the tool you need in our available plugins, don’t worry! In many cases, your security needs can be addressed with other plugins, or you can reach out to us through the Discuss Forum to request a new plugin.
Set Up Connections for Each Plugin
After importing plugins, you need to set up individual connections for each plugin to authenticate InsightConnect to third-party tools and accounts. You can have multiple connections per plugin to cover your needs.
Connections typically include credentials, like API keys or other sensitive information, and parameters, like IP addresses or port numbers.
- Find connection information and add new connections to InsightConnect
- Test that each connection works properly
You can also read about cloud plugins to deploy automation without an Insight Orchestrator required. More cloud options can be found in extensions under: Cloud Enabled.
Congratulations!
You’ve used a pre-built workflow, launched a workflow from an investigation and set up your environment. Next, Create alerts and define use cases.