Link Alerts and Define Use Cases: Days 16-45
Once you understand the basics of SOC Automation and have the Insight Orchestrator and plugins installed, you can start to automate processes using alerts. During this stage, we also recommend you identify specific use cases where automation can make an impact for your team’s needs:
Pair a Workflow with an Alert
Estimated Time to Complete: 5 minutes
To pair a workflow with an alert, you can use what is called an “Alert Trigger.” This trigger will automatically run the selected workflow in response to an alert being created. To learn more about how to create an alert trigger, visit the Alert Triggers page.
Link Alert Triggers to Custom Alerts
Estimated Time to Complete: 30 to 45 minutes
Link an alert trigger to a custom alert to kick off a workflow, automating predefined actions associated with a threat. Visit Custom Alerts & InsightConnect workflows to set up automation for Custom Alerts.
Map Use Cases
Estimated Time to Complete: As much time as you need
Before you dive into Customizing and Activating Workflows, we recommend you review your current security processes and identify specific use cases where automation can make an impact. For inspiration on processes to consider with SOC Automation, check out Rapid7’s SOC Automation Playbook. These use cases will help you determine the workflows that you should build as well as help you discover additional plugins and connections you can add to InsightConnect.
Check for Existing Documentation
You may have already documented your security processes in places like policy documentation, threat maps, or response maps.
Think about any of your processes that might:
- Eat into your security team’s time.
- Take up too much manpower or computing power.
- Be completed manually or individually when you wish they could be done in bulk.
- Be repetitive, tedious, or constantly running.
- Are highly sensitive to human error or timing.
A few common examples other InsightConnect customers have found value immediate value include:
- Lookup user, asset, vulnerability, and indicator geolocation or reputation data.
- Confirm true and false positive alerts with context provided by lookups.
- Update tickets in ITSM technologies or expand team visibility by posting alerts to Chatops.
- Containment and management of user accounts, assets, and firewall policies.
Once you have a specific process in mind, consider these questions:
What information starts this process?
- This will be your workflow’s trigger in InsightConnect. For example, you may solicit reports from your users of phishing attempts. A potential phishing report could be a “trigger” that kicks off your security process to respond to this incident.
Where does this data come from?
- This information helps you determine what kind of trigger you may need. In a phishing case, you could use a plugin trigger configured for Gmail, Office365, Microsoft Exchange, or IMAP – or an API trigger for more unique cases.
What are the potential outcomes of your process?
- This is the goal or goals your workflow is building toward. For example, a phishing workflow could contain multiple paths - a malicious path that performs remediation after the message is determined to be malicious, and a benign path that notifies the reporter that the message appears safe.
What do you do with that information?
- The things you do with security information are your workflow steps in InsightConnect. For example, in a phishing incident response process, you might move the email to spam, forward it to your security team, block or flag the sender’s IP, or take other actions. You would add a workflow step to perform each of these tasks.
Which tools help you carry out these actions?
- The tools that help you carry out the actions in the previous step are your plugins in InsightConnect. For example, do you use ticketing software like JIRA or ServiceNow to track your team’s work? What about patching tools for your network, like IBM BigFix or Microsoft SCCM?
What kind of login, account, or configuration information do you use with those tools?
This information helps you configure connections for each plugin. These connections are how InsightConnect brings information from those products into your workflow. For example, if you use Gmail, you likely have a few administrative accounts that manage your organization’s communications.
Your responses to these questions will help you understand how to build your InsightConnect workflow. Keep track of your list of security tools! You’ll import plugins for those tools into InsightConnect next.
You’ve paired a workflow with an alert, linked alert triggers to custom alerts, and mapped use cases. Next, Customize and activate workflows!