Customize and Activate Workflows: Days 46 to 90 (and beyond!)

Building workflows allows you to automate specific tasks to reduce time to containment and save your team time.

Build Your First Workflow

Estimated Time to Complete: Depends on the workflow you choose to build!

Remember the automation use cases you mapped in the previous step? We recommend you choose a use case and build that into a workflow.

  1. Choose and configure a trigger: Think about what kicks off your security process, then decide what trigger type works best for gathering relevant data.
  2. Add and configure steps one by one: Steps are the “building blocks” of your workflow, and they help pass data between all parts of your process efficiently with little to no code.
    If your trigger or steps involve plugins, you’ll need to configure connections to any of your third-party security tools. After you set up new connections or use existing ones, your connection test will automatically run. You can view your connection tests in the Status page under Settings to make sure they correctly communicate with your third-party tools.
  3. Consider using automated or human decisions: The automation use case you mapped might follow different processes depending on the information you have. For example, in a phishing scenario, you might want to pause the workflow for a human team member to review the information your workflow gathered to determine if it is a phishing email before the workflow continues processing. Decision steps can be automated or human-controlled, and will split your workflow into multiple paths that each contain different steps.
  4. Consider using a template from the Extension Library: The Extension Library contains over 80 prebuilt workflows you can reference, modify, or simply use as is. If a workflow in the Extension Library does what you are trying to accomplish but uses different technologies (such as Office365 instead of Gmail), simply import the workflow and swap out the Office365 steps for Gmail steps. Leveraging the workflows in the Extension Library can be a very powerful option to jump-start your InsightConnect workflow building!

Test and Activate Your Workflow

Estimated Time to Complete: 1 hour

After you’ve added all of the steps you need to accurately represent your security process, you should test your workflow to ensure it accomplishes exactly what it’s meant to. If all goes well, it’s time to activate the workflow and start automating!

When your workflow test passes, click on the Activate button in the workflow builder. Your trigger will now actively listen for the required behavior, and your workflow will begin to create jobs that collect information every time the workflow runs.

Please note that testing a workflow involves simulating the output of the trigger. In some situations it is more efficient to activate the workflow with a test trigger configuration, such as changing the mailbox being monitored for phishing reports, and run tests by sending actual emails into the test mailbox. This eliminates the need to construct complex test data. When you are finished testing this way, reconfigure the trigger to monitor your production data source.

Congrats, you have completed the SOC Automation Success Plan!

Now you’re ready to automate the rest of your security processes. Refer to the diagrams or maps you created when you first started using InsightConnect, and follow these instructions to make workflows for each of your use cases.