VM Triggers and Extending VM Use Cases: Days 16-45

Once you understand the basics of VM Automation and have the Insight Orchestrator and plugins installed, you can start to automate processes using events. During this stage, we also recommend you identify specific use cases where automation can make an impact for your team’s needs:

Extending Automation in Vulnerability Management

Estimated Time to Complete: 30 to 45 minutes

You learned the basics of integrating InsightVM and InsightConnect, now it’s time to take it farther! You’ve got the guitar, but now we need to add the bass, drums, and vocals to your band!

The InsightVM Automation Toolkit contains the missing pieces of your vulnerability management band. Review the different categories and implement as many of them as you can. Most of these workflows are designed to improve the operational efficiency of your vulnerability management program, and they can be extended through Slack or Microsoft Teams to give teams outside security visibility into your program.

Launching a Workflow from an InsightVM Trigger Event

Estimated Time to Complete: 10 minutes

  1. Log in to the Insight Platform and browse to My Account. Then click on the key on the left and create a new User API Key. Store it as you would a password; it grants API access to your Insight Platform account.
  2. In the Extension Library, search for Alert on New High Risk Vulnerability in InsightVM with Slack or Alert on New High Risk Vulnerability in InsightVM with Microsoft Teams. Import the workflow into InsightConnect.
  3. At the end of the wizard, you’ll be directed to configure the trigger. Paste in the API key and then run the command provided on your local computer. An HTTP 200 response in the command line confirms that the webhook event subscription was created. Run this command only once; running it again creates a duplicate webhook event subscription, and each event would then trigger the workflow more than once.
  4. Configure the workflow in the SETTINGS step to tell the workflow where to post the alerts.
  5. Click the Activate button! The workflow sends a message with enhanced vulnerability details when InsightVM detects a new vulnerability with a CVSS score higher than 7. Check the trigger’s severity filter after import so the threshold matches your own definition of high risk. For more details, check out the supporting documentation for InsightVM Event Triggers.
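
To make the trigger’s severity filter and the duplicate-subscription caveat concrete, here is a small Python model of that workflow’s decision logic, added for this guide. It is an illustration, not InsightConnect workflow code or a Rapid7 plugin, and the event payload fields (event_id, asset, vuln_id, title, cvss) and the four sample events are constructed assumptions, not InsightVM’s real webhook schema.

```python
"""Local model of the 'Alert on New High Risk Vulnerability' decision logic.

Added illustration for this guide. The event payload shape is an
assumption made for the example, not InsightVM's webhook schema.
"""

HIGH_RISK_THRESHOLD = 7.0  # the guide's "CVSS higher than 7"

# Constructed sample events (hypothetical field names and values).
# evt-001 is delivered twice, as it would be if the registration command
# had been run twice and created two webhook event subscriptions.
SAMPLE_EVENTS = [
    {"event_id": "evt-001", "asset": "web-01.example.internal",
     "vuln_id": "vuln-a", "title": "Example vuln A", "cvss": 9.8},
    {"event_id": "evt-002", "asset": "db-02.example.internal",
     "vuln_id": "vuln-b", "title": "Example vuln B", "cvss": 7.0},
    {"event_id": "evt-003", "asset": "web-01.example.internal",
     "vuln_id": "vuln-c", "title": "Example vuln C", "cvss": 5.3},
    {"event_id": "evt-001", "asset": "web-01.example.internal",
     "vuln_id": "vuln-a", "title": "Example vuln A", "cvss": 9.8},
]


def is_high_risk(event, threshold=HIGH_RISK_THRESHOLD, inclusive=False):
    """Return True when the event's CVSS score passes the threshold.

    The guide says "higher than 7", i.e. strictly greater. CVSS v3 labels
    7.0-8.9 as High, so a score of exactly 7.0 is only caught when
    inclusive=True. Decide which you mean and check the trigger filter.
    """
    score = float(event["cvss"])
    return score >= threshold if inclusive else score > threshold


def build_slack_message(event):
    """Build a Slack incoming-webhook payload; "text" is the only required key."""
    return {
        "text": (
            f":rotating_light: New high-risk vulnerability on {event['asset']}: "
            f"{event['title']} (CVSS {event['cvss']:.1f}, id {event['vuln_id']})"
        )
    }


class Alerter:
    """Applies the threshold and suppresses repeat deliveries of one event."""

    def __init__(self, inclusive=False):
        self.inclusive = inclusive
        self.seen = set()   # event_ids already handled
        self.sent = []      # messages that would be posted to Slack/Teams

    def handle(self, event):
        # Dedup by event_id: a duplicate webhook subscription delivers the
        # same event twice, which would otherwise post two alerts.
        if event["event_id"] in self.seen:
            return "duplicate"
        self.seen.add(event["event_id"])
        if not is_high_risk(event, inclusive=self.inclusive):
            return "below_threshold"
        self.sent.append(build_slack_message(event))
        return "alerted"


def run(events, inclusive=False):
    """Process events in order; return (per-event outcomes, messages to send)."""
    alerter = Alerter(inclusive=inclusive)
    outcomes = [alerter.handle(e) for e in events]
    return outcomes, alerter.sent


if __name__ == "__main__":
    for inclusive in (False, True):
        outcomes, messages = run(SAMPLE_EVENTS, inclusive=inclusive)
        print(f"inclusive={inclusive}: {outcomes}")
        for message in messages:
            print("  ", message["text"])
```

Running it shows why the registration command must run only once: the second subscription delivers evt-001 again, and the only thing standing between you and a duplicate Slack post is the dedup on the event identifier. The inclusive flag also makes the difference between “higher than 7” and CVSS v3’s High band visible, since the 7.0 event is alerted on only when the comparison is inclusive.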

Map Use Cases

Estimated Time to Complete: As much time as you need

Before you dive into Customizing and Activating Workflows, we recommend you review your current security processes and identify specific use cases where automation can make an impact. For inspiration on processes to consider with VM Automation, check out Rapid7's VM Automation Toolkit. These use cases will help you determine the workflows that you should build as well as help you discover additional plugins and connections you can add to InsightConnect.

Check for Existing Documentation

You may have already documented your security processes in places like policy documentation or remediation procedures.

Think about any of your processes that might:

  • Eat into your security team’s time.
  • Take up too much manpower or computing power.
  • Be completed manually or individually when you wish they could be done in bulk.
  • Be repetitive, tedious, or constantly running.
  • Be highly sensitive to human error or timing.

A few common examples in which other InsightConnect customers have found immediate value include:

  • Tag assets in InsightVM with metadata from Active Directory, ServiceNow CMDB, and other SAM solutions.
  • Confirm true and false positive alerts with context provided by lookups.
  • Create and/or update tickets in ITSM technologies, or expand team visibility by posting alerts to ChatOps.
  • Contain and manage user accounts, assets, and firewall policies for critically vulnerable devices.

Once you have a specific process in mind, consider these questions:

What information starts this process?

  • This will be your workflow’s trigger in InsightConnect. For example, you may trigger a workflow when the status of a remediation ticket changes or when an asset is discovered for the first time by InsightVM.

Where does this data come from?

  • This information helps you determine what kind of trigger you may need. In a phishing case, you could use a plugin trigger configured for Gmail, Office 365, Microsoft Exchange, or IMAP, or an API trigger for more unique cases.

What are the potential outcomes of your process?

  • This is the goal or goals your workflow is building toward. For example, a phishing workflow could contain multiple paths - a malicious path that performs remediation after the message is determined to be malicious, and a benign path that notifies the reporter that the message appears safe.

What do you do with that information?

  • The things you do with security information are your workflow steps in InsightConnect. For example, in a phishing incident response process, you might move the email to spam, forward it to your security team, block or flag the sender’s IP, or take other actions. You would add a workflow step to perform each of these tasks.

Which tools help you carry out these actions?

  • The tools that help you carry out the actions in the previous step are your plugins in InsightConnect. For example, do you use ticketing software like JIRA or ServiceNow to track your team’s work? What about patching tools for your network, like IBM BigFix or Microsoft SCCM?

What kind of login, account, or configuration information do you use with those tools?

  • This information helps you configure connections for each plugin. These connections are how InsightConnect brings information from those products into your workflow. For example, if you use Gmail, you likely have a few administrative accounts that manage your organization’s communications.

Your responses to these questions will help you understand how to build your InsightConnect workflow. Keep track of your list of security tools! You’ll import plugins for those tools into InsightConnect next.

Sweet!

You’ve launched a workflow from an InsightVM trigger event, sent its alerts through ChatOps, and mapped use cases. Next, Customize and activate workflows!