Alert Triggers for UBA Detection Rules and Basic Detection Rules

Custom Alerts have been renamed to Basic Detection Rules

Starting in May 2023, we will begin rolling out detection terminology changes to better reflect the functions of the Custom Alerts feature:

  • Custom Alerts are now called Basic Detection Rules
  • Pattern Detection Alerts are now called Log Pattern Detection Rules
  • Inactivity Detection Alerts are now called Log Inactivity Detection Rules
  • Change Detection Alerts are now called Log Change Detection Rules

The functions of these features remains the same. These terminology changes will be implemented throughout the documentation and in InsightIDR.

You can configure an Alert Trigger to automatically initiate a workflow in response to a security incident. Automated Alert Triggers help you mitigate and resolve issues quickly, saving you time. Alert Triggers can only be configured for User Behavior Analytics detection rules and basic detection rules (formerly known as custom alerts). To automate ABA detection rules, read how to get started with ABA automation.

To get started with Alert Triggers:

Install and Activate an Orchestrator

If you haven’t already, make sure that you have installed and activated an orchestrator before starting the Alert Trigger configuration process. Alert Triggers are designed to initiate automation workflows, so an active orchestrator must be present at the time of configuration.

If you already have installed and activated an orchestrator in your environment, proceed to the next section.

Configure UBA Detection Rules and Basic Detection Rules

Alert Triggers rely on investigations that InsightIDR creates in response to user actions on your network. InsightIDR determines whether or not to create these investigations for each action according to the options specified in your settings for User Behavior Analytics detection rules and basic detection rules. Before you configure an Alert Trigger, verify that all desired UBA detection rules and basic detection rules for which you want to run a workflow are set to Creates Investigations to ensure that InsightIDR creates an investigation when they occur.

NOTE

UBA detection rules that are set to Tracks Notable Events or Off will not generate an investigation if InsightIDR detects them.

To verify that your UBA detection rules are set to Creates Investigations:

  1. Sign in to InsightIDR.
  2. On the left menu, select Detection Rules > User Behavior Analytics tab.
  3. Browse through the user action categories listed in the “Detection Rule” column. Make sure that all desired detection rules are set to Creates Investigations in the “Rule Action” column.
  4. If you made any changes, click Save when finished.

User Behavior Analytics tab

Configure Alert Triggers

Now that you’ve verified that your alert types are set to generate investigations, you’re ready to create your first Alert Trigger.

To create an Alert Trigger:

  1. Click the Automation tab on your left menu. The “Automation” screen displays.
  2. Click the UBA Alert Triggers tab. UBA Alert Triggers
  3. Click Create Alert Trigger in the upper right corner. The “Create Alert Trigger” panel appears.
  4. Select an action category from the dropdown list. This allows you to focus your list of selectable workflows according to the kind of action that you want to take. Click Continue.
    • If you want to select from all available workflows, select All Workflows.
  5. Select a workflow from the dropdown list. A color-coded tag on the right side of the workflow name indicates the object that the workflow accepts as input.
    • Workflows that accept multiple objects appear with gray-colored tags. Hover over this tag to see what objects this workflow accepts as input.
    • If you are configuring a new workflow, make sure you select the template version of the workflow you want to run. Templates are indicated by a small Rapid7 logo next to the workflow name.
  6. After selecting your workflow, InsightIDR will detail the steps that the workflow will move through as it executes. Click Continue when ready.
  7. Select one or more alert types from the dropdown list. Your workflow will trigger when InsightIDR creates an investigation based on any of these selected alert types.
  8. If you are configuring a new workflow from a template, configure any required connections as necessary.
    • If you selected an existing workflow from the dropdown list (one that does not have a Rapid7 logo next to its name), then InsightIDR will automatically use the orchestrators and connections that were specified in the previously existing workflow.
  9. Verify that your configuration options are correct. Click Add Alert Trigger to save your new Alert Trigger.

Your new Alert Trigger will be enabled by default and will now appear in the Alert Triggers table.

Manage Alert Triggers

After you configure one or more Alert Triggers, you can manage them on the Alert Triggers tab of the “Automation” page.

Alert Trigger Status

By default, all newly created Alert Triggers are enabled and active as soon as you save them. If you want to disable an Alert Trigger for any reason, toggle the workflow switch to the Off position in the “Status” column. To enable a disabled Alert Trigger, toggle the switch again to the On position.

Alert Triggers with the “N/A” Status

Short for “Not Applicable”, an Alert Trigger will assume this status if a change to one of its dependencies prevents the workflow from running. Alert Triggers with the “N/A” status will not run and cannot be enabled until the underlying issue is addressed. Reasons for an Alert Trigger assuming the “N/A” status include:

  • Deletion of the workflow that the Alert Trigger is configured to run
  • This is often the result of a custom workflow being deleted from InsightConnect. Alert Triggers with this condition cannot be enabled again, so you must create a new Alert Trigger after you recreate the workflow in InsightConnect.
  • Modification of the Alert Trigger’s alert type to a value other than Alert
  • Alert Triggers can only kick off their attached workflows based on investigations that InsightIDR creates in response to user actions. An Alert Trigger will assume the “N/A” status if the alert type value is changed from Alert to something else. To enable an “N/A” workflow of this type again, verify that your alert type is set properly.