Triggers for Legacy Detection Rules and Basic Detection Rules

Custom Alerts have been renamed to Basic Detection Rules

Starting in May 2023, we will begin rolling out detection terminology changes to better reflect the functions of the Custom Alerts feature:

  • Custom Alerts are now called Basic Detection Rules
  • Pattern Detection Alerts are now called Log Pattern Detection Rules
  • Inactivity Detection Alerts are now called Log Inactivity Detection Rules
  • Change Detection Alerts are now called Log Change Detection Rules

The functions of these features remain the same. These terminology changes will be implemented throughout the documentation and in InsightIDR.

You can configure a trigger to automatically initiate a workflow in response to a security incident. Automated triggers help you mitigate and resolve issues quickly, saving you time. Triggers can only be configured for legacy detection rules and basic detection rules (formerly known as custom alerts). To automate ABA detection rules, read how to get started with ABA automation.

To get started with triggers:

Install and activate an orchestrator

If you haven’t already, make sure that you have installed and activated an orchestrator before starting the trigger configuration process. Triggers are designed to initiate automation workflows, so an active orchestrator must be present at the time of configuration.

If you already have installed and activated an orchestrator in your environment, proceed to the next section.

Configure legacy detection rules and basic detection rules

Triggers rely on investigations that InsightIDR creates in response to user actions on your network. InsightIDR determines whether or not to create these investigations for each action according to the options specified in your settings for legacy detection rules and basic detection rules. Before you configure a trigger, verify that all desired legacy detection rules and basic detection rules for which you want to run a workflow are set to Creates Investigations to ensure that InsightIDR creates an investigation when they occur.

NOTE

Detection rules that are set to Tracks Notable Events or Off will not generate an investigation when InsightIDR detects a matching event, so no trigger can run for them.

To verify that your legacy detection rules are set to Creates Investigations:

  1. Sign in to InsightIDR.
  2. On the left menu, select Detection Rules > Legacy UBA Detection Rules tab.
  3. Browse through the user action categories listed in the Detection Rule column. Make sure that all desired detection rules are set to Creates Investigations in the Rule Action column.
  4. If you made any changes, click Save when finished.

Configure triggers for legacy detection rules

Now that you’ve verified that your detection rules are set to generate investigations, you’re ready to create your first trigger.

To create a trigger:

  1. Click the Automation tab on the InsightIDR left menu. The Automation screen displays.
  2. Click the Triggers tab.
  3. Click Create Trigger in the upper right corner. The Create Trigger panel appears.
  4. Select an action category from the dropdown list. This allows you to focus your list of selectable workflows according to the kind of action that you want to take. Click Continue.
    • If you want to select from all available workflows, select All Workflows.
  5. Select a workflow from the dropdown list. A color-coded tag on the right side of the workflow name indicates the object that the workflow accepts as input.
    • Workflows that accept multiple objects appear with gray-colored tags. Hover over this tag to see what objects this workflow accepts as input.
    • If you are configuring a new workflow, make sure you select the template version of the workflow you want to run. Templates are indicated by a small Rapid7 logo next to the workflow name.
  6. After selecting your workflow, InsightIDR will detail the steps that the workflow will move through as it executes. Click Continue when ready.
  7. Select one or more legacy UBA detection rules from the dropdown list. Your workflow will trigger when InsightIDR creates an investigation based on any of these selected detection rules.
  8. If you are configuring a new workflow from a template, configure any required connections as necessary.
    • If you selected an existing workflow from the dropdown list (one that does not have a Rapid7 logo next to its name), then InsightIDR will automatically use the orchestrators and connections that were specified in the previously existing workflow.
  9. Verify that your configuration options are correct. Click Add Trigger to save your new trigger.

Your new trigger will be enabled by default and will now appear in the Triggers table.

Manage triggers

After you configure one or more triggers, you can manage them on the Triggers tab of the Automation page.

Trigger status

By default, all newly created triggers are enabled and active as soon as you save them. If you want to disable a trigger for any reason, toggle the workflow switch to the Off position in the Status column. To enable a disabled trigger, toggle the switch again to the On position.

Triggers with the N/A status

N/A is short for Not Applicable. A trigger assumes this status if a change to one of its dependencies prevents the workflow from running. Triggers with the N/A status will not run and cannot be enabled until the underlying issue is addressed. Reasons for a trigger assuming the N/A status include:

  • Deletion of the workflow that the trigger is configured to run: This is often the result of a custom workflow being deleted from InsightConnect. Triggers with this condition cannot be enabled again, so you must create a new trigger after you recreate the workflow in InsightConnect.
  • Modification of the trigger's detection rule Rule Action to a value other than Creates Investigations: Triggers can kick off their attached workflows only based on investigations that InsightIDR creates in response to user actions. A trigger will assume the N/A status if the detection rule value is changed from Creates Investigations to something else. To enable an N/A trigger of this type again, verify that the detection rule is configured properly.
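The dependencies described above (Rule Action set to Creates Investigations, the workflow still existing in InsightConnect, and the On/Off switch) can be modelled as a small pre-flight check. This is an added illustrative model, not InsightIDR or InsightConnect code; the rule names, workflow names and the assumption that any one rule leaving Creates Investigations makes a multi-rule trigger N/A are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Rule Action values named on this page
CREATES_INVESTIGATIONS = "Creates Investigations"
TRACKS_NOTABLE_EVENTS = "Tracks Notable Events"
OFF = "Off"


@dataclass
class Trigger:
    name: str
    workflow: str          # workflow the trigger runs
    rules: Set[str]        # legacy detection rules that may fire it
    enabled: bool = True   # new triggers are enabled by default


def trigger_status(t: Trigger, rule_actions: Dict[str, str],
                   existing_workflows: Set[str]) -> Tuple[str, str]:
    """Return (status, reason) where status is "N/A", "On" or "Off".

    rule_actions maps detection-rule name -> Rule Action value;
    existing_workflows is the set of workflows still present in InsightConnect.
    """
    if t.workflow not in existing_workflows:
        # Deleted workflow: the trigger can never be enabled again.
        return "N/A", f"workflow '{t.workflow}' no longer exists"
    # Assumption (not stated on the page): one rule that no longer creates
    # investigations is enough to put a multi-rule trigger into N/A.
    bad = sorted(r for r in t.rules
                 if rule_actions.get(r) != CREATES_INVESTIGATIONS)
    if bad:
        return "N/A", f"rules not set to Creates Investigations: {bad}"
    return ("On", "") if t.enabled else ("Off", "disabled by user")


def fires_on_investigation(t: Trigger, rule: str, rule_actions: Dict[str, str],
                           existing_workflows: Set[str]) -> bool:
    """True when an investigation created from `rule` would run t.workflow."""
    status, _ = trigger_status(t, rule_actions, existing_workflows)
    return status == "On" and rule in t.rules


def preflight(triggers, rule_actions, existing_workflows) -> Dict[str, str]:
    """Map trigger name -> reason for every trigger that would not run."""
    report = {}
    for t in triggers:
        status, reason = trigger_status(t, rule_actions, existing_workflows)
        if status != "On":
            report[t.name] = f"{status}: {reason}"
    return report
```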