Automation Workflows
You can take advantage of multiple automation workflows that allow you to respond automatically to security events as they emerge on your network. Workflows are run by the Insight Agent, by the Insight Orchestrator, or in the cloud. You can configure these workflows to automate common security tasks, such as:
- Containing threats such as malware or stolen credentials and quarantining assets.
- Integrating with ticketing and case management tools including ServiceNow and JIRA.
- Enriching investigation data.
- Running custom security workflows built with InsightConnect.
NOTE
Several automation workflows offered with InsightIDR rely on third-party tools and plugins to take the proper action. These workflows use the Insight Orchestrator to pass input and output between your third-party tools as the workflow runs.
Before you can deploy workflows of this kind, you must install an orchestrator, configure connections to your third-party tools, and activate any applicable workflow templates.
Actions You Can Perform with the Insight Orchestrator
The Insight Orchestrator drives most of the workflows that InsightIDR offers. The following workflows have dedicated configuration documents that will help you get started:
- Quarantine an Asset with Carbon Black Response
- Disable a User with Active Directory
- Suspend a User with Okta
- Create a Ticket with JIRA or ServiceNow
Actions You Can Perform with the Insight Agent
The Insight Agent can also perform its own security tasks without the need for an orchestrator. See the following articles to learn more about these agent-based workflows:
Enrichment Workflows
InsightIDR also features a variety of data enrichment workflows that can provide extensive context on data points included in each of your investigations. Some of these enrichment workflows are specialized to a single input type, such as IP addresses or URLs, but others are capable of handling multiple data points at the same time. You can read more about data enrichment on the Automated Enrichment Workflows page.
Where to use workflows for legacy detection rules in InsightIDR
You can run workflows for legacy detection rules by taking action on investigations and configuring triggers.
Take Action on Investigations
You can run automation workflows manually from any investigation by clicking the Take action button on the Investigation Details page.
Investigations trigger workflows for legacy detection rules only
You cannot trigger automation workflows on detection rules in the Detection Library at this time. Workflows can only be triggered on legacy detection rules.
Configure Triggers
If you want to run workflows automatically when an investigation is created, you can configure triggers for legacy detection rules. Trigger workflows use details from investigations that InsightIDR creates in response to user events detected in your environment.
Where to use workflows in InsightIDR
You can run workflows on detection rules from the Detection Rules page.
Add workflows to detection rules
You can trigger an automation workflow to run every time a detection occurs. Read more about how to get started with automation.
Human Decisions
Some workflows will pause to prompt the user for a required action before they can proceed to the next step. These user action prompts are known as “human decisions” and allow you to choose between multiple paths that the workflow can take. In general, human decisions are necessary in cases where the result of the workflow can vary widely depending on the available paths. Human decisions also serve as a safety measure against potentially unwanted workflow behavior by allowing you to have the final say on riskier workflow processes.
Human decisions will display as an event in the Investigation timeline, and as a banner in InsightIDR.
Click Review Decision to see the job history for the workflow in question.
NOTE
If you see the Review Decision banner, but there are no paused workflows, this indicates that someone else on your team may have taken action on the human decision prompt already. If this is the case, refresh the page to dismiss the banner.
TIP
You can read more about human decisions on the Decision Steps InsightConnect Help page.
Workflow History
When a workflow is running, paused, stopped due to failure, or has completed successfully, you can see the history and details of that workflow in the History tab of your “Automation” screen:
- From your InsightIDR dashboard, select Automation on the left-hand menu.
- Select the History tab. This will show you all of the current and past workflows.
- Select a workflow to see all of the available information, including:
  - Job status
  - Start time
  - Run time
  - Owner
  - Available input
  - Available output
  - Available logs
Insight Agent History
You can also see all actions completed by the Insight Agent. In the “Automation” screen, select History, then Insight Agent Actions in the “Powered By” section.
Select an Insight Agent workflow to see its job history, including information about:
- Job status
- Start time
- Finish time
- Owner
- Summary
- Containment Status