InsightIDR customers can take advantage of multiple automation workflows that allow you to automatically respond to security events as they emerge on your network. Driven by either the Insight Agent or the Insight Orchestrator, you can configure these workflows to automate common security tasks that fall under these categories:
- Reduce noise from alerts.
- Directly contain threats, such as malware or stolen credentials.
- Integrate with ticketing and case management tools.
- Run custom security workflows built with InsightConnect.
- Enrich investigation data.
Several automation workflows offered with InsightIDR rely on third-party tools and plugins to take the proper action. These workflows use the Insight Orchestrator to pass input and output between your third-party tools as the workflow runs.
Take Action on Your Investigations
All automation workflows are designed to use details from investigations that InsightIDR creates in response to user events detected in your environment. You can run these workflows manually from each investigation, or configure Alert Triggers to run them automatically according to your own conditions.
Actions You Can Perform with the Insight Orchestrator
The Insight Orchestrator drives most of the workflows that InsightIDR offers. The following workflows have dedicated configuration documents that will help you get started:
- Quarantine an Asset with Carbon Black Response
- Disable a User with Active Directory
- Suspend a User with Okta
- Create a Ticket with JIRA or ServiceNow
Actions You Can Perform with the Insight Agent
The Insight Agent can also perform its own security tasks without the need for an orchestrator. See the following articles to learn more about these agent-based workflows:
InsightIDR also features a variety of data enrichment workflows that can provide extensive context on data points included in each of your investigations. Some of these enrichment workflows are specialized to a single input type, such as IP addresses or URLs, but others are capable of handling multiple data points at the same time. You can read more about data enrichment on the Automated Enrichment Workflows page.
Some workflows will pause to prompt the user for a required action before they can proceed to the next step. These user action prompts are known as “human decisions” and allow you to choose between multiple paths that the workflow can take. In general, human decisions are necessary in cases where the result of the workflow can vary widely depending on the available paths. Human decisions also serve as a safety measure against potentially unwanted workflow behavior by allowing you to have the final say on riskier workflow processes.
Human decisions will display as an event in the Investigation timeline, and as a banner in InsightIDR.
Click Review Decision to see the job history for the workflow in question.
If you see the Review Decision banner, but there are no paused workflows, this indicates that someone else on your team may have taken action on the human decision prompt already. If this is the case, refresh the page to dismiss the banner.
You can read more about human decisions on the Decision Steps InsightConnect Help page.
When a workflow is running, paused, stopped due to failure, or completed successfully, you can see the history and details of that workflow in the History tab of your “Automation” screen:
- From your InsightIDR dashboard, select Automation on the left-hand menu.
- Select the History tab. This will show you all of the current and past workflows.
- Select a workflow to see all of the available information, including:
  - Job status
  - Start time
  - Run time
  - Available input
  - Available output
  - Available logs
Insight Agent History
You can also see all actions completed by the Insight Agent. In the “Automation” screen, select History > Insight Agent Actions in the “Powered By” section.
Select an Insight Agent workflow to see its Job history, including information about:
  - Job status
  - Start time
  - Finish time
  - Containment status