Automation Workflows

You can take advantage of multiple automation workflows that allow you to automatically respond to security events as they emerge on your network. Workflows are run by the Insight Agent or the Insight Orchestrator, or on the Cloud. You can configure these workflows to automate common security tasks, such as:

  • Containing threats such as malware or stolen credentials and quarantining assets.
  • Integrating with ticketing and case management tools including ServiceNow and JIRA.
  • Enriching investigation data.
  • Running custom security workflows built with InsightConnect.

NOTE

Several automation workflows offered with InsightIDR rely on third party tools and plugins to take the proper action. These workflows use the Insight Orchestrator to pass input and output between your third party tools as the workflow runs.

Before you can deploy workflows of this kind, you must install an orchestrator, configure connections to your third party tools, and activate any applicable workflow templates.

Actions You Can Perform with the Insight Orchestrator

The Insight Orchestrator drives most of the workflows that InsightIDR offers. The following workflows have dedicated configuration documents that will help you get started:

Actions You Can Perform with the Insight Agent

The Insight Agent can also perform its own security tasks without the need for an orchestrator. See the following articles to learn more about these agent-based workflows:

Enrichment Workflows

InsightIDR also features a variety of data enrichment workflows that can provide extensive context on data points included in each of your investigations. Some of these enrichment workflows are specialized to a single input type, such as IP addresses or URLs, but others are capable of handling multiple data points at the same time. You can read more about data enrichment on the Automated Enrichment Workflows page.

Where to use UBA workflows in InsightIDR

You can run User Behavior Analytics (UBA) workflows by taking action on investigations and configuring UBA Alert Triggers.

Take Action on Investigations

Take Action button in Investigations Run UBA automation workflows manually from any investigation by clicking the Take action button. You cannot take action with ABA-triggered workflows at this time.

Configure UBA Alert Triggers

If you want to run workflows automatically when an investigation is created, you can configure UBA Alert Triggers for UBA alerts. UBA Alert Trigger workflows use details from investigations that InsightIDR creates in response to user events detected in your environment.

Where to use ABA workflows in InsightIDR

You can run Attacker Behavior Analytics (ABA) workflows from the Detection Rules page.

Add workflows to ABA detection rules

You can trigger an automation workflow to run every time a detection occurs for Attacker Behavior Analytics (ABA) detection rules. Read more about how to get started with ABA automation.

Human Decisions

Some workflows will pause to prompt the user for a required action before they can proceed to the next step. These user action prompts are known as “human decisions” and allow you to choose between multiple paths that the workflow can take. In general, human decisions are necessary in cases where the result of the workflow can vary widely depending on the available paths. Human decisions also serve as a safety measure against potentially unwanted workflow behavior by allowing you to have the final say on riskier workflow processes.

Human decisions will display as an event in the Investigation timeline, and as a banner in InsightIDR.

Click Review Decision to see the job history for the workflow in question.

NOTE

If you see the Review Decision banner, but there are no paused workflows, this indicates that someone else on your team may have taken action on the human decision prompt already. If this is the case, refresh the page to dismiss the banner.

TIP

You can read more about human decisions on the Decision Steps InsightConnect Help page.

Workflow History

When a workflow is running, paused, stopped due to failure, or successfully complete, you can see the history and details of that workflow in History tab of your “Automation” screen:

  1. From your InsightIDR dashboard, select Automation on the lefthand menu.
  2. Select the History tab. This will show you all of the current and past workflows.
  1. Select a workflow to see all of the available information, including:
    • Job status
    • Start time
    • Run time
    • Owner
    • Available input
    • Available output
    • Available logs

Insight Agent History

You can also see all actions completed by the Insight Agent. In the “Automation” screen, select History > Insight Agent Actions in the “Powered By” section.

Select an Insight Agent workflow to see its Job history, including information about:

  • Job status
  • Start time
  • Finish time
  • Owner
  • Summary
  • Containment Status