Get started with automation
You can trigger an Automation (InsightConnect) workflow to run every time a detection rule's criteria are met. These workflows reduce manual work for your team by containing assets, enriching data, and notifying you when a detection occurs.
The output of automation for detection rules does not appear in Investigations
Workflows on rules in the Detection Library are triggered at the time of detection, prior to when an investigation is created. As a result, a Rapid7 Resource Name (RRN) is not generated, which means the automation cannot be linked to relevant investigations, and workflows triggered by these detections do not appear in the investigation timeline.
Triggers for legacy detection rules are different in that they occur at the time an investigation is created, and generate an RRN. This RRN can be used to link automation with investigations. For more information on triggers, read Triggers for Legacy Detection Rules and Basic Detection Rules.
Requirements
To add automation to detection rules, you’ll need one of the following subscriptions:
- SIEM (InsightIDR) Ultimate
- SIEM (InsightIDR) Advanced package with an Automation (InsightConnect) license
The Insight Orchestrator must be installed and activated before certain Automation (InsightConnect) plugins can run.
Add workflows to your detection rules
- Navigate to the Detection Rule Library tab on the Detection Rules page.
- Click into the detection rule you’d like to add automation to and navigate to the Automation tab.
- Click Add Workflow. SIEM (InsightIDR) will display a list of compatible workflows for this detection rule.
- Select one or more workflows to run every time a detection occurs for this rule. You can also create a custom workflow by clicking Create New Workflow in Automation (InsightConnect). Read more about creating workflows in Automation (InsightConnect).
- Click Save.
The workflows you added run every time a detection occurs for that rule. The Jobs counter next to the workflow name shows how many times the workflow has run. You can also find this information by navigating to Automation in the left menu of SIEM (InsightIDR) and selecting the Jobs tab.
To view the workflow in detail in Automation (InsightConnect), click the arrow icon next to the workflow name.
Remove workflows from detection rules
- Navigate to the Detection Rule Library tab on the Detection Rules page.
- Open the detection rule you’d like to remove a workflow from and navigate to the Automation tab.
- Delete the unwanted workflow.
- In the confirmation modal, click Remove Workflows.
Troubleshoot workflows
If a workflow warns you that there are errors, troubleshoot them so the workflow runs as expected. To resolve workflow issues, open Automation (InsightConnect) and navigate to the Workflows page, where you can view the workflow details and the errors reported for it.