Get started with automation

You can trigger an InsightConnect automation workflow to run every time a detection rule's criteria are met. These workflows can help your team reduce manual tasks by containing assets, enriching data, and notifying you when a detection occurs.

The output of automation for detection rules does not appear in Investigations

Workflows on rules in the Detection Library are triggered at the time of detection, before an investigation is created. As a result, a Rapid7 Resource Name (RRN) is not generated, so the automation cannot be linked to relevant investigations, and workflows triggered by these detections do not appear in the investigation timeline.

Triggers for legacy detection rules are different: they occur at the time an investigation is created and generate an RRN. This RRN can be used to link automation with investigations. For more information on triggers, read Triggers for Legacy Detection Rules and Basic Detection Rules.

Requirements

To add automation to detection rules, you’ll need one of the following subscriptions:

  • InsightIDR Ultimate
  • InsightIDR Advanced package with an InsightConnect license

The Insight Orchestrator must be installed and activated for certain InsightConnect plugins to be able to run.

Add workflows to your detection rules

  1. Navigate to the Detection Rule Library tab on the Detection Rules page.
  2. Click into the detection rule you'd like to add automation to and navigate to the Automation tab.
  3. Click Add Workflow. InsightIDR will display a list of compatible workflows for this detection rule.
  4. Select one or more workflows to run every time a detection occurs for this rule. You can also create a custom workflow by clicking Create New Workflow in InsightConnect. Read more about creating workflows in InsightConnect.
  5. Click Save.

The workflows you added will run every time a detection occurs for that rule. View the Jobs counter next to the workflow name to get visibility into how many times the workflow has run. You can also find this information by navigating to Automation in the left menu of InsightIDR, and selecting the Jobs tab.

To view the workflow in detail in InsightConnect, click the arrow icon next to the workflow name.

Adding custom InsightConnect workflows to detection rules

When you create a custom workflow in InsightConnect, you’ll be prompted to choose an event type, which is the data model that InsightIDR uses to categorize detection rules. The workflow will automatically be added to all detection rules of that event type.

Remove workflows from detection rules

  1. Navigate to the Detection Rule Library tab on the Detection Rules page.
  2. Open the detection rule you'd like to remove a workflow from and navigate to the Automation tab.
  3. Delete the unwanted workflow.
  4. In the confirmation modal, click Remove Workflows.

Troubleshoot workflows

If a workflow warns you that there are errors, you may need to troubleshoot them to ensure the workflow runs smoothly. To resolve workflow issues, go to InsightConnect and navigate to the Workflows page, where you can view workflow details to troubleshoot errors.