Get started with ABA Automation

You can trigger an InsightConnect automation workflow to run every time a detection occurs for Attacker Behavior Analytics (ABA) detection rules. These workflows can help your team mitigate manual tasks by containing assets, enriching data and notifying you when a detection occurs.

Requirements

To add automation to ABA detection rules, you’ll need one of the following subscriptions:

  • InsightIDR Ultimate
  • InsightIDR Advanced package with an InsightConnect license

The Insight Orchestrator must be installed and activated for certain InsightConnect plugins to be able to run.

Add workflows to your ABA detection rules

  1. Navigate to the Attacker Behavior Analytics tab on the Detection Rules page.
  2. Click into the detection rule you'd like to add automation to and navigate to the Automation tab.
  3. Click Add Workflow. InsightIDR will display a list of compatible workflows for this detection rule.
  4. Select one or more workflows to run every time a detection occurs for this rule. You can also create a custom workflow by clicking Create New Workflow in InsightConnect. Read more about creating ABA workflows in InsightConnect.
  5. Click Save.

The workflows you added will run every time a detection occurs for that rule. View the Jobs counter next to the workflow name to get visibility into how many times the workflow has run. You can also find this information by navigating to Automation in the left menu of InsightIDR, and selecting the Jobs tab.

To view the workflow in detail in InsightConnect, click the arrow icon next to the workflow name.

Adding custom InsightConnect workflows to ABA detection rules

When you create a custom workflow in InsightConnect, you’ll be prompted to choose an event type, which is the data model that InsightIDR uses to categorize detection rules. The workflow will automatically be added to all ABA detection rules of that event type.

Remove workflows from ABA detection rules

  1. Navigate to the Attacker Behavior Analytics tab on the Detection Rules page.
  2. Open the detection rule you'd like to remove a workflow from and navigate to the Automation tab.
  3. Delete the unwanted workflow.
  4. In the confirmation modal, click Remove Workflows.

Troubleshoot workflows

If a workflow warns you that there are errors, you may need to troubleshoot the errors to ensure your workflow runs smoothly. To resolve workflow issues, visit InsightConnect and navigate to the Workflows page. Here, you can view workflow details to troubleshoot errors.