Get Started with Automation for Legacy Detection Rules and Basic Detection Rules

Custom Alerts have been renamed to Basic Detection Rules

Starting in May 2023, we will begin rolling out detection terminology changes to better reflect the functions of the Custom Alerts feature:

  • Custom Alerts are now called Basic Detection Rules
  • Pattern Detection Alerts are now called Log Pattern Detection Rules
  • Inactivity Detection Alerts are now called Log Inactivity Detection Rules
  • Change Detection Alerts are now called Log Change Detection Rules

The functions of these features remain the same. These terminology changes will be implemented throughout the documentation and in InsightIDR.

You can apply automation to legacy detection rules and basic detection rules (formerly known as custom alerts) to reduce the number of manual security tasks that you have to perform and streamline your security processes. These features allow you to automate tasks like containing threats, notifying your team when there’s suspicious activity, and tracking the progress of an investigation.

To help you get started with Automation for legacy detection rules and basic detection rules, you’ll need to complete the following tasks:

Task 1: Install and Activate the Insight Orchestrator

In order to connect InsightIDR to the products, services, and tools you use in your environment, you’ll need to set up and activate the Insight Orchestrator. The Insight Orchestrator is a component installed on your network that gives InsightIDR the access it needs to automate security processes. You must have an orchestrator if you want to take advantage of the Automation features available in InsightIDR.

Ready to get started?

Learn how to set up and activate the Insight Orchestrator.

Task 2: Add Connections to Your Third-Party Tools

InsightIDR includes several out-of-the-box Workflow Templates built for third-party tools that you can leverage for your security needs. In order to use these templates, you’ll need to set up Automation Connections. A connection comprises the credentials and required parameters, such as the application URL, that InsightIDR needs to access and authenticate to a third-party tool.

The out-of-the-box Workflows currently support the following third-party integrations:

  • Active Directory
  • Cb Response
  • JIRA
  • Okta
  • ServiceNow

Want to automatically create a JIRA or ServiceNow ticket when there is unusual activity on a restricted asset? You’ll need to add a connection.

Learn how to add connections to your tools.

Task 3: Activate Workflow Templates

You can use out-of-the-box Workflow Templates to set up Workflows that do things like quarantine an asset, suspend a user account from within an investigation, and create JIRA tickets. A Workflow Template is a workflow without configured connections, which makes it handy when you need to reuse the same Workflow steps with different connections.

Workflows are available for you to kick off when there is something in your investigation that requires you to take action. Need to disable a user who is accessing a restricted asset? You can use an Okta workflow to suspend the user.

Are your connections all set up?

Learn how to activate and use workflow templates.

Task 4: Take Action Using a Workflow

Now that you’ve set up the orchestrator, added connections, and activated some Workflow Templates, your Workflows are ready to use. You can automate some tasks directly from an investigation using the available actions and workflows within InsightIDR.

Ready to kick off a workflow?

Learn how to take action with your workflows.