Get Started with UBA and Custom Alert Automation
You can apply automation to User Behavior Analytics (UBA) detection rules and Custom Alerts to reduce the number of manual security tasks that you have to perform and streamline your security processes. These features allow you to automate tasks like containing threats, alerting your team when there’s suspicious activity, and tracking the progress of an investigation.
To get started with Automation for UBA detection rules and Custom Alerts, complete the following tasks:
- Task 1: Install and activate the Insight Orchestrator
- Task 2: Add connections to your third-party tools
- Task 3: Activate a Workflow Template
- Task 4: Take action using a Workflow
Task 1: Install and Activate the Insight Orchestrator
In order to connect InsightIDR to the products, services, and tools you use in your environment, you’ll need to set up and activate the Insight Orchestrator. The Insight Orchestrator is a component installed on your network that gives InsightIDR the access it needs to automate security processes. You must have an orchestrator if you want to take advantage of the Automation features available in InsightIDR.
Ready to get started?
Learn how to set up and activate the Insight Orchestrator.
Task 2: Add Connections to Your Third-Party Tools
InsightIDR includes several out-of-the-box Workflow Templates built for third-party tools that you can leverage for your security needs. In order to use these templates, you’ll need to set up Automation Connections. A connection comprises the credentials and required parameters, such as the application URL, that InsightIDR needs to access and authenticate to a third-party tool.
The out-of-the-box Workflows currently support the following third-party integrations:
- Active Directory
- Cb Response
Want to automatically create a JIRA or ServiceNow ticket when there is unusual activity on a restricted asset? You’ll need to add a connection.
Learn how to add connections to your tools.
Task 3: Activate Workflow Templates
You can use out-of-the-box Workflow Templates to set up Workflows that do things like quarantine an asset, suspend a user account from within an investigation, and create JIRA tickets. A Workflow Template is a workflow that has no configured connections; templates are handy when you need to reuse the same Workflow steps with different connections.
Workflows are available for you to kick off when there is something in your investigation that requires you to take action. Need to disable a user who is accessing a restricted asset? You can use an Okta workflow to suspend the user.
Are your connections all set up?
Learn how to activate and use workflow templates.
Task 4: Take Action Using a Workflow
Now that you’ve set up the orchestrator, added connections, and activated some Workflow Templates, your Workflows are ready to use. You can automate some tasks directly from an investigation using the available actions and workflows within InsightIDR.
Ready to kick off a workflow?