Get Started with On Demand Response Actions

On demand response actions are simple containment automations that can be run on individual actors (users or assets) from an investigation. These actions are limited to disabling users and quarantining assets.

Configuring a response action

Response actions need to be configured before they can be run. Response actions are powered by InsightConnect snippets. A snippet is a group of steps that can be run standalone as a response action, or reused in workflows within InsightConnect. More information on snippets can be found here.

To configure an action, follow these steps:

  1. Find an investigation with at least one actor.
  2. Click on the blue automation icon next to an actor’s name (either a user or an asset).
  3. Click on the action you wish to perform in the context menu, e.g. Quarantine Asset.
  4. A peek panel with a list of snippets will open on the right side of the screen. Click on the snippet that best suits your needs. For example, if you normally use the Rapid7 Insight Agent to quarantine assets, click on that snippet.
  5. You will see a message on screen that asks you to configure the snippet in InsightConnect. Click the button labeled ‘Configure in InsightConnect’.
  6. InsightConnect will open in a new browser window. The snippet you have chosen will automatically download into your environment, and you will see the snippet control panel.
  7. The snippet control panel will list all of the plugins that require connections. Work your way through each plugin by clicking on its row to expand it, and fill out the connection details for each plugin. More information on plugin connections can be found here, and setup guides for specific connections can be found here. Please note: all quarantine asset response actions can be configured to run in the cloud, without deploying an InsightConnect orchestrator. You can configure this while setting up the connection for your selected quarantine tool.
  8. When you have worked your way through configuring all connections, each row should display a green dot to indicate it has a connection. Once your snippet is fully set up you should click the button labeled ‘Publish Changes’ on the top right of the screen. If you need to make further changes to your snippet you can come back to the snippet control panel at any time.
  9. Once your snippet is published, return to InsightIDR. You should land back on the peek panel mentioned in step 5 of this walk-through. From here, click on the button labeled ‘Check Configuration’.
  10. The peek panel will have moved on to a new screen titled ‘Inputs’. This means your action is ready to use.

Testing response actions

Response actions can be tested directly from InsightIDR.

  1. Add an asset or user you'd like to test with to an investigation in InsightIDR. To do this, click the 'Explore Contextual Data' button at the top of the investigation, then select 'Inspect Actor Activity' to add actors to your investigation. Please note: testing will actually perform the quarantine or disable action on the actor you select, so you may want to choose a dedicated test asset or user for this.
  2. Refresh the investigation to ensure the actor has been added.
  3. Select the blue automation icon next to your test actor's name (either a user or an asset).
  4. From here, you should see the automation you had previously configured with a green dot next to the name, indicating the automation is active. Click on the automation card.
  5. The input field should pre-populate with the asset name or the user RRN (Rapid7 Resource Name) of the actor you selected from your investigation.
  6. Click 'Run' at the bottom of the peek panel. The Job State will be Running while the automation is in progress.
  7. When the automation has completed, you will see the Job State update. It will say that the automation has either finished or failed.
    1. A finished job means your response action is working and ready to use. Look under the Results object in the output to see if the automation correctly contained or un-contained the specified actor.
    2. If the job has failed, there is likely a problem with your snippet or with the asset/user you tried to test with. Click 'View Full Job' to get more information on the job details page in InsightConnect. Look through the error logs in the output to help pinpoint the exact problem.

Running a response action

Actions can be run on any investigation that contains users or assets. Initially these are limited to containment actions on users and assets.

To run an action, follow these steps:

  1. Find an investigation with at least one actor.
  2. Click on the blue automation icon next to an actor’s name (either a user or an asset).
  3. Click on the action you wish to perform in the context menu, e.g. Quarantine Asset.
  4. A peek panel with a list of snippets will open on the right side of the screen. Click on the snippet that best suits your needs. For example, if you normally use the Rapid7 Insight Agent to quarantine assets, click on that snippet. Snippets that have already been configured will appear at the top of the list and will be labeled as ‘Configured’.
  5. Note: This walk-through assumes that you have already configured your actions. If you haven’t done this yet, please read the walk-through above under ‘Configuring a response action’.
  6. You will have progressed to the ‘Inputs’ peek panel. Check that the correct actor is listed in the input.
  7. Click the button labeled ‘Run’ at the bottom of the peek panel.
  8. You will be navigated to a job details peek panel. This will update you on the status of your automation. When the automation has completed, a JSON object will be displayed. You will also have the option to view the full job in InsightConnect. More information on jobs can be found here.

Disable user response actions

The following plugin is supported for the disable user action:

  1. Active Directory LDAP

Quarantine asset response actions

The following plugins are supported for the quarantine asset action:

  1. Rapid7 Insight Agent
  2. CrowdStrike Falcon
  3. Microsoft Windows Defender ATP
  4. SentinelOne
  5. VMware Carbon Black Cloud

Requirements

You must have an InsightIDR or MDR license and an InsightConnect license to use this feature.