Quick Actions are pre-configured automation actions you can run within InsightIDR to get the answers you need fast. Use Quick Actions to make the investigative process more efficient and improve confidence in analyst decision-making while remaining in the context of the Investigation. You can leverage Quick Actions with no configuration required, without deploying an orchestrator or creating a single connection. You can also add and configure additional connection-based Quick Actions from the InsightConnect Quick Actions library.
To use Quick Actions, you’ll need an InsightConnect license, which is included at all tiers of the Managed Threat Complete package.
How to use Quick Actions
Quick Actions can be run from any page within InsightIDR by clicking the Quick Action icon located in the top navigation bar. To run a Quick Action, select a pre-configured Quick Action from the dropdown, provide the action input, and click Run. Each action expects a certain input, such as an IP Address, Email Address, File Hash, Domain, Vulnerability, or some similar indicator.
Available connectionless actions
Quick Actions currently supports the following actions out of the box:
- Look Up IP Address with WHOIS
- Look Up Domain with WHOIS
- Reverse Look Up IP Address with DNS
- Forward Look Up Domain with DNS
- Look Up IP Address with RDAP
- Look Up Domain with RDAP
- Look Up File Hash with Team Cymru Malware Hash Repository
- Look Up Vulnerability with Rapid7 Vulnerability and Exploit Database
- Look Up Exploit with Rapid7 Vulnerability and Exploit Database
Review Quick Action results
When your action completes, the results display within the Quick Action panel. From here, the results can be copied, downloaded, and toggled between formatted and raw JSON views. If you want to take additional actions from here, simply copy any relevant data to your clipboard for use as input in your next action.
You can view your InsightIDR Quick Action history through InsightConnect. To view the results of previously run actions, navigate to the History tab of the Quick Actions page. From here, you can view a record of each action that has been run, the date and time it was run, the user who ran the action, and the status of the action. To see the inputs and outputs of the action, click the action name.
Add more Quick Actions
Quick Actions that require connections to run can be added and configured on the Quick Actions page in InsightConnect from the Add More tab.
After you click the tile of the Quick Action that you would like to add, the action will be available on the Your Actions tab. You can choose to configure the action when adding it, or you can come back to it at any time. You can also delete any added Quick Action, rename it, or update its details. Once a Quick Action has been configured, it will be available to run from the Actions tab and from the spotlight in InsightConnect, InsightIDR, and InsightVM.
Available connection-based actions
Quick Actions currently supports the following actions that require connections:
- IP Address Look Up with VirusTotal
- Look Up Domain with VirusTotal
- Look Up URL with VirusTotal
- Look Up File Hash with VirusTotal
- Look Up Domain with URL Scan
- Look Up URL with URL Scan
- Look Up IP Address with Alien Vault OTX
- Look Up IPv6 Address with Alien Vault OTX
- Look Up Domain with Alien Vault OTX
- Look Up URL with Alien Vault OTX
- Look Up URL with CheckPhish
- Look Up IP Address with Shodan
- Look Up IP Address with GreyNoise
- Look Up IP Address with AbuseIPDB
- Look Up File Hash with Hybrid Analysis
- Create Issue with Jira
- Create Incident with ServiceNow
- Look Up Agent with Rapid7 Insight Agent
- Search Vulnerabilities with AttackerKB
- Send Message with Microsoft Teams
- Get Indicator by Value with Threat Command TIP