SOC Automation with InsightIDR and InsightConnect: Three Key Use Cases to Explore to Optimize Your Security Operations

You probably already know that SOC automation with InsightIDR and InsightConnect can decrease your #MeanTimeToResponse. It may not be a surprise that automating your security operations will augment your team’s skills and expertise to detect and respond to threats with super speed. You can even expect that automation will translate to big wins for your team, such as increased productivity, job satisfaction, and huge returns on investment.

You may believe you can take your security operations to the next level with automation, but you may not know where to start. And that’s okay! There are many pathways to automation, and no two journeys will be the same. So in this blog post, we will outline some of the most popular and innovative experiences to earn some quick wins in automation. Whether this is the first time you log in to InsightConnect or you’ve already browsed all of our welcome resources, we have some options for you to keep it moving.

Brand new? Try the “Discover” Experience.

If you’re an InsightConnect user who also subscribes to InsightIDR or InsightVM, the very first thing we recommend is checking out the “Discover” tab within their InsightConnect homepage. There, you’ll find some easy and useful workflows to get you up and running with automating threat detection and response. Workflows are the bread and butter of the Rapid7 experience, and the sooner you get your hands dirty, the sooner you’re on your way to major ROI. Try the following easy instructions for some of the quickest wins.

Hello IDR Alert

This is what we call a “zero deployment” workflow—it’s as easy as it gets! It displays all of the different data points that can be passed from an IDR Investigation into an InsightConnect workflow. In order to use this workflow, simply import it, activate it, open an investigation in InsightIDR, click on the blue “Take Action” button, and select the last option: “Custom InsightConnect Workflows.” Select the “Hello IDR Alert” workflow from the next dropdown. Select any/all Users, Assets, and/or IoCs (you may have different options based on the actors and indicators in your investigation). Finally, click the “Take Action” button to see a summary of what was passed into your InsightConnect workflow!

Now, keep in mind that this workflow does not actually “do” anything—it simply prints the details of the IDR alert to an Artifact card. However, it will help any user who may go on to build their own workflows by providing an idea of all the different variables available for use in InsightConnect with this specific Alert Trigger.

InsightConnect users who own neither InsightIDR nor InsightVM will not have these workflow recommendations. For those users, we recommend checking out Toolkits in the Rapid7 extension library—the toolkit workflows are product-agnostic, so they work regardless of the platform you use.

Enrich hash with threat intelligence from Threat Crowd

This workflow takes an input hash and looks up information in Threat Crowd, a free threat intelligence service. It’s easy to use and can provide some real value with little to no effort. Note that with an API trigger and a cloud-enabled plugin, this workflow also requires zero deployment!

How easy is it? Simply import the workflow, import the Threat Crowd plugin, set the plugin to Run on Cloud, and activate the workflow in InsightConnect! No additional setup is required.

Enrich InsightIDR alerts with threat intelligence from VirusTotal

This workflow is one we’ve found countless InsightIDR users building on their own. It does require an Orchestrator and a VirusTotal API key, so it’s a bit of a step up. But don’t worry—the learning curve is small. We highly recommend trying this out, specifically for an introduction to the Orchestrator and more advanced and powerful workflow automations.

First, sign up for a free VirusTotal account and take note of your API token. Then, navigate back to InsightConnect to import the workflow. Create a connection to VirusTotal, and activate it. You can then run the workflow just as you did the Hello IDR Alert workflow, from the “Take Action” menu in InsightIDR.

You can also set this workflow up to run automatically when certain alerts fire by setting up an Alert Trigger in InsightIDR.

Extra credit: Getting started with InsightVM

If you’re an InsightConnect subscriber as well as an InsightVM subscriber, there are some clutch workflows you should dig into as part of your Discover Experience to get a feel for both sides of that alliance. They include the following:

• Lookup Vulnerability with Rapid7 Vulnerability Database: This workflow allows you to look up a vulnerability to receive an overview, including CVSS score, publish date, alternate identifiers, a description, and solutions.
• Get Asset Details and Scan Asset with InsightVM: This workflow uses an API trigger to lookup an asset by its IP address in InsightVM and scan the target IP. This form of ad hoc scanning can help quickly identify and collect vulnerability data about a given device.
• Automate Vulnerability Exception Management in InsightVM: This workflow helps automate vulnerability exception management in InsightVM by approving exception requests for low-risk, low-scope vulnerabilities.

User Behavior Analytics

Traditional incident detection solutions only alert on IP addresses, which makes it really hard to retrace the users and activity behind the alert. Attackers are compromising assets not only via malware, but by moving laterally between them using credentials stolen by traffic manipulation, hash extraction, and other techniques. InsightIDR’s User Behavior Analytics (UBA) provides the insight and context you need to detect intruder compromise, insider threats, and risky behavior.

So, if you’re a subscriber of both InsightConnect and InsightIDR and you’re looking to get up and running with your first UBA wins, look no further than the following related workflows:

• Disable Domain User with Active Directory from InsightIDR UBA Alert: Disabling a compromised user account can limit the scope of an attack and buy valuable time to investigate and contain the threat. This workflow triggers on an InsightIDR UBA to disable a domain user with Active Directory. Examples of UBAs you might use it for include Harvested Credentials, Multi-Country Authentication Alerts, Ingress From Community Threat, Account Leaked, and Brute Force – Domain Account.
• Quarantine Asset with Insight Agent from InsightIDR UBA Alert: Quarantining a compromised asset can also limit the scope of an attack and buy valuable time to investigate and contain the threat. This workflow triggers on an InsightIDR UBA, to quarantine an asset with the Insight Agent. This workflow can be used with Brute Force – Local Account, Flagged Hash on Asset, and Flagged Process on Asset alerts.

To explore more threat detection and response-centric workflows, check out our Phishing Toolkit.

Advanced use-case: Custom alerts

When the built-in alerts that ship with InsightIDR don’t suit your needs, you have the option to create your own custom alerts. If you’ve successfully navigated the Discover experience and become fluent in User Behavior Analytics, it’s time for your next challenge. Custom alerts are your next big milestone in your SOC automation journey—and will be your biggest win yet.

InsightConnect uses the InsightIDR Custom Alert Trigger to listen for behavior that your alert has detected. When a custom alert identifies a threat, the trigger sends that data to your workflow, which kicks off any predefined actions associated with the workflow. For example, you can configure workflows to post notifications to a Slack channel when an alert threshold is reached, or send email notifications to your security team when someone signed onto the VPN violates a company policy. There are three kinds of custom alerts:

1. Inactivity Detection Alerts: Also known as “Up Down Monitoring,” inactivity alerts can be used to notify you when an entire log, log group, or particular pattern becomes inactive for a given time period. Inactivity alerting is useful for system assets that must be running constantly (such as a critical server). The ability to set the time window of inactivity gives you control over your data, your environment, and your assets, and allows for damage control and prevention of data loss.
2. Pattern Detection Alerts: In order for an alert to trigger, a log must match the exact pattern you enter as a search term. Alerting on patterns can be useful in situations such as monitoring server errors, critical exceptions, and general performance, and allows you to only monitor events that are important to you.
3. Change Detection Alerts: Change detection alerts will notify you when a condition changes, such as HTTP 500 errors in your web access logs. They are based off calculations that you apply to log(s) or logset(s). Change detections will help you stay on top of critical conditions when something is broken and must be immediately addressed, or occurring errors that must be escalated. This alert will minimize your time to investigate and resolve any errors.

   Rapid7’s Custom Alert documentation provides in-depth instructions for each of these alerts – allowing you to create, modify, and benefit from their specific abilities as needed.