Product Video:

Disabling Users in InsightIDR

September 27, 2018


Automation has come to the Rapid7 Insight platform, bringing new incident detection and response capabilities to InsightIDR. In this short video, we show you how to seamlessly disable users directly from an investigation in InsightIDR.

Want to learn more? Start your free trial today.


Video Transcript

For years, Rapid7 InsightIDR has been providing best-of-breed detection capabilities to security operations centers and professionals. Whenever you get an alert, notable user and asset behavior is shown on a visual investigation timeline.

Show more Show less

For example, this alert fired because Levi Allison authenticated to an asset tagged as ‘restricted’ in InsightIDR. From our User Behavior Analytics, which baseline normal authentications, we know that “l-allison’s” login is anomalous. Since the user’s credentials have also authenticated to new assets, it’s a sign the password might be compromised.

Now, not only do you have the necessary context to make a decision regarding “l-allison”,  but you can take action directly from an investigation to contain the threat. In this case, let’s look at deprovisioning Levi’s accounts from within InsightIDR. Choose from our list of supported vendors, which include Active Directory and Okta for user-level containment.

Setup is simple. Test the connection with the integration partner once, and you’re off to the races. Set up a response workflow, and use the Take Action feature to select which user accounts to suspend. You’ll receive real-time updates as the containment progresses.

InsightIDR doesn’t stop there. Designate decision points to let your team weigh in when it’s most critical. You’ll receive notifications when workflows have been paused and need input, ensuring you stay on top of critical processes.

When taking action, you’ll see the real-time progress of the ongoing workflow, including an audit log of all tasks involved with automation. You’ll also receive a notification letting you know that the action successfully completed.

The Automation module shows a lifetime history of all automated workflows and actions that have run on behalf of your team directly within InsightIDR, and it will notify you as plugin updates are released.

In addition to taking action on user accounts, InsightIDR supports workflows for endpoint containment through Carbon Black Response and VLAN quarantine with Cisco ISE. Looking for further customization? Any custom workflows created in Rapid7 InsightConnect can also be triggered from InsightIDR.

Bring your existing security tools together, so your team can respond to incidents faster. See what other incident detection and response tasks you can automate. Start a free trial of InsightIDR today.