Today’s security teams need visibility across their modern environment for a number of reasons. Not only for compliance, but also to find, investigate, and contain unauthorized access to critical data. Automation allows teams to scale across the entire threat detection and response process.Show more Show less
Let’s look at how using Rapid7 InsightIDR and InsightConnect together can help teams save time, formalize security processes, and take action with the context and confidence they need.
We’ll begin with a common attack scenario. You’ve received an alert that a company asset is communicating with an unknown bad IP address. When you receive the alert in InsightIDR, you’ll visually see data sources flowing in. This includes threat intel from feeds you’ve subscribed to or added manually for additional context around the alert.
The user behavior analytics engine shows the users affected and any notable activity that happened around the alert. That’s InsightIDR’s main visual timeline.
Here, we see that the user account accessed a known-bad IP address. With InsightIDR’s automated enrichment workflow, the associated hashes, IP addresses, domains, and URLs are matched against multiple sources. This gives you the context you need to respond faster and more effectively, with the use of automation. Traditionally, the process of gathering additional threat intel takes an average of 20 to 25 minutes. With InsightIDR and InsightConnect working together, users can begin to build workflows such as this one to meet their own business needs and save time.
To enrich similar alerts automatically in the future, click into Alert Triggers. You can tie this enrichment workflow to any alert that highlights anomalous user behavior across your organization.
From here, the incident response process may include additional enrichment for the associated IPs in the alert, or posting your findings directly to a chatops tool like Slack to alert other teams.
By automating detection and response processes involving alert enrichment with InsightIDR and InsightConnect, you’ll save time and go beyond simple monitoring to more proactive threat hunting and simulation. To further understand how automation can be utilized, let's jump into InsightConnect.
In addition to anomalous network activity, InsightConnect supports a number of workflows that can be used to automate common security and IT processes, such as phishing and distributed alerting.
For example, let’s continue to look at the process of enriching indicators. With InsightConnect’s built-in integration to Slack, you can now type in “!investigate url _ICO_” to automatically look up URLs with even more open-source threat intelligence. From here, you can not only interact with your InsightConnect workflows, but you can have the desired results posted back into your Slack channel.
To explore where else InsightConnect can help streamline processes, check out our marketplace of over 280 plugins currently available.
To learn more about how you can leverage automation in threat detection and response, visit rapid7.com.