Insights pull key information from any part of a case and display it to analysts, so that they can analyze it without having to click through to find what is relevant to their investigation. Insights can be created as part of a Manual Action or within a playbook.
Entity Insights are created within a manual action, within a playbook action, or as part of an integration. They contain the entity information and its metadata. You normally use this type of insight when performing enrichment on an entity and you want to show specific enrichment data to the analyst when the entity hits a threshold or has information that is important for the analyst to know.
The following image depicts Insights displayed on the Case Overview screen.
To add an Entity Action within a Playbook:
To run as an action within a playbook, drag and drop the Add Entity Insight action into the playbook at the desired location.
Click to open the Add Entity Insight Action and fill out the following fields:
Action Description: This is the text that you will see when looking at the action in the playbook designer. It is recommended to write a meaningful description so that when you review the playbook later you will be able to identify the Action at a glance.
Action Scope: Select the required entity so that the action runs only on the information that you are interested in using. For example, Scan Hash by VirusTotal only needs hash information, so you would choose FileHash from the drop-down list because that is the information needed for the action.
Message: The message field can contain static text, placeholders, or both. To use placeholders, click <>. This opens the placeholders screen. The available placeholders are Alert, Case, Entity, Environment, Event, and Playbook. Note that you can also drill down to specific JSON results if required.
Select the object that you want. For example, select Entity. You can use as many placeholders (and free text) as you need in the Message.
Note that General insights can only be created within a playbook action. They give you control over identifying what triggered the insight, the title of the insight and the message of the insight.