Investigate Threat Command Alerts
Threat Command finds and mitigates external threats that target your organization. You can ingest and investigate Threat Command alerts in InsightIDR to gain visibility across your attack surface and accelerate prioritization and response.
Enabling Threat Command alerts as an MDR customer
If you are a managed detection and response (MDR) customer, you can enable Threat Command to send alerts to InsightIDR. These Threat Command alerts will not be managed by the MDR SOC team.
Requirements
To access Threat Command Alerts in InsightIDR, you’ll need:
- An InsightIDR Ultimate or InsightIDR Advanced license
- A Threat Command license
Send Threat Command alerts to InsightIDR
To get started, you will first need to enable Threat Command to send alerts to InsightIDR.
- In InsightIDR, navigate to Settings from the left menu.
- Under the Account section, click Threat Command Alerts.
- Switch the toggle on to start sending Threat Command Alerts to InsightIDR.
Manage Threat Command detection rules
Once you have enabled Threat Command to send alerts to InsightIDR, you can manage your Threat Command rules on the Detection Rules page.
- In InsightIDR, navigate to Detection Rules from the left menu.
- In the filter panel, click the button to Show Threat Command rules.
- From here, you can manage Threat Command detection rules by changing the Rule Action and Rule Priority and adding exceptions.
Manage Threat Command investigations
Investigations created by Threat Command rules will automatically appear on the Investigations page of InsightIDR. Here, you can inspect the evidence sent from Threat Command, and use InsightIDR’s functionality to manage investigations.
Some fields will not be reflected in Threat Command
When managing Threat Command investigations in InsightIDR, you have the option to change the disposition, priority and assignee. These fields are InsightIDR-only features and will not be reflected in Threat Command.
Closing an investigation
When you close a Threat Command investigation in InsightIDR, you will be prompted to select a Reason for closing from the dropdown menu. Once closed, the Closed status and the reason will also be reflected in Threat Command.