Investigate Threat Command Alerts

Threat Command finds and mitigates external threats that target your organization. You can ingest and investigate Threat Command alerts in InsightIDR to gain visibility across your attack surface and accelerate prioritization and response.

Enabling Threat Command alerts as an MDR customer

If you are a managed detection and response (MDR) customer, you can enable Threat Command to send alerts to InsightIDR. These Threat Command alerts will not be managed by the MDR SOC team.

Requirements

To access Threat Command Alerts in InsightIDR, you’ll need:

Send Threat Command alerts to InsightIDR

To get started, you will first need to enable Threat Command to send alerts to InsightIDR.

  1. In InsightIDR, navigate to Settings from the left menu.
  2. Under the Account section, click Insights Threat Command Alerts.
  3. Switch the toggle on to start sending Threat Command Alerts to InsightIDR.

Manage Threat Command detection rules

Once you have enabled Threat Command to send alerts to InsightIDR, you can manage your Threat Command rules on the Detection Rules page.

  1. In InsightIDR, navigate to Detection Rules from the left menu.
  2. In the filter panel, click the button to Show Threat Command rules.
  3. From here, you can manage Threat Command detection rules by changing the Rule Action and Rule Priority and adding exceptions.

Manage Threat Command investigations

Investigations created by Threat Command rules will automatically appear on the Investigations page of InsightIDR. Here, you can inspect the evidence sent from Threat Command, and use InsightIDR’s functionality to manage investigations.

Some fields will not be reflected in Threat Command

When managing Threat Command investigations in InsightIDR, you have the option to change the disposition, priority and assignee. These fields are InsightIDR-only features and will not be reflected in Threat Command.

Closing an investigation

When you close a Threat Command investigation in InsightIDR, you will be prompted to select a Reason for closing from the dropdown menu. Once closed, the Closed status and the reason will also be reflected in Threat Command.