Automate Actions on Alerts
Automating enables you to create rules (or “policies”) that perform actions on specific groups of alerts.
You can create the following kinds of policies:
- Global - General rules that apply to all, or a set of all alert types.
- **[Digital Risk Protection (Threat Command)](doc:threat-command-policy-rules)** - Specific rules that apply to smaller sets of alerts.
- IOC Management - Rules that integrate with on-premises or cloud-based security devices.
This section describes how to automate global and Digital Risk Protection (Threat Command) alerts.
IOC Management is described in Automate Internal Remediation.
Automation Module Subscription
Automating actions on alerts is enabled only for users with a subscription to the Automation module of Digital Risk Protection (Threat Command).
The following table shows the differences between global and Digital Risk Protection (Threat Command) rules:
Rule type | Alert type | Search criteria | Actions |
---|---|---|---|
Global | Applies equally to all alert types | Limited | Limited (no internal or external remediation) |
**Digital Risk Protection (Threat Command)** | Alert types can be specified | Complete | Complete |
You can manage policies on the Automation > Policy page.
Example uses of a policy
The following example can be used for Global or Digital Risk Protection (Threat Command) policies:
- Company A has different security teams (1, 2, and 3) that manage the alerts related to different company assets. Using asset tagging and a policy, they can automatically notify the right team about alerts from their appropriate assets.
Step 1 : Use the Asset Management page to add tags to assets. We can tag certain assets with 1, 2, or 3 to correspond with the relevant security team.
Step 2 : Create a policy that sends an email to each team when alerts regarding their assets are triggered. Use the same tags that were added in the previous step.
The following Digital Risk Protection (Threat Command) policy is enabled, by default, for Phishing domain alerts:
Step 1 : The alert profile of the rule is configured to detect any suspected phishing domains of any severity that were not registered in the last 365 days.
Step 2 : Alerts that match this profile have been configured to close automatically.
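As an added illustration (not Threat Command's own code or API), the following Python models the two example policies above: routing alerts to security teams by asset tag, and auto-closing suspected phishing-domain alerts whose domain was not registered in the last 365 days. Team e-mail addresses, field names, and the sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed mapping from asset tag to the team that should be notified.
TEAM_EMAIL = {"1": "team1@example.com", "2": "team2@example.com", "3": "team3@example.com"}

@dataclass
class Alert:
    alert_id: str
    alert_type: str
    severity: str
    asset_tags: Set[str] = field(default_factory=set)
    domain_registered: Optional[date] = None  # only meaningful for Phishing domain alerts

def route_by_asset_tag(alert: Alert) -> List[str]:
    """Policy 1 (Global or Threat Command): e-mail every team whose tag is on the alert's asset."""
    return sorted(TEAM_EMAIL[t] for t in alert.asset_tags if t in TEAM_EMAIL)

def autoclose_stale_phishing_domain(alert: Alert, today: date) -> bool:
    """Policy 2 (Threat Command default): close suspected phishing domains of any severity
    whose domain was NOT registered within the last 365 days."""
    if alert.alert_type != "Phishing domain" or alert.domain_registered is None:
        return False
    return alert.domain_registered < today - timedelta(days=365)

def apply_policies(alerts: List[Alert], today: date) -> Dict[str, List[str]]:
    """Evaluate both policies and return the actions taken per alert id."""
    actions: Dict[str, List[str]] = {}
    for a in alerts:
        acts = [f"email:{addr}" for addr in route_by_asset_tag(a)]
        if autoclose_stale_phishing_domain(a, today):
            acts.append("close")
        actions[a.alert_id] = acts
    return actions

def demo() -> Dict[str, List[str]]:
    """Run the policies over constructed sample alerts as of a fixed date."""
    today = date(2024, 6, 1)
    alerts = [
        Alert("A1", "Phishing domain", "High", {"2"}, date(2020, 1, 1)),     # old domain: close
        Alert("A2", "Phishing domain", "Low", {"1", "3"}, date(2024, 3, 1)),  # recent: stays open
        Alert("A3", "Data leakage", "Medium", {"9"}),                        # untagged team: no action
    ]
    return apply_policies(alerts, today)

if __name__ == "__main__":
    for alert_id, acts in demo().items():
        print(alert_id, acts)
```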