Automate Actions on Alerts

Automation lets you create rules (also called "policies") that perform actions on specific groups of alerts.

You can create the following kinds of policies:

  • Global - General rules that apply to all alert types, or to a subset of them.
  • Threat Command - Specific rules that apply to smaller sets of alerts.
  • IOC Management - Rules that integrate with on-premises or cloud-based security devices.

This section describes how to automate global and Threat Command alerts.
IOC Management is described in Automate Internal Remediation.

Automating actions on alerts is available only to users whose subscription includes the Automation module of Rapid7 Threat Command.

The following table shows the differences between global and Threat Command rules:

Rule type        Alert type                           Search criteria   Actions
Global           Applies equally to all alert types   Limited           Limited (no internal or external remediation)
Threat Command   Alert types can be specified         Complete          Complete

You manage policies on the Automation > Policy page.

Example uses of a policy

The following example can be used for Global or Threat Command policies:

  • Company A has three security teams (1, 2, and 3), each of which manages the alerts related to a different set of company assets. Using asset tagging and a policy, the alerts from each set of assets can automatically be sent to the right team.

Step 1: Use the Asset Management page to add tags to assets
We can tag certain assets with "1," certain assets with "2," and certain assets with "3."

Step 2: Create a policy that sends an email to each team when alerts regarding its assets are triggered.
Use the same tags that were added in the previous step as the policy's asset criterion.

The following example can be used for a Threat Command policy:

  • The following policy initiates a remediation (takedown) for high-severity phishing websites, then closes those alerts whose remediation succeeded. Alerts whose takedown failed remain open.

The following Threat Command policy is enabled by default for Phishing domain alerts:
Step 1: The alert profile is a suspected phishing domain of any severity that was not registered in the last 365 days (that is, the domain is at least a year old).

Step 2: Alerts that match this profile are closed.
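To make the behaviour of these three policies concrete, here is an added Python model of how such rules are evaluated: each policy is a set of criteria (alert type, severity, asset tag, domain age) plus an ordered list of actions, and the model enforces the rule-type table above (a Global rule cannot select alert types or remediate). This is example code written for this page, not Threat Command's API or configuration format: the Alert and Policy classes, the action names, the e-mail addresses, the reference date and the sample alerts are all assumptions or constructed data.

```python
# Added model of how alert-automation policies are evaluated, written for this page.
# Not Threat Command's API: classes, action names, addresses, dates and alerts are assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass
class Alert:
    alert_id: str
    alert_type: str                    # e.g. "Phishing domain", "Phishing website"
    severity: str                      # "Low", "Medium" or "High"
    asset_tags: Set[str]               # tags added on the Asset Management page
    domain_registered: Optional[date]  # registration date, when the alert has one
    status: str = "Open"
    notified: List[str] = field(default_factory=list)
    remediation: Optional[str] = None  # None, "success" or "failed"

@dataclass
class Policy:
    name: str
    kind: str                                 # "Global" or "Threat Command"
    alert_types: Optional[FrozenSet[str]]     # None = any alert type
    severities: Optional[FrozenSet[str]]      # None = any severity
    asset_tags: Optional[FrozenSet[str]]      # None = any asset
    min_domain_age_days: Optional[int]        # 365 = "not registered in the last 365 days"
    actions: List[Tuple[str, Optional[str]]]  # applied in order

def validate(policy: Policy) -> None:
    """Enforce the rule-type table: Global rules cannot pick alert types or remediate."""
    if policy.kind == "Global":
        if policy.alert_types is not None:
            raise ValueError(f"{policy.name}: Global rules apply to all alert types")
        if any(action == "remediate" for action, _ in policy.actions):
            raise ValueError(f"{policy.name}: Global rules cannot remediate")

def matches(policy: Policy, alert: Alert, today: date) -> bool:
    """True when every criterion the policy sets is met by the alert."""
    if policy.alert_types is not None and alert.alert_type not in policy.alert_types:
        return False
    if policy.severities is not None and alert.severity not in policy.severities:
        return False
    if policy.asset_tags is not None and not (policy.asset_tags & alert.asset_tags):
        return False
    if policy.min_domain_age_days is not None:
        # No registration date: never auto-close on age, leave it for an analyst.
        if alert.domain_registered is None:
            return False
        if (today - alert.domain_registered).days < policy.min_domain_age_days:
            return False
    return True

def apply_policy(policy: Policy, alert: Alert, today: date, takedown) -> bool:
    """Run the policy's actions, in order, on one alert; True if it matched."""
    validate(policy)
    if not matches(policy, alert, today):
        return False
    for action, arg in policy.actions:
        if action == "notify":
            alert.notified.append(arg)
        elif action == "remediate":
            alert.remediation = "success" if takedown(alert) else "failed"
        elif action == "close":
            alert.status = "Closed"
        elif action == "close_if_remediated" and alert.remediation == "success":
            alert.status = "Closed"    # a failed takedown keeps the alert open
    return True

# Example 1: Global rules route alerts to teams 1, 2 and 3 by asset tag (assumed addresses).
TEAM_ROUTING = [Policy(f"Notify team {t}", "Global", None, None, frozenset({t}), None,
                       [("notify", f"team{t}@example.com")]) for t in ("1", "2", "3")]
# Example 2: remediate high-severity phishing websites, close the ones taken down.
PHISH_TAKEDOWN = Policy("Take down high phishing websites", "Threat Command",
                        frozenset({"Phishing website"}), frozenset({"High"}), None, None,
                        [("remediate", None), ("close_if_remediated", None)])
# Example 3: the default rule, suspected phishing domains registered 365+ days ago are closed.
AGED_DOMAIN = Policy("Close aged suspected phishing domains", "Threat Command",
                     frozenset({"Phishing domain"}), None, None, 365, [("close", None)])
TODAY = date(2024, 6, 1)  # constructed reference date for the age check

def sample_alerts() -> List[Alert]:  # constructed sample alerts
    return [Alert("A1", "Phishing website", "High", {"1"}, None),
            Alert("A2", "Phishing website", "High", {"2"}, None),
            Alert("A3", "Phishing domain", "Low", {"3"}, date(2022, 1, 10)),
            Alert("A4", "Phishing domain", "Medium", {"3"}, date(2024, 5, 2))]

def fake_takedown(alert: Alert) -> bool:
    return alert.alert_id != "A2"  # simulate one takedown that fails

def run(policies: List[Policy], alerts: List[Alert], today: date = TODAY,
        takedown=fake_takedown) -> Dict[str, Alert]:
    for alert in alerts:
        for policy in policies:
            apply_policy(policy, alert, today, takedown)
    return {a.alert_id: a for a in alerts}

def global_rule_rejected() -> bool:
    """The validation check in action: a Global rule that tries to remediate is refused."""
    try:
        validate(Policy("Bad global", "Global", None, None, None, None, [("remediate", None)]))
    except ValueError:
        return True
    return False
```

Running `run(TEAM_ROUTING + [PHISH_TAKEDOWN, AGED_DOMAIN], sample_alerts())` notifies team 1 about A1 and closes it after a successful takedown, notifies team 2 about A2 but leaves it open because the takedown failed, and closes only the aged domain A3 while the 30-day-old A4 stays open for an analyst. Two design points worth carrying over to real policies: an alert with no registration date is deliberately not matched by the age criterion, so it is never auto-closed on missing data, and the close action after a remediation is conditional on the takedown result rather than on the rule merely having fired.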