Automate Internal Remediation

Internal remediation is the process of communicating indicators of compromise (IOCs) to user devices. Depending on the device, the IOCs are communicated either by the device pulling the relevant information from Digital Risk Protection (Threat Command) or by Digital Risk Protection (Threat Command) pushing the information to the device.

Automating internal remediation is enabled only for administrator users with a subscription to the Automation and Threat Intelligence (Intelligence Hub) modules of Digital Risk Protection (Threat Command).

  • An IOC Management rule determines which IOCs are collected and sent to IOC groups.
  • IOC groups communicate those IOCs to user devices.
  • User devices act on the IOCs they receive.

The best practice for an internal remediation process is as follows:

  1. Integrate a user device with Digital Risk Protection (Threat Command). This process differs per device, as described in Integrating Devices.
    The following device types can be integrated:
    • On-premises devices - communicate with Digital Risk Protection (Threat Command) via the Digital Risk Protection (Threat Command) virtual appliance.
      For on-premises devices, set up the following:
      • The Digital Risk Protection (Threat Command) virtual appliance hosted on a supported hypervisor.
      • A supported on-premises device.
      After these are configured, you integrate them together, and then you can communicate IOCs.
    • Cloud devices - communicate with Digital Risk Protection (Threat Command) entirely in the cloud. After you create the cloud device, integrating it with the cloud is a very simple process.
  2. Create IOC management rules and then connect those rules to an IOC group.