Automate Internal Remediation

Internal remediation is the process of communicating IOCs to a customer device. Depending on the device, the IOCs are communicated either by the device pulling the relevant information from Threat Command or by Threat Command pushing the information to the device.

Automating internal remediation is enabled only for administrator users with a subscription to the Automation and TIP modules of Threat Command.

Here is how the parts work together:

  • IOC management rules determine which IOCs are collected and sent to IOC groups.
  • IOC groups communicate those IOCs to user devices.
  • The user device acts on the IOCs it receives.

Integration is the process of configuring a customer device so that it can communicate with Threat Command.

The best-practice internal remediation process is as follows:

  1. Integrate a user device with Threat Command. This process differs per device, as described in Integrating Devices.
    The following device types can be integrated:
    • On-premises devices - On-premises devices communicate with Threat Command via the Threat Command virtual appliance ("appliance").
      For on-premises devices, set up the following:
      • The Threat Command virtual appliance hosted on a supported hypervisor.
      • A supported on-premises device.
      After these are configured, you integrate them together, and then you can communicate IOCs.
    • Cloud devices - Cloud devices communicate with Threat Command entirely in the cloud. After creating the cloud device, integrating it with the cloud is a very simple process.
  2. Create IOC management rules, and then connect those rules to an IOC group.

This topic describes how to create the IOC management rules and IOC groups.

Device definition and integration is described in Integrating Devices. Do that first.

After completing device definition, you can create IOC rules and groups, by which to communicate IOCs to the devices.