The Threat Command Automation module enables threat management and mitigation to be performed in a smart, automated way. Automation is based on user-created rules that perform actions on alerts or IOCs that meet specified criteria.
For example, you can protect employees and customers by automatically eliminating fake mobile apps and taking down malicious domains.
Note: The Automation module is enabled for users with administrator rights only.
Other potential use cases:
- Receipt of high or medium severity potential phishing domains with an MX record. These could be automatically sent to marketing for verification of authenticity, or to the company mail gateway for blocking.
- Receipt of malicious mobile applications not from a trusted source. This could trigger an automatic takedown request.
- All IOCs received in the last six months. These could be sent to SIEM.
- Leaked credentials, where the username is not valid. These could be automatically closed.
- Leaked credentials, where the username and password are both valid. These could be sent for a forced password reset or for account disabling.
Automation can be used to perform the following:
- Automating actions on alerts
Create rules that perform actions (such as changing severity, sending an email, or requesting external remediation) for alerts that meet defined criteria.
- Automating internal remediation by sending indicators of compromise (IOCs) to security devices
Create IOC management rules to send IOCs to a supported on-premises or cloud security device so that the device can block them.
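The use cases listed above and the two rule types (alert rules and IOC management rules) all follow one pattern: a rule is a condition evaluated against an alert or IOC plus a list of actions to run when it matches. The following is an added example, not Threat Command's own rule schema or API, that models that pattern as a small rule engine in Python. The alert fields (`type`, `severity`, `has_mx`, `trusted_source`, `username_valid`, `password_valid`, `first_seen`), the action names and the sample alerts are all constructed for illustration; IOCs are treated as records in the same stream with `type` set to `"ioc"`.

```python
"""Hypothetical rule engine illustrating criteria-driven automation.

Added example; it does not reproduce the product's rule format or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# An alert or IOC record is a plain dict of attributes (constructed schema).
Record = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """A rule is a named condition plus the actions to run when it matches."""
    name: str
    condition: Callable[[Record, datetime], bool]
    actions: Tuple[str, ...]


SIX_MONTHS = timedelta(days=182)  # assumption: "last six months" ~ 182 days


# --- Conditions, one per use case listed on the page (constructed) ---

def phishing_domain_with_mx(rec: Record, now: datetime) -> bool:
    return (rec["type"] == "phishing_domain"
            and rec["severity"] in ("high", "medium")
            and bool(rec.get("has_mx", False)))


def untrusted_mobile_app(rec: Record, now: datetime) -> bool:
    return rec["type"] == "mobile_app" and not rec.get("trusted_source", False)


def ioc_last_six_months(rec: Record, now: datetime) -> bool:
    return rec["type"] == "ioc" and now - rec["first_seen"] <= SIX_MONTHS


def leaked_creds_invalid_username(rec: Record, now: datetime) -> bool:
    return rec["type"] == "leaked_credentials" and not rec["username_valid"]


def leaked_creds_fully_valid(rec: Record, now: datetime) -> bool:
    return (rec["type"] == "leaked_credentials"
            and rec["username_valid"] and rec["password_valid"])


RULES: List[Rule] = [
    Rule("phishing-domain-with-mx", phishing_domain_with_mx,
         ("send_to_marketing", "send_to_mail_gateway")),
    Rule("untrusted-mobile-app", untrusted_mobile_app, ("request_takedown",)),
    Rule("ioc-to-siem", ioc_last_six_months, ("send_to_siem",)),
    Rule("close-invalid-username", leaked_creds_invalid_username, ("close",)),
    Rule("valid-creds-respond", leaked_creds_fully_valid,
         ("force_password_reset", "disable_account")),
]


def evaluate(rec: Record, rules: List[Rule], now: datetime) -> List[str]:
    """Return the actions triggered for one record, in rule order, without duplicates.

    Every matching rule contributes its actions; a record that matches no rule
    gets an empty list, which is how unhandled cases surface for manual review.
    """
    actions: List[str] = []
    for rule in rules:
        if rule.condition(rec, now):
            for action in rule.actions:
                if action not in actions:
                    actions.append(action)
    return actions


def run(records: List[Record], rules: List[Rule], now: datetime) -> Dict[str, List[str]]:
    """Evaluate every record and map its id to the actions it triggered."""
    return {str(rec["id"]): evaluate(rec, rules, now) for rec in records}


# --- Constructed sample input (not real alerts) ---
NOW = datetime(2024, 6, 1)
SAMPLE_RECORDS: List[Record] = [
    {"id": "A1", "type": "phishing_domain", "severity": "high", "has_mx": True},
    {"id": "A2", "type": "mobile_app", "trusted_source": False},
    {"id": "A3", "type": "ioc", "first_seen": datetime(2024, 1, 15)},   # 138 days old
    {"id": "A4", "type": "ioc", "first_seen": datetime(2023, 10, 1)},   # 244 days old
    {"id": "A5", "type": "leaked_credentials", "username_valid": False, "password_valid": False},
    {"id": "A6", "type": "leaked_credentials", "username_valid": True, "password_valid": True},
    {"id": "A7", "type": "leaked_credentials", "username_valid": True, "password_valid": False},
]

if __name__ == "__main__":
    for rec_id, actions in run(SAMPLE_RECORDS, RULES, NOW).items():
        print(rec_id, "->", actions or "no rule matched")
```

Record A7 (valid username, invalid password) matches none of the rules and so triggers nothing; in a real deployment that gap is exactly what a reviewer would look for when auditing a rule set, since unhandled alerts fall through silently unless a catch-all rule or a report covers them.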