Create IOC Management Rules

This topic describes how to create the IOC management rules and IOC groups.

Device definition and integration is described in Integrating Devices. Do that first.

IOC rules are used to collect IOCs. Like alert rules, in IOC rules, you select the IOCs that match certain criteria, then you associate the IOC rules with IOC groups, which then send the IOCS to the device.

Note: Email address IOCs are not sent to devices.

Before you begin, ensure that the device to which you want to send the IOCs has been created and integrated.

To create an IOC rule:

1. From the Automation > Policy page, click IOC.
2. Click the + sign.
3. Enter a user-defined name for the IOC rule.
   The name can contain a maximum of thirteen letters, spaces, numbers, and underscores.
   The IOC Profile tab enables you to define on which alerts to perform an action. Only alerts that match the selected criteria will match this rule.
4. Select the IOC severity and IOC types to be included.
5. (Optional) You can select a date range, IOC state, and tags that must match.
6. Click Next.
7. On the IOC Feed tab, select the feeds from which the IOCs should be matched, then click Next.
8. On the Internal Remediation tab, select the device and the IOC group where you want to add this rule.
   If the group does not exist, click the + sign under the device to create a new group on-the-fly. Assign a name and a group limit to the new group.
   At this point, some options are not available, such as setting priorities to feeds. To edit the group after its creation, see Manage IOC Groups.
9. Click Finish.

When the policy is added, a success message is displayed.

When the device integration is successfully synched and a policy is added to an IOC group on that device, IOCs will begin to be transferred.