Create IOC Management Rules

IOC rules are used to collect IOCs (indicators of compromise). As with alert rules, an IOC rule selects the IOCs that match the criteria you define. Each IOC rule is associated with an IOC group, and the IOCs it detects are sent to the integrated device.

⚠️ Email IOCs: Email address IOCs are not sent to devices.

Before you begin, ensure that the device you want to send the IOCs to has been created and integrated. See Integrating Devices for guidance on how to integrate your device.

To create an IOC rule:

  1. From the Automation > Policy page, click IOC.
  2. Click the + sign.
  3. Enter a user-defined name for the IOC rule. The name can contain letters, spaces, numbers, and underscores, up to a maximum of 13 characters.
  4. On the IOC Profile tab, define the criteria for the type and severity of IOCs you want the rule to match. Optionally, you can also select a date range, IOC state, and tags that must match.
  5. Click Next.
  6. On the IOC Feed tab, select the feeds from which the IOCs should be matched, then click Next.
  7. Click Next.
  8. On the Internal Remediation tab, select the device and the IOC group you want to add this rule to. You can click the + sign under the device to create a new IOC group. To edit the group after its creation, see Manage IOC Groups.
  9. Click Finish.
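To make the matching semantics of the steps above concrete, here is an added, hypothetical model of an IOC rule (not the product's own code or API): it applies the criteria the procedure lists (IOC type, severity, optional date range, state, tags, and feed), enforces the 13-character name constraint, and separates out email-address IOCs, which the note above says are never sent to a device. Severity levels, field names, the device and IOC group names, and the sample IOCs are all constructed for illustration.

```python
"""Illustrative model of how an IOC management rule selects IOCs.

Hypothetical code, not the product's own implementation. It mirrors the
criteria the documentation lists (IOC type, severity, optional date range,
state, tags, feed) plus the caveat that email-address IOCs are not sent
to devices. Severity names and field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import re

# Name constraint from the documentation: letters, spaces, digits and
# underscores, at most 13 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_ ]{1,13}$")

# Assumed severity scale; the product's own scale may differ.
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Ioc:
    value: str
    ioc_type: str        # e.g. "ip", "domain", "hash", "email"
    severity: str
    first_seen: date
    state: str           # e.g. "active", "expired"
    feed: str
    tags: frozenset = frozenset()


@dataclass
class IocRule:
    name: str
    ioc_types: set
    min_severity: str
    feeds: set
    device: str
    ioc_group: str
    date_from: Optional[date] = None
    date_to: Optional[date] = None
    states: Optional[set] = None          # None means "any state"
    required_tags: set = field(default_factory=set)

    def __post_init__(self):
        if not NAME_RE.match(self.name):
            raise ValueError(f"invalid rule name: {self.name!r}")
        if self.min_severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {self.min_severity!r}")

    def matches(self, ioc: Ioc) -> bool:
        """Return True when the IOC satisfies every configured criterion."""
        if ioc.ioc_type not in self.ioc_types:
            return False
        if SEVERITY_ORDER.get(ioc.severity, 0) < SEVERITY_ORDER[self.min_severity]:
            return False
        if ioc.feed not in self.feeds:
            return False
        if self.date_from and ioc.first_seen < self.date_from:
            return False
        if self.date_to and ioc.first_seen > self.date_to:
            return False
        if self.states is not None and ioc.state not in self.states:
            return False
        if not self.required_tags <= ioc.tags:
            return False
        return True


def select_for_device(rule: IocRule, iocs):
    """Apply the rule and separate out what the device cannot receive.

    Returns (sent, skipped): 'sent' holds the matching IOCs that would be
    pushed to the rule's IOC group; 'skipped' holds matching email IOCs,
    which are not sent to devices.
    """
    sent, skipped = [], []
    for ioc in iocs:
        if not rule.matches(ioc):
            continue
        if ioc.ioc_type == "email":
            skipped.append(ioc)
        else:
            sent.append(ioc)
    return sent, skipped


# Constructed sample IOCs using documentation/reserved ranges; not real indicators.
SAMPLE_IOCS = [
    Ioc("203.0.113.10", "ip", "high", date(2024, 5, 2), "active", "feed-a", frozenset({"c2"})),
    Ioc("example.invalid", "domain", "medium", date(2024, 5, 3), "active", "feed-a", frozenset({"c2"})),
    Ioc("phish@example.invalid", "email", "critical", date(2024, 5, 4), "active", "feed-a", frozenset({"c2"})),
    Ioc("198.51.100.7", "ip", "high", date(2023, 1, 1), "expired", "feed-a", frozenset({"c2"})),
    Ioc("192.0.2.9", "ip", "critical", date(2024, 5, 5), "active", "feed-b", frozenset({"c2"})),
]

# Constructed rule; device and IOC group names are placeholders.
RULE = IocRule(
    name="c2_block_v1",
    ioc_types={"ip", "domain", "email"},
    min_severity="high",
    feeds={"feed-a"},
    device="firewall-01",
    ioc_group="blocklist",
    date_from=date(2024, 1, 1),
    states={"active"},
    required_tags={"c2"},
)

if __name__ == "__main__":
    sent, skipped = select_for_device(RULE, SAMPLE_IOCS)
    print("sent to device:", [i.value for i in sent])
    print("matched but not sent (email):", [i.value for i in skipped])
```

Running the block shows that only the active, high-severity IP from the selected feed inside the date range is sent; the domain fails the severity threshold, the expired IP fails both the state and date-range checks, the feed-b IP is excluded by the feed selection, and the email IOC matches the rule but is held back rather than pushed to the device.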

When the rule is added, a success message is displayed.

Once the device integration has synced successfully and a rule has been added to an IOC group on that device, IOCs begin to be transferred.