Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Start Trial
Products
- NEW!
  Surface Command
  Unlock a continuous 360° view of your attack surface
  FREE TRIAL
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The Take Command Summit is back!
  Our largest virtual event returns Apr. 9
  Register
Company
Partners
Sign In

Threat Command

Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Start Trial
Products
- NEW!
  Surface Command
  Unlock a continuous 360° view of your attack surface
  FREE TRIAL
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The Take Command Summit is back!
  Our largest virtual event returns Apr. 9
  Register
Company
Partners

Sign In

Documentation
Threat Command
Release Notes

Docs Menu

Welcome

Welcome to Threat Command
Register to Threat Command
Log in to Threat Command
Multi Tenant Threat Management
Rapid7 Product Connections
Customer Support

Threat Command

Threat Command
Architecture Overview
Threat Command Quick Start
Threat Summary
Manage Alerts
Remediate an Alert
Threats
Strategic Intelligence
IntelliFind
Create Reports
Configure Assets
- Asset Types and Formats
- Alerts from Assets
Asset Management
Configurations

Intelligence Hub

Overview
Quick Start
IOC Summary
IOCs
Investigation
- View Investigation Map and Overview
- View Investigation Additional Enrichment Data
Threat Library
- Threat Library Related Information
Sources
Integrations

Vulnerabilty Risk Analyzer (VRA)

Vulnerability Risk Analyzer
Manage Vulnerabilities
- CVE Details
- Export CVEs to a CSV
Vulnerability Alerts

Threat Third-Party

Threat Third Party
Risk Assessment

Automation

Automation
Automate Actions on Alerts
Automate Internal Remediation
- Create IOC Management Rules
- Manage IOC Groups
Alert Profiler

Integrate Devices

Integrate Devices
The Threat Command Virtual Appliance
Integrate Cloud Devices
Integrate On-Premises Devices
Automate Leaked Credentials with Active Directory
- Integrate an Azure Active Directory Device
- Integrate a Microsoft Active Directory
InsightIDR Integration
IntSights App for Splunk
- Splunk App Install, Configure, and Upgrade
IntSights Splunk App for Splunk SOAR (Phantom)
- IntSights Splunk App for Splunk SOAR Installation and Configuration
- IntSights Splunk App for Splunk SOAR Activities
Rapid7 Threat Command App for Elastic SIEM
ServiceNow Security App
ServiceNow ITSM App
IntSights App for IBM QRadar
- IBM QRadar App Installation and Configuration
Integration Appendix

Settings

Update User Profiles
Configure Users
Configure Customers
Subscription Settings, Keys, and API
Authentication Options

IntSights Extend Browser Extension

IntSights Extend Browser Extension
Install and Configure Rapid7 Extend
Manage and Configure Rapid7 Extend
View IOCs and CVEs with Rapid7 Extend

Phishing Watch

Phishing Watch
Website Clone Detection
Website Redirect Detection
IFrame Detection
Phishing Watch Frequently Asked Questions

Welcome

Welcome to Threat Command
Register to Threat Command
Log in to Threat Command
Multi Tenant Threat Management
Rapid7 Product Connections
Customer Support

Threat Command

Threat Command
Architecture Overview
Threat Command Quick Start
Threat Summary
Manage Alerts
Remediate an Alert
Threats
Strategic Intelligence
IntelliFind
Create Reports
Configure Assets
- Asset Types and Formats
- Alerts from Assets
Asset Management
Configurations

Intelligence Hub

Overview
Quick Start
IOC Summary
IOCs
Investigation
- View Investigation Map and Overview
- View Investigation Additional Enrichment Data
Threat Library
- Threat Library Related Information
Sources
Integrations

Vulnerabilty Risk Analyzer (VRA)

Vulnerability Risk Analyzer
Manage Vulnerabilities
- CVE Details
- Export CVEs to a CSV
Vulnerability Alerts

Threat Third-Party

Threat Third Party
Risk Assessment

Automation

Automation
Automate Actions on Alerts
Automate Internal Remediation
- Create IOC Management Rules
- Manage IOC Groups
Alert Profiler

Integrate Devices

Integrate Devices
The Threat Command Virtual Appliance
Integrate Cloud Devices
Integrate On-Premises Devices
Automate Leaked Credentials with Active Directory
- Integrate an Azure Active Directory Device
- Integrate a Microsoft Active Directory
InsightIDR Integration
IntSights App for Splunk
- Splunk App Install, Configure, and Upgrade
IntSights Splunk App for Splunk SOAR (Phantom)
- IntSights Splunk App for Splunk SOAR Installation and Configuration
- IntSights Splunk App for Splunk SOAR Activities
Rapid7 Threat Command App for Elastic SIEM
ServiceNow Security App
ServiceNow ITSM App
IntSights App for IBM QRadar
- IBM QRadar App Installation and Configuration
Integration Appendix

Settings

Update User Profiles
Configure Users
Configure Customers
Subscription Settings, Keys, and API
Authentication Options

IntSights Extend Browser Extension

IntSights Extend Browser Extension
Install and Configure Rapid7 Extend
Manage and Configure Rapid7 Extend
View IOCs and CVEs with Rapid7 Extend

Phishing Watch

Phishing Watch
Website Clone Detection
Website Redirect Detection
IFrame Detection
Phishing Watch Frequently Asked Questions

Create IOC Management Rules

This topic describes how to create the IOC management rules and IOC groups.

Device definition and integration is described in Integrating Devices. Do that first.

IOC rules are used to collect IOCs. Like alert rules, in IOC rules, you select the IOCs that match certain criteria, then you associate the IOC rules with IOC groups, which then send the IOCS to the device.

Note: Email address IOCs are not sent to devices.

Before you begin, ensure that the device to which you want to send the IOCs has been created and integrated.

To create an IOC rule:

From the Automation > Policy page, click IOC.
Click the + sign.
Enter a user-defined name for the IOC rule.
The name can contain a maximum of thirteen letters, spaces, numbers, and underscores.
The IOC Profile tab enables you to define on which alerts to perform an action. Only alerts that match the selected criteria will match this rule.
Select the IOC severity and IOC types to be included.
(Optional) You can select a date range, IOC state, and tags that must match.
Click Next.
On the IOC Feed tab, select the feeds from which the IOCs should be matched, then click Next.
On the Internal Remediation tab, select the device and the IOC group where you want to add this rule.
If the group does not exist, click the + sign under the device to create a new group on-the-fly. Assign a name and a group limit to the new group.
At this point, some options are not available, such as setting priorities to feeds. To edit the group after its creation, see Manage IOC Groups.
Click Finish.