Enable IOC Communication from Threat Command to the Device
Integrating a device with Threat Command enables the device and Threat Command to communicate with each other, a process referred to as internal remediation. This section describes the general internal remediation process, in which indicators of compromise (IOCs) are communicated from Threat Command to the device.
For information specific to each device, see the section for that device.
In Threat Command, IOCs are gathered in IOC groups, which are then transmitted to user devices. IOC groups can gather IOCs from various sources, and some of those sources may be user-created rules. These rules enable greater control over which IOCs are transmitted to a user device.
IOC groups are created with the Threat Command Automation > Integrations module.
The process of creating IOC groups is described in full in the Automate Internal Remediation section of the Threat Command User Guide.
For pull devices, a unique IOC URL must be copied from Threat Command and configured in the device.
For push devices, there are various ways to receive IOCs from Threat Command.
Each group (or, in some cases, each defined device) has a unique identifier which, when configured in the user device, enables IOCs to be transmitted.
Some IOC groups have a unique URL. This URL is copied from Threat Command to the management console of the device.
The following figure illustrates an IOC group with a unique URL (replace [APPLIANCE IP] with the real IP address):
Some devices have device details that are the same for all IOC groups. These details are copied from Threat Command to the management console of the device.
The following figure illustrates the details for a device (replace [APPLIANCE IP/URL] with the real IP address or URL):