Enable IOC Communication from Digital Risk Protection (Threat Command) to the Device

Integrating a device with Digital Risk Protection (Threat Command) enables them to communicate with each other, a process referred to as internal remediation. This section describes the general internal remediation process, where indicators of compromise (IOCs) are communicated from Digital Risk Protection (Threat Command) to the device.

For information specific to each device, see the section for that device.

In Digital Risk Protection (Threat Command), IOCs are gathered in IOC groups, which are then transmitted to user devices. IOC groups can gather IOCs from various sources, and some of those sources may be user-created rules. These rules enable greater control over which IOCs are transmitted to a user device.

IOC groups are created with the Digital Risk Protection (Threat Command) Automation > Integrations module.

The process of creating IOC groups is described in full in the Automate Internal Remediation section of the Digital Risk Protection (Threat Command) User Guide.

For pull devices, a unique IOC URL must be copied from Digital Risk Protection (Threat Command) and configured in the device.

For push devices, there are various ways to receive IOCs from Digital Risk Protection (Threat Command).

Each group (or in some cases, each defined device) has a unique identifier which, when shared with the user device, enables IOCs to be transmitted.

Some IOC groups have a unique URL. This URL is copied from Digital Risk Protection (Threat Command) to the management console of the device.

The following figure illustrates an IOC group with a unique URL (replace [APPLIANCE IP] with the real IP address):

[Figure: IOC group with a unique URL]

Some devices have device details that are the same for all IOC groups. These details are copied from Digital Risk Protection (Threat Command) to the management console of the device.

The following figure illustrates the details for a device (replace [APPLIANCE IP/URL] with the real IP address or URL):

[Figure: device details]