Manage IOC Groups

IOC groups transmit IOCs, derived from policy rules or Rapid7 feeds, to user security devices. For alert rules, only those parts that are transmittable IOCs are sent.

You can define separate IOC groups so that IOCs are delivered separately to the device. In some customer devices, this separation is required and Threat Command enforces those policies. In others, you may want the security device to treat different IOCs differently.

You can create IOC groups, on-the-fly, during the creation of IOC rules, or you can create them on their own. When creating on-the-fly, not all capabilities are available, so you may want to edit the created group afterwards.

You can edit existing IOC groups, create new groups, see which IOCs are included in existing groups, and view the device details/group URL – information that may be needed to complete the device integration.

Before you begin, ensure that the device is set up on the client side and in Threat Command. Also ensure that you have access credentials to the device.

Devices may have a limit of the maximum number of IOCs that they can receive. When you define IOC groups, the total limit for all IOC groups associated with a device cannot exceed the maximum device limit.

When creating an IOC group, to ensure that the most important IOCs are transmitted, you can use the following properties to prioritize which IOCs are transmitted to the device:

• IOC group limit - You can set a maximum limit of IOCs that are transmitted, per IOC group. If you have separate IOC groups, one for domains and another for addresses, for example, you can set the limits so that the more important group sends more IOCs. You can select to get notified when IOC groups reach their limit so that you can reconfigure to get the best ROI from your device limitations.
• IOC group source priority - You can adjust the priority of the sources within IOC groups to ensure that higher priority IOCs get sent to the device. IOCs from sources higher in the list are sent first, and IOCs from the next source are sent only if the maximum hasn’t reached.

When Threat Command IOCs are transmitted to a device, they may overwrite previously transmitted Threat Command IOCs, but they will not overwrite IOCs sent from other sources.

The following example exemplifies how limits and overwriting work:

If the IOC group limit is 3,000 IOCs, and the device already has 2,000 IOCs present, then no more than 1,000 IOCs will be sent. In the following figure, if there are 700 IOCs in the Threat Command  Potential phishing email address, 500 IOCs in Intelligence Feed, 500 in Remediation Blocklist, and 500 in Trends, Threat Command will send the first 1,000 IOCs, that is, 700 from Potential phishing email address and 300 from Intelligence Feed. If Trends is prioritized by moving it higher than Intelligence Feed, then the 300 IOCs from Trends will be sent instead of those from Intelligence Feed. The following table illustrates which IOCs will be sent:

Create an IOC group

Create an IOC group to communicate IOCs with customer devices. Before creating the IOC group, ensure that the device that will receive the IOC group data has already been integrated with Threat Command.

Use this procedure to create an IOC group before creating IOC rules. In general, you create IOC groups on-the-fly, from the Automation > Policy  tab during the creation of IOC rules.

To create an IOC group:

1. From the Automation > Integrations  tab, click On-Premises or Cloud.
2. From the Integrations device list, select a device.
   By selecting a device at this point, you are instructing Threat Command to send the new IOC group to the selected device.
3. Click  .
4. Type a user-defined name for the IOC group.
   The name can contain a maximum of thirteen letters, numbers, and underscores.
5. Set a limit for this IOC group.
6. (Optional) To be notified when this group's limt is reached, select Send a notification if this group's limit is reached, then select how to be notified:
   • With the notification bell  .
   • By email.
   • Email to others (you'll enter the addresses).
7. Set the sources from which IOCs will be derived:
   1. Click Edit sources.
   2. Select from existing policy rules and feeds from which the IOCs should be used to propagate the IOC group.
      You must select at least one feed.
      In the previous figure, one policy rule and five Rapid7 feeds are selected.
   3. Click Add.

• The selected sources are listed.

1. For each selected source, select at least one IOC type to include, for example, IP addresses and domains. Different sources offer different forms of IOC types.
   
2. (Optional) To change the priority of a source, select the  to the left of the source name, then drag the source to the desired position.
3. Click Save.

The IOC group is added to the device. IOCs that match the type from the selected feeds are added to the device.

To see which IOCs are in an IOC group:

1. From the Automation > Integrations tab, select a device.
2. Point to a group, then click the report icon: 
   

The IOCs in the group are listed.

Edit an IOC group

You can edit an existing IOC group. If you created an IOC group on-the-fly during IOC rule creation, where the creation rules are limited, you are likely to want to edit that group.

To edit an IOC group:

1. From the Automation > Integrations tab, click On-premises or Cloud, then click the device to which the group was assigned.

2. In the IOC Groups**** list, click the IOC group to edit.

3. Add sources:

   1. Click Edit sources.
   2. Select additional sources.
   3. Click Add.

4. For each selected source, select at least one IOC type to include, for example, IP addresses and domains.
   Different sources offer different forms of IOC types.

5. To change the priority of a source, select the to the left of the source name, then drag the source to the desired position.

6. (Optional) For sources that are alert or IOC rules, you can edit the rule by clicking****Edit Rule.

7. Click Save.