Taking action against indicators of compromise (IOCs)
To automate actions for whenever an indicator of compromise (IOC) is identified in your environment, define a New Trigger for When an Indicator is Marked on a Threat.
Next, define a Playbook with the set of Actions you want to run for every indicator identified.
By using the Trigger When an Indicator is Marked on a Threat, you take action against the indicators of compromise (IOCs) published with the initial threat, and also against any indicators added to the threat later because of new activity on the same endpoint.
Details
Important: If you use the Trigger When a Threat is Published to act on indicators of compromise (IOCs), you will only act on the indicators that were part of the initial publication, not on any indicators added post-publication as a result of new activity identified by our CIRT.
We suggest you perform only IOC-specific actions with the trigger When an Indicator is Marked on a Threat, and perform endpoint, user and threat-specific actions with the trigger When a Threat is Published.
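The following is an added example, not the product's code or API: a small simulated trigger/playbook engine that replays one threat lifecycle (publication with two indicators, then a third indicator added after publication) through both wirings. It shows concretely why an IOC-blocking action attached to the threat-published trigger misses the amended indicator, while the same action on the per-indicator trigger catches it. The class names, handler signatures and the sample threat data are all constructed for this illustration.

```python
"""Simulated trigger/playbook engine (constructed example, not the vendor's API).

Demonstrates the coverage difference between
  - "When a Threat is Published"           (fires once per threat)
  - "When an Indicator is Marked on a Threat" (fires once per indicator,
    including indicators added after publication)
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Indicator:
    kind: str    # constructed kinds: "hash", "domain", "ip"
    value: str


@dataclass
class Threat:
    threat_id: str
    endpoint: str
    indicators: list = field(default_factory=list)


class Automation:
    """A playbook is a list of callables; each trigger runs its playbook."""

    def __init__(self) -> None:
        self.on_threat_published: list[Callable[[Threat], None]] = []
        self.on_indicator_marked: list[Callable[[Threat, Indicator], None]] = []

    def publish(self, threat: Threat) -> None:
        # The threat-published trigger fires exactly once, seeing only the
        # indicators attached at publication time.
        for action in self.on_threat_published:
            action(threat)
        # Every indicator present at publication is also "marked" on the
        # threat, so the per-indicator trigger fires for each of them.
        for ioc in list(threat.indicators):
            for action in self.on_indicator_marked:
                action(threat, ioc)

    def amend(self, threat: Threat, ioc: Indicator) -> None:
        # New activity on the same endpoint: an indicator is added to the
        # already-published threat. Only the per-indicator trigger fires.
        threat.indicators.append(ioc)
        for action in self.on_indicator_marked:
            action(threat, ioc)


def simulate() -> dict:
    """Run both wirings over one constructed event sequence and report results."""
    engine = Automation()
    blocked_via_publish: set = set()
    blocked_via_mark: set = set()
    isolated_endpoints: list = []

    # Threat-published playbook: endpoint/threat-level action (recommended use).
    def isolate_endpoint(threat: Threat) -> None:
        isolated_endpoints.append(threat.endpoint)

    # The mis-wiring the article warns about: IOC action on the publish trigger.
    def block_iocs_at_publish(threat: Threat) -> None:
        for ioc in threat.indicators:
            blocked_via_publish.add(ioc.value)

    # Indicator-marked playbook: IOC-level action (recommended use).
    def block_ioc(threat: Threat, ioc: Indicator) -> None:
        blocked_via_mark.add(ioc.value)

    engine.on_threat_published += [isolate_endpoint, block_iocs_at_publish]
    engine.on_indicator_marked.append(block_ioc)

    # Constructed sample threat with two initial indicators (placeholder values).
    threat = Threat("THREAT-0001", "host-42", [
        Indicator("hash", "placeholder-hash-0001"),
        Indicator("domain", "c2.example.invalid"),
    ])
    engine.publish(threat)
    # Later: new activity on the same endpoint, indicator added post-publication.
    engine.amend(threat, Indicator("ip", "203.0.113.7"))

    return {
        "isolated_endpoints": isolated_endpoints,
        "blocked_via_publish": blocked_via_publish,
        "blocked_via_mark": blocked_via_mark,
        "missed_by_publish_trigger": blocked_via_mark - blocked_via_publish,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {sorted(value)}")
```

Running the script lists the amended IP under `missed_by_publish_trigger`, which is exactly the gap the Details section describes: keep IOC actions on the per-indicator trigger and reserve the publish trigger for endpoint, user and threat-level actions.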