Taking action against indicators of compromise (IOCs)

To automate actions whenever an indicator of compromise (IOC) is identified in your environment, define a new trigger for When a Indicator is Marked on a Detection.

Next, define a playbook with the set of actions you want to run for every indicator identified:

By using the trigger When a Indicator is Marked on a Detection, you take action against the indicators of compromise (IOCs) published with the initial detection, and also against any indicators added to that detection later because of new activity on the same endpoint.


Details

Important: If you use the trigger When a Detection is Published to take action against indicators of compromise (IOCs), you will only act on the indicators that were part of the initial publication, not on any indicators added to the detection post-publication as a result of new activity identified by our CIRT.

We suggest you only perform IOC-specific actions when using the trigger When a Indicator is Marked on a Detection, and perform endpoint-, user- and detection-specific actions when using the trigger When a Detection is Published.
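The following simulation illustrates the scoping difference between the two triggers. It is an added example, not Red Canary code and not a call into any real API: the trigger names come from this article, while the event lifecycle it models (publication fires the detection trigger once and the indicator trigger once per initial IOC; a later amendment fires only the indicator trigger, once per newly marked IOC) is an assumption that mirrors the behaviour described above. The detection, endpoint name and IOC values are constructed sample data.

```python
"""Constructed simulation of the two automation triggers discussed on this page.

Added example: not Red Canary code. The event lifecycle below is an assumed
model of the behaviour the article describes, not a documented API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Trigger names as they appear in the article.
TRIGGER_DETECTION_PUBLISHED = "When a Detection is Published"
TRIGGER_INDICATOR_MARKED = "When a Indicator is Marked on a Detection"


@dataclass(frozen=True)
class Indicator:
    kind: str    # e.g. "sha256", "domain", "ip"
    value: str


@dataclass
class Detection:
    detection_id: str
    endpoint: str
    indicators: List[Indicator] = field(default_factory=list)


class AutomationBus:
    """Tiny trigger/playbook dispatcher standing in for the product's automation."""

    def __init__(self) -> None:
        self._playbooks: Dict[str, List[Callable[..., None]]] = {}

    def on(self, trigger: str, playbook: Callable[..., None]) -> None:
        self._playbooks.setdefault(trigger, []).append(playbook)

    def fire(self, trigger: str, **context) -> None:
        for playbook in self._playbooks.get(trigger, []):
            playbook(**context)


def publish_detection(bus: AutomationBus, detection: Detection) -> None:
    """Initial publication (assumed model): the detection trigger fires once with
    the IOCs known at that moment; the indicator trigger fires once per IOC."""
    bus.fire(TRIGGER_DETECTION_PUBLISHED, detection=detection)
    for ioc in detection.indicators:
        bus.fire(TRIGGER_INDICATOR_MARKED, detection=detection, indicator=ioc)


def amend_detection(bus: AutomationBus, detection: Detection,
                    new_indicators: List[Indicator]) -> None:
    """Post-publication amendment after new activity on the same endpoint
    (assumed model): only the indicator trigger fires, once per new IOC."""
    for ioc in new_indicators:
        detection.indicators.append(ioc)
        bus.fire(TRIGGER_INDICATOR_MARKED, detection=detection, indicator=ioc)


def run_scenario() -> Dict[str, List[str]]:
    """Bind an IOC-blocking playbook to each trigger and report which IOC values
    each playbook actually acted on."""
    bus = AutomationBus()
    blocked_via_detection: List[str] = []
    blocked_via_indicator: List[str] = []
    isolated_endpoints: List[str] = []

    def detection_playbook(detection: Detection) -> None:
        # Endpoint-scoped action belongs on this trigger, as the article advises.
        isolated_endpoints.append(detection.endpoint)
        # Blocking IOCs here only ever sees the initial set.
        blocked_via_detection.extend(i.value for i in detection.indicators)

    def indicator_playbook(detection: Detection, indicator: Indicator) -> None:
        # IOC-scoped action: runs for initial and amended indicators alike.
        blocked_via_indicator.append(indicator.value)

    bus.on(TRIGGER_DETECTION_PUBLISHED, detection_playbook)
    bus.on(TRIGGER_INDICATOR_MARKED, indicator_playbook)

    # Constructed sample detection: two IOCs at publication, one amended later.
    det = Detection("DET-0001", "WS-ACME-042", [
        Indicator("sha256", "a" * 64),
        Indicator("domain", "example-c2.invalid"),
    ])
    publish_detection(bus, det)
    amend_detection(bus, det, [Indicator("ip", "203.0.113.7")])

    return {
        "isolated_endpoints": isolated_endpoints,
        "blocked_via_detection_trigger": blocked_via_detection,
        "blocked_via_indicator_trigger": blocked_via_indicator,
    }


if __name__ == "__main__":
    for key, values in run_scenario().items():
        print(f"{key}: {values}")
```

Running the script shows the detection-published playbook blocking only the two IOCs present at publication, while the indicator-marked playbook also catches the IP amended afterwards; the endpoint isolation, being endpoint-scoped, runs exactly once from the detection trigger.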

Example:
