Indicators of compromise (IoCs) are clues or evidence that suggest a system or network has been breached or is under attack. This forensic evidence helps security teams identify and respond to malicious activity.
SaaS Alerts IoCs allow you to create custom events in the application by mixing and matching various activities that are taking place and treating that combination as an indicator of compromise. Partners can create their own IoCs at any time, and the details can include specific playbooks or actions that their techs should run.
Requirements
- SaaS Alerts "MSP Admin" privileges
- When using IoCs combined with our Respond module: sign in with Microsoft, K1 or Google OAuth, or enable MFA in SaaS Alerts user settings
- Accept all the module security permissions
Note: Please make sure you disable MFA if you choose to use Google, K1 or Microsoft authentication.
Rules
After clicking on "Indicators of Compromise" you will land on the "Rules" screen. From here partners can create a new rule and manage existing rules.
Creating a Rule
Before creating a rule it's important to understand how rules are structured. Rules apply to one or more organizations, at least one account (typically a user account), and must be "listening" for at least one event. IoCs are "alerts only" which is the equivalent of creating a new SaaS Alerts event.
Creating a Rule:
1. From the "Indicators of Compromise" screen click on the button.
2. Click on "Untitled Rule" to edit the name of the new rule.
3. You can add a description to your IoC Rule.
4. Under the "Trigger" section, select the application to be monitored. Next, select the "Organizations and Accounts" button.
5. Select the "Organizations" and "Accounts" to be monitored. Partners have the option to select one, all, or multiple organizations and accounts.
Note: If "Trigger rules for all organizations" or "Trigger rules for all accounts" is active, this will also include any Organizations and Accounts added in the future. Ticking the "Trigger rule for all organizations" checkbox also lets you exclude specific organizations.
6. Click on the "Conditions" button to go to the next screen. Here you can select the event or "Alert Description" that needs to occur in order for this rule to be triggered. Select the event, and set the number of occurrences and the timeframe. The minimum occurrence is 1, and the minimum timeframe is 15 minutes. Partners can also add multiple events, each with the same or different parameters, and combine them. Logical "OR" and "AND" operators are available to create complex event monitoring flows.
Note: IoCs will be scanned every 5 minutes to check for the occurrence of any conditions set in the rule.
Filters:
For each event selected within the rule, a filter may be applied. Filters allow additional criteria to be set based on a subset of event details, for example "Country contains US" or "Country does not contain US". Instances of an event are then included or excluded depending on the filter.
7. Next, click on the "Summary" button to review the "Trigger" section. If you want to add, change or remove any of the "Trigger" settings, please click on the edit pencil or the numbers to go back to the previous screen. If everything looks correct please scroll down and advance to the "IOC Configuration" section.
8. On the "IOC Configuration" section, partners can customize the "Alert Severity" such as Critical, Medium, or Low for the created event. Additionally, you can configure the "Event Alert Assignment". This will allow you to customize how events are assigned in Event Reports on SaaS Alerts.
9. When configuring an "IOC Event" you can customize the fields related to the events previously set in the rule by clicking on the blue boxes.
The customization window shows common short codes that partners can select to choose which event data is included in their custom IoC. You can also assign a name to your new IoC alert or write a description for it as needed.
10. The "IOC Notifications" screen is where an MSP Admin can provide a phone number or Email address, or opt in to push notifications via the Mobile app, in order to receive notifications when a rule gets triggered. Multiple phone numbers and Email addresses can be added.
The initial step has an explanation of the notification you are about to receive and a checkbox requiring approval.
11. Next, click on the "Summary" button to review the "IOC Configurations" section. If you want to add, change or remove any of the "IOC Configurations" settings, please click on the edit pencil or the numbers to go back to the previous screen.
Pro tip: Respond Rules can be converted into an IoC simply by heading to your Respond rule and clicking on the "Convert to IOC" button.
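To make the condition semantics from the "Conditions" and "Filters" steps concrete (a count of occurrences inside a timeframe, a per-event filter such as "Country does not contain US", and AND/OR combination), here is an added Python model of one scan pass over constructed sample events. It is illustration only, not SaaS Alerts code, and the event field names and the example rule are assumptions.

```python
"""Toy evaluation of an IoC-style rule: a condition holds when an alert occurs
at least N times inside a time window, optionally narrowed by a filter on an
event detail; conditions combine with AND/OR. Not SaaS Alerts code."""
from datetime import datetime, timedelta

# Constructed sample events (timestamp, alert description, a detail field).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "alert": "Failed Login", "country": "Brazil"},
    {"ts": "2024-05-01T10:03:00", "alert": "Failed Login", "country": "Brazil"},
    {"ts": "2024-05-01T10:07:00", "alert": "Failed Login", "country": "Brazil"},
    {"ts": "2024-05-01T10:09:00", "alert": "Successful Login", "country": "US"},
    {"ts": "2024-05-01T10:10:00", "alert": "Successful Login", "country": "Brazil"},
]

def condition_met(events, alert, occurrences, window_minutes, now,
                  filter_field=None, contains=None, negate=False):
    """True if `alert` occurred >= `occurrences` times in the `window_minutes`
    before `now`, counting only events that pass the optional filter."""
    start = now - timedelta(minutes=window_minutes)
    count = 0
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["alert"] != alert or not (start <= ts <= now):
            continue
        if filter_field is not None:
            match = contains.lower() in str(ev.get(filter_field, "")).lower()
            if match == negate:   # "contains" keeps matches, "does not contain" drops them
                continue
        count += 1
    return count >= occurrences

def rule_triggered(events, conditions, operator, now):
    """Combine the per-condition results with the rule's logical operator."""
    results = [condition_met(events, now=now, **c) for c in conditions]
    return all(results) if operator == "AND" else any(results)

# Assumed example rule: 3+ failed logins from outside the US within 15 minutes
# AND a successful login from outside the US in the same window.
RULE = {"operator": "AND", "conditions": [
    {"alert": "Failed Login", "occurrences": 3, "window_minutes": 15,
     "filter_field": "country", "contains": "US", "negate": True},
    {"alert": "Successful Login", "occurrences": 1, "window_minutes": 15,
     "filter_field": "country", "contains": "US", "negate": True},
]}

def evaluate_sample(now="2024-05-01T10:12:00"):
    """One scan pass at time `now` (the page says rules are checked every 5 minutes)."""
    return rule_triggered(SAMPLE_EVENTS, RULE["conditions"], RULE["operator"],
                          datetime.fromisoformat(now))
```

Running `evaluate_sample()` at 10:12 returns True (three non-US failed logins plus one non-US successful login fall inside the 15-minute window), while a scan at 10:05 sees only two failed logins and returns False.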