- Incidents are organized and assigned by case
• Cases follow steps in a pre-made case template (playbooks)
• Cases have tasks that need to be completed
• Tasks have associated worklogs
• Cases can have observables assigned to them
• Observables can be enriched by analyzers enabled in Cortex engine
- TheHive: Automatic Case Creation with Context
1. Events collected in SIEM, items of interest become alerts
2. Alerts sent to TheHive for triage
• New case created for all accepted alerts
3. Case is populated with fields from the alert:
• Parses fields from alert
• IP addresses, domains, usernames, hostnames, etc.
• Pulls in additional info if available
• Tasks created from designated case template (playbook)
- Observables
• TheHive allows you to associate observables to an incident at the case level. These are meant to be interesting snippets of data found within the course of the investigation, but do not necessarily have to represent malicious infrastructure or files.
• The "is IOC" star can be used to control whether the individual observable is an "indicator of compromise" or whether it is just a piece of data potentially associated with the case.
• The "has been sighted" checkbox: if we were investigating something that we hadn't seen in our organization, then this checkbox could be unswitched to signify that it is not something the organization has encountered yet.
- Case Closure
• Once a case has been worked to completion, which is defined as having completed at least all required tasks in the playbook, the case can be closed.
• Closing the case involves writing a brief summary of what the ticket was about and how it was resolved.
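The whole flow in these notes (alert parsed into observables, tasks created from a playbook template, "is IOC" and "has been sighted" flags on each observable, and closure only once every required task is done) as an added Python model. This is example code written for these notes, not TheHive's or Cortex's own code or API client: the sample alert and the playbook are constructed, the observable field names (`dataType`, `data`, `ioc`, `sighted`) follow TheHive's observable schema, and the data types `ip` and `domain` are TheHive defaults while usernames and hostnames are filed under `other` (an assumption for illustration).

```python
import re
from dataclasses import dataclass, field

# Constructed sample alert, shaped like what a SIEM would hand to TheHive.
SAMPLE_ALERT = {
    "title": "Suspicious outbound connection from workstation",
    "source": "siem",
    "fields": {
        "src_ip": "10.20.30.40",
        "dst_ip": "203.0.113.77",
        "dst_domain": "update-check.example.net",
        "user": "jdoe",
        "host": "WS-0142",
    },
}

# Assumed case template (playbook): required tasks gate case closure.
PLAYBOOK = {
    "Suspicious Outbound": [
        {"title": "Triage alert and confirm scope", "required": True},
        {"title": "Enrich observables in Cortex", "required": True},
        {"title": "Contain affected host", "required": True},
        {"title": "Lessons learned write-up", "required": False},
    ]
}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


@dataclass
class Observable:
    dataType: str
    data: str
    message: str = ""
    ioc: bool = False      # the "is IOC" star; off until analysis says otherwise
    sighted: bool = True   # the "has been sighted" checkbox; alert data was seen by us


@dataclass
class Task:
    title: str
    required: bool
    status: str = "Waiting"
    worklog: list = field(default_factory=list)


@dataclass
class Case:
    title: str
    observables: list
    tasks: list
    status: str = "Open"
    summary: str = ""


def classify(field_name, value):
    """Pick a TheHive data type for an alert field (value first, then field name)."""
    if IPV4_RE.match(value):
        return "ip", ""
    if DOMAIN_RE.match(value):
        return "domain", ""
    if "user" in field_name:
        return "other", "username"
    if "host" in field_name:
        return "other", "hostname"
    return None, None


def parse_observables(alert):
    """Step 3 of the notes: pull IPs, domains, usernames and hostnames out of the alert."""
    observables = []
    for name, value in alert["fields"].items():
        dtype, note = classify(name, value)
        if dtype is not None:
            observables.append(Observable(dataType=dtype, data=value, message=note))
    return observables


def create_case(alert, template):
    """Accepted alert becomes a case with tasks from the designated playbook."""
    tasks = [Task(t["title"], t["required"]) for t in PLAYBOOK[template]]
    return Case(title=alert["title"], observables=parse_observables(alert), tasks=tasks)


def complete_task(case, title, worklog_entry):
    """Record a worklog entry and mark the task completed."""
    for task in case.tasks:
        if task.title == title:
            task.worklog.append(worklog_entry)
            task.status = "Completed"
            return task
    raise KeyError(title)


def pending_required(case):
    return [t.title for t in case.tasks if t.required and t.status != "Completed"]


def close_case(case, summary):
    """Closure requires every required playbook task to be completed plus a summary."""
    missing = pending_required(case)
    if missing:
        raise ValueError("required tasks still open: " + ", ".join(missing))
    case.status = "Resolved"
    case.summary = summary
    return case


if __name__ == "__main__":
    case = create_case(SAMPLE_ALERT, "Suspicious Outbound")
    for obs in case.observables:
        print(obs.dataType, obs.data, obs.message, "ioc=%s sighted=%s" % (obs.ioc, obs.sighted))
    for title in ("Triage alert and confirm scope", "Enrich observables in Cortex", "Contain affected host"):
        complete_task(case, title, "done by analyst")
    print(close_case(case, "Beaconing host isolated; domain blocked at proxy.").status)
```

Observables parsed from our own SIEM alert default to `sighted=True` because the organization has by definition encountered them; an analyst adding a threat-intel indicator that has not been seen internally would flip that off, and would set `ioc=True` only after enrichment or investigation confirms the observable is actually an indicator of compromise.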