ISC Stormcast For Tuesday, December 5th 2017 https://isc.sans.edu/podcastdetail.html?id=5779

IR using the Hive Project.

Published: 2017-12-05
Last Updated: 2017-12-05 00:56:51 UTC
by Tom Webb (Version: 1)
1 comment(s)

Request Tracker Incident Response (RTIR) is one of the most popular IR ticketing systems. Its a open source project based on perl and MySQL. While it meets all your typical ticket tracking items, it needs lots of customization to meet your SOC needs. A few months ago I came across a project called TheHive (https://thehive-project.org/) that is a scalable open source platform.

 

The frontend is written in AngularJS and the backend is Elastic Search. The platform has the ability to create tickets, organize workflow, track indicators, import data about indicators from other sources and export it into MISP. The group of guys that are developing this are doing an amazing job of fixing bugs and adding new features to the system on a monthly basis.

 

 

The hive has several other components that should be leveraged to give you the power of the overall system. These components are Cortex and Hippocampe.

 

They have several ways to get started. They have a set Docker Images, a test VM, and you can download from source and install. I'd start with the VM or Docker just to get a feel for it.


 

Basic GUI workflow:

To create a new cause using a template select new case and the template you want.



 



 

The initial details page is filled with whatever you set up for the template, new tags and any additional information can be added.

Tasks is where you put your case notes. You can have it broken out by the 6 stages of IR, by tools, or playbook processes. Within the tasks you can have the IR processes documented to go along with the task itself.



 

Select the task you are working and then add a new task log to document your findings.

 

 

TheHive definitely meets the requirement for for logging,tracking, tracking. You can also add metrics that are required before the case is closed. What make this system great is the ability to add your IOC’s into the case, additionally if will tell you any other case that also has this IOC’s for better tracking.


 

Once you add in your IOC, you can ran analyzers in Cortex against the data and it will automatically be added to the case. They have 30 analyzers currently you can setup and use.
 

 

I have just scratched the surface of the tool, they do a great job of documentation and you should check out their blog https://blog.thehive-project.org for lots more information.

 

--

Tom Webb

@twsecblog

Keywords: Incident Response TheHive
1 comment(s)

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
8 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives