Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • opensearch
  • master-wo-opendistro-plugins
  • dev-bartos
  • tag-modification
  • java-upgrade
  • ports
  • nifi-update
  • kiril.kjiroski-master-patch-71888
  • user-mgmt-ui
  • interactive
  • cluster-support
  • dev5
  • dev4
  • dev02
  • dev01b
  • dev1
  • dev3
  • dev2
  • v1.0
  • v0.7
21 results
Blame Permalink
usecase.md 2.48 KiB

SOCTools Use Case

In this use case we describe a typical workflow in a SOC and shows how it can be solved using SOCTools.

Assume that a threat analyst in a SOC learns about a specific IP address used by a new threat actor. He adds the IP address to tthe hreat intelligence platform MISP by creating a new event and adding the IP address as an attribute. This is done automatically during the SOCTools installation for demonstration purposes. An event called "testevent" is created and the IP 10.10.10.10 and domain example.evil are added as attributes:

All logs collected by SOCTools are processed by Apache NiFi. NiFi is integrated with MISP and attributes are automatically downloaded to enrich the collected data before sending it to Elasticsearch. NiFi stores the information from MISP in an internal memory database and uses it to look up all IP addresses in logs. If it finds a match then it adds a new field to the log record that contains the event ID in MISP that contains attributes that matches the IP address. For example if you have a field "destination.ip" and it matches an attribute in MISP, the field "destination.ip_misp" will be created.

A security analyst is using the preinstalled Kibana dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are comming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP. He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He there sees that it is event 2 in MISP that contains information about the IP "10.10.10.10". He is not familiar with this event so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered.

After evaluating the information in MISP, the security analyst concludes that this is a real threat and creates a new case in the Hive, the tool for doing incident response. He does this by clicking on the red button "Create new Case" in the Kibana dashboard. A dialog box opens up where he can add details about the case before clicking on "Create Case". This will then automatically create a new case in the Hive and all necesarry information is automatically registered.