Commit 6f8a0b24 authored by Václav Bartoš's avatar Václav Bartoš

doc: use case description updated

The Kibana plugin doesn't work in OSD, so the case must be created manually in The Hive.
parent 738b1128
Image files changed in this commit (image-diff viewer omitted):
  • doc/images/use_case3.png: 175 KiB -> 25.4 KiB
  • doc/images/use_case4.png: 25.4 KiB -> 64.4 KiB
  • doc/images/use_case5.png: 71.3 KiB

...@@ -4,18 +4,25 @@ In this use case we describe a typical workflow in a SOC and shows how it can be ...@@ -4,18 +4,25 @@ In this use case we describe a typical workflow in a SOC and shows how it can be
Assume that a threat analyst in a SOC learns about a specific IP address used by a new threat actor. He adds the IP address to the threat intelligence platform MISP by creating a new event and adding the IP address as an attribute. This is done automatically during the SOCTools installation for demonstration purposes. An event called "testevent" is created and the IP "10.10.10.10" and domain "example.evil" are added as attributes: Assume that a threat analyst in a SOC learns about a specific IP address used by a new threat actor. He adds the IP address to the threat intelligence platform MISP by creating a new event and adding the IP address as an attribute. This is done automatically during the SOCTools installation for demonstration purposes. An event called "testevent" is created and the IP "10.10.10.10" and domain "example.evil" are added as attributes:
<img src="images/use_case1.png" width=640> <img src="images/use_case1.png" width=800>
All logs collected by SOCTools are processed by Apache NiFi. NiFi is integrated with MISP and attributes are automatically downloaded to enrich the collected data before sending it to OpenSearch. NiFi stores the information from MISP in an internal memory database and uses it to look up all IP addresses in logs. If it finds a match then it adds a new field to the log record that contains the event ID in MISP that contains attribute that matches the IP address. For example if you have a field "destination.ip" and it matches an attribute in MISP, the field "destination.ip_misp" will be created. All logs collected by SOCTools are processed by Apache NiFi. NiFi is integrated with MISP and attributes are automatically downloaded to enrich the collected data before sending it to OpenSearch. NiFi stores the information from MISP in an internal memory database and uses it to look up all IP addresses in logs. If it finds a match, it adds a new field to the log record that contains the event ID in MISP that contains the attribute that matches the IP address. For example, if you have a field "destination.ip" and it matches an attribute in MISP, the field "destination.ip_misp" will be created.
A security analyst is using the preinstalled OpenSearch Dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are comming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP. A security analyst is using the preconfigured OpenSearch Dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are coming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP.
<img src="images/use_case2.png" width=640> <img src="images/use_case2.png" width=800>
He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He there sees that it is event 2 in MISP that contains information about the IP "10.10.10.10". He is not familiar with this event so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered. He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He sees there that it is event 2 in MISP that contains the information about the IP "10.10.10.10". He is not familiar with this event, so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered.
<img src="images/use_case4.png" width=480> <img src="images/use_case3.png" width=400>
After evaluating the information in MISP, the security analyst concludes that this is a real threat and decides to create a new case in the Hive, the tool for doing incident response. He does this by clicking on the red button "Create new Case" in the Opensearch dashboards. A dialog box opens up where he can add details about the case and select the IP addresses that should be added as an observable in the Hive. When he is ready he clicks on "Create Case" and a new tab opens up showing the newly created case in the Hive. After evaluating the information in MISP, the security analyst concludes that this is a real threat and decides to create a new case in the Hive, the tool for doing incident response.
He goes to The Hive, clicks on "New Case" in the main menu and fill in basic information about the threat.
<img src="images/use_case3.png" width=640> <img src="images/use_case4.png" width=800>
When the Case is created, the IP "10.10.10.10" is added as an observable to it.
<img src="images/use_case5.png" width=800>
(Note: In a future version, there will be a plugin for OpenSearch Dashboards which will allow to create the case and add relevant IP address(es) directly from the dashboard.)
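Review bot: the rewritten sentence starting "A security analyst is using the preconfigured OpenSearch Dashboard" still carries the typo "magnifying class" (should be "magnifying glass"), and the added line "He goes to The Hive, clicks on "New Case" in the main menu and fill in basic information about the threat." needs "fills in"; while touching these lines, the closing note would read better as "which will allow the analyst to create the case and add the relevant IP address(es) directly from the dashboard", and the unchanged context line "we describe a typical workflow in a SOC and shows how it can be" should say "show". The tool name also alternates between "the Hive" and "The Hive" within the same paragraph; pick one spelling. The image swap (use_case4.png now illustrates the MISP event view and use_case3.png the new-case form, with use_case5.png for the observable) is consistent with the image files listed in the commit, so no further change is needed there.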