Commit 50cb97fe authored by Arne Øslebø

Update usecase.md

parent 85964f15
......@@ -8,10 +8,14 @@ Assume that a threat analyst in a SOC learns about a specific IP address used by
All logs collected by SOCTools are processed by Apache NiFi. NiFi is integrated with MISP and attributes are automatically downloaded to enrich the collected data before sending it to Elasticsearch. NiFi stores the information from MISP in an internal memory database and uses it to look up all IP addresses in logs. If it finds a match then it adds a new field to the log record that contains the event ID in MISP that contains attribute that matches the IP address. For example if you have a field "destination.ip" and it matches an attribute in MISP, the field "destination.ip_misp" will be created.
A security analyst is using the preinstalled Kibana dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are comming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP. He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He there sees that it is event 2 in MISP that contains information about the IP "10.10.10.10". He is not familiar with this event so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered.
A security analyst is using the preinstalled Kibana dashboard "Suricata Alerts" to keep an eye on Suricata alerts that are comming in. The dashboard contains a visualization listing destination IPs that are registered in MISP. By clicking on the magnifying class in front of the IP "10.10.10.10" the analyst filters out events with this destination IP.
<img src="images/use_case2.png" width=640>
After evaluating the information in MISP, the security analyst concludes that this is a real threat and decides to create a new case in the Hive, the tool for doing incident response. He does this by clicking on the red button "Create new Case" in the Kibana dashboard. A dialog box opens up where he can add details about the case before clicking on "Create Case". This will then automatically create a new case in the Hive and all necesarry information is automatically registered.
He then expands one of the events and scrolls down till he sees the field "destination.ip_misp". He there sees that it is event 2 in MISP that contains information about the IP "10.10.10.10". He is not familiar with this event so he clicks on the field below "destination.ip_misp_url" which opens up the event in MISP in a separate browser tab. Here he can see all the information that the threat analyst registered.
<img src="images/use_case4.png" width=480>
After evaluating the information in MISP, the security analyst concludes that this is a real threat and decides to create a new case in the Hive, the tool for doing incident response. He does this by clicking on the red button "Create new Case" in the Kibana dashboard. A dialog box opens up where he can add details about the case and select source IP addresses that should be added as an observable in Kibana. When he is ready he clicks on "Create Case" and a new tab opens up showing the newly created case in the Hive.
<img src="images/use_case3.png" width=640>
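Review bot: the last paragraph of the hunk says source IP addresses are "added as an observable in Kibana", which conflicts with the rest of the sentence, where the case and its details are created in the Hive; since the observable is attached to the case, this should probably read "added as an observable in the Hive", so please confirm which tool is meant. The same paragraph also switches between the button labels "Create new Case" and "Create Case" in consecutive sentences; if these are two different controls (dashboard button versus dialog button) a short clarification would help, otherwise use one label. Spelling in the added text: "comming" should be "coming", "magnifying class" should be "magnifying glass", "necesarry" should be "necessary", "till he sees" reads better as "until he sees", and in the NiFi paragraph "contains attribute that matches" is missing "the" before "attribute".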