In Episode 11.5 we briefly recap episodes 10 and 11 of our cyber security virtual lab building series, where we integrated Cortex and MISP with TheHive to bring up our Security Operations Center (SOC). Since those videos were uploaded, there have been a few changes to this lab deployment, and this video serves as an update to bring everyone up to speed before we move on with the series.
To recap, TheHive is a security incident response platform (SIRP). Together with Cortex and MISP it lets us create cases and alerts, analyze observables and tap into a wealth of cybersecurity information, allowing us to make well-informed decisions and respond to security incidents as quickly as possible. In this lab we revisit our setup defined using docker-compose and make some amendments to these services/containers to allow this integration to happen, following a new, more convenient method that uses the improved GUI.
By the end of this lab our SOC will be ready to trigger observable analysis directly from TheHive, allow MISP to feed the latest threat alerts directly to the TheHive dashboard and, should we wish, create new indicators of compromise (IOCs) that we can send back to MISP so others have the opportunity to benefit from our discoveries.
If you have been enjoying this series so far, please don’t forget to like and subscribe!
Links used in video:
https://github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update