====== Unicis SOC Plan ====== Comprehensive breakdown of features and integrations for UNICIS SOC stack that includes Wazuh, TheHive, Zabbix, MISP, Cortex, and Shuffle SOAR. ===== Integrated Features ===== ==== 1. Centralised Incident Management ==== * Wazuh + TheHive: * Automate alert ingestion from Wazuh into TheHive to create structured cases. * Analysts triage Wazuh alerts in TheHive and enrich them with observables from threat intelligence (via Cortex and MISP). * Zabbix + TheHive: * Send Zabbix performance or anomaly alerts to TheHive for further analysis. * Automatically create cases in TheHive when Zabbix detects critical infrastructure issues that may indicate security concerns. * TheHive + Shuffle SOAR: * Use Shuffle to automate TheHive workflows, such as escalating alerts to incidents, assigning tasks, or notifying teams. ==== 2. Automated Threat Intelligence Integration ==== * Wazuh + MISP: * Export Wazuh-detected IoCs (e.g., IPs, domains, hashes) to MISP for community sharing. * Use MISP threat feeds in Wazuh for correlation with logs and real-time alerts. * MISP + TheHive: * Automatically correlate IoCs from MISP with incidents in TheHive. * Enrich TheHive cases with detailed threat actor profiles, tactics, and related indicators from MISP. * MISP + Cortex: * Leverage Cortex analyzers to validate and enrich MISP IoCs (e.g., domain reputation, IP geolocation). * Cortex results can be fed back into MISP to keep threat intelligence updated. * Shuffle + MISP: * Automate the ingestion of new threat feeds into MISP and push updates to Wazuh. * Trigger Shuffle workflows for MISP when new IoCs are detected, such as adding alerts to Wazuh or sharing them with other organisations. ==== 3. Proactive Alert Management ==== * Wazuh + Zabbix: * Correlate Wazuh alerts with Zabbix metrics to identify suspicious activities with infrastructure context. * Zabbix + Shuffle SOAR: * Automate responses to Zabbix alerts, such as restarting failing services or notifying teams about resource exhaustion. * TheHive + Cortex: * When alerts in TheHive contain observables (IPs, domains, hashes), Cortex analyzers automatically enrich them with actionable intelligence. * TheHive + Shuffle SOAR: * Use Shuffle to assign tasks in TheHive, send notifications to teams, and escalate alerts based on severity or case type. ==== 4. Enhanced Visualisations ==== * Zabbix Dashboards: * Combine security alerts from Wazuh with performance metrics from Zabbix into unified dashboards. * TheHive Analytics: * Analyse incident trends and response times, enhanced by enriched threat data from MISP and Cortex. * Shuffle Dashboards: * Use Shuffle to create centralised dashboards displaying SOC-wide metrics: alert counts, case statuses, response SLAs, and resolved incidents. ==== 5. Automated Playbooks ==== * Shuffle SOAR: * Automate multi-step responses, such as: * Triggering Cortex enrichment for new TheHive observables. * Updating MISP with new IoCs detected by Wazuh or validated by Cortex. * Quarantining affected endpoints using Wazuh triggers. * TheHive Playbooks: * Guide analysts through consistent incident response workflows: * Example: Phishing case playbook → Analyze email headers in Cortex → Cross-check domains in MISP → Update case findings in TheHive. ==== 6. Improved Threat Detection ==== * Wazuh + Cortex: * Automatically enrich Wazuh alerts using Cortex analyzers (e.g., VirusTotal for file hashes, AbuseIPDB for IPs). * Highlight false positives or flag high-risk threats based on enrichment data. * MISP + Shuffle SOAR: * Detect changes in MISP IoCs and trigger Shuffle workflows to alert Wazuh or update TheHive cases. * Zabbix + MISP: * Correlate Zabbix anomaly alerts with known threat patterns in MISP, enabling proactive detection of infrastructure-based attacks. ===== Standalone Features ===== ==== Wazuh ==== * Intrusion detection through log monitoring, anomaly detection, and file integrity checks. * Host-based monitoring with custom rule sets for advanced threat detection. * Compliance audits for standards like PCI-DSS, HIPAA, and GDPR. ==== TheHive ==== * Incident management with case tracking, observables, and collaboration tools. * Playbook automation for standardised incident handling. * Trend analysis for understanding recurring threats and response efficiency. ==== Zabbix ==== * Resource monitoring across servers, applications, networks, and databases. * Trend analysis for resource utilisation and performance anomalies. * Custom alerting for proactive response to potential issues. ==== MISP ==== * Centralised threat intelligence management and sharing platform. * Import/export of IoCs in formats like STIX, JSON, and CSV. * Advanced IOC correlation and search for identifying related campaigns. ==== Cortex ==== * Observable enrichment using powerful analyzers like VirusTotal, PassiveTotal, and WHOIS lookup. * Automation of threat intelligence workflows with integration to other tools like MISP and TheHive. * Supports hundreds of analyzers for advanced threat data insights. ==== Shuffle SOAR ==== * Orchestrates and automates workflows across all integrated tools. * Provides a centralised automation hub to connect Wazuh, Zabbix, MISP, TheHive, and Cortex. * Simplifies repetitive tasks like alert forwarding, case creation, and threat enrichment.