pub:soc [26.11.2024 09:05] – created Predrag Tasevski
pub:soc [26.11.2024 16:00] (current) Predrag Tasevski
Line 1: Line 1:
 ====== Unicis SOC Plan ====== ====== Unicis SOC Plan ======
  
 +<WRAP center round info>
 Comprehensive breakdown of features and integrations for UNICIS SOC stack that includes Wazuh, TheHive, Zabbix, MISP, Cortex, and Shuffle SOAR. Comprehensive breakdown of features and integrations for UNICIS SOC stack that includes Wazuh, TheHive, Zabbix, MISP, Cortex, and Shuffle SOAR.
 +</WRAP>
  
-Integrated Features 
-1. Centralised Incident Management 
-Wazuh + TheHive: 
-Automate alert ingestion from Wazuh into TheHive to create structured cases. 
-Analysts triage Wazuh alerts in TheHive and enrich them with observables from threat intelligence (via Cortex and MISP). 
-Zabbix + TheHive: 
-Send Zabbix performance or anomaly alerts to TheHive for further analysis. 
-Automatically create cases in TheHive when Zabbix detects critical infrastructure issues that may indicate security concerns. 
-TheHive + Shuffle SOAR: 
-Use Shuffle to automate TheHive workflows, such as escalating alerts to incidents, assigning tasks, or notifying teams. 
  
-2. Automated Threat Intelligence Integration +===== Integrated Features =====
-Wazuh + MISP: +
-Export Wazuh-detected IoCs (e.g., IPs, domains, hashes) to MISP for community sharing. +
-Use MISP threat feeds in Wazuh for correlation with logs and real-time alerts. +
-MISP + TheHive: +
-Automatically correlate IoCs from MISP with incidents in TheHive. +
-Enrich TheHive cases with detailed threat actor profiles, tactics, and related indicators from MISP. +
-MISP + Cortex: +
-Leverage Cortex analyzers to validate and enrich MISP IoCs (e.g., domain reputation, IP geolocation). +
-Cortex results can be fed back into MISP to keep threat intelligence updated. +
-Shuffle + MISP: +
-Automate the ingestion of new threat feeds into MISP and push updates to Wazuh. +
-Trigger Shuffle workflows for MISP when new IoCs are detected, such as adding alerts to Wazuh or sharing them with other organisations.+
  
-3Proactive Alert Management +==== 1Centralised Incident Management ====
-Wazuh + Zabbix: +
-Correlate Wazuh alerts with Zabbix metrics to identify suspicious activities with infrastructure context. +
-Zabbix + Shuffle SOAR: +
-Automate responses to Zabbix alerts, such as restarting failing services or notifying teams about resource exhaustion. +
-TheHive + Cortex: +
-When alerts in TheHive contain observables (IPs, domains, hashes), Cortex analyzers automatically enrich them with actionable intelligence. +
-TheHive + Shuffle SOAR: +
-Use Shuffle to assign tasks in TheHive, send notifications to teams, and escalate alerts based on severity or case type.+
  
-4. Enhanced Visualisations +  * Wazuh + TheHive
-Zabbix Dashboards+     * Automate alert ingestion from Wazuh into TheHive to create structured cases
-Combine security alerts from Wazuh with performance metrics from Zabbix into unified dashboards+     * Analysts triage Wazuh alerts in TheHive and enrich them with observables from threat intelligence (via Cortex and MISP)
-TheHive Analytics: +   * Zabbix + TheHive: 
-Analyse incident trends and response times, enhanced by enriched threat data from MISP and Cortex. +       * Send Zabbix performance or anomaly alerts to TheHive for further analysis. 
-Shuffle Dashboards+       * Automatically create cases in TheHive when Zabbix detects critical infrastructure issues that may indicate security concerns. 
-Use Shuffle to create centralised dashboards displaying SOC-wide metrics: alert countscase statusesresponse SLAsand resolved incidents.+   * TheHive + Shuffle SOAR
 +     * Use Shuffle to automate TheHive workflowssuch as escalating alerts to incidentsassigning tasksor notifying teams.
  
-5. Automated Playbooks +==== 2. Automated Threat Intelligence Integration ====
-Shuffle SOAR: +
-Automate multi-step responses, such as: +
-Triggering Cortex enrichment for new TheHive observables. +
-Updating MISP with new IoCs detected by Wazuh or validated by Cortex. +
-Quarantining affected endpoints using Wazuh triggers. +
-TheHive Playbooks: +
-Guide analysts through consistent incident response workflows: +
-Example: Phishing case playbook → Analyze email headers in Cortex → Cross-check domains in MISP → Update case findings in TheHive.+
  
-6. Improved Threat Detection +  * Wazuh + MISP
-Wazuh + Cortex+    * Export Wazuh-detected IoCs (e.g., IPs, domains, hashesto MISP for community sharing
-Automatically enrich Wazuh alerts using Cortex analyzers (e.g., VirusTotal for file hashes, AbuseIPDB for IPs). +    * Use MISP threat feeds in Wazuh for correlation with logs and real-time alerts
-Highlight false positives or flag high-risk threats based on enrichment data+  MISP + TheHive
-MISP + Shuffle SOAR+    * Automatically correlate IoCs from MISP with incidents in TheHive. 
-Detect changes in MISP IoCs and trigger Shuffle workflows to alert Wazuh or update TheHive cases+    * Enrich TheHive cases with detailed threat actor profiles, tactics, and related indicators from MISP
-Zabbix + MISP: +  * MISP + Cortex: 
-Correlate Zabbix anomaly alerts with known threat patterns in MISP, enabling proactive detection of infrastructure-based attacks.+    * Leverage Cortex analyzers to validate and enrich MISP IoCs (e.g., domain reputation, IP geolocation). 
 +    * Cortex results can be fed back into MISP to keep threat intelligence updated
 +  * Shuffle + MISP: 
 +    * Automate the ingestion of new threat feeds into MISP and push updates to Wazuh. 
 +    * Trigger Shuffle workflows for MISP when new IoCs are detectedsuch as adding alerts to Wazuh or sharing them with other organisations.
  
-Standalone Features +==== 3Proactive Alert Management ====
-Wazuh +
-Intrusion detection through log monitoring, anomaly detection, and file integrity checks. +
-Host-based monitoring with custom rule sets for advanced threat detection. +
-Compliance audits for standards like PCI-DSS, HIPAA, and GDPR.+
  
-TheHive +  * Wazuh + Zabbix: 
-Incident management with case tracking, observables, and collaboration tools+    * Correlate Wazuh alerts with Zabbix metrics to identify suspicious activities with infrastructure context. 
-Playbook automation for standardised incident handling. +  * Zabbix + Shuffle SOAR: 
-Trend analysis for understanding recurring threats and response efficiency.+    * Automate responses to Zabbix alertssuch as restarting failing services or notifying teams about resource exhaustion. 
 +  * TheHive + Cortex: 
 +    * When alerts in TheHive contain observables (IPsdomains, hashes), Cortex analyzers automatically enrich them with actionable intelligence
 +  * TheHive + Shuffle SOAR: 
 +    * Use Shuffle to assign tasks in TheHive, send notifications to teams, and escalate alerts based on severity or case type.
  
-Zabbix +==== 4Enhanced Visualisations ====
-Resource monitoring across servers, applications, networks, and databases. +
-Trend analysis for resource utilisation and performance anomalies. +
-Custom alerting for proactive response to potential issues.+
  
-MISP +  * Zabbix Dashboards: 
-Centralised threat intelligence management and sharing platform+    * Combine security alerts from Wazuh with performance metrics from Zabbix into unified dashboards
-Import/export of IoCs in formats like STIX, JSON, and CSV+  * TheHive Analytics: 
-Advanced IOC correlation and search for identifying related campaigns.+    * Analyse incident trends and response timesenhanced by enriched threat data from MISP and Cortex
 +  * Shuffle Dashboards: 
 +    * Use Shuffle to create centralised dashboards displaying SOC-wide metrics: alert counts, case statuses, response SLAs, and resolved incidents.
  
-Cortex +==== 5Automated Playbooks ====
-Observable enrichment using powerful analyzers like VirusTotal, PassiveTotal, and WHOIS lookup. +
-Automation of threat intelligence workflows with integration to other tools like MISP and TheHive. +
-Supports hundreds of analyzers for advanced threat data insights.+
  
-Shuffle SOAR +  * Shuffle SOAR: 
-Orchestrates and automates workflows across all integrated tools. +    * Automate multi-step responses, such as: 
-Provides a centralised automation hub to connect Wazuh, Zabbix, MISP, TheHive, and Cortex. +      * Triggering Cortex enrichment for new TheHive observables. 
-Simplifies repetitive tasks like alert forwarding, case creation, and threat enrichment.+      * Updating MISP with new IoCs detected by Wazuh or validated by Cortex. 
 +      * Quarantining affected endpoints using Wazuh triggers. 
 +    * TheHive Playbooks: 
 +      * Guide analysts through consistent incident response workflows: 
 +      * Example: Phishing case playbook → Analyze email headers in Cortex → Cross-check domains in MISP → Update case findings in TheHive. 
 + 
 +==== 6. Improved Threat Detection ==== 
 + 
 +  * Wazuh + Cortex: 
 +    * Automatically enrich Wazuh alerts using Cortex analyzers (e.g., VirusTotal for file hashes, AbuseIPDB for IPs). 
 +    * Highlight false positives or flag high-risk threats based on enrichment data. 
 +  * MISP + Shuffle SOAR: 
 +    * Detect changes in MISP IoCs and trigger Shuffle workflows to alert Wazuh or update TheHive cases. 
 +  * Zabbix + MISP: 
 +    * Correlate Zabbix anomaly alerts with known threat patterns in MISP, enabling proactive detection of infrastructure-based attacks. 
 + 
 +===== Standalone Features ===== 
 + 
 +==== Wazuh ==== 
 + 
 +  * Intrusion detection through log monitoring, anomaly detection, and file integrity checks. 
 +  * Host-based monitoring with custom rule sets for advanced threat detection. 
 +  * Compliance audits for standards like PCI-DSS, HIPAA, and GDPR. 
 + 
 +==== TheHive ==== 
 + 
 +  * Incident management with case tracking, observables, and collaboration tools. 
 +  * Playbook automation for standardised incident handling. 
 +  * Trend analysis for understanding recurring threats and response efficiency. 
 + 
 +==== Zabbix ==== 
 + 
 +  * Resource monitoring across servers, applications, networks, and databases. 
 +  * Trend analysis for resource utilisation and performance anomalies. 
 +  * Custom alerting for proactive response to potential issues. 
 + 
 +==== MISP ==== 
 + 
 +  * Centralised threat intelligence management and sharing platform. 
 +  * Import/export of IoCs in formats like STIX, JSON, and CSV. 
 +  * Advanced IOC correlation and search for identifying related campaigns. 
 + 
 +==== Cortex ==== 
 + 
 +  * Observable enrichment using powerful analyzers like VirusTotal, PassiveTotal, and WHOIS lookup. 
 +  * Automation of threat intelligence workflows with integration to other tools like MISP and TheHive. 
 +  * Supports hundreds of analyzers for advanced threat data insights. 
 + 
 +==== Shuffle SOAR ==== 
 + 
 +  * Orchestrates and automates workflows across all integrated tools. 
 +  Provides a centralised automation hub to connect Wazuh, Zabbix, MISP, TheHive, and Cortex. 
 +  Simplifies repetitive tasks like alert forwarding, case creation, and threat enrichment.
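Review bot: in the new `==== Shuffle SOAR ====` list the last two items (`  Provides a centralised automation hub ...` and `  Simplifies repetitive tasks ...`) are indented without the `* ` marker, as is `  MISP + TheHive` in section 2, so DokuWiki will render those lines as a preformatted block rather than as list items; prefix each with `  * ` like the surrounding bullets. The list indentation is also inconsistent: `Zabbix + TheHive:` and `TheHive + Shuffle SOAR` in section 1 use three spaces with sub-items at five or seven, while the other sections use two and four, and in section 5 `    * TheHive Playbooks:` is nested under `Shuffle SOAR:` at four spaces although the previous revision listed it as a sibling; normalising to two spaces per nesting level fixes both. Minor style point: `Wazuh + TheHive`, `TheHive + Shuffle SOAR` and `Wazuh + MISP` lack the trailing colon the other integration headings carry.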