MISP works really well in an internet connected environment in gathering and creating correlations. However, in air-gapped environments the ability to query MISP for indicators is still incredibly useful, except that an air-gapped environment doesn’t ordinarilly have an Internet connection.
In this article I describe how MISP may be used in an Internet denied environment by leveraging off an existing Internet-connected instance.
Every few months, StrangeBee puts out an update to TheHive (Security Incident Response Platform). This month they have added Elasticsearch as an index engine to alleviate issues with using Cassandra, and they have integrated support for MISP galaxies as well!
Now Incident Responders using TheHive can export IOCs and Galaxy assignment directly from TheHive to MISP.
Read More “TheHive 4.1.0 Deployment and Integration with MISP” »
Static analysis for me has become more fun with the inclusion of Assemblyline into my arsenal. But the lack of integration between other elements of my FOSS SOC stack was concerning.
In this post I detail not only how to write a Cortex Analyzer, but also how to integrate with other appliances with that analyzer.
Read More “Building the Assemblyline Analyzer for TheHive’s Cortex.” »
Whilst I am a big fan of free open source solutions, I am going to bend my preference here a bit for the Elastic Cloud solution functioning as a SIEM.
Read More “Implementing Elastic Cloud and using Elastic Security” »
Since the last write up I published on TheHive, there have been some significant changes and updates to TheHive. So for this post I will be walking through the installation and deployment of TheHive4 (4.0.5) and the connection to MISP, Cortex and enabling Webhooks.
Read More “Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.” »