For this article and subsequent articles, I will be talking through the installation, configuration, and integration components of building an integrated threat and incident response lab. The primary purpose of this lab is to replay malicious attack data into a SIEM environment (both Splunk and Elastic will be used) and then generate appropriate alerts and actions within those SIEMs for an analyst to action. In addition, both SIEMs will integrate MISP as a Threat Intelligence Platform, consuming enriched intelligence from it and storing and processing the new intelligence generated within the lab.
Requirements
For this lab build, I will be deploying the following appliances (and I will be deploying them in a local /24 subnet):
- Elastic Cloud Enterprise (On-Premises) [192.168.1.202]
- Splunk Enterprise [192.168.1.204]
- MISP (Threat Intelligence Sharing Platform) [192.168.1.201]
- TheHive4 [192.168.1.200]
- Cortex
- AssemblyLine [192.168.1.205]
- Cuckoo
- Shuffle.io
- Threat Event Playback
Once all of the above appliances have been built, they will be integrated with one further virtual machine that replays malicious Windows Event Logs (EVTX) to both the Splunk and Elastic SIEMs. The preconfigured and customized alerting within each SIEM will then trigger actions within MISP and TheHive4 for an analyst to respond to.
Theory of Operations
The full configuration of the environment is rather complex to explain. Where possible I am consolidating appliances to conserve resources; in other cases I am running two appliances in parallel so that the integrations can be kept truly separate.
A diagram of what I am proposing to build can be seen below. As you can see, there are two instances of TheHive. This is by design: there are a couple of different integration options available for MISP and Cortex, and they may need to be kept separate to prove that each integration works properly.