Firewall/IDS, ELK, Kubectl, ELK, ELK, ELK - Coggle Diagram
ELK
Connector / Rules / Action
- create alert
- create observable
- create case
TheHive
Case
Observable
Analyzers
Observables are the indicators attached to a case or alert (IP addresses, hashes, email addresses, domain names, URLs, …); analyzers are run against them to enrich the investigation.
Tasks
When analysts are working on tasks, they add logs as they go.
Logs
In TheHive’s terminology, logs are text entries, optionally with attachments, that help analysts record what they have been doing. Logs can be written in Markdown or with a rich-text editor.
A case is subdivided into tasks (think identification, containment, eradication, checking proxy logs, and so on).
Case template
You don’t need to add the same tasks over and over when working on cases belonging to a given category (DDoS, Malspam, APT, …). You can create custom templates to which you add the recurring tasks. This is very useful when you are dealing with alerts: when you import one, you select which case template to apply and the tasks are created for you.
Through a connector in the Rules and Connectors section we specify an action to be performed on the TheHive platform, for example creating a case (or an alert/observable) for an incident.
We can leverage the connector and create a rule so that the resulting alert is sent directly to the case management platform.
Alerts pushed from ELK are treated as tickets/cases that need to be investigated once they appear in TheHive. Because TheHive rejects a second alert with the same type/source/sourceRef, the rule should carry a stable reference for each Kibana alert so that re-runs do not create duplicates.
- Post a message (alert) to a Teams channel
- Post a message (observable) to a Teams channel
- Email the case/incident via Outlook to the analyst team
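As an added example (not code from the page, from Elastic or from TheHive), the Python below does what the connector action above does for the "create alert" case: it maps a Kibana alert document onto a TheHive alert body, extracts the observable types the page lists (IPs, hashes, email addresses, domains, URLs) from the alert text, and posts the result. It assumes TheHive 5's v1 alert endpoint (`POST /api/v1/alert` with `Authorization: Bearer <api key>`), and the Kibana document is a constructed sample whose `kibana.alert.*` field names are assumed from Kibana's alerting schema. The HTTP call is injected so the script runs offline.

```python
"""Turn an ELK/Kibana alert document into a TheHive alert and push it.

Added example; not code from the page, Elastic or TheHive. Assumptions not on
the page: TheHive 5's v1 alert API (POST /api/v1/alert, Bearer API-key auth)
and the shape of the Kibana alert document below, which is constructed.
"""
import ipaddress
import json
import re
from typing import Callable, Dict, List

# Observable types the page lists. Order matters: URLs and mails are matched
# (and blanked out) first so their host parts are not re-reported as domains.
OBSERVABLE_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "mail": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "hash": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Policy choice (assumption): internal addresses are assets, not indicators,
# so they are kept out of the observable list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # TheHive scale 1..4


def is_internal_ip(value: str) -> bool:
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in INTERNAL_NETS)


def extract_observables(text: str) -> List[Dict[str, str]]:
    """Return deduplicated {"dataType", "data"} records found in free text."""
    found: List[Dict[str, str]] = []
    seen = set()
    for data_type, pattern in OBSERVABLE_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;:)")  # trailing punctuation is prose
            if data_type == "ip" and is_internal_ip(value):
                continue
            key = (data_type, value.lower())
            if key not in seen:
                seen.add(key)
                found.append({"dataType": data_type, "data": value})
        # Blank out what was matched so later, looser patterns do not re-report it.
        text = pattern.sub(lambda m: " " * (m.end() - m.start()), text)
    return found


def build_thehive_alert(doc: Dict[str, str]) -> Dict[str, object]:
    """Map a Kibana alert document onto a TheHive v1 alert body (schema assumed)."""
    text = doc.get("message", "")
    for field in ("source.ip", "destination.ip"):  # ECS-style fields, assumed
        if doc.get(field):
            text += " " + doc[field]
    return {
        "type": "elk-alert",                    # type+source+sourceRef is unique in TheHive
        "source": "kibana",
        "sourceRef": doc["kibana.alert.uuid"],  # stable id => re-pushes are rejected, not duplicated
        "title": doc["kibana.alert.rule.name"],
        "description": f"Fired at {doc.get('@timestamp', '?')}\n\n{doc.get('message', '')}",
        "severity": SEVERITY.get(doc.get("kibana.alert.severity", "").lower(), 2),
        "tlp": 2,
        "pap": 2,
        "tags": ["elk", "kibana-rule"],
        "observables": extract_observables(text),
    }


def push_alert(alert: Dict[str, object], base_url: str, api_key: str,
               http_post: Callable[[str, Dict[str, str], str], int]) -> int:
    """POST the alert. http_post(url, headers, body) is injected so this runs
    offline; in production wrap requests.post and return its status code."""
    url = base_url.rstrip("/") + "/api/v1/alert"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    return http_post(url, headers, json.dumps(alert))


KIBANA_ALERT = {  # constructed sample document, not real data
    "kibana.alert.rule.name": "Suspicious outbound connection",
    "kibana.alert.uuid": "8c1f9d2e-0b7a-4a8e-9d41-5f0e2c7b1a33",
    "kibana.alert.severity": "high",
    "@timestamp": "2024-05-01T10:15:00Z",
    "source.ip": "10.0.0.5",
    "destination.ip": "203.0.113.7",
    "message": ("host ws-42 connected to http://malware.example.net/x.php, "
                "dropped file sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, "
                "dns lookup for c2.example.org by user bob@example.com"),
}

if __name__ == "__main__":
    print(json.dumps(build_thehive_alert(KIBANA_ALERT), indent=2))
    # Live push (needs a reachable TheHive and an API key):
    # push_alert(alert, "https://thehive.local", API_KEY, lambda u, h, b: requests.post(u, headers=h, data=b).status_code)
```

The internal-IP filter and the trailing-punctuation strip are the two places this differs from a naive regex pass: the source host is an asset you triage in the case, not an indicator you would run analyzers against, and a URL matched with its trailing comma would silently fail every analyzer lookup.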