Summary
TheHive automates Digital Forensics and Incident Response by transforming non-native alerts, like those from Cortex XDR, into actionable formats using custom Functions.
These Functions extract key observables like IPs and URLs, automating alert and case creation. Notifications trigger instant analysis, enriching observables with critical insights before analysts even open the case. Findings are shared on MISP, contributing to broader threat intelligence.
Automating processes enables faster decision-making and facilitates collaboration across organizations facing similar threats.
Scenario
A global enterprise security team manages a complex infrastructure with various security tools. One day, an alert is generated by an XDR, indicating unusual activity in the network.
However, since the alert format is not natively compatible with TheHive, the alert would traditionally require manual conversion to make it usable for analysis. Instead, the team uses TheHive’s automated DFIR capabilities, which include powerful Functions that handle the data transformation automatically.
- Alert transformation with functions: The XDR alert arrives in a proprietary format. TheHive’s custom Functions process this data, transforming it into a format that TheHive can understand.
These Functions automatically create an alert in TheHive, disassembling the incoming data and extracting key observables such as suspicious IP addresses, URLs or file hashes. This step happens behind the scenes, enabling TheHive to quickly integrate the incoming alert without any manual intervention from the team.
- Automated analysis with notifications: Once the alert is ingested, notifications are triggered automatically. These notifications immediately run TheHive’s analyzers on the extracted observables, before a security analyst even opens the case.
For example, IP addresses are checked against threat intelligence feeds, URLs are scanned for known malware connections and file hashes are compared to known malicious files. By the time the analyst accesses the case, the observables have already been enriched with critical context from the automated analysis.
- Case enrichment and review: As the analyst opens the case, they see that the analysis has already been completed and the observables are enriched with detailed findings. Analyzers have dissected and cross-referenced the observables with known TTPs of potential threat actors.
Analysts can immediately draw conclusions and take informed action without running separate analysis tasks manually.
- Sharing findings on MISP: Once the analyst has reviewed the case and confirmed the maliciousness of the observables, they proceed to upload the case to the organization’s MISP instance. Through that, newly discovered IOCs and enriched intelligence can be shared with external partners and other security teams, contributing to a broader collaborative defense.
The integration with MISP ensures that any insights gained from the investigation are quickly distributed and can be acted upon by other organizations facing similar threats.
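The transformation step described in the first item above, written out as an added example that is not TheHive's or StrangeBee's own code: a JavaScript transform that takes an XDR-style payload, walks every string field, pulls out IP addresses, URLs and file hashes, drops duplicates and internal addresses, and assembles a TheHive-style alert object (type, source, sourceRef, title, description, severity, tags, observables with dataType/data). The sample payload and its field names are constructed for illustration and are not Cortex XDR's real schema; the handle(input, context) entry point and the context.alert.create call at the end are an assumed shape of a TheHive Function and should be checked against the documentation for your TheHive version.

```javascript
// Added example: transform a constructed XDR-style alert into a TheHive-style alert.
// The payload below and its field names are invented for illustration.
const SAMPLE_XDR_ALERT = {
  alert_id: "XDR-104233",
  name: "Suspicious outbound connection from workstation",
  severity: "high",
  host: "ws-finance-07",
  details:
    "ws-finance-07 (10.20.4.17) connected to http://update-cdn.example/payload.bin " +
    "at 203.0.113.45; dropped file sha256 " +
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  process: { name: "updater.exe", md5: "d41d8cd98f00b204e9800998ecf8427e" },
  indicators: ["198.51.100.9", "http://update-cdn.example/payload.bin"],
};

// Observable patterns, keyed by TheHive dataType. Hash alternatives are ordered
// longest first so a SHA-256 is not reported as three shorter matches.
const PATTERNS = [
  ["ip", /\b(?:\d{1,3}\.){3}\d{1,3}\b/g],
  ["url", /\bhttps?:\/\/[^\s"'<>]+/g],
  ["hash", /\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b/gi],
];

// XDR severity label -> TheHive severity (1 low .. 4 critical); unknown -> medium.
const SEVERITY_MAP = { low: 1, medium: 2, high: 3, critical: 4 };

// RFC 1918 and loopback addresses: not worth sending to external TI analyzers.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Recursively collect every string value in the payload, in document order.
function collectStrings(value, out = []) {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  else if (value && typeof value === "object") Object.values(value).forEach((v) => collectStrings(v, out));
  return out;
}

// Extract de-duplicated observables from free-text fields, then add the
// structured process name as a filename observable.
function extractObservables(payload) {
  const seen = new Set();
  const observables = [];
  const add = (dataType, data) => {
    const key = `${dataType}:${data}`;
    if (seen.has(key)) return;
    seen.add(key);
    observables.push({ dataType, data });
  };
  for (const text of collectStrings(payload)) {
    for (const [dataType, re] of PATTERNS) {
      for (const m of text.matchAll(re)) {
        if (dataType === "ip" && isPrivateIPv4(m[0])) continue;
        add(dataType, dataType === "hash" ? m[0].toLowerCase() : m[0]);
      }
    }
  }
  if (payload.process && payload.process.name) add("filename", payload.process.name);
  return observables;
}

// Build the alert object in TheHive's alert shape. sourceRef carries the XDR id
// so re-sent alerts are recognisable as duplicates rather than creating new ones.
function buildAlert(payload) {
  return {
    type: "xdr-alert",
    source: "cortex-xdr",
    sourceRef: payload.alert_id,
    title: payload.name,
    description: payload.details,
    severity: SEVERITY_MAP[String(payload.severity).toLowerCase()] ?? 2,
    tags: ["xdr", `host:${payload.host}`],
    observables: extractObservables(payload),
  };
}

// Assumed shape of a TheHive Function entry point (verify against the docs for
// your version): receives the inbound payload and a context used to create alerts.
function handle(input, context) {
  return context.alert.create(buildAlert(input));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildAlert(SAMPLE_XDR_ALERT), null, 2));
}
```

The transform is kept as a pure function (buildAlert) separate from the entry point so it can be tested offline against captured payloads before being deployed as a Function; the private-address filter and the hash normalisation are the two places where a real deployment most often needs tuning for its own environment.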
Outcome
By using TheHive’s automated DFIR capabilities, the team can handle and analyze alerts from various tools that don’t natively communicate in TheHive’s format. Custom functions transform the incoming data into actionable alerts, and automatic notifications trigger analyzers to run immediately on observables.
TheHive saves your analysts valuable time, allowing them to review fully enriched cases with actionable insights from the moment they open them. By sharing your findings on MISP, you can contribute to a collaborative threat intelligence network, helping other organizations defend against similar threats.