Summary
Manage your cyber defense more efficiently with TheHive's powerful case and observable management tools:
- Cases are created instantly with predefined tasks that guide analysts, ensuring procedures are followed.
- Observables, like IPs and file hashes, are enriched with context for more precise analysis.
- Automated analyzers provide real-time threat assessments, and automated responders allow teams to take immediate action, such as isolating compromised hosts or blocking malicious IPs.
TheHive ensures rapid response, reducing risk and minimizing the impact of security incidents.
Scenario
A multinational corporation detects unusual activity within its network, raising concerns about a potential breach. The security team quickly mobilizes, leveraging TheHive to manage the investigation and response.
- Case management: The team declares a new security incident within TheHive, initiating a case. The case is immediately populated with relevant information, and tasks are assigned to team members based on the company’s predefined playbooks.
These tasks guide the analysts through the necessary steps, ensuring that all company-specific procedures are followed. Collaboration within the team is efficient, with all activities tracked and documented in real time.
- Observable management: As the investigation unfolds, the team identifies several technical indicators related to the incident, such as suspicious URLs, IP addresses and file hashes. These observables are declared within TheHive and enriched with additional context, such as descriptions, tags, TLP levels, and whether they are considered IOCs.
This enrichment helps various teams to better understand the potential threat and facilitates more targeted analysis.
- Analyzers: The security team then triggers automated forensic investigations using TheHive’s built-in and third-party analyzers. These analyzers assess the maliciousness of the observables, providing detailed, human-readable reports directly within TheHive.
For example, a suspicious IP address is analyzed against known threat intelligence feeds, revealing that it is associated with a botnet previously used in ransomware attacks. This information is crucial for determining the severity of the incident.
- Responders: Based on the analysis, the team identifies that one of the observables—a compromised host—needs immediate attention. Using TheHive’s automated responders, they quickly isolate the host from the network to prevent further spread of the potential malware.
Additionally, they add the malicious IP address to the organization’s proxy block list, ensuring that no further communication with the known botnet can occur. These actions are executed directly from TheHive, enabling a rapid response to the threat.
Outcome
The incident is efficiently managed and neutralized through TheHive’s comprehensive security case management and automation tools.
By enriching observables, investigating them with powerful analyzers and responding swiftly using responders, the security team effectively mitigates the threat, minimizing the impact on the organization.
We help you adopt a proactive defense that is highly responsive to emerging threats.