Zion Boggan
repos/soc-automation-lab/docs/playbook.md
zionboggan.com
# Playbook walkthrough

This is the path a single alert takes, end to end, using rule 100210 (outbound
connection to a CTI-flagged IP) as the example.

## 1. Detection

An endpoint makes a connection to `45.137.21.9`, which is present in
`cti-malicious-ip`. Wazuh rule 100210 fires at level 12 and the alert is written
to `alerts.json`.

## 2. Handoff

The level is above 10, so the manager runs `custom-thehive` with the alert file.
The integration extracts the fields that matter - rule id, level, description,
MITRE ids, agent identity, source and destination IPs, and the full log - and
POSTs them to the Shuffle webhook as JSON.

## 3. Enrichment

Shuffle's router picks the destination IP. VirusTotal and OTX are queried in
parallel. The scoring step combines the results:

```
vt_malicious = 8
otx_pulses   = 3
score = 8 * 2 + 3 = 19  -> severity High
```

## 4. Case creation

A TheHive case is opened:

- Title: `[Wazuh] Outbound connection to CTI-flagged IP: 45.137.21.9`
- Severity: High
- Tags: `wazuh`, `automated`, `T1071`
- Description carries the agent, the rule, the reputation counts, and the raw log

The destination IP is attached as an observable, marked as an IOC, so it flows
into TheHive's observable history and can be swept against other cases.

## 5. Containment

Rule 100210 is also wired to active response, so the manager issues a
`firewall-drop` on the endpoint for 600 seconds. That buys time without making the
block permanent - the analyst decides whether to extend it.

## 6. Notification

Slack gets a one-line summary with the severity, the indicator, the reputation
counts, and the case id. The analyst opens the case already knowing what it is.

## Tuning notes

- The level-10 threshold on the integration is deliberate. Pushing everything to
  TheHive buries analysts; the brute-force and CTI rules are the ones worth a case.
- The active-response block is scoped to a single rule on purpose. Auto-blocking on
  a noisier rule would be a great way to firewall yourself out of your own hosts.
- If VirusTotal rate-limits (the free tier is 4 req/min), the scoring step treats a
  missing result as zero rather than failing the case creation.
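The enrichment scoring from step 3 and the rate-limit behaviour from the last tuning note, written out as an added example (this is not the lab's own Shuffle workflow code). It assumes the VirusTotal v3 IP-report and OTX general-endpoint response shapes shown in the docstrings, and the Medium/Low cut-offs are assumptions; the page only fixes `19 -> High`.

```python
"""Reputation scoring for the enrichment step (added example, not lab code).

Implements the page's rule (score = vt_malicious * 2 + otx_pulses) and the
tuning note that a rate-limited VirusTotal lookup counts as zero instead of
failing case creation. Only the "19 -> High" mapping is from the page; the
other cut-offs are assumptions.
"""
from typing import Optional

VT_WEIGHT = 2  # one VirusTotal "malicious" verdict outweighs one OTX pulse

# Assumed severity bands (floor, label); the page only fixes 19 -> High.
SEVERITY_BANDS = [(15, "High"), (5, "Medium"), (0, "Low")]


def vt_malicious_count(vt_response: Optional[dict]) -> int:
    """Engines flagging the IP as malicious, or 0 when VT returned nothing.

    None models a rate-limited (HTTP 429) or failed lookup. The nested path
    follows the VirusTotal v3 IP report (assumed shape, constructed here).
    """
    if not vt_response:
        return 0
    attrs = vt_response.get("data", {}).get("attributes", {})
    return int(attrs.get("last_analysis_stats", {}).get("malicious", 0))


def otx_pulse_count(otx_response: Optional[dict]) -> int:
    """Pulses referencing the IP (OTX general endpoint, pulse_info.count), or 0."""
    if not otx_response:
        return 0
    return int(otx_response.get("pulse_info", {}).get("count", 0))


def score(vt_malicious: int, otx_pulses: int) -> int:
    return vt_malicious * VT_WEIGHT + otx_pulses


def severity(total: int) -> str:
    for floor, label in SEVERITY_BANDS:
        if total >= floor:
            return label
    return "Low"


def enrich(ip: str, vt_response: Optional[dict], otx_response: Optional[dict]) -> dict:
    """Fields the case-creation step needs; a missing feed lowers the score, never raises."""
    vt, otx = vt_malicious_count(vt_response), otx_pulse_count(otx_response)
    total = score(vt, otx)
    return {"ip": ip, "vt_malicious": vt, "otx_pulses": otx, "score": total, "severity": severity(total)}
```

With both feeds answering, `enrich("45.137.21.9", vt, otx)` reproduces the `19 -> High` line from step 3; with VT rate-limited the same IP scores 3 and the case is still created.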