WEBVTT

0:00:03.800000 --> 0:00:08.180000
 In incident response with the
 Hive, a practical demo.

0:00:08.180000 --> 0:00:14.760000
 So in this video, we're going to be getting
 started with the Hive by again

0:00:14.760000 --> 0:00:19.760000
 going through a practical demo of how
 to deploy it, at least in the context

0:00:19.760000 --> 0:00:26.840000
 of the demo or test virtual machine
 that the Hive or the company behind

0:00:26.840000 --> 0:00:32.080000
 the Hive actually made available
 for free for this very purpose.

0:00:32.080000 --> 0:00:36.980000
 So the company that developed the Hive
 actually have created this VM that

0:00:36.980000 --> 0:00:43.900000
 you can again import or use with a hypervisor
 like VirtualBox or VMware.

0:00:43.900000 --> 0:00:50.240000
 And it pretty much has a
 premium trial license.

0:00:50.240000 --> 0:00:53.640000
 But then it reverts back
 to the community license.

0:00:53.640000 --> 0:00:57.340000
 But the bottom line is it sort of gives
 you a very good idea of what the

0:00:57.340000 --> 0:01:00.100000
 Hive is like in a production environment.

0:01:00.100000 --> 0:01:04.780000
 And you might be asking, why are
 we using the VM and not in a lab?

0:01:04.780000 --> 0:01:09.760000
 Well, given the hardware requirements
 to run the Hive as well as Cortex,

0:01:09.760000 --> 0:01:16.300000
 which is about 8 gigabytes of RAM with
 a minimum of four CPUs, it really

0:01:16.300000 --> 0:01:20.560000
 isn't viable at least for this demonstration
 to sort of have a practical

0:01:20.560000 --> 0:01:26.340000
 lab. We will eventually have a lab on
 the INE platform, but that's when

0:01:26.340000 --> 0:01:30.840000
 it will have proper integration with a
 SIEM, for example, so you can actually

0:01:30.840000 --> 0:01:33.400000
 see the whole thing in action.

0:01:33.400000 --> 0:01:36.620000
 But getting started with
 the VM is fairly easy.

0:01:36.620000 --> 0:01:39.020000
 It's only about three or four gigabytes.

0:01:39.020000 --> 0:01:43.800000
 You can import it into your or via or
 using your hypervisor and you should

0:01:43.800000 --> 0:01:48.740000
 be good to go. The VM uses
 about six gigabytes of RAM.

0:01:48.740000 --> 0:01:52.380000
 And you basically have the Hive as
 well as Cortex and they've already

0:01:52.380000 --> 0:01:53.920000
 been integrated together.

0:01:53.920000 --> 0:01:57.400000
 So you should have the
 analyzers good to go.

0:01:57.400000 --> 0:02:03.160000
 In any case, what I'll be doing is
 I will switch over onto my browser

0:02:03.160000 --> 0:02:09.960000
 and I'll show you where you can get
 the VM, how you can get started, so

0:02:09.960000 --> 0:02:10.760000
 on and so forth.

0:02:10.760000 --> 0:02:14.780000
 And then once I've sort of covered that,
 I'll then switch over into the

0:02:14.780000 --> 0:02:18.240000
 Hive. I'm also using the VM.

0:02:18.240000 --> 0:02:22.580000
 So from that point on, I'll be going through
 a couple of examples, incident

0:02:22.580000 --> 0:02:28.120000
 response-themed examples to sort of
 show you the power of the Hive.

0:02:28.120000 --> 0:02:33.140000
 In any case, I'm going to switch over
 to my browser and let's get started.

0:02:33.140000 --> 0:02:38.180000
 All right, so I'm currently within my
 browser and the company that developed

0:02:38.180000 --> 0:02:40.940000
 the Hive is called StrangeBee.

0:02:40.940000 --> 0:02:42.300000
 So I'm currently on the website.

0:02:42.300000 --> 0:02:46.780000
 You can access it via the
 URL, strangebee.com.

0:02:46.780000 --> 0:02:49.620000
 And this is pretty much it.

0:02:49.620000 --> 0:02:54.840000
 So you have it right over here, empowering
 incident responders worldwide.

0:02:54.840000 --> 0:02:57.460000
 If you take a look at the products,
 they have the Hive.

0:02:57.460000 --> 0:03:00.960000
 There's also the cloud platform, which
 as you can see is pretty much the

0:03:00.960000 --> 0:03:10.840000
 Hive's software as a service version
 in a secured and dedicated cloud,

0:03:10.840000 --> 0:03:13.120000
 AWS cloud environment.

0:03:13.120000 --> 0:03:18.300000
 You then have Cortex and then various
 cloud images for AWS, which again

0:03:18.300000 --> 0:03:19.840000
 can be very useful.

0:03:19.840000 --> 0:03:24.220000
 But if you click on the Hive right
 over here, you know, there's quite

0:03:24.220000 --> 0:03:26.440000
 a few versions options
 you have available.

0:03:26.440000 --> 0:03:32.340000
 You have the on-prem version, the
 SaaS version and IaaS version.

0:03:32.340000 --> 0:03:35.140000
 So infrastructure as a service version.

0:03:35.140000 --> 0:03:38.680000
 And you can go through all the
 features here, which we did.

0:03:38.680000 --> 0:03:44.240000
 And right at the bottom here, you can actually
 take a look at the integrations.

0:03:44.240000 --> 0:03:46.740000
 Really excellent if you ask me.

0:03:46.740000 --> 0:03:49.900000
 But at the bottom, you have
 the deployment options.

0:03:49.900000 --> 0:03:52.100000
 So you have the on-prem option.

0:03:52.100000 --> 0:03:57.400000
 And that's relatively easy to install
 as well or to set up and then the

0:03:57.400000 --> 0:04:00.040000
 cloud images. You can also
 take a look at the pricing.

0:04:00.040000 --> 0:04:03.360000
 The reason why I'm sort of showing
 you the pricing is because there's

0:04:03.360000 --> 0:04:06.940000
 the community version.

0:04:06.940000 --> 0:04:10.100000
 But this is limited to on-prem.

0:04:10.100000 --> 0:04:16.920000
 If we click on this here, the software
 as a service option actually requires

0:04:16.920000 --> 0:04:21.000000
 a license. And that actually makes
 sense given the use case there.

0:04:21.000000 --> 0:04:25.320000
 But on-prem community would
 work just as well.

0:04:25.320000 --> 0:04:26.960000
 But you also have gold and platinum.

0:04:26.960000 --> 0:04:30.720000
 In any case, you can also
 take a look at the users.

0:04:30.720000 --> 0:04:35.000000
 So in the case of users with community
 only limited to two, which sort

0:04:35.000000 --> 0:04:36.520000
 of takes the power out of it.

0:04:36.520000 --> 0:04:41.300000
 But if you're learning how to use the
 Hive, then you can either go for

0:04:41.300000 --> 0:04:45.180000
 the on-prem deployment where you perform
 the installation manually or

0:04:45.180000 --> 0:04:52.040000
 better yet. You can take a look at the
 demo virtual machine that they've

0:04:52.040000 --> 0:04:56.980000
 made available. So if you go to the
 documentation from the main website,

0:04:56.980000 --> 0:05:01.140000
 if you take a look at the resources tab
 and click on documentation, that'll

0:05:01.140000 --> 0:05:06.340000
 take you to docs.strangebee.com.

0:05:06.340000 --> 0:05:10.080000
 And if you take a look at resources,
 you'll find the demo virtual machine

0:05:10.080000 --> 0:05:11.140000
 right over here.

0:05:11.140000 --> 0:05:17.080000
 So you can then click
 on download it here.

0:05:17.080000 --> 0:05:20.780000
 And you can see it's a ready-to-use virtual
 machine that can be downloaded

0:05:20.780000 --> 0:05:22.120000
 via the following URL.

0:05:22.120000 --> 0:05:27.420000
 You will have to register or
 provide some information.

0:05:27.420000 --> 0:05:31.000000
 So you just need to provide your
 name, last name, email address.

0:05:31.000000 --> 0:05:34.920000
 It needs to be a work email company
 name, your country region.

0:05:34.920000 --> 0:05:37.460000
 Specify why you're downloading it.

0:05:37.460000 --> 0:05:42.560000
 But more importantly, you can see that
 try the Hive as a virtual machine.

0:05:42.560000 --> 0:05:46.420000
 That's the full functionality of our
 platform without installing anything.

0:05:46.420000 --> 0:05:50.700000
 The VM is ready to use and powered by
 the Hive and Cortex, which is actually

0:05:50.700000 --> 0:05:52.200000
 really, really cool.

0:05:52.200000 --> 0:05:57.520000
 So it already has a pre-created
 organizations and accounts.

0:05:57.520000 --> 0:05:59.480000
 And the VM has been designed beautifully.

0:05:59.480000 --> 0:06:00.880000
 You'll actually see why.

0:06:00.880000 --> 0:06:07.860000
 The analyzer report templates, some MISP
 taxonomies, the MITRE ATT&CK TTPs

0:06:07.860000 --> 0:06:13.280000
 already set up good-to-go samples of
 custom fields, one case template,

0:06:13.280000 --> 0:06:16.320000
 and one alert, just to get things going.

0:06:16.320000 --> 0:06:21.060000
 But as I said, it's about 4 gigabytes
 once you download it.

0:06:21.060000 --> 0:06:25.680000
 You then need to import
 it via your hypervisor.

0:06:25.680000 --> 0:06:31.000000
 So both VirtualBox and VMware
 will work just fine.

0:06:31.000000 --> 0:06:36.300000
 And you can see it's not recommended
 for production.

0:06:36.300000 --> 0:06:37.980000
 So do keep that in mind.

0:06:37.980000 --> 0:06:39.240000
 But this is how it is.

0:06:39.240000 --> 0:06:42.840000
 You just start the VM and you can see
 you need about 6 gigabytes of RAM

0:06:42.840000 --> 0:06:46.620000
 to run. That's the minimum and
 it actually works really well.

0:06:46.620000 --> 0:06:51.220000
 But once you've started the VM, you
 just need to browse to the address

0:06:51.220000 --> 0:06:53.000000
 that it provides you here.

0:06:53.000000 --> 0:06:57.040000
 And the same thing, both VMware
 VirtualBox instructions here.

0:06:57.040000 --> 0:06:58.340000
 And you should be good to go.

0:06:58.340000 --> 0:07:03.820000
 So what I'm going to do is I'm going
 to import my VM into VMware and I'll

0:07:03.820000 --> 0:07:09.120000
 start it up. And I'll pretty much resume
 from the point or I'll get back

0:07:09.120000 --> 0:07:11.060000
 to you guys when the VM is running.

0:07:11.060000 --> 0:07:15.720000
 And I'll show you how to access
 the Hive as well as the Cortex.

0:07:15.720000 --> 0:07:18.760000
 And we can get started with the demo.

0:07:18.760000 --> 0:07:24.340000
 All right. So I've imported the Hive
 Virtual Machine into VMware and I

0:07:24.340000 --> 0:07:27.720000
 started it up. And you can see just
 took a few seconds to start up.

0:07:27.720000 --> 0:07:33.140000
 And the moment the VM boots successfully,
 the Hive will already be good

0:07:33.140000 --> 0:07:34.860000
 to go as well as Cortex.

0:07:34.860000 --> 0:07:38.140000
 So open your browser and follow the
 instructions on the following URL.

0:07:38.140000 --> 0:07:41.760000
 So depending on your network configuration,
 I just use the default NAT

0:07:41.760000 --> 0:07:45.060000
 option for the adapter for
 the virtual machine.

0:07:45.060000 --> 0:07:49.020000
 So I should be able to access
 this on my host system.

0:07:49.020000 --> 0:07:52.860000
 So you just need to open up this URL in
 your browser and then the instructions,

0:07:52.860000 --> 0:07:57.640000
 which is what I mentioned when I said
 the VM has been beautifully designed.

0:07:57.640000 --> 0:08:03.660000
 The instructions that will be listed
 on that page, you know, will pretty

0:08:03.660000 --> 0:08:04.680000
 much drive the process.

0:08:04.680000 --> 0:08:07.360000
 So let me switch back
 over into my browser.

0:08:07.360000 --> 0:08:11.900000
 All right. So I'm back in my browser
 and you can see I've navigated to

0:08:11.900000 --> 0:08:14.620000
 this IP here, the, you know, that URL.

0:08:14.620000 --> 0:08:20.040000
 And you can see it'll give you this
 very, very nice welcome screen.

0:08:20.040000 --> 0:08:21.800000
 So demo virtual machine.

0:08:21.800000 --> 0:08:25.140000
 And then it gives you an introduction
 as to what's been configured.

0:08:25.140000 --> 0:08:29.200000
 So you can see this environment includes
 a 14 day trial of the Hive Platinum

0:08:29.200000 --> 0:08:31.520000
 edition, which is awesome.

0:08:31.520000 --> 0:08:36.540000
 But after the trial is over, you then,
 you know, you can request a one

0:08:36.540000 --> 0:08:40.820000
 year renewable community license, which
 requires you to sort of sign up.

0:08:40.820000 --> 0:08:43.540000
 But that, you know, isn't
 too troublesome at all.

0:08:43.540000 --> 0:08:46.720000
 So the VM comes with two
 accounts in the Hive.

0:08:46.720000 --> 0:08:51.460000
 So you can click on the Hive logo icon
 here and that'll open up the Hive.

0:08:51.460000 --> 0:08:55.560000
 Now the first time you start the VM,
 this may take a few minutes to, you

0:08:55.560000 --> 0:08:59.860000
 know, start up. But don't worry if
 it tells you to refresh the page.

0:08:59.860000 --> 0:09:02.320000
 Just, just give it a few minutes
 and you should be good to go.

0:09:02.320000 --> 0:09:03.580000
 So there's two accounts.

0:09:03.580000 --> 0:09:08.340000
 You have the administrator for administration
 and then a user named the

0:09:08.340000 --> 0:09:12.300000
 Hive, which is supposed to represent
 a standard user that's actually an

0:09:12.300000 --> 0:09:17.280000
 org admin for the organization that's
 already been created called testing.

0:09:17.280000 --> 0:09:18.920000
 And these are the credentials here.

0:09:18.920000 --> 0:09:21.580000
 You can also click on that
 direct link there.

0:09:21.580000 --> 0:09:25.160000
 It also tells you that the Hive database
 comes with several samples of

0:09:25.160000 --> 0:09:30.960000
 data like custom fields, MISP taxonomies,
 MITRE ATT&CK data, a case template

0:09:30.960000 --> 0:09:33.220000
 and an alert. You then have cortex.

0:09:33.220000 --> 0:09:37.280000
 So same thing. Click on the icon and
 you'll have access to cortex there.

0:09:37.280000 --> 0:09:41.640000
 You don't really need to log
 into cortex to use it.

0:09:41.640000 --> 0:09:44.400000
 But you also have two accounts here.

0:09:44.400000 --> 0:09:49.820000
 So you have general admin account for
 administration of the cortex, sorry.

0:09:49.820000 --> 0:09:56.480000
 And an organization has also been created
 called, you know, with an

0:09:56.480000 --> 0:09:57.660000
 org admin account.

0:09:57.660000 --> 0:10:01.100000
 And in this case, these are
 the credentials here.

0:10:01.100000 --> 0:10:06.180000
 And then you can go through and, you
 know, sort of identify or get a list

0:10:06.180000 --> 0:10:08.780000
 of all technologies or
 the stack being used.

0:10:08.780000 --> 0:10:15.160000
 So you can see the Hive is built on top
 of or pretty much uses Cassandra,

0:10:15.160000 --> 0:10:20.300000
 Elasticsearch, Nginx for, you know, the
 web services, TheHive4py, Cortex4py,

0:10:20.300000 --> 0:10:22.940000
 etc. And you also
 have the versions there.

0:10:22.940000 --> 0:10:26.820000
 And then public Cortex analyzers and
 responders are running with Docker.

0:10:26.820000 --> 0:10:29.820000
 Then if you want to play around with
 a configuration, you can actually

0:10:29.820000 --> 0:10:34.980000
 log into the virtual machine and play
 around with the Docker configs there.

0:10:34.980000 --> 0:10:37.380000
 But for this case, we're not going
 to be doing any of that.

0:10:37.380000 --> 0:10:41.960000
 So I'll go back to the Hive here and
 we can log in with the default admin

0:10:41.960000 --> 0:10:44.680000
 account. Again, the credentials
 are specified here.

0:10:44.680000 --> 0:10:46.360000
 I just have those filled in.

0:10:46.360000 --> 0:10:49.900000
 So you can see this instance
 uses a platinum license.

0:10:49.900000 --> 0:10:54.540000
 And in my case, mine will retire
 or expire in nine days.

0:10:54.540000 --> 0:10:59.000000
 So when you log in, you're going
 to be presented as admin.

0:10:59.000000 --> 0:11:01.020000
 You're going to be presented
 with the following screen.

0:11:01.020000 --> 0:11:06.140000
 Now you can sort of expand the sidebar
 and you have organizations, which

0:11:06.140000 --> 0:11:07.100000
 is what you see here.

0:11:07.100000 --> 0:11:13.020000
 So there's a demo org and then
 admin and then you have users.

0:11:13.020000 --> 0:11:15.980000
 So we have the default admin user account,
 which is the one we're logged

0:11:15.980000 --> 0:11:18.220000
 in as and the Hive.

0:11:18.220000 --> 0:11:23.880000
 So this one right over here, who is actually
 the org admin of the organization

0:11:23.880000 --> 0:11:27.260000
 called testing, which we saw over here.

0:11:27.260000 --> 0:11:28.900000
 And then you have the knowledge base.

0:11:28.900000 --> 0:11:32.960000
 So you can actually create a knowledge
 base here, entities management.

0:11:32.960000 --> 0:11:39.320000
 So you can actually play around with
 the profiles and then custom fields,

0:11:39.320000 --> 0:11:41.020000
 all of that good stuff.

0:11:41.020000 --> 0:11:42.740000
 And then the platform management.

0:11:42.740000 --> 0:11:46.960000
 So once your trial is expired, you can
 then activate your community license

0:11:46.960000 --> 0:11:51.680000
 over here. You then have the status
 where you can check the status of

0:11:51.680000 --> 0:11:56.440000
 services. So the database schema service,
 database integrity service,

0:11:56.440000 --> 0:12:01.220000
 branding. So you can modify what you
 want to call, you know, the title

0:12:01.220000 --> 0:12:06.820000
 over here, the logo, all that good stuff
 and then connectors for ingestion

0:12:06.820000 --> 0:12:10.940000
 of alerts or logs from, you know, the
 tools I mentioned in the slides

0:12:10.940000 --> 0:12:15.740000
 and the previous video and
 then authentication.

0:12:15.740000 --> 0:12:19.840000
 SMTP, which is quite important
 and then global endpoints.

0:12:19.840000 --> 0:12:23.780000
 So, you know, you can connect
 to Slack, Mattermost, Teams, etc.

0:12:23.780000 --> 0:12:28.100000
 This is for chat ops and then
 LDAP servers right over here.

0:12:28.100000 --> 0:12:33.240000
 Now we are not going to be using
 the admin, the admin account.

0:12:33.240000 --> 0:12:35.860000
 We are going to use this
 one right over here.

0:12:35.860000 --> 0:12:42.300000
 So the Hive at the hive.local
 and I'll just log in there.

0:12:42.300000 --> 0:12:43.600000
 The password is the hive.

0:12:43.600000 --> 0:12:45.220000
 One, two, three, four.

0:12:45.220000 --> 0:12:50.900000
 We're going to log in because
 we already have the org setup.

0:12:50.900000 --> 0:12:54.900000
 So when you log in now with, you know,
 standard account, in this case,

0:12:54.900000 --> 0:12:59.240000
 it's an org admin, but still a standard
 account, you'll see the interface

0:12:59.240000 --> 0:13:03.020000
 changes slightly in that you can enter
 a case number at the top or create

0:13:03.020000 --> 0:13:04.360000
 a case immediately.

0:13:04.360000 --> 0:13:09.940000
 But if we expand the sidebar here, you
 have cases, alerts, tasks, knowledge

0:13:09.940000 --> 0:13:12.840000
 base, dashboards, search
 and the organization.

0:13:12.840000 --> 0:13:18.360000
 So this is the demo organization, you
 know, that was referenced on the

0:13:18.360000 --> 0:13:21.920000
 welcome page here that we also
 saw with the admin account.

0:13:21.920000 --> 0:13:28.040000
 Within the org, the organization controls
 and I'll just zoom out slightly.

0:13:28.040000 --> 0:13:35.840000
 You have templates which will actually touch
 on custom tags, the UI configuration,

0:13:35.840000 --> 0:13:41.620000
 notifications, endpoints, functions,
 attachments, connectors, you know,

0:13:41.620000 --> 0:13:43.200000
 fairly standard stuff.

0:13:43.200000 --> 0:13:48.580000
 And then, you know, you can perform
 a search over here, but before we

0:13:48.580000 --> 0:13:54.720000
 do any of that, you can actually see right
 over here, there that's connectors

0:13:54.720000 --> 0:14:02.680000
 there. If we go back to, let's see, if
 we go back to the dashboards here,

0:14:02.680000 --> 0:14:05.260000
 they should be dashboards
 created by default.

0:14:05.260000 --> 0:14:08.940000
 So this is, you know, part of the
 VM setup with a fresh install.

0:14:08.940000 --> 0:14:13.360000
 You're going to need to create your
 own dashboards, but the ones created

0:14:13.360000 --> 0:14:18.400000
 here are, you know, for the alert statistics,
 cases statistics, observable

0:14:18.400000 --> 0:14:20.720000
 statistics and TTP statistics.

0:14:20.720000 --> 0:14:25.900000
 So alert statistics just gives you, you
 know, breakdown of alerts by severity,

0:14:25.900000 --> 0:14:28.240000
 by status, per source.

0:14:28.240000 --> 0:14:32.200000
 And then over here, the alerts KPI, you
 have, you know, time to acknowledge,

0:14:32.200000 --> 0:14:35.380000
 time to detect all the standard metrics
 you would typically associate

0:14:35.380000 --> 0:14:41.900000
 with alerts, dealing with alerts, closing
 alerts, so on and so forth.

0:14:41.900000 --> 0:14:46.360000
 And you also have the same four cases.

0:14:46.360000 --> 0:14:48.640000
 And then the knowledge base here.

0:14:48.640000 --> 0:14:52.780000
 Now, before we do that, just to make
 this a little bit more interesting,

0:14:52.780000 --> 0:14:56.480000
 I'm going to, so this is the live feed
 where you can see, you know, all

0:14:56.480000 --> 0:14:58.780000
 activity being done by all analysts.

0:14:58.780000 --> 0:15:00.660000
 Don't worry about that at the moment.

0:15:00.660000 --> 0:15:05.540000
 Let me just log out and log back in with the
 admin account and under organizations,

0:15:05.540000 --> 0:15:08.760000
 I'm just going to click on this org here.

0:15:08.760000 --> 0:15:12.260000
 Actually, hold on, let
 me take a step back.

0:15:12.260000 --> 0:15:15.840000
 If I open this up here, I'm going to
 change the name to, we're just going

0:15:15.840000 --> 0:15:22.040000
 to call this organization
 INE and confirm this.

0:15:22.040000 --> 0:15:25.420000
 Okay, so it actually makes some sense
 in the context of what we're doing.

0:15:25.420000 --> 0:15:30.100000
 I'll then log out and log back
 in with the org admin of INE.

0:15:30.100000 --> 0:15:34.420000
 And just put in the email here.

0:15:34.420000 --> 0:15:39.980000
 I've one, two, three, four, just log
 in again and I'll not update that

0:15:39.980000 --> 0:15:42.780000
 there. And now we take a
 look at our organization.

0:15:42.780000 --> 0:15:47.040000
 You can see it's called INE
 and we are the org admin.

0:15:47.040000 --> 0:15:52.980000
 Anyway, at this point, you know, you
 obviously can start creating users.

0:15:52.980000 --> 0:15:57.780000
 So you generally at this point can
 create a normal account or service

0:15:57.780000 --> 0:16:02.120000
 account. The service account is used
 for bots, but normal, this could

0:16:02.120000 --> 0:16:04.120000
 be, let's say, analyst.

0:16:04.120000 --> 0:16:10.360000
 Actually, hold on, enter a login.

0:16:10.360000 --> 0:16:16.980000
 At the hive.com, something actually,
 let's change that to local.

0:16:16.980000 --> 0:16:22.620000
 We'll just say analyst and then
 the profile options here.

0:16:22.620000 --> 0:16:27.500000
 So in this case, analyst license, we
 do have a trial so we can actually

0:16:27.500000 --> 0:16:29.060000
 confirm that there.

0:16:29.060000 --> 0:16:31.580000
 So you can start creating your
 accounts right over here.

0:16:31.580000 --> 0:16:35.300000
 You have different types of
 roles, all that good stuff.

0:16:35.300000 --> 0:16:38.440000
 So that's the organization
 management aspect of it.

0:16:38.440000 --> 0:16:40.120000
 I'll not dive too deep into it.

0:16:40.120000 --> 0:16:43.920000
 We're going to go through some examples,
 but if we go to cases and remember,

0:16:43.920000 --> 0:16:48.200000
 we're sort of following the hierarchy
 of you create a case or sorry, you

0:16:48.200000 --> 0:16:52.280000
 have an alert come in from an alert,
 you can then create a case.

0:16:52.280000 --> 0:16:56.420000
 And within cases, you can have tasks.

0:16:56.420000 --> 0:17:00.680000
 So if we take a look at the alert that's
 already been created, because

0:17:00.680000 --> 0:17:06.840000
 if you remember, on the virtual machine
 page here, it actually points

0:17:06.840000 --> 0:17:10.800000
 out that an alert has
 already been created.

0:17:10.800000 --> 0:17:11.780000
 So there we are.

0:17:11.780000 --> 0:17:16.940000
 So going back here, so for this alert,
 this is the one that's already

0:17:16.940000 --> 0:17:20.320000
 been created. We're actually
 going to leave that as it is.

0:17:20.320000 --> 0:17:22.420000
 You can actually delete
 it if you don't want it.

0:17:22.420000 --> 0:17:25.780000
 So when you select one, you
 can actually delete it here.

0:17:25.780000 --> 0:17:31.880000
 But let's say, we don't have any SIEM
 that is ingesting alerts into the

0:17:31.880000 --> 0:17:40.140000
 hive. So let's just go ahead and create
 in this particular case, because

0:17:40.140000 --> 0:17:41.920000
 again, nothing's coming in.

0:17:41.920000 --> 0:17:43.840000
 We can just go to creating a case.

0:17:43.840000 --> 0:17:46.520000
 So let's go ahead and create a case.

0:17:46.520000 --> 0:17:48.440000
 And you have a couple of options.

0:17:48.440000 --> 0:17:52.560000
 So you can create a case from
 an archive or from MISP.

0:17:52.560000 --> 0:17:54.940000
 So that's JSON format or from a template.

0:17:54.940000 --> 0:18:00.560000
 The MISP template is the one that was
 already pre-configured in the VM.

0:18:00.560000 --> 0:18:04.040000
 We'll actually set up a template and you'll
 understand why this is important.

0:18:04.040000 --> 0:18:05.940000
 But let's create an empty case.

0:18:05.940000 --> 0:18:13.020000
 So in this case, let's say we're investigating
 a, let's just say, malware

0:18:13.020000 --> 0:18:20.160000
 infection. You then specify the
 date and then the severity.

0:18:20.160000 --> 0:18:21.560000
 So this is going to be high.

0:18:21.560000 --> 0:18:24.580000
 And then you remember TLP mentioned
 it in the slides.

0:18:24.580000 --> 0:18:31.040000
 If you've forgotten it already, TLP
 is the traffic light protocol.

0:18:31.040000 --> 0:18:36.600000
 This is a classification scheme that is used
 to specify how sensitive information

0:18:36.600000 --> 0:18:41.660000
 is and how it can be shared.

0:18:41.660000 --> 0:18:47.280000
 So we can set the TLP to pretty much
 amber+strict or just red here.

0:18:47.280000 --> 0:18:51.480000
 And then the PAP or PAP, which is permissible
 actions protocol, which

0:18:51.480000 --> 0:18:55.760000
 is a classification system that defines
 or is used to define how information

0:18:55.760000 --> 0:19:00.740000
 may be used as opposed to TLP,
 which is how it can be shared.

0:19:00.740000 --> 0:19:02.480000
 We can also set that to red.

0:19:02.480000 --> 0:19:06.620000
 Then the tags, in this case, the general
 tags you'll see here, malware,

0:19:06.620000 --> 0:19:08.020000
 something like this.

0:19:08.020000 --> 0:19:10.180000
 You can also provide a description.

0:19:10.180000 --> 0:19:17.940000
 If we follow the standard example of
 an incident or a case, then let's

0:19:17.940000 --> 0:19:21.700000
 make it a bit more interesting and say,
 we'll just call this ransomware

0:19:21.700000 --> 0:19:26.320000
 incident, make it a bit more realistic.

0:19:26.320000 --> 0:19:34.300000
 And then in the description, we're
 going to say incident response case

0:19:34.300000 --> 0:19:42.120000
 related to a ransomware attack
 and possible data breach.

0:19:42.120000 --> 0:19:43.900000
 So this is generally how it would go.

0:19:43.900000 --> 0:19:48.500000
 Now, don't worry, we'll get to the all
 the interesting stuff, but I click

0:19:48.500000 --> 0:19:51.040000
 on confirm, so I create a case.

0:19:51.040000 --> 0:19:55.300000
 Now, a case in and of itself
 is nothing interesting.

0:19:55.300000 --> 0:20:01.480000
 Now, when you create a case here on
 the, I'll just collapse the sidebar,

0:20:01.480000 --> 0:20:04.400000
 you're going to have the idea of the
 case, who it was created by, when

0:20:04.400000 --> 0:20:11.140000
 it was created, the severity TLP, PAP,
 the assignee, so you can actually

0:20:11.140000 --> 0:20:16.220000
 assign it to a particular analyst
 or individual or role.

0:20:16.220000 --> 0:20:20.440000
 This is the case specifically, not
 the task, which is very important.

0:20:20.440000 --> 0:20:23.980000
 And then you can set these status
 to new or in progress.

0:20:23.980000 --> 0:20:29.820000
 You can also modify these statuses of
 case or task, you know, depending

0:20:29.820000 --> 0:20:32.000000
 on how your org wants it.

0:20:32.000000 --> 0:20:38.000000
 So it could be new, triage,
 in progress, closed, etc.

0:20:38.000000 --> 0:20:42.520000
 So the moment it's still new, the start
 date, there's no tasks and the

0:20:42.520000 --> 0:20:45.680000
 time metrics duration, so time to detect.

0:20:45.680000 --> 0:20:49.080000
 So this is the time elapsed from the
 event occurrence to the creation

0:20:49.080000 --> 0:20:51.260000
 of an alert or case.

0:20:51.260000 --> 0:20:55.280000
 Okay, so under a case, you're going
 to have general, which is where we

0:20:55.280000 --> 0:20:59.260000
 have the title, the tags, description,
 the linked elements, custom fields.

0:20:59.260000 --> 0:21:02.600000
 So you can actually create custom fields
 if required, things like the

0:21:02.600000 --> 0:21:07.540000
 business impact, business unit, contact
 hits, SLA, all that good stuff

0:21:07.540000 --> 0:21:12.120000
 that we covered, you know, early on in
 this course, the cool stuff begins

0:21:12.120000 --> 0:21:14.480000
 when we get into tasks.

0:21:14.480000 --> 0:21:16.840000
 So let's say there's a
 ransomware incident.

0:21:16.840000 --> 0:21:22.460000
 At this point, generally speaking,
 what you do is you'd create a task,

0:21:22.460000 --> 0:21:26.900000
 right? That has to do with various aspects
 or phases of incident response,

0:21:26.900000 --> 0:21:28.460000
 generally speaking.

0:21:28.460000 --> 0:21:34.520000
 So the group would be something
 like detection and analysis.

0:21:34.520000 --> 0:21:42.040000
 All right, the title, we'll just call
 it, you know, triage and artifacts

0:21:42.040000 --> 0:21:50.080000
 collection. And we don't need to provide
 a description, we can actually

0:21:50.080000 --> 0:21:55.420000
 assign ourselves as the assignee, and
 we can select a due date, provide

0:21:55.420000 --> 0:22:01.720000
 a description. So, you know, something
 like perform triage and collect

0:22:01.720000 --> 0:22:06.840000
 IOCs, something, you know, very
 general, and then hit confirm.

0:22:06.840000 --> 0:22:10.360000
 Okay, so when you create a task, you can
 see it's still, it's saying waiting

0:22:10.360000 --> 0:22:12.920000
 over here, and that's very important.

0:22:12.920000 --> 0:22:16.320000
 So if I click on a particular task,
 we're now interacting with the task

0:22:16.320000 --> 0:22:23.660000
 here, and you have the ability to set
 the status of the, you know, in

0:22:23.660000 --> 0:22:28.120000
 this particular case, we go back to
 tasks here, and I select it here,

0:22:28.120000 --> 0:22:31.300000
 and we can click on start.

0:22:31.300000 --> 0:22:34.920000
 So that will mean this is something
 the analyst or responder would do,

0:22:34.920000 --> 0:22:37.260000
 they would say start when
 they're dealing with it.

0:22:37.260000 --> 0:22:43.040000
 So now this is actually being logged
 or has been logged as start.

0:22:43.040000 --> 0:22:48.360000
 If I'm the responder, I would then start,
 you know, logging my activity.

0:22:48.360000 --> 0:22:58.380000
 So I can create a task log
 and say, okay, begun.

0:22:58.380000 --> 0:23:04.480000
 So I can then include it in the timeline
 with an exact timestamp and it

0:23:04.480000 --> 0:23:08.740000
 confirm. And the reason this is important
 is you start to build a timeline.

0:23:08.740000 --> 0:23:13.160000
 So if you click on the timeline tab, you
 can actually see the incident

0:23:13.160000 --> 0:23:23.820000
 started here. So 2024, 8:24 start of
 incident response, 8:26, and then status

0:23:23.820000 --> 0:23:30.500000
 change to in progress 8:29, and then created
 a task, triage and artifacts collection,

0:23:30.500000 --> 0:23:35.180000
 8:29, and then I began initial triage 8:29.


0:23:35.180000 --> 0:23:36.620000
 So very, very cool.

0:23:36.620000 --> 0:23:38.300000
 Going back to the task.

0:23:38.300000 --> 0:23:43.240000
 So in here within a task, you know,
 as I said, I can log my activity,

0:23:43.240000 --> 0:23:47.920000
 and then I can start adding observables,
 which are IOCs, as I mentioned

0:23:47.920000 --> 0:23:49.160000
 in the previous video.

0:23:49.160000 --> 0:23:51.180000
 So I can create a new observable.

0:23:51.180000 --> 0:23:54.940000
 I specify the type of observable
 or IOC as it were.

0:23:54.940000 --> 0:23:58.140000
 So let's say something like
 a hash, that's quite common.

0:23:58.140000 --> 0:24:00.500000
 Then add the hash value here.

0:24:00.500000 --> 0:24:02.020000
 We still have TLP here.

0:24:02.020000 --> 0:24:05.240000
 So we can say red, that's
 still being investigated.

0:24:05.240000 --> 0:24:07.140000
 Now this is the cool bit.

0:24:07.140000 --> 0:24:12.420000
 If it's not yet been confirmed as an
 indicator of compromise, then I can

0:24:12.420000 --> 0:24:16.400000
 leave this "is IOC" button unchecked.

0:24:16.400000 --> 0:24:20.580000
 Okay, if it is, or I have confirmed
 it, then I will check it, right?

0:24:20.580000 --> 0:24:23.060000
 And then I can also specify tags.

0:24:23.060000 --> 0:24:27.200000
 So I can just say, you know, in this
 case, the tags, we would say, are

0:24:27.200000 --> 0:24:33.160000
 malware, ransomware, and then I
 can say hash, something like this.

0:24:33.160000 --> 0:24:35.560000
 And then I provide a description.

0:24:35.560000 --> 0:24:41.660000
 So, you know, let me see if I can
 find a particular hash that I can

0:24:41.660000 --> 0:24:46.020000
 use here. Interesting.

0:24:46.020000 --> 0:24:56.400000
 Let me see. So let me see
 if I can find a hash.

0:24:56.400000 --> 0:25:05.320000
 Okay, so we'll actually get to that when
 we talk about creating templates.

0:25:05.320000 --> 0:25:08.220000
 So for now, let's see.

0:25:08.220000 --> 0:25:11.520000
 I'm actually going to pull
 up a hash really quick.

0:25:11.520000 --> 0:25:18.580000
 All right, so I'm just going to get
 an IOC from APT29, one of the

0:25:18.580000 --> 0:25:21.280000
 analyses performed on APT29.

0:25:21.280000 --> 0:25:25.500000
 So for example, the SUNBURST malware,
 so I'll just copy this hash here,

0:25:25.500000 --> 0:25:28.260000
 paste in the value there.

0:25:28.260000 --> 0:25:32.560000
 And now I can also say, you know, has
 this been sighted before, which in

0:25:32.560000 --> 0:25:36.560000
 this case, you know, it has, or, you
 know, this is specifically related

0:25:36.560000 --> 0:25:41.560000
 to the task. So I've created
 the observable here.

0:25:41.560000 --> 0:25:43.420000
 Now, of course, I can control it.

0:25:43.420000 --> 0:25:47.940000
 So if I select it, I can modify, delete,
 but this button here, run analysis,

0:25:47.940000 --> 0:25:51.340000
 is where Cortex comes into play.

0:25:51.340000 --> 0:25:57.160000
 So the Cortex analyzers, you
 can see hash analyzers.

0:25:57.160000 --> 0:26:00.300000
 So these are the analyzers
 available for hashes.

0:26:00.300000 --> 0:26:06.860000
 So I can use multiverse, Team Cymru,
 or "simuru", I think it's pronounced,

0:26:06.860000 --> 0:26:09.280000
 URLhaus, URLScan.

0:26:09.280000 --> 0:26:13.800000
 So I can select all to perform the enrichment
 of the IOC or the observable

0:26:13.800000 --> 0:26:18.820000
 in this case. Now you want to give it
 a few seconds. After a few seconds

0:26:18.820000 --> 0:26:21.680000
 to a minute, depending on what's being
 analyzed, you'll actually see the

0:26:21.680000 --> 0:26:24.220000
 reports for the observables.

0:26:24.220000 --> 0:26:27.560000
 And we'll actually wait
 for this to complete.

0:26:27.560000 --> 0:26:30.880000
 Let me change that to manual refresh.

0:26:30.880000 --> 0:26:35.300000
 So there we are, URLScan, zero results,
 that makes sense,

0:26:35.300000 --> 0:26:38.340000
 because, you know, we're
 not really scanning URLs.

0:26:38.340000 --> 0:26:43.960000
 But over here, if we click on this here,
 we can see the result from Team

0:26:43.960000 --> 0:26:53.480000
 Cymru, the detection percentage
 is 44%, last seen 2024.

0:26:53.480000 --> 0:26:55.560000
 So that's year, month.

0:26:55.560000 --> 0:27:00.700000
 So December 2024 on the 20th,
 23, 1800 hours over here.

0:27:00.700000 --> 0:27:02.600000
 So this is the enrichment
 I was talking about.

0:27:02.600000 --> 0:27:06.400000
 Now that's just a very basic
 example that I'm using here.

0:27:06.400000 --> 0:27:10.820000
 And we'll talk a little bit about the
 other types of analyzers that can

0:27:10.820000 --> 0:27:16.880000
 come into play. So that's the
 general flow of things.

0:27:16.880000 --> 0:27:23.100000
 Now just to close this up, if I go back
 to the tasks here and, you know,

0:27:23.100000 --> 0:27:24.860000
 let's say I am done now.

0:27:24.860000 --> 0:27:31.800000
 So in here, you know, I can sort
 of add some more activity.

0:27:31.800000 --> 0:27:42.640000
 I can say, I identified
 ransomware hash.

0:27:42.640000 --> 0:27:46.660000
 So just, you know, very basic for
 now, just confirm that in there.

0:27:46.660000 --> 0:27:51.940000
 Okay. And, you know, pretty much done.

0:27:51.940000 --> 0:27:56.940000
 And, you know, you can then close this, delete it,
 take a look at the responders.

0:27:56.940000 --> 0:28:01.540000
 So you can actually, you know, see the
 actions run on the current task.

0:28:01.540000 --> 0:28:08.440000
 But if we go back to the task list
 here, if we take a look at this, if

0:28:08.440000 --> 0:28:12.700000
 we select, actually, no, we've already
 assigned it and run the analyzers,

0:28:12.700000 --> 0:28:14.080000
 I wanted to showcase.

0:28:14.080000 --> 0:28:17.960000
 So where is this? I see, I forgot, it is here.

0:28:17.960000 --> 0:28:19.280000
 So I want to set this in progress.

0:28:19.280000 --> 0:28:22.360000
 This is the case itself now.

0:28:22.360000 --> 0:28:27.540000
 And now, you know, you can
 also flag this here.

0:28:27.540000 --> 0:28:32.840000
 What this does is if we go into, we
 take a look at the cases, you can

0:28:32.840000 --> 0:28:36.140000
 see this is in progress,
 ransomware incident.

0:28:36.140000 --> 0:28:39.900000
 There's only one task, one observable,
 TTPs, linked alerts, all that good

0:28:39.900000 --> 0:28:46.460000
 stuff. So, you know, I can just dive
 into the particular case here.

0:28:46.460000 --> 0:28:51.560000
 And at this point, I can take
 a look at the tasks here.

0:28:51.560000 --> 0:28:57.120000
 And I can then take a look at settings,
 actually, no, one second.

0:28:57.120000 --> 0:29:01.260000
 So we click on this here,
 detection and analysis.

0:29:01.260000 --> 0:29:04.440000
 So we have the activity,
 yes, right over here.

0:29:04.440000 --> 0:29:10.560000
 And now you can see that when you click
 on require action, this will say,

0:29:10.560000 --> 0:29:14.560000
 would you like to add a task
 log before requesting action?

0:29:14.560000 --> 0:29:16.380000
 Because we're doing triage.

0:29:16.380000 --> 0:29:21.600000
 We've already done that to a certain extent,
 action from your organization.

0:29:21.600000 --> 0:29:26.240000
 So we can just mark it as done over here.


0:29:26.240000 --> 0:29:33.420000
 One second, because I'm using, let's
 see, create a log right over here,

0:29:33.420000 --> 0:29:36.320000
 completed triage.

0:29:36.320000 --> 0:29:40.880000
 Okay, include this in timeline confirm.

0:29:40.880000 --> 0:29:46.500000
 If we go back to general and we take
 a look at tasks right over here.

0:29:46.500000 --> 0:29:49.860000
 Yeah, okay, so that's still
 running, one second.

0:29:49.860000 --> 0:29:51.900000
 Let me get rid of that filter there.

0:29:51.900000 --> 0:29:58.480000
 Should have probably used a different
 user to do this instead of using

0:29:58.480000 --> 0:30:05.520000
 the org admin. When I'm done, I can
 then just, you know, click on close

0:30:05.520000 --> 0:30:10.000000
 here. And this is sort of
 completing the triage.

0:30:10.000000 --> 0:30:16.780000
 So actually this is in relation
 to this particular, one second.

0:30:16.780000 --> 0:30:17.620000
 That was the case.

0:30:17.620000 --> 0:30:20.180000
 So I click on close for the task here.

0:30:20.180000 --> 0:30:22.520000
 So this is now marked as done.

0:30:22.520000 --> 0:30:26.120000
 Okay, and you can get rid of the in
 progress filter and that's done.

0:30:26.120000 --> 0:30:30.060000
 But when you're done with the case,
 let's say we arrived at, you know, a

0:30:30.060000 --> 0:30:30.760000
 specific conclusion.

0:30:30.760000 --> 0:30:36.020000
 I can click on close and say, let's say
 it was a, you know, false positive

0:30:36.020000 --> 0:30:38.760000
 or something like this.

0:30:38.760000 --> 0:30:42.660000
 Even though it wasn't, because
 we did find a hash there.

0:30:42.660000 --> 0:30:49.620000
 So we can just say false
 positive as an example.

0:30:49.620000 --> 0:30:52.680000
 Okay, now I click on confirm here.

0:30:52.680000 --> 0:30:59.100000
 And now if I go back to cases, you can
 see that that's, you know, considered

0:30:59.100000 --> 0:31:03.700000
 closed. And generally speaking, that's
 how you go from alert to case to

0:31:03.700000 --> 0:31:05.720000
 task to, you know, completion.

0:31:05.720000 --> 0:31:13.720000
 Now that may have been a, you know,
 very poor example of, you know, what

0:31:13.720000 --> 0:31:15.320000
 you typically encounter.

0:31:15.320000 --> 0:31:20.980000
 And what I really wanted to showcase
 was the use of templates in Playbook.

0:31:20.980000 --> 0:31:28.600000
 So if I go into the org settings here
 and I create a new case template,

0:31:28.600000 --> 0:31:34.100000
 what we can do is we can create playbooks
 for different types of events.

0:31:34.100000 --> 0:31:38.520000
 If you remember the playbook video, so
 let's create one called ransomware

0:31:38.520000 --> 0:31:43.020000
 playbook. Okay, actually,
 no, that's the prefix.

0:31:43.020000 --> 0:31:45.080000
 We can just say this is 01.

0:31:45.080000 --> 0:31:50.660000
 And then in here, we'll say,
 ransomware playbook.

0:31:50.660000 --> 0:31:53.320000
 The display name can be
 ransomware attack.

0:31:53.320000 --> 0:31:56.240000
 We'll set this to red.

0:31:56.240000 --> 0:31:57.920000
 Actually, that would be high.

0:31:57.920000 --> 0:32:03.320000
 Then the tags here would be, you know,
 malware, ransomware, like so.

0:32:03.320000 --> 0:32:10.260000
 Okay. Yeah, that should be fine.

0:32:10.260000 --> 0:32:22.920000
 Let's see. The description here, we
 can just say, you know, playbook.

0:32:22.920000 --> 0:32:26.220000
 for ransomware attacks.

0:32:26.220000 --> 0:32:27.940000
 Okay, so let's save it.

0:32:27.940000 --> 0:32:32.140000
 Now we'll go ahead and modify it again.

0:32:32.140000 --> 0:32:37.920000
 And we want to create tasks that are
 created when this template is used.

0:32:37.920000 --> 0:32:47.600000
 Okay. So what we're going to do here is
 now create playbooks for different.

0:32:47.600000 --> 0:32:52.320000
 We're going to create tasks that
 represent different aspects of the

0:32:52.320000 --> 0:32:56.780000
 playbook. So if you remember, in
 the playbook video, we utilized

0:32:56.780000 --> 0:32:59.080000
 the public playbooks repo.

0:32:59.080000 --> 0:33:00.780000
 So let's actually use this as an example.


0:33:00.780000 --> 0:33:10.220000
 Like I'll click on the ransom playbook
 here and let's set up one for analysis.

0:33:10.220000 --> 0:33:15.820000
 So I'll go ahead and just copy
 maybe this aspect here.

0:33:15.820000 --> 0:33:18.700000
 Actually, no, one second.

0:33:18.700000 --> 0:33:19.880000
 Let's use this one.

0:33:19.880000 --> 0:33:24.620000
 So we're going to create a playbook for.

0:33:24.620000 --> 0:33:29.380000
 We'll just call it investigation.

0:33:29.380000 --> 0:33:31.140000
 It's really analysis.

0:33:31.140000 --> 0:33:34.560000
 So we're just going to copy this here.

0:33:34.560000 --> 0:33:38.440000
 Okay. So something like this,
 just, you know, what you do.

0:33:38.440000 --> 0:33:49.220000
 The group. We'll just call this
 analysis or investigation.

0:33:49.220000 --> 0:33:53.420000
 If I'm using SANS nomenclature, we'll
 just call this investigate.

0:33:53.420000 --> 0:33:59.040000
 The title is, let me paste
 in the description.

0:33:59.040000 --> 0:34:03.820000
 So there are a few, you know, typos
 and spelling mistakes there, but

0:34:03.820000 --> 0:34:08.660000
 the title would be identify, you know,
 threat actor or ransomware family.

0:34:08.660000 --> 0:34:10.920000
 Let's get rid of this here.

0:34:10.920000 --> 0:34:13.920000
 So let's correct some of
 the spelling mistakes.

0:34:13.920000 --> 0:34:18.620000
 Use the various artifacts we need
 to identify who the adversary is.

0:34:18.620000 --> 0:34:23.760000
 So we can maybe change those to bullet
 points and then, you know, understand

0:34:23.760000 --> 0:34:27.780000
 the effect of a reboot.

0:34:27.780000 --> 0:34:36.840000
 And then, you know, for example, let's
 see, which OS, this

0:34:36.840000 --> 0:34:40.600000
 also would need to be in a list of sorts.


0:34:40.600000 --> 0:34:47.940000
 Let me, we can actually just
 change it to something like this.

0:34:47.940000 --> 0:34:52.320000
 And let me get rid of that there.

0:34:52.320000 --> 0:34:54.820000
 Just clean it up a little bit here.

0:34:54.820000 --> 0:34:57.680000
 And then things we can use.

0:34:57.680000 --> 0:35:02.140000
 Okay, just make it, of course
 I'm rushing through this.

0:35:02.140000 --> 0:35:03.700000
 We can see what it looks like.

0:35:03.700000 --> 0:35:08.460000
 So identify the threat.

0:35:08.460000 --> 0:35:11.700000
 Okay. So let's modify this
 a little bit here.

0:35:11.700000 --> 0:35:14.020000
 So this would be a header.

0:35:14.020000 --> 0:35:21.200000
 And then, you know, we
 can get rid of that there.

0:35:21.200000 --> 0:35:24.900000
 Yeah. And then let's
 see how this looks now.

0:35:24.900000 --> 0:35:26.060000
 So there we are.

0:35:26.060000 --> 0:35:30.760000
 Very nice. So something like this, then
 the assignee could be just ourselves.

0:35:30.760000 --> 0:35:32.740000
 We don't need the analyst.

0:35:32.740000 --> 0:35:42.400000
 And then once we're done with this,
 we can, let's see, we

0:35:42.400000 --> 0:35:43.920000
 can just save that as it is.

0:35:43.920000 --> 0:35:45.720000
 And then edit the case template.

0:35:45.720000 --> 0:35:49.920000
 So we're essentially creating playbooks
 in the form of tasks for different

0:35:49.920000 --> 0:35:51.500000
 aspects of the response.

0:35:51.500000 --> 0:35:56.060000
 So we've done one for, in this case, identify
 the threat actor or ransomware

0:35:56.060000 --> 0:36:01.800000
 family. And I'll just use the same
 workflow or playbook here.

0:36:01.800000 --> 0:36:06.580000
 We can also have one for, let's
 say, scope validation, etc.

0:36:06.580000 --> 0:36:09.620000
 We're not going to go through that,
 but you can create, you know,

0:36:09.620000 --> 0:36:18.980000
 tasks to sort of address that. The bottom line
 is now when I go into cases

0:36:18.980000 --> 0:36:23.500000
 and I create a new case, I can then
 use the ransomware attack template

0:36:23.500000 --> 0:36:29.960000
 here. And we can just call this,
 you know, what should we,

0:36:29.960000 --> 0:36:36.460000
 generally speaking, we'll just
 say, you know, ransomware related

0:36:36.460000 --> 0:36:40.080000
 security incident.

0:36:40.080000 --> 0:36:43.680000
 Okay. That would be high red.

0:36:43.680000 --> 0:36:46.880000
 And then you can see because it's a template,
 because, you know, it's

0:36:46.880000 --> 0:36:51.300000
 using a template, we already have the
 investigate task or playbook as

0:36:51.300000 --> 0:36:52.980000
 it were already good to go.

0:36:52.980000 --> 0:36:58.200000
 So when we hit confirm, the person
 we assigned it to, you can see two

0:36:58.200000 --> 0:36:59.120000
 tasks over here.

0:36:59.120000 --> 0:37:02.760000
 One was completed, but this one is
 already created and assigned to us.

0:37:02.760000 --> 0:37:07.260000
 So you can actually create the tasks
 in the form of playbooks,

0:37:07.260000 --> 0:37:11.820000
 and then assign them to the responders
 responsible for, you know, the

0:37:11.820000 --> 0:37:16.120000
 various aspects of response, whether it
 be analysis, you know, detection and

0:37:16.120000 --> 0:37:22.320000
 analysis, containment, eradication,
 recovery, et cetera.

0:37:22.320000 --> 0:37:26.680000
 So now me as the, let's say in
 this case, the forensic analyst or

0:37:26.680000 --> 0:37:30.840000
 malware analyst, I then need
 to perform the analysis here.

0:37:30.840000 --> 0:37:34.880000
 And then of course, you know, we've
 already covered the activity log

0:37:34.880000 --> 0:37:37.380000
 here or creating a task log.

0:37:37.380000 --> 0:37:44.500000
 And I can, wait, if I click
 on start, that will start it

0:37:44.500000 --> 0:37:46.020000
 up. There we go.

0:37:46.020000 --> 0:37:50.760000
 And then I can go ahead and start adding
 my observables or IOCs as we

0:37:50.760000 --> 0:37:54.660000
 covered. And, you know, it's
 pretty much the same

0:37:54.660000 --> 0:37:57.220000
 thing we did previously.

0:37:57.220000 --> 0:38:01.800000
 So that is pretty much all that I wanted
 to cover in this practical demo

0:38:01.800000 --> 0:38:06.940000
 to sort of give you an idea as to,
 you know, how the Hive works with

0:38:06.940000 --> 0:38:10.660000
 regards to incident management and how
 it would relate to you as an incident

0:38:10.660000 --> 0:38:15.660000
 responder. And hopefully this gives
 you the visibility over these tools

0:38:15.660000 --> 0:38:17.880000
 and, you know, the nomenclature
 and the systems.

0:38:17.880000 --> 0:38:21.500000
 And generally speaking, you're going
 to be using a platform just like

0:38:21.500000 --> 0:38:26.920000
 this, you know, in terms of getting
 notified about incidents that

0:38:26.920000 --> 0:38:27.860000
 you need to investigate.

0:38:27.860000 --> 0:38:29.980000
 So this is how they'll
 be assigned to you.

0:38:29.980000 --> 0:38:33.540000
 And you can see the platforms make
 it really easy to log all the stuff

0:38:33.540000 --> 0:38:34.740000
 that you're doing.

0:38:34.740000 --> 0:38:39.400000
 And this way, you know, you're able to
 go through and, you know,

0:38:39.400000 --> 0:38:44.740000
 pretty much work through all the tasks
 that have been assigned to you.

0:38:44.740000 --> 0:38:46.900000
 And you have everything documented.

0:38:46.900000 --> 0:38:50.160000
 Of course the dashboards, if we take
 a look at them now, there'll be a

0:38:50.160000 --> 0:38:54.260000
 bit more enriched with data
 on the alerts specifically.

0:38:54.260000 --> 0:38:59.560000
 This is generally for the executives
 or the IR team lead, whoever

0:38:59.560000 --> 0:39:04.460000
 is managing the incident response process,
 they can actually see a summary

0:39:04.460000 --> 0:39:09.560000
 of incidents or alerts and
 likewise observables.

0:39:09.560000 --> 0:39:13.240000
 You know, you can actually see the
 observable categories, so

0:39:13.240000 --> 0:39:14.900000
 hash IP, et cetera.

0:39:14.900000 --> 0:39:18.040000
 That being said, that brings us to the
 end of the practical demonstration

0:39:18.040000 --> 0:39:21.740000
 section of this video.

0:39:21.740000 --> 0:39:25.440000
 All right. So that was incident
 response with the Hive, a practical

0:39:25.440000 --> 0:39:27.960000
 demo. Hopefully you found that valuable.

0:39:27.960000 --> 0:39:31.660000
 Definitely give the virtual
 machine a try for yourself.

0:39:31.660000 --> 0:39:36.600000
 And again, you can go through various
 examples and try and, you know,

0:39:36.600000 --> 0:39:40.640000
 integrate the playbooks that we looked
 at earlier on in this course in

0:39:40.640000 --> 0:39:42.120000
 the form of templates.

0:39:42.120000 --> 0:39:45.440000
 But with that being said, that's
 going to be it for this video.

0:39:45.440000 --> 0:39:47.600000
 And I will be seeing you
 in the next video.

