
Hear me SOAR - Using Elastic, ElastAlert and TheHive in an effective purple team pipeline

  • Wednesday, November 6th, 2019 at 10:30 AM EST (15:30:00 UTC)
  • Michel Coene


As we've seen in previous webcasts, purple teaming can be highly automated, for example by using Caldera. Specific attacks test the defenses and detection mechanisms you have in place, but such a test is performed at a single point in time. What if a later configuration change renders your defenses useless and allows the attack to succeed: will you notice at any point in the future? This is where continuous purple teaming comes in: at a periodic interval your defenses are tested, after which an automatic alert, based on SIGMA rules, is raised in your case management tool, using ElastAlert to link your Elastic stack to TheHive. This not only gives you reassurance that the implemented defenses are still functional, it also lets you streamline (and partially automate) your response to such a potential attack.
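An added example (not from the webcast or its speaker) of the last link in that pipeline: an ElastAlert rule whose query was generated from a SIGMA rule and whose alert action opens a TheHive alert with the matching event fields attached as observables. The index pattern, ECS field names, TheHive host and port are assumptions; the API key is a placeholder.

```yaml
# ElastAlert rule: SIGMA-derived query -> TheHive alert (constructed example, not the speaker's)
name: sigma-whoami-execution-to-thehive
type: any                      # fire on every matching document
index: winlogbeat-*            # assumed index pattern for Windows process-creation events
realert:
  minutes: 0                   # purple-team runs are periodic; do not suppress repeat alerts

# Query in the form sigmac's elastalert backend emits for a "whoami execution" SIGMA rule
# (field names assume ECS-mapped Sysmon event 1 data)
filter:
  - query:
      query_string:
        query: 'event.code:"1" AND process.name:"whoami.exe"'

alert:
  - hivealerter

hive_connection:
  hive_host: https://thehive.example.internal   # assumed host
  hive_port: 9000                               # assumed port
  hive_apikey: REPLACE_WITH_API_KEY_PLACEHOLDER # placeholder; keep real secrets out of the rule file

# Alert fields use ElastAlert's {match[...]} substitution from the matched document
hive_alert_config:
  title: 'Purple team check: whoami execution detected'
  type: 'purple-team'
  source: 'elastalert'
  description: 'SIGMA rule matched on {match[host][name]}: {match[process][command_line]}'
  severity: 2
  tags: ['sigma', 'purple-team', 'T1033']   # ATT&CK T1033, System Owner/User Discovery
  tlp: 2
  status: 'New'
  follow: True

# Map matched fields into TheHive observables so the analyst can pivot from the alert
hive_observable_data_mapping:
  - hostname: '{match[host][name]}'
  - other: '{match[process][command_line]}'
```

If the periodic Caldera run stops producing this alert, the detection chain (log shipping, Elastic query, ElastAlert, TheHive) has silently broken somewhere and needs investigating, which is exactly the regression the continuous approach is meant to catch.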
