Hear me SOAR - Using Elastic, ElastAlert and TheHive in an effective purple team pipeline

  • Wednesday, 06 Nov 2019 10:30AM EST (06 Nov 2019 15:30 UTC)

As we've seen in previous webcasts, purple teaming can be highly automated, for example with Caldera. Specific attacks are run to test the defenses and detection mechanisms in place, but that test happens at one point in time. What if a later configuration change renders a defense useless and lets the same attack succeed: would you notice? This is where continuous purple teaming comes in. At a periodic interval your defenses are tested again, and every detection, based on Sigma rules, automatically raises an alert in your case management tool, with ElastAlert linking your Elastic stack to TheHive. This not only gives you reassurance that the implemented defenses are still functional, but also lets you streamline (and partially automate) your response to such an attack.
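The hop from a Sigma detection to a TheHive alert can be sketched in a few dozen lines. The example below is added here and is not code from the webcast, from ElastAlert or from TheHive: a hand-written rule in the Sigma layout (selection, filter, condition) is evaluated over three constructed process-creation events, and each hit is turned into an alert document in the shape TheHive 3's alert API accepts (title, description, type, source, sourceRef, severity, tlp, tags, artifacts). The ECS-style field names, the sample events and the `defenses_still_detect` check are assumptions made for the illustration; only the `not`/`and`/`or` subset of Sigma conditions is supported.

```python
import hashlib
import json
from typing import Any, Dict, List

# Constructed sample events in an ECS-like layout for Windows process creation.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": "2019-11-06T15:30:01Z", "host": {"name": "ws01"}, "user": {"name": "alice"},
     "process": {"name": "powershell.exe",
                 "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."}},
    {"@timestamp": "2019-11-06T15:30:02Z", "host": {"name": "ws01"}, "user": {"name": "svc_backup"},
     "process": {"name": "powershell.exe",
                 "command_line": "powershell.exe -EncodedCommand JABiAGEAYwBr..."}},
    {"@timestamp": "2019-11-06T15:30:03Z", "host": {"name": "srv02"}, "user": {"name": "bob"},
     "process": {"name": "cmd.exe", "command_line": "cmd.exe /c whoami"}},
]

# Hand-written rule in the Sigma layout (assumed content, not a published Sigma rule).
RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell Command Line",
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"process.name|endswith": "powershell.exe",
                      "process.command_line|contains": ["-enc", "-EncodedCommand"]},
        "filter": {"user.name": "svc_backup"},   # known automation account, excluded
        "condition": "selection and not filter",
    },
}


def _lookup(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field such as 'process.command_line' in a nested document."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """One Sigma field test: list values are OR-ed, comparison is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = _lookup(event, field)
    if value is None:
        return False
    value = str(value).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if (modifier == "contains" and cand in value) or \
           (modifier == "endswith" and value.endswith(cand)) or \
           (modifier == "" and value == cand):
            return True
    return False


def evaluate_condition(event: Dict[str, Any], detection: Dict[str, Any]) -> bool:
    """Evaluate 'a and not b or c' style conditions; precedence not > and > or."""
    tokens = detection["condition"].split()

    def term(i: int):
        negate = False
        while tokens[i] == "not":
            negate, i = not negate, i + 1
        search = detection[tokens[i]]          # all fields of a search map are AND-ed
        return all(_field_matches(event, k, v) for k, v in search.items()) != negate, i + 1

    def conjunction(i: int):
        val, i = term(i)
        while i < len(tokens) and tokens[i] == "and":
            nxt, i = term(i + 1)
            val = val and nxt
        return val, i

    val, i = conjunction(0)
    while i < len(tokens) and tokens[i] == "or":
        nxt, i = conjunction(i + 1)
        val = val or nxt
    return val


SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 3}   # TheHive 3 uses 1..3


def build_thehive_alert(rule: Dict[str, Any], event: Dict[str, Any],
                        source: str = "elastalert") -> Dict[str, Any]:
    """Alert document for TheHive's alert API (field names per the TheHive 3 API)."""
    # source + sourceRef must be unique: hashing the event keeps a re-run of the
    # same test idempotent instead of opening a duplicate alert.
    source_ref = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "title": rule["title"],
        "description": "Rule '%s' matched on %s at %s" % (
            rule["title"], _lookup(event, "host.name"), event["@timestamp"]),
        "type": "external", "source": source, "sourceRef": source_ref,
        "severity": SEVERITY.get(rule.get("level", "medium"), 2),
        "tlp": 2, "tags": list(rule.get("tags", [])),
        "artifacts": [
            {"dataType": "other", "data": _lookup(event, "host.name"), "message": "host"},
            {"dataType": "filename", "data": _lookup(event, "process.name"), "message": "process"},
            {"dataType": "other", "data": _lookup(event, "process.command_line"),
             "message": "command line"},
        ],
    }


def run_pipeline(events: List[Dict[str, Any]], rule: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Detection step: one TheHive alert per event the rule matches."""
    return [build_thehive_alert(rule, e) for e in events if evaluate_condition(e, rule["detection"])]


def defenses_still_detect(events, rule, expected_hits: int = 1) -> bool:
    """Continuous purple-team check: the known-bad sample must still raise alerts."""
    return len(run_pipeline(events, rule)) >= expected_hits


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_EVENTS, RULE):
        print(json.dumps(alert, indent=2))
    print("defenses still detect:", defenses_still_detect(SAMPLE_EVENTS, RULE))
```

Of the three constructed events only the first produces an alert: the second is an encoded command too, but is excluded by the `filter` on the automation account, and the third never matches the selection. In the real pipeline the `sourceRef` dedup matters: the periodic attack replays the same behaviour every run, and a case-management tool that opens a fresh alert each time trains analysts to ignore it.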