Has anyone thought about building a cyber security case management solution on top of the ELK stack?
I can imagine a streamlined workflow for cyber security analysts/incident response teams. Analysts on a "hunt" could mark a record or records as the start of a new case and then could add additional records to that case. Adding records to a case could potentially prevent those records from being curated off the cluster, or delay curation based on some criteria. This could also enable enrichment and correlation of case artifacts (IPs, hostnames, IOCs, etc.) more quickly or automatically, and allow analysts to operate within a single platform instead of moving between platforms frequently.

The only platform I've seen that achieves something like this is Apache Metron. I'd rather leverage an existing investment in the Elastic Stack if possible, which has the data I'm interested in using for case generation and enrichment.

Thanks for your input/ideas in advance.
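The workflow sketched above (tag records into a case, hold tagged records back from retention, pull artifacts out of the case and correlate them against untagged records) as an added, in-memory example. This is not code from the original post or from any of the projects mentioned; the event shape, the `case_id` field, the IOC fields and the sample events are all constructed assumptions. The two `*_body` helpers build the Elasticsearch `_update_by_query` / `_delete_by_query` request bodies that would do the same thing on a real cluster, but nothing here talks to one.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events; the field names are assumptions for this sketch.
NOW = datetime(2020, 1, 10, tzinfo=timezone.utc)
EVENTS = [
    {"_id": "1", "@timestamp": NOW - timedelta(days=30), "host": "web01",
     "src_ip": "198.51.100.7", "message": "ssh login failed"},
    {"_id": "2", "@timestamp": NOW - timedelta(days=29), "host": "web01",
     "src_ip": "198.51.100.7", "message": "ssh login accepted"},
    {"_id": "3", "@timestamp": NOW - timedelta(days=2), "host": "db01",
     "src_ip": "203.0.113.9", "message": "backup ok"},
    {"_id": "4", "@timestamp": NOW - timedelta(days=28), "host": "db01",
     "src_ip": "198.51.100.7", "message": "ssh login accepted"},
]
RETENTION = timedelta(days=14)          # assumed retention window
IOC_FIELDS = ("src_ip", "host")         # assumed artifact-bearing fields
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def tag_case(events, doc_ids, case_id):
    """Mark records as belonging to a case. Returns the number tagged."""
    n = 0
    for ev in events:
        if ev["_id"] in doc_ids:
            ev["case_id"] = case_id
            n += 1
    return n


def update_by_query_body(doc_ids, case_id):
    """Elasticsearch _update_by_query body that does the same tagging on a cluster."""
    return {
        "query": {"ids": {"values": sorted(doc_ids)}},
        "script": {"source": "ctx._source.case_id = params.case_id",
                   "params": {"case_id": case_id}},
    }


def case_artifacts(events, case_id):
    """Collect IOC-style artifacts (IPs, hostnames) from a case's records."""
    ips, hosts = set(), set()
    for ev in events:
        if ev.get("case_id") != case_id:
            continue
        for field in IOC_FIELDS:
            value = ev.get(field)
            if value:
                (ips if IPV4.match(value) else hosts).add(value)
    return {"ips": ips, "hosts": hosts}


def correlate(events, artifacts):
    """Untagged records sharing an artifact with the case: candidates to add.
    Re-running this after each addition widens the case transitively, so an
    analyst should review each round rather than auto-merging everything."""
    wanted = artifacts["ips"] | artifacts["hosts"]
    return {ev["_id"] for ev in events
            if "case_id" not in ev
            and any(ev.get(f) in wanted for f in IOC_FIELDS)}


def curate(events, now, retention, open_cases):
    """Retention pass: drop records older than the window unless an open case holds them."""
    cutoff = now - retention
    return [ev for ev in events
            if ev["@timestamp"] >= cutoff or ev.get("case_id") in open_cases]


def delete_by_query_body(cutoff):
    """Cluster-side equivalent: expire old records that carry no case tag.
    Assumes closing a case clears case_id (or moves the records elsewhere)."""
    return {"query": {"bool": {
        "filter": [{"range": {"@timestamp": {"lt": cutoff.isoformat()}}}],
        "must_not": [{"exists": {"field": "case_id"}}],
    }}}


if __name__ == "__main__":
    events = [dict(e) for e in EVENTS]
    tag_case(events, {"1", "2"}, "CASE-1")          # analyst opens a case on two hits
    arts = case_artifacts(events, "CASE-1")         # {'198.51.100.7'}, {'web01'}
    more = correlate(events, arts)                  # {'4'}: same source IP on db01
    tag_case(events, more, "CASE-1")
    held = curate(events, NOW, RETENTION, {"CASE-1"})
    print(sorted(e["_id"] for e in held))           # ['1', '2', '3', '4']
    print(sorted(e["_id"] for e in curate(events, NOW, RETENTION, set())))  # ['3']
```

The retention hold is the part most worth getting right on a real cluster: the delete-by-query above only works if every curation path (ILM delete phases, Curator, index rollover) is taught to skip tagged documents, which is simpler if case records are copied into a separate, non-expiring index rather than pinned in place.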

There are a few tools out there that do some of this.
CAPESStack and NightHawk are two that come to mind.

That is (or was until recently) built on Elasticsearch.


Thanks for the feedback. Apache Metron still uses Elasticsearch on the backend. I'm also looking at TheHive Project.

