Clarification Needed: Complete SOAR Workflow and IOC Enrichment Flow (Wazuh Logs → Slack Notification)
Hi Everyone,
I'm currently working on integrating a full SOAR workflow and I'm a bit unclear about the enrichment process, especially where IOCs come into play.
So far, I have successfully configured the alert generation (e.g., from Wazuh logs) and am able to create cases based on these alerts. However, I'm confused about the role and timing of IOC enrichment in this flow.
Some specific questions:
At what point in the pipeline should enrichment be performed?
Should enrichment happen before a case is created, or only for certain types of alerts?
Do we always need to create an IOC for enrichment to happen?
If not all alerts are supposed to trigger case creation, how do we determine which alerts need enrichment first?
My ideal end-to-end flow looks something like this:
Wazuh Logs → Alert Generated → (IOC Extracted?) → Enrichment (via Threat Intel, etc.) → Case Created (if applicable) → Slack Notification
If anyone has implemented a similar workflow or has best practices to share (especially around integrating enrichment tools like VirusTotal, AbuseIPDB, MISP, etc.), I’d love to learn more!
Thanks in advance for any guidance or suggestions!
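A sketch of the flow described in the post, added here as an illustration and not code from the Wazuh project or anyone in this thread: a constructed Wazuh-style alert is parsed, external IPs are extracted as IOCs, only higher-severity alerts that actually carry an IOC are enriched against a local lookup table standing in for VirusTotal/AbuseIPDB/MISP, and a case is opened only when enrichment scores an IOC as malicious. Field names follow Wazuh's alert JSON; the thresholds, the threat-intel table, the internal network list and the Slack message format are assumptions.

```python
import ipaddress
import re

# Constructed Wazuh-style alert (field names follow Wazuh's JSON output; values are made up).
SAMPLE_ALERT = {
    "rule": {"id": "5710", "level": 10, "description": "sshd: Attempt to login using a non-existent user"},
    "agent": {"name": "web-01"},
    "data": {"srcip": "203.0.113.45"},
    "full_log": "sshd[2211]: Invalid user admin from 203.0.113.45 port 51022",
}

# Stand-in threat-intel store; a real pipeline would query VirusTotal/AbuseIPDB/MISP here.
# Verdicts are constructed and 203.0.113.0/24 is RFC 5737 documentation space.
LOCAL_TI = {"203.0.113.45": {"source": "local-list", "verdict": "malicious", "score": 95}}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ENRICH_MIN_LEVEL = 7   # assumed: enrich only alerts at or above this Wazuh rule level
CASE_MIN_SCORE = 80    # assumed: open a case only when an IOC scores at least this high


def _is_external(ip: str) -> bool:
    """Reject malformed matches (e.g. 999.1.1.1) and addresses inside our own ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_iocs(alert: dict) -> set:
    """Collect candidate IPs from the structured srcip field and the raw log line, keep external ones."""
    candidates = set(IP_RE.findall(alert.get("full_log", "")))
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        candidates.add(srcip)
    return {ip for ip in candidates if _is_external(ip)}


def needs_enrichment(alert: dict, iocs: set) -> bool:
    """Gate: spend enrichment budget only on higher-severity alerts that carry an external IOC."""
    return alert["rule"]["level"] >= ENRICH_MIN_LEVEL and bool(iocs)


def enrich(iocs: set) -> dict:
    """Look each IOC up; unknown indicators get an explicit 'unknown' verdict instead of being dropped."""
    return {ioc: LOCAL_TI.get(ioc, {"source": "none", "verdict": "unknown", "score": 0}) for ioc in sorted(iocs)}


def process_alert(alert: dict) -> dict:
    """Pipeline: extract IOCs -> gate -> enrich -> decide on a case -> build the Slack text."""
    iocs = extract_iocs(alert)
    result = {"iocs": sorted(iocs), "enriched": False, "enrichment": {}, "create_case": False}
    if needs_enrichment(alert, iocs):
        result["enriched"] = True
        result["enrichment"] = enrich(iocs)
        result["create_case"] = any(e["score"] >= CASE_MIN_SCORE for e in result["enrichment"].values())
    verdicts = ", ".join(f"{i}={e['verdict']}" for i, e in result["enrichment"].items()) or "none"
    result["slack_text"] = (f"[L{alert['rule']['level']}] {alert['rule']['description']} on {alert['agent']['name']}"
                            f" | IOCs: {verdicts} | case: {'yes' if result['create_case'] else 'no'}")
    return result
```

Low-level alerts and alerts without an external IOC pass straight through to notification without an enrichment call, which is one answer to the "which alerts need enrichment first" question.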