A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
Multiple SOC and CERT analysts can collaborate on investigations simultaneously. Thanks to the built-in live stream, real-time information pertaining to new or existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, and to preview new MISP events and alerts from multiple sources such as email reports, CTI providers and SIEMs. They can then import and investigate them right away.
Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics and custom fields to your templates to drive your team's activity, identify through dynamic dashboards the types of investigation that take significant time, and seek to automate tedious tasks. Analysts can record their progress, attach pieces of evidence or noteworthy files, add tags, and import password-protected ZIP archives containing malware or suspicious data without opening them.
Add one, hundreds or thousands of observables to each case that you create, or import them directly from a MISP event or any alert sent to the platform. Quickly triage and filter them. Harness the power of Cortex and its analyzers and responders to gain precious insight, speed up your investigation and contain threats. Leverage tags, flag IOCs, record sightings and identify previously seen observables to feed your threat intelligence. Once investigations are completed, export IOCs to one or several MISP instances.
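As an added illustration of the observable triage described above (normalising indicators from several alert sources, merging duplicates, counting sightings, flagging previously seen observables and collecting flagged IOCs for export), here is a small self-contained Python example. It is example code, not the platform's own implementation: the alert format, the class and function names and the sample indicators are constructed assumptions.

```python
"""Toy observable store: merge indicators from several alerts, count sightings,
flag IOCs and spot observables already attached to an earlier case.
Example code only; the data model below is an assumption, not the platform's."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Common defang conventions seen in mail reports. Refanging before keying
# makes "Bad-Update[.]example" and "bad-update.example" the same observable.
_REFANG = (
    (r"\[\.\]", "."),
    (r"\(\.\)", "."),
    (r"\[:\]", ":"),
    (r"^hxxp", "http"),
)


def normalise(value: str) -> str:
    """Refang and lower-case an indicator so duplicates from different sources collide."""
    v = value.strip()
    for pattern, repl in _REFANG:
        v = re.sub(pattern, repl, v, flags=re.IGNORECASE)
    return v.lower()


@dataclass
class Observable:
    data_type: str                               # e.g. "domain", "ip", "hash"
    data: str                                    # normalised value
    sources: set = field(default_factory=set)    # alert sources that reported it
    cases: set = field(default_factory=set)      # cases it has been attached to
    tags: set = field(default_factory=set)
    sightings: int = 0
    ioc: bool = False


class ObservableStore:
    """Case-spanning store keyed on (type, normalised value)."""

    def __init__(self) -> None:
        self._items: dict[tuple[str, str], Observable] = {}

    def add(self, case_id: str, data_type: str, value: str, source: str,
            tags=(), ioc: bool = False) -> Observable:
        key = (data_type, normalise(value))
        obs = self._items.get(key)
        if obs is None:                          # first time we see this indicator
            obs = self._items[key] = Observable(data_type, key[1])
        obs.sightings += 1                       # every report counts as a sighting
        obs.sources.add(source)
        obs.cases.add(case_id)
        obs.tags.update(tags)
        obs.ioc = obs.ioc or ioc                 # an IOC flag is never silently cleared
        return obs

    def get(self, data_type: str, value: str) -> Observable | None:
        return self._items.get((data_type, normalise(value)))

    def ingest_alert(self, case_id: str, alert: dict) -> list[Observable]:
        """Attach every artifact of an alert to a case (hypothetical alert layout)."""
        return [self.add(case_id, a["dataType"], a["data"], alert["source"],
                         a.get("tags", ()), a.get("ioc", False))
                for a in alert["artifacts"]]

    def previously_seen(self, case_id: str) -> list[Observable]:
        """Observables attached to case_id that also appear in another case."""
        return [o for o in self._items.values()
                if case_id in o.cases and len(o.cases) > 1]

    def export_iocs(self) -> list[dict]:
        """Flat view of flagged IOCs, ready to hand to a sharing platform."""
        return [{"type": o.data_type, "value": o.data, "sightings": o.sightings,
                 "tags": sorted(o.tags)}
                for o in self._items.values() if o.ioc]


# Constructed sample alerts: reserved example domain, TEST-NET address, dummy hash.
SAMPLE_ALERTS = [
    {"source": "email-report", "artifacts": [
        {"dataType": "domain", "data": "Bad-Update[.]example", "tags": ["phishing"]},
        {"dataType": "ip", "data": "203.0.113.45"},
    ]},
    {"source": "siem", "artifacts": [
        {"dataType": "domain", "data": "bad-update.example", "ioc": True},
        {"dataType": "hash", "data": "A" * 64},
    ]},
]


def run_demo() -> ObservableStore:
    store = ObservableStore()
    # An earlier case already holds the IP, flagged as a C2 indicator.
    store.add("CASE-1", "ip", "203.0.113.45", "analyst", tags=["c2"], ioc=True)
    for alert in SAMPLE_ALERTS:
        store.ingest_alert("CASE-2", alert)
    return store


if __name__ == "__main__":
    s = run_demo()
    for o in s.previously_seen("CASE-2"):
        print(f"already seen in {sorted(o.cases)}: {o.data_type} {o.data}")
    print(s.export_iocs())
```

Running it shows the defanged and refanged domain collapsing into one observable with two sightings from two sources, the IP being reported as already seen in CASE-1, and both flagged IOCs appearing in the export view.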
Documentation / Installation
See the Build, Operate, Maintain page for detailed instructions.