https://alirezagharib.net
Tools don't fix bad processes.
• Document your playbooks.
• Define your "normal."
• Automate the enrichment, not just the detection.
What open source tool is carrying your team lately? Sound off. 🗣️
Alerts need a place to live. TheHive is your case management. Cortex is your analysis engine.
The Magic: You click one button in TheHive, and Cortex runs the IP against 20 different threat engines. Saves 15 minutes per ticket.
"collect, store, distribute."
Don't manually hunt for IoCs. Connect your MISP instance to public feeds (like CIRCL).
Pro Tip: specific tags in MISP can trigger automated blocks on your firewall if you script it right. That is "pre-crime" for cyber.
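Here is what "script it right" can look like, as an added example that is not from this post or from the MISP project: a small Python script that turns a MISP attribute search result into nftables set entries, but only for IP attributes that carry an agreed block tag, are flagged to_ids, and do not overlap your own or reserved ranges. The payload shape is assumed to mirror MISP's attributes/restSearch JSON; the sample payload, the action:block tag and the misp_block set name are constructed for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of a MISP attributes/restSearch response (assumed shape).
SAMPLE_MISP_RESPONSE = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
     "Tag": [{"name": "action:block"}]},
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False,  # not for detection: skip
     "Tag": [{"name": "action:block"}]},
    {"type": "ip-src", "value": "10.0.0.5", "to_ids": True,       # internal range: never block
     "Tag": [{"name": "action:block"}]},
    {"type": "domain", "value": "example.net", "to_ids": True,    # not an IP: skip
     "Tag": [{"name": "action:block"}]},
    {"type": "ip-dst", "value": "192.0.2.0/24", "to_ids": True,   # no block tag: skip
     "Tag": [{"name": "tlp:amber"}]},
    {"type": "ip-dst", "value": "192.0.2.0/24", "to_ids": True,
     "Tag": [{"name": "tlp:amber"}, {"name": "action:block"}]},
]}})

BLOCK_TAG = "action:block"          # hypothetical tag your analysts agree means "block"
IP_TYPES = {"ip-dst", "ip-src"}
# Ranges a feed must never be allowed to push into the firewall: add your own prefixes here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def blockable_networks(misp_json, block_tag=BLOCK_TAG):
    """Return the set of IP networks that carry block_tag, are to_ids, and are safe to block."""
    nets = set()
    for attr in json.loads(misp_json)["response"]["Attribute"]:
        if attr.get("type") not in IP_TYPES or not attr.get("to_ids"):
            continue
        if block_tag not in {t["name"] for t in attr.get("Tag", [])}:
            continue
        try:
            net = ipaddress.ip_network(attr["value"], strict=False)
        except ValueError:
            continue  # malformed value: skip it rather than emit a broken rule
        if any(net.overlaps(protected) for protected in NEVER_BLOCK):
            continue  # a bad or poisoned feed entry must not cut off your own network
        nets.add(net)
    return nets


def nft_rules(nets):
    """Render nft commands for a pre-created set (assumed: inet filter misp_block, flags interval)."""
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address)))
    return [f"add element inet filter misp_block {{ {n.with_prefixlen} }}" for n in ordered]
```

The polling job that fetches the JSON from MISP and feeds the rendered lines to `nft -f -` is left to your scheduler; keep the set creation and a periodic flush outside this script so stale indicators expire.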
Stop sleeping on this. It gives you visibility into file changes (FIM), configuration assessment, and active response.
Key Feature: The integration with the ELK stack (or OpenSearch) means your visualization is built-in. No more grepping text files.