Tooling

Incident Response — TheHive, Cortex, DFIR-IRIS

Case management, playbooks, observable enrichment, IR workflow.

Incident response platforms turn alerts into cases, attach evidence, run analyzer playbooks against IOCs, and track response steps. The 2024–26 OSS reference is TheHive + Cortex; DFIR-IRIS is the rising community alternative. For SIEM-side detection see SIEM (Wazuh / Graylog). For DFIR collection see DFIR (Velociraptor). For threat intel feeding cases see Threat Intelligence (MISP). For detection content see Detection (Sigma / YARA / ATT&CK).

OSS IR / case management

  • ★ ★ TheHive (StrangeBee) — case management for security incidents; tasks, observables, TLP, MISP-sync, Cortex analyzers. TheHive 4 / 5 Open Source, TheHive Cloud / Enterprise paid. The reference OSS IR platform.
  • Cortex (StrangeBee) — analyzer engine; runs 100+ "analyzers" against observables (VirusTotal, GreyNoise, MISP, Shodan, abuse.ch, …) and "responders" to act. Free OSS.
  • DFIR-IRIS — open-source IR workflow & collaboration; growing community 2024–26; cleaner UI than older TheHive versions; modular reporter; Python jinja templates.
  • FIR (Fast Incident Response) by CERT Société Générale — case management; older; smaller.
  • RTIR (Best Practical) — request-tracker-derived IR system; legacy.
  • Catalyst — open-source; growing.

SOAR (paid)

  • Splunk SOAR (Phantom) — paid; market-leading SOAR.
  • Palo Alto Cortex XSOAR (Demisto) — paid; rich playbooks.
  • Tines — paid; low-code automation; free starter tier.
  • Torq — paid; growing.
  • Siemplify (Google Chronicle SOAR) — paid; Google-acquired.
  • Swimlane — paid.
  • Shuffle — open-source SOAR; pairs with TheHive. Free OSS + paid hosted.

Communication / runbooks

  • PagerDuty / Opsgenie / Splunk On-Call — paging on alerts.
  • Slack / Teams / Discord — bridges; many TheHive plugins.
  • war-room channels — automated channel creation per incident; DFIR-IRIS / TheHive / Tines / Shuffle integrations.
  • Runbook libraries:
    • NIST SP 800-61 r3 — official IR lifecycle.
    • SANS PICERL / DFIR cycle.
    • MITRE D3FEND — defensive countermeasures vocabulary.
    • The Threat Hunter Project — community runbooks.
    • BHIS / TaylorPolansky open runbooks.

Ticketing / project layer

  • Jira / Linear / GitLab Issues — generic; many shops use these instead of dedicated IR tools.
  • Hive2Jira / Cortex2Slack — common bridges.
  • Faraday / WriteHat / Ghostwriter — pentest-leaning; see Pentest Reporting.

Evidence / chain of custody

  • timesketch — collaborative timeline; see DFIR (Velociraptor).
  • Velociraptor server — store collected artifacts.
  • MinIO / S3 + lifecycle rules — long-term IR evidence vault; see Backup & DR.
  • Cryptographically hashed evidence sets — record sha256 of every artifact at acquisition.

Patterns

  • Wire SIEM → TheHive automatic case creation — alert with severity above threshold spawns a case with the alert as the first observable.
  • Run Cortex analyzers on every observable automatically — VT, GreyNoise, AbuseIPDB, MISP — saves analyst time.
  • Sync confirmed IOCs to MISP — close the loop into Threat Intelligence.
  • Time-box every task — IR moves fast; backlog → noise.
  • Post-incident write-up template — what / when / what worked / what didn't / fixes; in Git.

Pick this if…

  • Default OSS IR platform: TheHive + Cortex.
  • Modern UI / community-driven: DFIR-IRIS.
  • OSS SOAR pairing with TheHive: Shuffle.
  • Paid SOAR / mature playbook library: XSOAR or Splunk SOAR.
  • Quick low-code automation: Tines.
  • Bundle SIEM + IDS + IR in one box: Security Onion (see SIEM).

On this page