Security Ticketing
In this lab exercise the main activity was going through the process of profiling and searching a
log file.
For a ticketing system using the open-source application “TheHive”:
Steps followed
1. Launching of TheHive
2. On the dock we launch the web browser
3. On the browser navigation bar, we click the "theHive" bookmark to access theHive's web
interface.
• Part 1: Explore a Ticket
◇ We will explore a security ticket to understand its primary components. We begin on the
Cases page within theHive.
◇ In most ticketing systems, a page like this will be your default view. This page is typically
referred to as the Ticket Queue.
1- On the Cases page, click the case titled Excessive Authentication Failures for Single User
to open the Case Details view for this case.
- Note: You can return to the Cases page at any time by clicking the Cases icon on the
left-hand navigation menu.
2- On the Case Details page, review the General tab for this ticket.
- You should see all of the key metadata introduced in the previous lesson. You will need
some of the details to answer some of the questions on the Tasks tab.
• Part 2: Create a Ticket
◇ One of the most common tasks in any operational security environment is the creation of a
security ticket. Tickets may be created for a variety of reasons discussed in the previous lesson.
In the next steps, you will create a new ticket from scratch in TheHive.
1) On theHive's navigation bar, click the Create Case button to open the Create Case dialog
box.
2) In the Create Case drawer, click the Empty case button to start with a blank case.
▪ The Create case dialogue will change to show new options.
3) Enter a name for the ticket in the Title field.
4) Click the Low button to set the severity to Low.
5) Enter descriptive text of your choosing in the Description field.
6) Click the Confirm button to create the ticket.
7) From the left-hand navigation menu, click the Cases button to return to the Cases page.
▪ You should now see your ticket in the list of cases.
▪ NOTE:
- On the far-right side of your ticket's entry in the Case Queue, you should see three
letters with corresponding date/time stamps.
→ S refers to Started, which indicates when the ticket was started by an analyst.
→ C refers to Created, which indicates when the ticket was originally created (but not
necessarily started).
→ U refers to Updated, which indicates when the ticket was last modified.
• Part 3: Annotate and Re-Assign a Ticket
◇ In the next steps, we will modify the ticket you created in Part 2.
◇ As part of this modification, we will add a note and re-assign the ticket to a different
analyst.
◇ Changing ticket assignment is a common task in any SOC, as tickets often need to be
transferred to a specialist, handed off to a new shift, or escalated to a higher tier of analyst. In
the steps below, we will re-assign the ticket to Marcus-Analyst.
1. In the Case Queue, click the name of your ticket to open the Case.
◇ On the right side of the Case Details page, you should see a sidebar labelled Comments. This
is where we will add our annotations.
2. Type Assigning this ticket to Marcus the Analyst in the Comments field, then click the
Comment button to add your comment.
◇ When you are done, you will notice the comment appearing above the entry field on the same
page. Next, we will re-assign the ticket to another user.
3. On the left side of the Case Details page, click the Assignee field and select Marcus-Analyst from
the menu, then click Save.
4. Click the Cases button to return to the Case Queue.
• Part 4: Filter Your Ticket View
◇ In the next steps, we will filter the list of tickets. Sorting and filtering can help you identify tickets
that fit specific criteria.
◇ For example, imagine one of your fellow SOC analysts just had to go home sick, and you need to
find and re-assign their tickets.
◇ Let's use the filter view to identify all tickets that belong to Marcus-Analyst.
1. In the top-right corner, click the Filters button to activate the Filters feature.
▪ It should turn blue, and a new field will appear below. You can use this field to add different
filters to the ticket queue.
2. Click the Filters field, then select the Assignee filter option from the menu.
▪ New additional fields will appear to the right.
3. Click the right-most field to display a list of Assignees, then select Marcus-Analyst.
▪ You will need to click outside of the Assignees filter field to commit your selection.
4. Click the Apply filters link.
▪ The applied filter should now be shown above the cases list, and the cases list should have
changed. Review the list. You should only see cases assigned to Marcus-Analyst.
• Part 5: Close a Ticket
◇ To conclude this exercise, we will close a ticket.
1. Click the Clear filters link to remove the filter you applied in the previous steps.
2. From the Cases Queue, open the ticket titled Excessive Authentication Failures for
Single User.
3. In the upper-right corner, click the Close button.
4. When prompted, click the Status field and select Other from the menu.
5. Add descriptive text of your choosing in the Summary field below.
6. Click the Confirm button to confirm that you are closing the ticket.
7. Return to the Cases Queue.
◇ You should see that the case you just closed has been marked with the new status and has
a date and time stamp for when you closed it.
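The whole lifecycle the five parts walk through (create, comment, re-assign, filter by assignee, close with a status and summary), as an added worked model that is not TheHive's own code: a small in-memory case queue that reproduces the S (Started), C (Created) and U (Updated) stamps described in Part 2. The injected clock, the set of closing statuses (only Other comes from the lab) and every case value are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import count

CLOSE_STATUSES = {"TruePositive", "FalsePositive", "Indeterminate", "Other"}  # assumed Close options
@dataclass
class Case:
    title: str
    description: str
    severity: str = "Low"
    assignee: str = None
    status: str = "New"
    summary: str = ""
    comments: list = field(default_factory=list)
    created: datetime = None  # C: when the ticket was created
    started: datetime = None  # S: first time an analyst acted on it
    updated: datetime = None  # U: last modification
    closed: datetime = None   # stamped when the case is closed

class CaseQueue:
    def __init__(self, clock):
        self.clock, self.cases = clock, []  # clock is injected so stamps are deterministic
    def create_case(self, title, description, severity="Low"):
        now = self.clock()
        case = Case(title, description, severity, created=now, updated=now)
        self.cases.append(case)
        return case
    def _touch(self, case):  # any analyst action sets S on first touch and refreshes U
        now = self.clock()
        case.started = case.started or now
        case.updated = now
    def add_comment(self, case, text):
        case.comments.append(text)
        self._touch(case)
    def reassign(self, case, analyst):
        case.assignee = analyst
        self._touch(case)
    def filter_by_assignee(self, analyst):
        return [c for c in self.cases if c.assignee == analyst]
    def close_case(self, case, status, summary):
        if status not in CLOSE_STATUSES:
            raise ValueError(f"not a closing status: {status}")
        case.status, case.summary = status, summary
        self._touch(case)
        case.closed = case.updated

def make_clock(start=datetime(2024, 1, 1, 9, 0), step=timedelta(minutes=5)):
    # Constructed clock: each call advances five minutes so C, S and U differ.
    ticks = count(1)
    return lambda: start + step * next(ticks)
```

A freshly created case carries C and U but no S; the first comment or re-assignment sets S once, while U moves on every later action, which is why the three stamps in the Case Queue can differ.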
Summary
This ends our brief tour of a security ticketing system using TheHive as an example. In the
Challenge Exercise, you will continue practicing with TheHive to answer some basic questions
about this same set of security tickets.