An open-source SOC automation lab integrating MISP, Cortex, TheHive and Maltego into a single threat intelligence workflow, demonstrating that enterprise-grade security automation is achievable without enterprise-grade costs.
Does automating SOC enrichment and triage workflows meaningfully reduce analyst investigation time, and if so, by how much?
Yes, by an average of 78% across four incident scenario types, consistent across two weeks of structured testing.
The motivation came from direct experience using MISP and TheHive during an Erasmus exchange in Finland, where these tools were deployed in a real SOC environment. They worked well individually but were almost always used in isolation. This project connects all four tools into a single automated workflow, something that is rarely done in open-source environments.
Enterprise-grade threat intelligence platforms like IBM QRadar and Splunk Phantom offer integrated automation pipelines, but at a cost that puts them out of reach for small organisations, regional CERTs and academic institutions. This project demonstrates that the same core capabilities are achievable using entirely free, open-source tools.
Threat indicators are created or imported into MISP as attributes within an event. Events are published and automatically picked up by TheHive as alerts.
Cases are created from MISP alerts. Observables such as IP addresses, domains and file hashes are added and tracked through the investigation workflow.
Cortex analysers query VirusTotal, AbuseIPDB and IPInfo automatically. Results return to TheHive as structured reports within seconds.
Enriched intelligence is fed back into MISP, completing the closed-loop cycle. New context from one investigation strengthens detection of future similar events.
Simulated phishing email targeting a finance department user. IOCs: spoofed sender IP, typosquatted domain, credential harvesting URL, EICAR test hash.
Simulated AgentTesla infostealer infection on an endpoint. IOCs: C2 server IPs, malware dropper domain, malware file hash, persistence registry key.
Simulated data exfiltration alert from a SIEM. IOCs: internal source IP, suspicious destination IPs, exfiltration URL via paste site.
Simulated password spray attack on a privileged account. IOCs: attacker IPs, compromised account, off-hours login timestamp, scripted user-agent.
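The first three pipeline stages above (MISP attributes become TheHive observables, which are then fanned out to Cortex analysers) can be expressed as a pure data-mapping step. This is an added example, not code from the lab: it assumes MISP's JSON export shape (`{"Event": {"Attribute": [...]}}`) and the TheHive `dataType` names listed in the mapping, and it uses a constructed Scenario A phishing event whose values are documentation IP ranges, reserved TLDs and a placeholder hash rather than real indicators.

```python
"""Map MISP event attributes to TheHive observables and plan Cortex analyser jobs.

Added example (not the lab's own code). Assumes MISP's JSON export shape and the
TheHive dataType names in MISP_TO_THEHIVE; the sample event below is constructed.
"""
from collections import Counter

# MISP attribute type -> TheHive observable dataType (subset used in this lab)
MISP_TO_THEHIVE = {
    "ip-src": "ip", "ip-dst": "ip", "domain": "domain", "url": "url",
    "md5": "hash", "sha1": "hash", "sha256": "hash", "regkey": "registry",
}
# Cortex analysers each dataType is routed to (the lab's three analysers)
ANALYSERS = {
    "ip": ("VirusTotal", "AbuseIPDB", "IPInfo"),
    "domain": ("VirusTotal",), "url": ("VirusTotal",), "hash": ("VirusTotal",),
}

def misp_event_to_observables(event):
    """Return unique TheHive observables for the event's IDS-flagged attributes."""
    seen, observables = set(), []
    for attr in event["Event"]["Attribute"]:
        data_type = MISP_TO_THEHIVE.get(attr["type"])
        if data_type is None or not attr.get("to_ids", False):
            continue  # unmapped or context-only attribute: stays in MISP, not triaged
        key = (data_type, attr["value"])
        if key in seen:
            continue  # same indicator listed twice (e.g. as ip-src and ip-dst)
        seen.add(key)
        observables.append({"dataType": data_type, "data": attr["value"],
                            "tags": [f"misp:{attr['type']}"]})
    return observables

def plan_cortex_jobs(observables):
    """One (analyser, dataType, data) job per applicable analyser; registry keys get none."""
    return [(analyser, o["dataType"], o["data"])
            for o in observables for analyser in ANALYSERS.get(o["dataType"], ())]

# Constructed Scenario A event: TEST-NET-3 address, reserved .example TLD, placeholder hash
PHISHING_EVENT = {"Event": {"info": "Scenario A - phishing (constructed)", "Attribute": [
    {"type": "ip-src", "value": "203.0.113.45", "to_ids": True},
    {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},        # duplicate of above
    {"type": "domain", "value": "paypa1-login.example", "to_ids": True},
    {"type": "url", "value": "http://paypa1-login.example/verify", "to_ids": True},
    {"type": "sha256", "value": "a1" * 32, "to_ids": True},              # placeholder hash
    {"type": "comment", "value": "targets finance dept", "to_ids": False},
]}}

if __name__ == "__main__":
    obs = misp_event_to_observables(PHISHING_EVENT)
    jobs = plan_cortex_jobs(obs)
    print(f"{len(obs)} observables -> {len(jobs)} Cortex jobs")
    print(Counter(analyser for analyser, _, _ in jobs))
```

Counting the planned jobs per analyser before submitting them is how the rate-limit behaviour measured below (Cortex queueing rather than failing) becomes predictable for a given case.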
Several pipeline improvements were discovered and documented during testing:
- Cassandra RAM capped from 1,280MB → 512MB: freed 768MB and eliminated most crashes
- Elasticsearch heap reduced 512MB → 256MB: freed an additional 256MB
- Microsoft Edge → Google Chrome incognito: resolved a persistent blank-screen bug
- Fixed restart order (Elasticsearch → Cassandra → TheHive): reliable recovery in under 3 minutes
- Four browser tabs instead of four windows: allowed 4 concurrent cases without a crash

| Scenario | Auto W1 | Auto W2 | Manual W1 | Manual W2 | % Reduction |
|---|---|---|---|---|---|
| A: Phishing | 0:35 | 0:36 | 3:05 | 3:01 | 81% |
| B: Malware | 0:45 | 0:40 | 2:52 | 2:50 | 74% |
| C: Network Activity | 0:42 | 0:39 | 3:10 | 3:07 | 78% |
| D: Account Compromise | 0:35 | 0:32 | 2:56 | 3:02 | 80% |
| Average | 0:39 | 0:37 | 3:01 | 3:00 | ~78% |

| Test | Time | Errors | Crashed | RAM Impact |
|---|---|---|---|---|
| Single case (baseline) | 0:39 | 0 | No | Baseline |
| Two concurrent cases | 1:33 | 0 | No | Negligible |
| Four cases (4 windows) | N/A | – | Yes | – |
| Four cases (4 tabs) | 2:26 | 0 | No | +200MB |

| Failure Scenario | Impact | Recovery | Data Lost |
|---|---|---|---|
| API rate limit (12 jobs) | None; Cortex queued the jobs automatically | N/A | None |
| Cortex restarted mid-job | Job terminated, TheHive unaffected | 0:40 | None |
| MISP disconnected | No impact on TheHive or Cortex | 2:14 | None |