Marvin, (Malicious Activity Refining, Validating, and Integrating), is a framework that efficiently automates the handling and coordination of incidents caused by well-known threats. This framework is especially designed to save human resources for incident handling where automated treatment is feasible where technical guidance for specific threats can be provided. Incident handling automation by Marvin integrates data collection, contact management, incident categorization, technical guidance, and reporting. The framework leverages the relationship between a CSIRT or SOC and its customers and end-users. The constituent groups are granted access to a web-based portal where they can maintain their contact and network data. Marvin itself uses supplied data pertaining to security events in order to put together an actionable incident report that enables the affected site to resolve the incident. Furthermore, a web-based front end allows to configure Marvin workflows and displays event information to the internal Incident Response Team (IRT) of DFN-CERT.

More details on: [Slides]