Soon after we released Cortex-Analyzers 2.4.0, Jérôme noticed that something was definitely wrong. And that something was plural.
As he set to retest a few things here and there, he realised that many docker images, for the latest and greatest analyzers and responders, were not automatically built. The code factory wasn’t working 😰
So he started digging. And the more he dug, the more bugs he discovered. Our user community also reported a few issues. He thought it was about time he opens that bottle of Aloxe-Corton, put a Makaya McCraven album to play on his turntable, and rolls his sleeves to address all these problems headfirst 🍷
After a few hours of intense work, he managed to fix the docker build process and release Cortex-Analyzers 2.4.1, a hotfix that corrects the following issues:
[#545] Message extraction using FileInfo doesn’t always work
[#610] The VirusTotal analyzer contains a typo which prevents it from running
[#614] Many analyzers fail to run due to incorrect permissions
[#619] Abuse Finder not working with docker after force usage of python3
[#620] Missing library prevented the build of the docker image corresponding to the new MalwareClustering analyzer
Finally, he took the opportunity to rename Palo Alto AUTOFOCUS analyzers to Autofocus, for consistency purposes.
Please refer to our previous blog post, pertaining to Cortex-Analyzers 2.4.0, for update instructions.
Thank you in advance for your understanding and happy cyberfighting! 💪🏼
Guess what? TheHive Project is still alive and well, as Saâd already mentioned in a previous blog post.
We’ve been certainly very busy lately, preparing the upcoming release of TheHive 4 and doing many other things beside working on our FOSS project. As a result, it took us a rather long time to merge several community contributions and reduce the sizeable pile of pull requests.
We would like to thank our contributors for their patience and we hope the cyberdefenders out there will enjoy the brand new Cortex-Analyzers 2.4.0 release, with many new analyzers, responders and some bug fixes & improvements, bringing the total to a whooping 138 analyzers (counting all flavors) and 10 responders!
Additionally, with this release, all analyzers are now using Python 3. No more Python 2 technodebt!
The EmailRep analyzer checks the reputation of an email address against the emailrep.io database.
This analyzer accesses IP-centric features provided by ipinfo.io. While the EmailRep API can be used without a token for limited usage, the ipinfo.io analyzer requires the configuration of an API token before use.
This analyzer lets you query the free Maltiverse Threat Intelligence platform for enrichment information about a particular hash, domain, ip or url.
TheHive displays the analyzer results as follows:
Andrea Garavaglia contributed this one a long time ago and we finally merged it into the Cortex-Analyzers repository. Andrea gave a talk about the background of this analyzer at the fourth MISP summit. You can watch it here.
In order to use the analyzer, you need to point it to a Neo4j server (you need to supply the host, port, login & password).
This analyzer lets you leverage PaloAlto Autofocus services. Provided you are an Autofocus customer and you have access to their API, you need to configure the analyzer with your username and a token key.
The analyzer comes with 3 flavors:
AUTOFOCUS_GetSampleAnalysis lets you request a full report for a given hash.
AUTOFOCUS_SearchIOC lets you research for samples linked to specific IoCs with datatypes like domain, fqdn, user-agent, imphash, ip, mutex, tag and url. Please note that mutex and tag are not default datatypes in TheHive. You need to create them in TheHive before you can leverage them.
AUTOFOCUS_SearchJSON lets you research for samples based on a complex JSON query.
Important: TheHive has no templates corresponding to this analyzer have been published yet. They will be provided in the near future.
This analyzer queries Team Cymru’s Malware Hash Registry for known malware hashes (MD5 or SHA-1). If it is malware and known by the service, it returns the last time it has been seen along with an approximate anti-virus detection percentage.
Overview of the New Responders
This responder allows the integration between TheHive/Cortex and KnowBe4’s User Events API. If a mail observable is tagged with a specified tag, corresponding to the responder’s configuration (e.g. phished), then the associated user will have a custom event added to their profile in KnowBe4.
A valid account on KnowBe4 and an API key are required to run this responder.
This responder sends observables you select to a Palo Alto Minemeld instance.
This responder performs actions on Wazuh, the open source security monitoring platform. It currently supports ad-hoc firewall blocking of ip observables.
New PassiveTotal flavors
Thanks to Brandon Dixon, the PassiveTotal analyzer gains 3 new flavors, bringing the total to 11:
PassiveTotal_Trackerslet you make tracker lookups on observables of type domain, fqdn and ip.
PassiveTotal_Host_Pairs let you make host pair lookups on observables of type domain, fqdn and ip.
PassiveTotal_Componentslets you make components lookup on observables of type domain, fqdn and ip.
They come with their own report templates.
The analyzer has been updated to support GreyNoise API v2, thanks to the contribution of Whitney Champion (#562).
New Data Types Supported by Some Analyzers
VirusTotal_GetReporthas been updated to allow requests for observables of type fqdn.
Threatcrowd has been updated to allow requests for observables of type domain.
Shodan has been updated to allow requests for observables of type fqdn.
[#602] The MISP analyzer was bumped to version 2.1 and is ready to use PyMISP 2.4.120.
Get It While Supply Lasts!
If you are using the dockerized analyzers & responders, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button.
If you are still using the old-style way of installing analyzers and responders, run the following commands:
cd path/to/Cortex-Analyzers git pull for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
We have been speaking about it for almost two years. We have been making it for more than twelve months. And the day (or rather the month in this case) has almost come for TheHive 4, our latest and greatest version, to be unleashed.
While the first release candidate should be published by the end of this month, we would like to cover some of the most important changes we introduced in a platform which we rewrote almost from the ground up (40,000 lines of Scala code and counting), while keeping the familiar look&feel our longtime users came to expect.In a previous blog post, we covered TheHiveFS, a nifty feature of TheHive4 that allows you to quickly access all files stored in TheHive directly from your investigation machine. It’s time now to get a look under the hood of THeHive 4.
My Time is Precious. TL;DR Please
A picture is worth a thousand words, right? Here you go then!
I am Puzzled, can you Elaborate a Bit?
So, you are not in a hurry anymore? Fine. Here, grab a seat, a glass of Gevrey-Chambertin and tasty Burgundy snails. All set? Let’s start then!
TheHive 4 will be the first version to use a graph database instead of Elasticsearch. Yes, you read that correctly. TheHive 4 won’t support Elasticsearch anymore but fear not fearless cyberdefender. Your friendly bees will not leave you hanging. If you are already using TheHive 3.4.x, we will provide a migration tool that will move your existing data to the new storage system (with no losses or bit flips hopefully).
We haven’t decided to ditch Elasticsearch on a whim or because Thomas (Franco, not Chopitea nor the General) dropped his leftist hipster attitude for a tight, tailor-made dictator uniform straight out of Spain. For all its greatness, ES has some annoying limitations which prevented us from adding, in an elegant, haiku-like way important features such as multi-tenancy, RBAC and large file management, while laying the ground for the future (stop being curious, the future has not been invented yet and when we do invent it, we’ll let you know).
Thanks to this brand new architecture, TheHive 4 is horizontally scalable. You can add as many TheHive, Cassandra and HDFS nodes to your Security Incident Response Platform cluster and sustain whatever load you might be facing without a sweat. Who said FOSS can’t be ‘enterprise grade’ (whatever that means in marketing lingo)?
A Tour d’Horizon of the Main Features
TheHive 4, boosted by all the passion and skills of Zen Master Franco and MC Adouani, will support, in addition to TheHiveFS:
We will cover some of these features in greater detail in future instalments. In the meantime, let’s take a ride in a helicopter and view the wonderful landscape laying before us from above. After you Messieurs-Dames, we are French gentlemen and gallantry is of the essence (except when we use the public transportation in Paris, then savages we become).
As in Cortex, you will be able to create multiple organisations within a single instance of TheHive 4. In addition, an organisation can decide to share a case or parts of it (say a task, some observables, etc.) with other organisations. That way, a peer organisation or a constituent can contribute to the investigation at hand, provide essential information, etc.
TheHive 4 supports a large set of user permissions. Some pertain to administrators, others to users and there are also permissions that apply to connectors. For example, users can manage tasks but not observables. They can have the power to share a case or part of it with sister organisations and execute Cortex analyzers but not responders.
You will be able to create roles for users, and, at the organisational level, what we call shares. RBAC deserves its own blog post and we’ll get to it pretty soon.
Do you really want us to describe this one? Before you answer yes, we’d like to remind you that you are in a helicopter. Just sayin’.
Tired of using vi, Emacs or your favourite CLI editor for making configuration changes to TheHive’s application.conf? Tired of restarting the service to take into account those modifications? Then you will certainly go dance kizomba with Nabil all night long when we tell you that you don’t need to use vi & service (or whatever the kids are using these days) anymore!
Thanks to the new architecture, all the configuration will be stored in the underlying database and you will be able to edit it using the WebUI. TheHive will automatically take the changes into account and you won’t need to restart it.
We can feel your love here. Merci !
TheHive 4 adds API versioning and it will maintain backward compatibility with TheHive 3.4.x without preventing us from adding new features. TheHive4py will not be updated right away for TheHive 4 but thanks to the backward API compatibility, all existing feeders and programs that use the current version of TheHive4py will still work out of the box.
That’s all folks! Stay tuned for further news and, in the meantime, don’t be blue cuz’ the bees gonna take care of you.
TheHive Project’s Code Chefs, sweating under their toques, are working hard to deliver TheHive 4 as soon as feasible. The current target release date for the 1st release candidate (4.0-RC1) is Friday Feb 28, 2020.
While TheHive 4 will be the first release to support graph databases, multi-tenancy and Role-Based Access Control (RBAC), it will also have a nifty feature that can simplify the incident response and digital forensics workflows of our fellow cyberdefenders: TheHiveFS.
What is TheHiveFS?
Starting from TheHive 4, TheHive can be ‘mounted’ as a remote, WebDAV filesystem. The filesystem can be securely mounted if SSL/TLS is enabled.
Thanks to TheHiveFS, you can quickly access all files stored in TheHive directly from your investigation machine. This can speed up the time needed to triage and analyse evidence.
What Types of Files Can I Access through TheHiveFS?
You can access, in read-only mode, all files attached to task logs and all observables which datatype is file, as long as you are allowed to do so. Indeed, TheHive 4 comes with RBAC so if, for example, you are not allowed to view a case or some file observables in a case, you won’t be able to access them using TheHiveFS, the same way as if you are using the WebUI.
How Can I Mount TheHiveFS?
Assuming you have a WebDAV client, such as davfs2, use the following command line:
$ sudo mount -t davfs -o noexec https://myhiveinstance:9001/fs /mnt/dav/
You can also point your graphical file manager to:
You will need to authenticate using your username and password as if you were connecting to TheHive’s WebUI.
Mom, I’ve Just Stepped on a Landmine
Beware folks. When you download a file observable using TheHive’s WebUI, it will conveniently create a password-protected ZIP archive before handing you the file. This way, we avoid accidental double clicks that may lead to the infection and compromise of your workstation, which might reflect bad on you or force you to offer breakfast the next morning to all your fellow teammates.
There is no such protection if you use TheHiveFS. Let us repeat this so it sinks: there is no such protection if you use TheHiveFS.
If you mount TheHive’s filesystem and open by accident or by a great deal of will, as a true, hardcore fan of Russian roulette, a file observable that is in fact malware courtesy of your favourite bear, kitten, panda or eagle, you can’t blame your friendly bees. But we will empathise (and our empathy level is directly correlated to the amount of pains au chocolat you send our way).
You’ve been warned.
That Sounds Awesome! When Can I Try It?
As written above, you will be able to try TheHiveFS as soon as TheHive 4.0-RC1 is released and that’s currently planned for the end of February 2020.
You can cry, beg, try to bribe us with VC money, make the line at 3:00 AM in front of TheHive Store (there ain’t no such store, we are not Apple), this will not make us work any faster. But you can always cheer us up, hug us or just thank us. This means a lot to us and to the free, open source software flame we carry deep within our souls.
One More Thing…
While we aren’t Apple, we can mimic Steve to share one more information that will make TheHiveFS even more interesting by Q3-Q4 2020. We plan to add support for large file management in TheHive 4.1, the next major version after 4.0 as would Captain Obvious say. Thanks to this feature, you will be able to upload memory and disk images to TheHive and if your Internet line breaks, the upload will resume automatically.
Lo and behold, we aren’t dead & TheHive Project ain’t toast! So, foremost, Happy New Year folks (we are still in January, right?)! We have some nice gifts coming up for you, gifts that have required very heavy-duty work. Of course, you might complain that we haven’t been responsive as of late but hey, there’s only so much we can do, right?
We’ll talk about those gifts in the upcoming weeks. In the meantime, there’s a new Cortex version in town and we urge you to upgrade to it, particularly if you consider deploying several Cortex nodes as a cluster. Indeed, Cortex 3.0.1 fixes a missing dependency that is required to set up such an architecture. Additionally (and this is the part where you should be paying attention), this version fixes the display of error messages pertaining to analyzer and responder operations, and also ensure that old responders and analyzers no longer show up once you clicked on that Refresh button.
Fixes and Enhancements
#244 Prevent the Play secret key from being displayed in the logs at startup. Nonetheless, you can still display it (for troubleshooting purposes or to make things easier for attackers that might have access to the logs and be interested in such a world-changing secret) by using the --show-secret option when starting Cortex
#243 fixes the display of error messages when analyzers & responders fail
One of the big improvements you’ll notice in Cortex 3 is the support for dockerized analyzers. And amongst some of their benefits, the installation process has been significantly simplified. So let’s assume you do not want to bang your head against Python, or other library dependencies. Then read one for a way to set up analyzers and run them quickly.
The following instructions have been tested on Ubuntu 18.04. If you already have a Cortex instance up and running, you can jump directly to the docker installation section below.
Install System Packages
Ensure your system contains the required packages:
Once Cortex is configured, restart the service with the following command, wait a few seconds and you should be able to connect to Cortex on https://<cortex_host>:9001 et voilà!
sudo service restart cortex
Important Note: The catalog analyzers.json contains information regarding versions of analyzers we consider stable and that are updated with bug fixes. This is typically synchronised with our master branch on Github. When you are using this catalog, you are de facto benefiting from the latest analyzer updates without needing to refresh anything in Cortex or setup again the configuration to get the latest version.
We also provide two additional catalogs:
analyzers-stable.json which strictly follows versions of analyzers if you do not want any uncontrolled updates. What does that mean in practice? You will have to click on the Refresh button in Cortex to update your analyzers, disable old ones and enable new versions. Moreover, you will also have to setup again their configuration. Typically, if you installed and setup Cortex with this catalog and the current version of FileInfo analyzers is 6.0, you won’t benefit from the next version, let’s say 6.1, unless you refresh Cortex.
analyzers-devel.jsonwhich contains information about new analyzers or version of analyzers that contains code that has been reviewed but not tested enough (or even not tested at all at times) to be deemed ready for production environments. This is typically synchronized with the develop branch of our Github repository.
Same goes for responders. All available catalogs for Cortex are published on bintray so you can choose the one that better fits your needs (or your risk/gambling profile :p).
For many months, we have been concentrating our efforts on TheHive 4, the next major version of your favourite Security Incident Response Platform, which we’ll finally provide RBAC (or multi-tenancy if you prefer), a feature that Cortex had for quite some time now.
As you well know, both TheHive and Cortex rely on Elasticsearch (ES) for storage. The choice of ES made sense in the beginning of the project but as we added additional features and had new ideas to give you the best experience possible, we faced several ES quirks and shortcomings that proved challenging if not outright blocking for making our roadmap a reality, including RBAC implementation in TheHive, a far more complex endeavour than RBAC in Cortex. Transitioning from ES to graph databases was necessary and since we want our existing users to have a smooth migration path, TheHive 4 (the first release candidate should come out of the oven by the end of the year) will support both ES and graph databases.
But while we were focusing on that, we completely lost sight of the end of life of ES 5.6 so we wrote an apology to you, our dear users, back in May.
Shortly after, we released TheHive 3.4.0-RC1, to add support for ES 6 (with all the breaking changes it has introduced). We also did the same for Cortex with the release of Cortex 3.0.0-RC3. We also took that opportunity to clear out some AngularJS technodebt we had.
We then asked you to take them for a spin and report back any bugs you find given that both versions had to support ES 5.6 and ES 6 to allow for proper migration.
After a few rounds of release candidates, we are pleased to announce the immediate availability of TheHive 3.4.0 and Cortex 3.0.0 as stable releases.