Compatibility issues with Elasticsearch update

Dear TheHive and Cortex users,

If you are running TheHive v3.5.0 and / or Cortex v3.1.0, the underlying database is Elasticsearch v7.x.

Elastic recently released two new versions: v7.11.0 and v7.11.1. After some initial feedback and investigations, we found that the new releases introduce changes that break the compatibility with our products – TheHive 3.5.0 and Cortex 3.1.0.

Therefore, please DO NOT upgrade your current database to Elasticsearch v7.11.x as no rollback is possible. Elasticsearch v7.11.x breaks the installation process as well as the update process.

If you are in the process of installing or updating to Cortex v3.1.0 or TheHive v3.5.0, you need to specify the exact working version of Elasticsearch to use:

  • For Debian packages: “apt install elasticsearch=7.10.2”
  • FOR RPM packages: “yum install elasticsearch-7.10.2-1”

We are currently running deeper investigations and are planning to release updated versions as soon as possible for Cortex v3.1.0 and for TheHive 3.5.0.

We will keep you informed, stay tuned!

TheHive 4.0.4 and TheHive4py 1.8.1: alerts got more APIs

Dear community, the new year has brought us another opportunity to build new features in your favorite Security Incident Response Platform, TheHive. We wish you a cheerful new year ahead and we thank you for being beside us all these years.

Last week, we released TheHive 4.0.4 and TheHive4py 1.8.1, and here is the official announcement including the details of the new features.

These releases focused on adding more capabilities to play with alert observables and give more flexibility when building alert feeders.

Please find the change logs for more details:

What’s new in TheHive

New Alert observable APIs

The major change in TheHive 4.0.4 is related to alert management. In TheHive 3, alert observables were included in the alert as an array of observable objects, and not as independent objects with links to the alert itself. This data model made alert observables CRUD operations, a bit challenging.

TheHive 4 has a better design for this, and alert observables have their own existence, and can be added/updated and deleted independently from the alert object.

This new design allows adding dedicated API endpoints to:

  • Add an observable to an existing alert;
  • Update the data of an existing alert observable;
  • Delete an observable from an alert.

Those APIs are not used by the user interface for now.

New Alert properties

This release introduced a new property called `importDate`. It represents the date at which an alert has been merged into a new/existing case. This property is then used to:

  • Allow filtering the alert list, for example: “List the alerts merged today”
  • Display the duration between the alert creation and its merge into a case.
Alert list showcasing alert importDate

This new property is of course available on the dashboard creation UI as a date field, among others:

  • imported: true if the alert has been merged
  • `handlingDurationInSeconds`: number of seconds before importing an alert
  • `handlingDurationInMinutes`: number of minutes before importing an alert
  • `handlingDurationInHours`: number of hours before importing an alert
  • `handlingDurationInDays`: number of days before importing an alert

To showcase the mentioned new properties, here are some screenshots:

importDate field used on a line chart as date field for x-axis
Simple line chart using the imported filter
Dashboard including two charts using the newly introduced alert fields

What’s new in TheHive4py

The 1.8.1 release of TheHive4py mainly focuses on adding support to the new alert APIs introduced by TheHive 4.0.4. It comes with 3 new functions:

  • `create_alert_artifact` to allow developers adding a new artifact to an existing alert
from thehive4py.api import TheHiveApi
from thehive4py.models import Tlp

THEHIVE_URL = 'http://127.0.0.1:9000'
THEHIVE_API_KEY = '**YOUR_API_KEY**'

api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)

# Instanciate a new domain artifact
artifact = AlertArtifact(dataType='domain', data='malicious-domain.tld', ignoreSimilarity=True, ioc=True)
api.create_alert_artifact(ALERT_ID, artifact)

# Instanciate a new file artifact
artifact = AlertArtifact(
    dataType='file', 
    data='malicious-file.exe', 
    ignoreSimilarity=False, 
    ioc=True, 
    sighted=True, 
    tlp=Tlp.RED.value)
api.create_alert_artifact(alert_id, artifact)
  • `update-alert-artifact` to allow updating the data of an existing alert artifact:
from thehive4py.api import TheHiveApi
from thehive4py.models import Tlp

THEHIVE_URL = 'http://127.0.0.1:9000'
THEHIVE_API_KEY = '**YOUR_API_KEY**'

api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)

# Create a new domain artifact
artifact = AlertArtifact(dataType='domain', data='malicious-domain.tld', ignoreSimilarity=True, ioc=True)
response = api.create_alert_artifact(ALERT_ID, artifact)

# Update its tlp, sighted and ignoreSimilarity flags
artifact_data = response.json()[0]
artifact_data['tlp'] = Tlp.RED.value
artifact_data['sighted'] = True
artifact_data['ignoreSimilarity'] = False

new_artifact = AlertArtifact(json=artifact_data)
api.update_alert_artifact(artifact_data['id'], new_artifact, fields=['tlp', 'ioc', 'ignoreSimilarity'])
  • `delete_alert_artifact` to allow removing an existing artifact from an existing alert
from thehive4py.api import TheHiveApi

THEHIVE_URL = 'http://127.0.0.1:9000'
THEHIVE_API_KEY = '**YOUR_API_KEY**'

api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)

# Delete alert artifact
api.delete_alert_artifact(ARTIFACT_ID)

Note that these new three methods are only available when using TheHive4py with TheHive 4.0.4+

You can find more details on the official documentation of TheHive4py.

Updating/Installing

To update your existing package to version 1.8.1:

$ sudo pip install thehive4py --upgrade

How to report issues

Please open an issue on GitHub with the dedicated template for TheHive 4 or the dedicated form for TheHive4py. We will monitor them closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

Xmas Release: TheHive 4.0.3

This year is coming to an end. It’s a new opportunity to our team to release a new version of your favorite free and open source incident response platform, TheHive. We don’t aim to bother you during your Xmas holidays, but we thought of those who will be in front of their screens during the years’ last days.

Today, we announce the release of 4.0.3 that comes with some interesting enhancements and bug fixes.

What’s new?

The major features added in this release are:

  • improvement of the task management capabilities for collaboration, by adding a new flag called “Action Required”
  • review and improvement of the implementation of MISP synchronisation filters
  • new API capability to allow searching for Alerts per observables
  • new S3 provider and configuration for file storage (observables and task log attachments)

Require an action on a task

This feature is useful for collaboration to allow a master team requiring actions from the teams it collaborates with. Let’s explain it using a concrete example. Imagine a TheHive instance defining two organisations: SOC and CERT, both of them working on a Case led by the CERT team who is the owner of the Case.

For one of the tasks, the incident handler from the CERT team needs an action from the SOC team on a Task called “Gather evidences or IOC”. In the Task’s details page, at the “Sharing” section, for each “Share”, a new button “Require Action” is displayed. It allows any user with `manageTask` permission to enable the flag for the specific organisation for that specific Task.

The incident handler can also require an action from his team members.

Task details, Require Action from its own team
Task details, Require Action from another team

When the user clicks the “Require Action” button, TheHive asks if a Task Log needs to be added to the Task, to explain the required action. The user can proceed without adding a Task Log

Require Action confirmation dialog

If the user clicks on “Yes, add log”, a dialog is displayed asking the user to type a Task Log message and optionally add an attachment:

Add Task Log dialog

Once confirmed, the action is completed and the Task is marked as requiring action from the right team.

Action required from the SOC team on the “Gather evidences or IOC” Task

This feature comes not only with these Task related buttons but also includes some features for Case and Task listing pages, including filtering: its easier to list the cases where at least one task is still requiring an action from a team:

List of cases requiring actions

When navigating to the Task list, the user can easily see which Task needs an action:

Task list, filtered by the action required flag

When a user accesses a Task that is marked as requiring an action, the Task details page displays a warning message, with a “Mark as Done” button, that when clicked, confirms the completion of the required action:

Action Required warning message

When clicked, the “Mark as Done” button goes through the same confirm dialog as described above, allowing to optionally add a Task Log.

Review MISP filters configuration

TheHive 4.0.3 has reviewed and improved the performance of the MISP synchronisation services and added a new config to whitelist events by organisation, not only by tags. Below is a non exhaustive configuration of a MISP server, where the `whitelist.organisation` filter is used:

play.modules.enabled += org.thp.thehive.connector.misp.MispModule
misp {
  interval: 1 hour
  servers: [
    {
      name = "local"            # MISP name
      url = "http://localhost/" # URL or MISP
      auth {
        type = key
        key = "***"             # MISP API key
      }

      ...

      # Organization and tags 
      whitelist {
        organisation = ["good organisation"]
      #  tags = ["tag1", "tag2"]
      }
    }
  ]
}

Search for alerts by observable conditions

In TheHive 3, Alert observables are stored within the Alert data, not as un independent piece of data, and querying them is not possible through the `_search` APIs and the Query DSL.

In 4.0.3 this limitation has been removed, allowing querying an alert with conditions on it’s child observables.

Using TheHive4py, the following code is now possible:

import json
from thehive4py.api import TheHiveApi
from thehive4py.models import *
from thehive4py.query import *

THEHIVE_URL = 'http://127.0.0.1:9000'
THEHIVE_API_KEY = 'API_KEY'

api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)

# Define the query
query = And(
    Eq('source', 'THEHIVE-PROJECT'),
    Eq('severity', Severity.MEDIUM.value),
    Child('alert_artifact', And(
        Eq('dataType', 'hash'),
        Eq('data', 'A_HASH_VALUE')
    )),
    Like('title', '*MALSPAM*')
)

# Search for alerts
response = api.find_alerts(query=query, range='all')

# Print 
print(response.json(), indent=4)

The code snippet above, searches for Alerts of with:

  • source='TheHive-Project'
  • severity=medium
  • title including the word “MALSPAM”
  • having a specific `hash` observable

S3 storage support

File storage is used in TheHive to store attachments. TheHive now supports a new type of storage in addition to hadoop and local file system: Amazon S3.

S3 storage provider can be configured by specifying endpoint, region and credentials. The settings must be located in the provider section, in application.conf:

storage {
  provider: s3
  s3 {
    bucket = "thehive"
    readTimeout = 1 minute
    writeTimeout = 1 minute
    chunkSize = 1 MB
    endpoint = "http://s3.amazonaws.com"
    accessKey = "xxx"
    secretKey = "xxx"
    region = "us-west-1"
  }
}

How to install/update ?

Our installation guides are up-to-date.

Important note

If you are updating an existing instance of TheHive 4.0.0, ensure to read the installation guide. Since our recent release of TheHive 3.5.0, we updated our repositories. The codename of repositories containing all new released packages is now named release, instead of stable. So update your apt or yum repository file.

How to report issues

Please open an issue on GitHub with the dedicated template for TheHive 4. We will monitor them closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

TheHive4py 1.8.0 is hot off the press

TheHive4py 1.8.0 is finally released. During the last 5 months, the team was busy working on TheHive and Cortex but today, it’s time to unveil the biggest milestone of TheHive’s official python API client.

TheHive4py official documentation website

1.8.0 contains 31 Github issues including 17 contributions for which, we would like to thank all the community members who helped shaping the release.

TheHive4py is getting a bit hard to maintain because of the backward compatibility constraints introduced by TheHive 3 and 4 versions. TheHive 4 also introduces new features that are not available in TheHive 3, and this makes it challenging to serve both versions with the same code base.

TheHive 4 has also its dedicated and optimised APIs (read APIs v1), and those are not used by TheHive4py, which is still relying on APIs v0 of TheHive 4.

Anyways.

What’s new?

1.8.0 release introduced a significant number of new methods and changes:

  • attachment download support for files (by id), observables and task log attachments
  • alert merge into case
  • alert delete
  • case task delete
  • case task log search
  • task log search
  • support to alert similarity in fetch
  • case observable search method
  • case observable fetch method
  • case observable delete method
  • support to in memory files when calling APIs evolving attachments
  • MISP export
  • support to PAP in alerts
  • add Tlp, Pap, Severity, CaseStatus, TaskStatus enumerations

in addition to some TheHive 4 related features:

  • Add a version parameter to TheHiveApi class’s constructor
  • Add support to ignoreSimilarity attribute
  • Add support to alert.externalLink attribute

Please read the full release notes for more details.

Below, we will highlight the major features other than the self explanatory newly added methods.

New version parameter

This change is important and required for developers using TheHive4py to play with a TheHive 4 instance. the `version` parameter has been introduced to allow fine tune access to features available on TheHive 4 and not in TheHive 3, like for `alert.extrnalLink` field.

The version is set by default to Version.THEHIVE_3.value, which means version 3.

from thehive4py.models import Version

# Init an API client for TheHive 4
api = TheHiveApi(THEHIVE_URL, API_KEY, version=Version.THEHIVE_4.value)

Add support to ignoreSimilarity field

This capability has been introduced by TheHive 4.0.1 release. It allows setting an `ignoreSimilarity` flag at the case and alert observable level. When set to True it tells TheHive to ignore the observable from any similarity computing.

So, if you need to create an alert with an observable you would like to skip when running the similarity algorithm, then, you need to set ignoreSimilarity to True

Here is an example that creates and alert with an observable to be ignored for similarity:

import uuid
from thehive4py.api import TheHiveApi
from thehive4py.models import Tlp, Pap, Alert, AlertArtifact

sourceRef = str(uuid.uuid4())[0:6]

# Prepare the Alert object
alert = Alert(title='Sample alert - ID {}'.format(sourceRef), 
  tlp=Tlp.AMBER.value, 
  pap=Pap.AMBER.value, 
  tags=['TheHive4Py'],
  description='Sample alert for the blog post',
  source='dev',
  type='script',
  sourceRef=sourceRef,
  externaleLink='https://some-web-site/alert/{}'.format(sourceRef),
  artifacts=[
    AlertArtifact(
      dataType='domain', 
      data='dl.some-web-site.com', 
      tlp=Tlp.WHITE.value, 
      ioc=True,
      sighted=False,
      ignoreSimilarity=True
    )
  ])

# Init an API client instance
api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY, version=4)

# Create the alert
response = api.create_alert(alert)

Note that the same option is available for Case observables during creation and update:

# Set an observable as ignorable

api.update_case_observable(
   observable_id, 
   {"ignoreSimilarity": True}, 
   fields=['ignoreSimilarity']
 )

Support in-memory files

Old versions of TheHiv4py required existing files when dealing with attachments. For example, to create a file case observable, the corresponding file has to be already stored on the file system before calling the `create_case_observable` method.

This release allows using files from memory and not relying on file paths. So you use, for example, an API to download a file and you want to store that file as observable, you can use the new feature of TheHive4py, as below:

from thehive4py.models import Tlp, Pap, Alert, CaseObservable

# Say you have a method to get a screenshot
file = get_screenshot()

# Prepare the observable
observable = CaseObservable(
    dataType='file',
    data=(file, 'screenshot-{}.png'.format(int(time.time())*1000)),
    tlp=Tlp.WHITE.value,
    pap=Pap.GREEN.value,
    tags=['category:screenshot']
)

# Create the observable
response = api.create_case_observable(case_id, observable)

# Close the file object
file.close()

Note: closing the file object is still required. We will handle closing the files during the upcoming releases.

Attachment download features

The new methods introduced by 1.8.0 release and related to attachment download, light some interesting TheHive APIs up.

Did you know TheHive has APIs to download existing file from the datastore? Do you know how does TheHive store files?

Well, when a file is uploaded to TheHive as case observable, alert observable or case log attachments, the file is stored in the DataStore and is given an ID that can be used in two APIs:

  • `/api/datastore/{attachment_id}`: downloads the file content
  • `/api/datastorezip/{attachment_id}`: downloads the file content as zip password protected file, and the password is the one defined in application.conf (defaults to `malware`)

In this release, we introduced methods to make these APIs available on TheHive4py.

Download an attachment by its ID

This method is useful if you know the attachment ID (could be an alert file observable for exemple, in TheHive 4)

# Download an attachment by a known id
response = api.download_attachment(
  attachment_id, 
  filename='screenshot.png',
  archive=False
)

# Save the attachment to disk
f = open('./{}'.format('screenshot.png'), 'wb')
f.write(response.content)
f.close()

Download an attachment of a task log

This method allows downloading the attachment of a given task log object, identified by its ID

response = api.download_task_log_attachment(log_id, archive=False)

f = open('./{}'.format('screenshot.png'), 'wb')
f.write(response.content)
f.close()

If the task log doesn’t have an attachment, this methods throws an exception.

Download a file attachment of a file observable

This methods allows downloading a file observable, and forces protecting it as password protected zip archive

response = api.download_observable_attachment(observable_id)

f = open('./{}'.format('observable.png.zip'), 'wb')
f.write(response.content)
f.close()

If the observable is not a file, this methods throws an exception.

Documentation

As you might know, with the 1.7.0 release we released a documentation website for TheHive4py where all the methods are documented. Donc hesitate to refer to it for more details: https://thehive-project.github.io/TheHive4py

Updating/Installing

To update your existing package to version 1.8.0:

$ sudo pip install thehive4py --upgrade

Got a question?

If you encounter any difficulty, please join our  user forum, contact us on Discord, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!

TheHive Project’s chat has a new home

TheHive Project an Discord

Back in April 2020, we discovered an issue in our GitHub repository opening the discussion about moving our chat and creating a discord server for community discussions. It was obviously a relevant suggestion, but one we couldn’t address at the time since we were head down focusing on developing product updates (TheHive 4, TheHive and Cortex with ES7 support) and building a sustainable structure for your beloved TheHive Project to prosper in the long run.

Today, our public community has strong foundations and keeps growing as we welcome new users and organisations wishing to start their journey with TheHive Project. We can count on an amazing number of trusted and invested users willing to share their knowledge and help newcomers (the current Gitter channel is mostly self-managed). The GitHub issue highlighted several key improvements we could work on to provide a better chat experience to our community:

  • offering different channels, for different products to handle more targeted questions
  • implementing new roles like moderators and trusted-users
  • creating a channel for announcements
  • creating channels for contributions, automation
  • creating channels for languages other than English
  • listening to our member’s requests to improve the community server

We truly wish to enhance the chat experience of all community members, whether they join the conversation to ask a question, share their experience or help others troubleshooting an issue.

Why Discord?

Let us share a story.

TheHive Project’s core team first used Slack as its main private chat and communication tool. Slack is fine but we had some frustrating experience with it (ex: limited search history). We then moved to Keybase which is still our daily internal chat platform. Although we are satisfied with Keybase, we felt the onboarding experience might be a little too intense for some users.

So we decided to have a look at Discord, which was initially designed for gamer, allowing text chat, video, voice calls and screen sharing. Discord has great mobile apps too, in addition to those for web and desktop. And it’s really fast! It’s also getting a strong footprint with open source projects.

Last week, we posted a poll on Twitter about the move, and here are the democratic answers:

Twitter poll about Discord vs. Gitter

This confirmed our impression, so let’s do it.

How to join?

It’s easy peasy, here is the link Join our new Discord based community. It requires a Discord account with a valid email address (which is the lowest requirement). You will be welcomed with a screen that reminds the rules and code of conduct.

Welcome screen

Once registered:

  • If you wish to introduce yourself, you can share your story with us through the `#introductions` channel.
  • If you wish to share something you built in top of our products, your can do it in the `share-your-work`
  • If you need a new channel dedicated to your language, you can just ask for it or reach any core member or moderator
Community rules

What’s next?

We hope the current 1k+ users registered in Gitter will migrate to our new Discord platform. We will keep the light on in the Gitter channel for the time being, but we hope the Discord community will be the new land for all of you.

It’s not Patch Friday… TheHive 4.0.2 released

Last Friday, our team released a significant number of changes and fixes, improving TheHive 4. The community was very reactive and hurried to test it. Today we are announcing a patch release to fix annoying issues we decided to quickly patch: welcome to 4.0.2.

The major issue is related to Alert bulk merging which is part of the big refactoring of the Alert listing section.

Well, s**t happens, but as a gentlemen, we owe you a feature, or two 🙂

What’s new?

In addition to the Alert bulk merging issue, we fixed bugs related to:

  • Migration
  • Filtering observables by attachement attributes
  • Backward compatible APIs

Curious to read the detailed change log? Here your go.

TheHiveFS, do you remember?

It stands for TheHive File System, a feature we released with TheHive 4.0-RC1. In today’s milestone we are improving the security of this feature by adding a new user permission, required to have access to TheHiveFS features.

The newly created accessTheHiveFS permission is included by default in both org-admin and analyst user profiles.

Refined editable fields, for a better UX

In TheHive UI, editing objects relies on editable fields instead of dedicated form to edit objects. This means you can update a case title by clicking the Blue Pencil icon displayed when you mouse-over the case title for exemple.

In this release we refactored all the editable fields to provide a better user experience:

  • You no longer need to click just on the `Blue Pencil` icon to switch to edit mode, you just need to click on any value, for example the Case assignee field, or the Observable tags field:
Editable fields on mouse over events

Editable fields have now a `Clear` option, allowing users to unset the value of an attribute:

Editable custom fields can be set empty

This new improvement benefits to the custom fields sections in Case and Alert details sections, as showcased above.

Configurable layout of custom fields

In older TheHive versions, custom fields were displayed using a single column. Cases with big number of custom fields produced a long scrolling Case details pages, so we decided in TheHive 4 to use a 3-column layout to reduce the resulting scroll fatigue.

Now some users are complaining because of long custom fields values not being correctly displayed. So we decided to let users choose their preferred layout.

1-column layout to display custom fields in a Case details page
2-columns layout

How to install/update ?

Our installation guides are up-to-date.

Important note

If you are updating an existing instance of TheHive 4.0.0, ensure to read the installation guide. Since our recent release of TheHive 3.5.0, we updated our repositories. The codename of repositories containing all new released packages is now named release, instead of stable. So update your apt or yum repository file.

Have you got a minute to let us know how you use TheHive ?

We would love to hear from you (10 questions < 1minute) : https://t.co/l5osjvQ1k7

Many thanks for taking the time 🙏

How to report issues

Please open an issue on GitHub with the dedicated template for TheHive 4. We will monitor them closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

It’s now time for TheHive 4 to get an update: TheHive 4.0.1 is out!

Back in July, we announced TheHive 4.0, the foundation for future releases of your favorite Open Source SIRP.

Today, we are pleased to deliver one of the biggest patch releases we’ve done so far, in terms of number of fixed issues: TheHive 4.0.1! Not only did we squash lots of bugs, we also included some cool improvements we didn’t want to hold until the next version.

As for TheHive 3 and Cortex unveiled few days ago, we fixed the vulnerabilities reported by Play framework in October as well.

A huge work has been accomplished to fix a backlog of bugs (thanks to the community) in several parts of the product:

  • Configuration;
  • API;
  • Dashboards;
  • Livestream;
  • Cases;
  • Alerts;
  • Observables;
  • Multi Factor authentication;
  • Active Directory authentication;
  • Export to MISP.

You can find details of the 80+ issues included in this milestone: Changelog file.

Wait, there is also new stuff:

  • Cases and Alerts similarity fine tuning;
  • Similar cases in Alert preview panel refined;
  • Filtering capabilities improvements;
  • New UI settings & options;
  • Custom fields in Case and Alert lists;
  • Statistics panel improvements;
  • API key in user settings page;
  • More migration tool options.

Cases and Alerts similarity fine tuning

In TheHive, correlation between Alerts and Cases, and between Cases themselves, is computed throughout their respective Observables:

  • A Case is considered similar to an Alert, if they have at least one common observable;
  • A Case is considered related to another Case, if they have at least one common observable.

In some situations, those relationships are undesirable when based on useless/meaningless observables.

Starting with TheHive 4.0.1, Observables are enriched with a new attribute called ignoreSimilarity, set to false by default. Now, when this attribute is set to true, an observable is simply not taken into account in the relationship between two cases, and is not involved in the similarity calculation, for Cases and Alerts.

This attribute is displayed alongside with the IOC and Sighted flags, in the Observables list – which has been tweaked for the occasion – as well as in the detailed view.

IgnoreSimilarity flag in the revamped Observables list

And you can also edit this for a set of selected observables.

Edit “Ignored for similarity”

Long story short, if you want to break a correlation, you just need to set the linking Observable‘s ignoreSimilarity flag to true.

Alerts and similar Cases

The attribute mentioned earlier is taken into account when correlating Alerts with existing Cases : the Similar Cases view in the Alert preview dialog.

Observables with ignoreSimilarity set to true will be ignored when fetching cases similar to the current Alert, whether it is in the Alert or the Case side.

A forthcoming update of thehive4py library will allow to set this attribute in Alerts, along with many other new things.

The Similar Cases view has been thoroughly enhanced to provide more highlights facilitating alert triage and the merging of alerts into existing cases. First, a column named “Matched” has been added. It contains the list of observable dataTypes and the number of occurrences matching the Alert : this should be very useful to identify quickly what type of data has matched the alert content. A filter on this column has also been added.

And there are more refining capabilities in this view:

  • Sorting and Filtering on Title of Similar Cases;
  • Specifying a minimum observables rate that matches the Alert;
  • Specifying a minimum IOCs rate that matches the Alert.
Refining the Similar Cases view during Alerts triage

… And, above all, columns can now be sorted. With all these new capabilities, triage and merge Alerts in Cases should be easier.

Filtering capabilities improvement

In TheHive 4, filter forms have the same structure all over the product. Any improvement in the area, benefits to all the listing pages.

For example, in the alert similar cases tab, a new filter form has been included. You can quickly select the type of Cases you want to display, but also use the advanced rules and search criterias.

In this release, the filter component has new capabilities:

  • Date filter: now allows setting dynamic ranges instead of setting from and to fixed date values. Possible values are:
    • Today;
    • Last 7 days;
    • Last 30 days;
    • Last 3 months;
    • Last 6 months;
    • Last year;
    • Custom: allowing the old-fashioned way of setting date ranges.
  • Tag filter: Autocomplete is now enabled.
Advanced filtering for Similar Cases during Alert triage
Autocompleted tags when adding a filter

In TheHive 4.0.1, there is one more place that welcomed a filter form: the list of Alert observables in the preview dialog.

New Org level UI settings

UI configuration page is the place where TheHive adds new options to customise the behavior of the UI, for a given organisation. This is an area that will be expanded over time.

For this milestone, two new options have been introduced:

  • Allow merging Alerts in resolved cases;
  • Default filter of Alert similar cases.
Default filter for Similar Cases in Alerts preview

The first one is self-explanatory and will hide the `Merge into case` button in the Alert similar cases section

The second one allows an administrator define, for an organisation, the default filter to apply to Alert similar cases view. For example: “show only potential similar cases created in the last 7 days and are still open”.

If during the triage, the filter has been updated by an analyst, the default filter cas be retrieved through Default filter option of the Quick Filters.

Retrieve default filter in alert similar cases

Custom fields in Case and Alert lists

“Damn, why I’m not able to see my custom fields in my cases list”, “It’s a shame I cannot filter my alerts with my custom defined properties”… We are pretty sure you said it, at least once.

Well, you dreamt of it, and here we go, we did it for Cases and Alerts

  • You will be able to see all the custom fields you defined in your Case Templates and propagated to your Cases;
  • Custom fields with undefined values are not displayed;
  • Custom fields are shown with respect of the order you define;
  • Clicking on a custom field, filters your lists using the selected value;
  • You can enable displaying the custom fields using the toggle button on the toolbar located on top of the filter form;
  • All those capabilities are available in Cases and Alerts views.
Custom Fields in Alerts list

New statistics view in Cases and Observables lists

The Stats view has been revamped to represent the statistics using both tables and shiny colourful donuts (not only for managers).

This improvement has been made in Cases, Observables and Alerts views.

New “Stats view” in Cases list

User settings

This feature has been initially introduced in Cortex and was missing in TheHive. All users can now access their API key, copy or update it, as long as an administrator created it first. No more API keys sent over emails or chat applications.

User settings with API key enabled

Migration

The migration assistant program has been updated with a few bug fixes and new filtering options. When migrating, you can now specify:

  • If you want to include or exclude Alerts generated from specific Sources or by their Type;
  • If you want to include Audit trails regarding specific objectType (case, case_task, case_observable …);
  • If you want to filter out Audit trails with specific actions (Update, Creation, Delete).
/opt/thehive/bin/migrate --help

[..]  
  --include-alert-types ,...
                           migrate only alerts with this types
  --exclude-alert-types ,...
                           don't migrate alerts with this types
  --include-alert-sources ,...
                           migrate only alerts with this sources
  --exclude-alert-sources ,...
                           don't migrate alerts with this sources
[..]   
  --include-audit-actions 
                           migration only audits with this action (Update, Creation, Delete)
  --exclude-audit-actions 
                           don't migration audits with this action (Update, Creation, Delete)
  --include-audit-objectTypes 
                           migration only audits with this objectType (case, case_artifact, case_task, ...)
  --exclude-audit-objectTypes 
                           don't migration audits with this objectType (case, case_artifact, case_task, ...)

So, you can migrate your data directly to TheHive 4.0.1.

However, please note that the migration tool does not support data from TheHive 3.5.0 yet. In short, you can only consider migrating you data from TheHive 3.4.0, 3.4.1, 3.4.2 or 3.4.4 to TheHive 4.0 or TheHive 4.0.1 for the time being.

How to install/update ?

Our installation guides are up-to-date.

Important note

If you are updating an existing instance of TheHive 4.0.0, ensure to read the installation guide. Since our recent release of TheHive 3.5.0, we updated our repositories. The codename of repositories containing all new released packages is now named release, instead of stable. So update your apt or yum repository file.

Have you got a minute to let us know how you use TheHive ?

We would love to hear from you (10 questions < 1minute) : https://t.co/l5osjvQ1k7

Many thanks for taking the time 🙏

How to report issues

Please open an issue on GitHub with the dedicated template for TheHive 4. We will monitor them closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

New releases for TheHive and Cortex: Elasticsearch 7 support and security fixes.

TheHive and Cortex with ES7 support

We are happy to announce the immediate availability of TheHive 3.5.0 and Cortex 3.1.0 that supports Elasticsearch 7. We are also releasing TheHive 3.4.4 to include security upgrades. All of them are including fixes for vulnerabilities reported on Play Framework this month. We encourage you to upgrade.

As promised, despite the release of TheHive 4.0 in July, we are still support version 3. Today we are releasing two versions of TheHive 3, but why ?

As mentioned previously, the EOL of Elasticsearch version 6 is the reason why we decided to upgrade TheHive and Cortex to exclusively support Elasticsearch version 7.

If you want to be up-to-date with TheHive and Cortex, you must use Elasticsearch 7 and the new released versions of our products: TheHive 3.5.0 and Cortex 3.1.0.

With that being said, we won’t let down the users who cannot migrate their Elasticsearch immediately to version 7, so we decided to fix an embarrassing bug related to alerts with large amount of observables, Thanks to TheHive 3.4.4.

What’s new in TheHive 3.5.0 and Cortex 3.1.0

In addition to support for Elasticsearch 7.x, following fixes has been added in TheHive 3.5.0:

  • Fix a bug with the admin page of Analyzers report templates (#1591)
  • Responder list is ordered alphabetically (#1564)
  • Keep date filters when pivoting from Dashboards to search page (#1581)
  • UI Configuration option to choose to filter TAG1 AND TAG2 or TAG1 OR TAG2 in Alerts view (#1171)
  • Fix issue when clicking on Analyzers short reports (#1350)

In addition to support for Elasticsearch 7.x, following fixes has been added in Cortex 3.1.0:

  • Take into account defaultValue in Neurons flavor file (#309)

Oauth2

Use OAuth2 with TheHive 3.5.0 and Cortex 3.1.0

Both versions have been updated to improve OAuth2 authentication support. They are now working the same way than TheHive 4.0.0, with a quite similar configuration.

We invite you to refer to the documentation for each application to configure it: TheHive and Cortex

Our support on TheHive and Cortex

However, starting from now, we will no longer support TheHive and Cortex version that use Elasticsearch < 7: i.e. TheHive < 3.5.0 and Cortex < 3.1.0. So please make sure to update your instances and rely on up-to-date and supported components.

Be aware that:

  • Any issue reported in TheHive version 3.4.4 and lower, will be fixed on top of TheHive 3.5;
  • Any issue reported in Cortex version 3.0.1 and lower, will be fixed on top of Cortex 3.1.0.

This situation made us also add strong changes regarding our repositories for DEB and RPM packages. Read carefully what follows and find your situation to learn how to upgrade.

You are still using or plan to continue with Elasticsearch 6 ?

Upgrade to TheHive 3.4.4

  • apt update && apt install thehive if you are using debian subsystems;
  • yum install thehive if you are using RedHat, Fedora or CentOS.

If you are using docker image you need to specify the version. Get it by running the following command line:

  • docker pull thehiveproject/thehive:3.4.4-1

This version introduces a bug fix regarding the import of alerts having significant amount of observables.

Keep Cortex 3.0.1

3.0.1 is the last version of Cortex supporting Elasticsearch 6.x. So keep this version until you move to Elasticsearch 7.x.

You are using or plan to move to Elasticsearch 7.x ?

⚠️ DO NOT run an upgrade command on your system until your data has been migrated in Elasticsearch 7.x and Elasticsearch is running.

Upgrading an existing installation ?

Elasticsearch 7.x introduced changes that break our way of representing the data, so some updates need to be applied on the database configuration and on the index first.

We highly recommend reading carefully our dedicated migration guides before starting the upgrade process:

Obviously, we recommend testing this process on a testing environment before running it in production.

Running a fresh installation ?

To publish packages supporting Elasticsearch 7 and avoid anyone break his servers, we decided to create dedicated packages repository. To install TheHive 3.5.0, according to your Operating System, run the following processes.

Deb packages

After installing Elasticsearch 7.x, ensure your /etc/apt/source.list.d/thehive-project.list looks like this:

deb https://deb.thehive-project.org release main

Then, run following commands to install TheHive 3.5.0:

apt update
apt install thehive # or apt install thehive=3.5.0-1

and following commands to install Cortex 3.1.0:

apt update
apt install cortex # or apt install cortex=3.1.0-1
RPM packages

After installing and running Elasticsearch 7.x, ensure your /etc/yum.repo.d/thehive-project.repo looks like this:

[thehive-project]
enabled=1
priority=1
name=TheHive-Project RPM repository
baseurl=https://rpm.thehive-project.org/release/main
gpgcheck=1

Them, run following commands to install TheHive 3.5.0:

yum update
yum install thehive # or yum install thehive-3.5.0-1

And following commands to install Cortex 3.1.0:

yum update
yum install cortex # or yum install cortex-3.1.0-1
Docker image
  • TheHive 3.5.0:
    • docker pull thehiveproject/thehive:3.5.0-1
  • Cortex 3.1.0:
    • docker pull thehiveproject/cortex:3.1.0-1
Ressources

Again, we strongly invite you to read detailed installation instructions:

Docker image of Cortex 3.1.0

Important modifications have been introduced in the docker image of Cortex 3.1.0. This image does not come anymore with programs of Analyzers and Responders and their dependencies.

Cortex is able to run those programs with Docker when images exist. The default configuration included in the official docker image of Cortex uses our catalogs of images of Analyzers and Responders.

Running Analyzers and Responders directly in Cortex container (using “process” method) is still supported. You can include them in container thanks to the Docker volumes when you start the container. If they need dependencies, you can create your own Docker image from our official Cortex image. Below an example of Dockerfile that retrieves Analyzers and Responders like previous Cortex Docker image:

FROM thehiveproject/cortex:3.1.0-1
RUN apt-get update
RUN apt-get install -y --no-install-recommends                        \
        python-pip python2.7-dev python3-pip python3-dev              \
        ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl          \
        libmagic1 build-essential git libssl-dev dnsutils iptables
RUN pip2 install -U pip setuptools
RUN pip3 install -U pip setuptools
RUN git clone https://github.com/TheHive-Project/Cortex-Analyzers.git \
        /opt/Cortex-Analyzers
RUN for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt')   \
    do                                                                \
        pip2 install -r $I || true                                    \
        pip3 install -r $I || true                                    \
    done

How to report issues

Please open an issue on GitHub if you’d like to report a bug for TheHive or Cortex. We will monitor those closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

TheHive 3.5.0-RC1 and Cortex 3.1.0-RC1 are here!

Elasticsearch 7.0 can read indices created in version 6.0 or above. An Elasticsearch 7.0 node will not start in the presence of indices created in a version of Elasticsearch before 6.0.

https://www.elastic.co/guide/en/elasticsearch/reference/7.x/breaking-changes-7.0.html#_indices_created_before_7_0

Who could imagine what’s hiding behind this sentence ? 

To be honest, we managed to support Elasticsearch 7.x pretty quickly ! But only for new and recent installations and instances — read, initially installed with Elasticsearch 6.x. 

The harder part was ensure older instances, with indexes created  with Elasticsearch 5.x, can migrate smoothly like for previous migrations: «stop the application, update the database software, update application and restart everything ». You might have to put your hands on the keyboard.

Source: Google Images

⚠️  TheHive 3.5.0-RC1 and Cortex 3.1.0-RC1 are not recommended for production use. These versions are intended for test only ; please, read carefully the full blog post and the associated documentation. Feel free to try it, try your migration and send us your feedbacks. 

New and recent installations

If your instance has been initiated with Elasticsearch 6.x, you can follow the following process : 

  • Stop TheHive version 3.4.2
  • Stop Elasticsearch version 6.x
  • Update Elasticsearch configuration file
  • Update Elasticsearch to version 7.x and restart the service
  • Update TheHive and restart the service
  • Update Cortex and restart the service 

Instructions to install TheHive 3.5.0-RC1 or Cortex 3.1.0-RC1 can be found in this guide.

At this stage, connect TheHive and Cortex with your browser and you should be invited to update the database : 

Older indexes

This is the tricky part. If you are using an instance initiated with Elasticsearch older that version 6.0, it is highly probable that you have to follow an heavier process to upgrade. In few words, you will have to :  

  • Stop TheHive and Cortex applications
  • Create new indexes in Elasticsearch 6.x with part of the settings of your current indexes
  • Do specific reindexing operations to this new indexes
  • Delete old indexes.

How to identify if your index is ready for Elasticsearch 7

You can easily identify if indexes are ready for Elasticsearch 7. On the index named the_hive_15 run the following command:

curl -s http://127.0.0.1:9200/the_hive_15?human | jq '.the_hive_15.settings.index.version.created_string'

If the version is 6.x.x then the index will be read by Elasticsearch 7.8.x. Otherwise (version is 5.x.x of below), reindexing the index is required.

Migration guide

You are not left alone there. A dedicated documentation is available. It should help you run this specific actions on your Elasticsearch database, and also install or update application whether you are using DEB, RPM or binary packages, and even docker images : 

https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/upgrade_to_thehive_3_5_and_es_7_x.md

How to report issues

Please open an issue on GitHub using the template made for TheHive 3.x if you’d like to report a bug on this version. We will monitor those closely and respond accordingly. 

Cortex-Analyzers 2.9.0: Summer Edition!

Didn’t you think we were going to holidays without letting few new stuff to play with ? 6 new Analyzers and 1 Responder complete the growing list of Neurons.

A Huge thanks to all the contributors for the great new features, without forgetting the work regarding improvements and bug fixes.

Documentation

Find the complete documentation of Analyzers and Responders at the dedicated website: https://thehive-project.github.io/Cortex-Analyzers/

For each Analyzer and Responder, a page details the purpose of each flavor, the configuration required and even some screenshots from report samples.

New Analyzers

New Responder

Fixes and Improvements

  • Fix a bug in Hashdd_Detail_1_0 analyzer (#831)
  • Fix a bug in PhishingInitiative_Scan_1_0 analyzer (#832)
  • Fix a bug related to dataType in MalwareBazaar_1_0 analyzer (#830)
  • Fix a bug in MISPWarninglists analyzer (#827)
  • Fix a bug in Mailer_1_0 responder (#835)

Analyzers

DomainMailSPFDMARC

This analyzer comes in 1 flavor and let you check SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) status of a domain or fqdn.

TheHive displays the analyzer results as follows:

DomainMailSPFDMARD short report
DomainMailSPFDMARD Long report

ForcepointWebsensePing

Forcepoint URL Filtering provides defenses against productivity draining web content and threats to operations. It ensures organizational productivity by delivering defenses against productivity draining web activity while providing the necessary security in a world of advanced threats.

Using WebsensePing utility is possible to query Master Database URL Categories that contains the industry’s most accurate, current and comprehensive classification of URLs. ForcePoint uses proprietary classification software and human inspection techniques to categorize and maintain definitions of more than 95 URL categories in more than 50 languages.

An active Forcepoint subscription is required to use the analyzer.

TheHive displays the analyzer results as follows:

ForcepointWebsensePing short report samples
ForcepointWebsensePing long report sample

NERD

This analyzer allows to query the NERD (Network Entity Reputation) database, and get score and basic information. Project NERD aims to build an extensive reputation database of known sources of cyber threats. That is, a list of known malicious IP addresses or other network entities (e.g. ASNs or domain names) together with all security-relevant information about each of them.

A valid API key is required to run this analyzer.

TheHive displays the analyzer results as follows:

NERD short report
NERD long report

SekoiaIntelligenceCenter

This analyzer allows you to gather more context related to domain names, IP adresses, urls and file hashes using the SEKOIA.IO Intelligence Database.

An active SEKOIA.IO Intelligence Center subscription is required to use the analyzer.

TheHive displays the analyzer results as follows:

SEKOIAIntelligenceCenter_Indicators long report

Spamassassin

This analyzer let you query a local SpamAssassin instance by sending a file, and get a SPAM score.

Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email). It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

TheHive displays the analyzer results as follows:

Spamassassin short report
Spamassassin long report

Splunk

This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter.

This analyzer comes in 10 flavors:

  • Splunk_Search_Domain_FQDN: Dispatch a list of saved searches on a given domain/fqdn
  • Splunk_Search_File_Filename: Dispatch a list of saved searches on a given file/filename
  • Splunk_Search_Hash: Dispatch a list of saved searches on a given hash
  • Splunk_Search_IP: Dispatch a list of saved searches on a given IP (IPv4 only)
  • Splunk_Search_Mail_Email: Dispatch a list of saved searches on a given mail/email
  • Splunk_Search_Mail_Subject: Dispatch a list of saved searches on a given mail_subject
  • Splunk_Search_Other: Dispatch a list of saved searches on a given data (any type)
  • Splunk_Search_Registry: Dispatch a list of saved searches on a given registry
  • Splunk_Search_URL_URI_Path: Dispatch a list of saved searches on a given url/uri_path
  • Splunk_Search_User_Agent: Dispatch a list of saved searches on a given user_agent
  • Splunk_Search_User: Dispatch a list of saved searches on a given user id (variable name is ‘other’)

A valid Splunk subscription is required to run this analyzer.

TheHive displays the analyzer results as follows:

Splunk_Search_Registry short report
Splunk_Search_Registry long report

Responders

Velociraptor

Velociraptor let you interrogate your endpoint for specific data. Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.

This responder can be used to run a flow for a Velociraptor artifact.  This could include gathering data, or performing initial response.

It can be run on an observable type of ipfqdn, or other, and will look for a matching client via the Velociraptor server. If a client match is found for the last seen IP, or the hostname, the responder will kick off the flow, the results will be returned, and the client ID will be added as a tag to the case and the observable.

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu ( Admin > Analyzer templates in TheHive 4.0)
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!