Introducing TheHive


As seasoned Digital Forensics & Incident Response practitioners, we have been looking for years for a solid, scalable platform to investigate and collaborate on information security incidents, store heterogeneous observables and analyze them one by one or in bulk.

Unsatisfied with what we found on the market, we started development in earnest in early 2014 and put a first usable version in production in October 2014. TheHive was born, and it has been used on a daily basis by about a dozen analysts since then.

TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.



Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker, thanks to the Flow (a Twitter-like stream that keeps everyone updated on what’s happening in real time).


Within TheHive, every investigation corresponds to a case. Cases can be created from scratch and tasks added on the go and dispatched to (or taken by) available analysts. They can also be created using templates with corresponding metrics to drive your team’s activity, identify the type of investigations that take significant time and seek to automate tedious tasks.

Each task can have multiple work logs where contributing analysts may describe what they are up to, what the outcome was, attach pieces of evidence or noteworthy files, etc. Markdown is supported.


You can add one or hundreds if not thousands of observables to each case that you create. You can also create a case out of a MISP event since TheHive can be very easily linked to your MISP instance should you have one. TheHive will automatically identify observables that have already been seen in previous cases.

Observables can also be associated with a TLP and their source (using tags). You can also easily mark observables as IOCs and isolate those using a search query and export them for searching in your SIEM or other data stores.

TheHive also comes with an analysis engine. Analyzers can be written in any programming language supported by Linux such as Python or Ruby to automate observable analysis: geolocation, VirusTotal lookups, pDNS lookups, Outlook message parsing, threat feed lookups, …

Security analysts with a knack for scripting can easily add their own analyzers (and contribute them back to the community since sharing is caring) to automate boring or tedious actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP. For example, a file added as an observable can be submitted to VirusTotal if the associated TLP is WHITE or GREEN. If it’s AMBER, its hash is computed and submitted to VT but not the file. If it’s RED, no VT lookup is done.
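The TLP-dependent behaviour described above, sketched as an added example; it is not code from TheHive or its analyzers. The function and class names, the use of SHA-256, the numeric TLP ordering, the stand-in client, and treating an unrecognised marking as RED are all assumptions of this example.

```python
import hashlib
from enum import IntEnum


class TLP(IntEnum):
    # Assumption of this example: higher value = more restricted sharing.
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


def parse_tlp(value) -> TLP:
    """Accept 'amber', 'TLP:AMBER' or 2; anything unrecognised becomes RED."""
    try:
        if isinstance(value, str):
            return TLP[value.strip().upper().removeprefix("TLP:")]
        return TLP(value)
    except (KeyError, ValueError):
        return TLP.RED  # fail closed: unknown marking means nothing leaves


def analyze_file(data: bytes, tlp, submit_file, lookup_hash) -> dict:
    """Perform only the lookup that the observable's TLP allows.

    submit_file(data) and lookup_hash(hex_digest) are hypothetical callables
    standing in for a real VirusTotal client.
    """
    level = parse_tlp(tlp)
    if level <= TLP.GREEN:   # WHITE or GREEN: the file itself may be shared
        return {"tlp": level.name, "sent": "file", "result": submit_file(data)}
    if level == TLP.AMBER:   # AMBER: only the locally computed hash is sent
        digest = hashlib.sha256(data).hexdigest()
        return {"tlp": level.name, "sent": "hash", "result": lookup_hash(digest)}
    return {"tlp": level.name, "sent": None, "result": None}  # RED: no lookup


class RecordingClient:
    """Constructed stand-in that records what would have left the network."""

    def __init__(self):
        self.outbound = []

    def submit_file(self, data):
        self.outbound.append(("file", data))
        return "submitted"

    def lookup_hash(self, digest):
        self.outbound.append(("hash", digest))
        return "looked-up"
```

Passing the two client methods in as arguments keeps the disclosure decision in one place, so a test can verify that a RED observable produces no outbound call at all.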

Check it Out

TheHive is an open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensuring that TheHive will remain a free and open source project in the long run.

You can run it using Docker or binaries, or build it from source code.
