Introducing TheHive4py

Following popular demand, the chefs at TheHive Project‘s code kitchen added some icing on an already tasty cake.

We are happy to announce the immediate availability of a Python API client for TheHive dubbed (surprise surprise!) TheHive4py.

What Is It?

TheHive4py allows analysts to create cases in TheHive out of different sources such as… drum roll…email.

For example, a SOC may ask its constituency to send suspicious email reports to a specific mailbox that a script polls at regular intervals. When a new email is received, the script parses it then calls TheHive4py to create a corresponding case in TheHive. Once the case has been created, SOC analysts will get a notification thanks to TheHive’s Flow so they can start investigating the new case.

Work in Progress

TheHive4py is a work in progress. It is considered beta software though we are using it on a regular basis for the use case outlined above. The client doesn’t leverage yet the richness of TheHive’s REST API (which is partially documented) but it should be sufficient in most situations. If not, please feel free to contribute and submit pull requests or request missing features if you are not comfortable with Python.

Use It

To install the client, PIP is your friend as indicated on the GitHub repository.

Mellifera and the Alerting Framework

TheHive4py will be enhanced in order to take advantage of the alerting framework that will be included in Mellifera, the next major version of TheHive (v 2.11).

The alerting framework will allow Mellifera and later releases to receive ‘alerts’ not only from multiple MISP instances, which is already possible with Buckfast and earlier, but also from mailboxes, SIEMs, and other services. Analysts will be able to develop programs that include TheHive4py in order to send an ‘alert’ to TheHive. Mellifera’s Web UI will then allow analysts to pick interesting ‘alerts’ and transform them into cases by a click of a button using pre-defined templates.

Our current target date for releasing Mellifera and the alerting framework is the end of April 2017.

How Much Does it Cost?

TheHive4py is released under an AGPL license as all the other products we publish to help the cyberdefense community fight the good fight.So apart from the effort it’ll cost you to install and use, the price of our software is nada, zero, rien. But if you are willing to contribute one way or another, do not hesitate to drop us an email at support@thehive-project.org or contact us via Twitter.