DigitalShadows2TH 2.4.5, a new version of the DigitalShadows feeder for TheHive, has been released with major improvements.

Dockerise All The Things!
The most notable one is that you can now use it with Docker. Run docker pull thehiveproject/ds2th and create a home directory for the configuration and the logs:
$ DS2TH_HOMEDIR=/opt/thehive_feeders/Digitalshadows2TH/
$ docker pull thehiveproject/ds2th:latest
$ mkdir -p $DS2TH_HOMEDIR/{config,log}
$ wget -O $DS2TH_HOMEDIR/config/config.py https://raw.githubusercontent.com/TheHive-Project/DigitalShadows2TH/master/config.py.template
Edit the config.py before running the docker command below:
$ docker run --rm --net=host --mount type=bind,source="$DS2TH_HOMEDIR"/config,target=/app/config --mount type=bind,source="$DS2TH_HOMEDIR"/log,target=/app/log thehiveproject/ds2th <OPTIONS>
Quick Installation
If that still sounds complicated, worry not! We also wrote a little program that helps you prepare the environment and install everything. We ensured that it works well on Ubuntu 18.04. The program uses two environment variables to set up everything: FEEDERS_SYSACCOUNT and FEEDERS_HOMEDIR:
$ export FEEDERS_SYSACCOUNT=thehive
$ export FEEDERS_HOMEDIR=/opt/thehive_feeders
There are also sane default settings in case you did not set any value: DigitalShadows2TH's home directory will then be /opt/thehive_feeders/DigitalShadows2TH. To use the script, run the following command line and follow the instructions:
$ wget -qO- https://raw.githubusercontent.com/TheHive-Project/DigitalShadows2TH/master/INSTALL/install_with_docker.sh | sudo -E bash -
Custom Case Templates
Previous versions of DigitalShadows2TH allowed only one case template to be associated with the alerts created by the feeder in TheHive. Starting from DigitalShadows2TH 2.4.0, you can define a case template for each type of incident raised by DigitalShadows in the configuration file.
The configuration pertaining to TheHive looks as follows:
TheHive = {
    'proxies': {
        'http': '',
        'https': ''
    },
    'url': 'THEHIVE_URL',
    'key': 'THEHIVE_API_KEY',
    'templates': {
        'default': ''
    }
}
Each incident type in DigitalShadows can be associated with a case template in TheHive, for example:
TheHive = {
    'proxies': {
        'http': '',
        'https': ''
    },
    'url': 'THEHIVE_URL',
    'key': 'THEHIVE_API_KEY',
    'templates': {
        'default': 'MY_DEFAULT_CASE_TEMPLATE_FOR_DIGITALSHADOWS_INCIDENTS',
        'DATA_LEAKAGE': 'MY_DATA_LEAKAGE_CASE_TEMPLATE',
        'CYBER_THREAT': 'MY_CYBER_THREAT_CASE_TEMPLATE'
    }
}
A template can be defined for all the following DigitalShadows incident types:
- DATA_LEAKAGE
- CYBER_THREAT
- PHYSICAL_SECURITY
- SOCIAL_MEDIA_COMPLIANCE
- BRAND_PROTECTION
- INFRASTRUCTURE
A default template can be defined for all DigitalShadows incidents. If no template is found for a specific incident type, the feeder looks for the default template. If no default template is found either, an empty case will be created when the alert is imported.
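The lookup order described above, as an added example that is not part of DigitalShadows2TH's own code. It takes a TheHive config dict shaped like the one in this post and returns the template name to use, treating an empty string as "not set" so that the shipped 'default': '' correctly falls through to "no template". The function names, the sample config and the check for misspelled template keys are assumptions of this example; the 'caseTemplate' key is the alert field name in TheHive's API, not something this post mentions.

```python
# Added example (not the feeder's code): resolve a TheHive case template for
# a DigitalShadows incident type from the 'templates' section of config.py.

# The incident types listed in this post.
KNOWN_INCIDENT_TYPES = {
    "DATA_LEAKAGE",
    "CYBER_THREAT",
    "PHYSICAL_SECURITY",
    "SOCIAL_MEDIA_COMPLIANCE",
    "BRAND_PROTECTION",
    "INFRASTRUCTURE",
}

# Constructed sample config, shaped like the TheHive section of config.py.
TheHive = {
    'proxies': {'http': '', 'https': ''},
    'url': 'THEHIVE_URL',
    'key': 'THEHIVE_API_KEY',
    'templates': {
        'default': 'MY_DEFAULT_CASE_TEMPLATE_FOR_DIGITALSHADOWS_INCIDENTS',
        'DATA_LEAKAGE': 'MY_DATA_LEAKAGE_CASE_TEMPLATE',
        'CYBER_THREAT': 'MY_CYBER_THREAT_CASE_TEMPLATE',
    },
}


def resolve_template(config, incident_type):
    """Return the case template name for an incident type, or None.

    Lookup order as in the post: the type-specific entry first, then the
    'default' entry. An empty string counts as 'not set', so a config that
    keeps 'default': '' yields None (the alert is imported without a template).
    """
    templates = config.get('templates', {})
    specific = templates.get(incident_type, '')
    if specific:
        return specific
    default = templates.get('default', '')
    return default or None


def check_templates(config):
    """Return template keys that are neither 'default' nor a known incident
    type (hypothetical sanity check). Such entries are never consulted, so a
    misspelled key like 'DATA_LEAK' silently falls back to the default."""
    templates = config.get('templates', {})
    return sorted(k for k in templates
                  if k != 'default' and k not in KNOWN_INCIDENT_TYPES)


def alert_fields(config, incident_type):
    """Build the template-related part of an alert payload: the 'caseTemplate'
    key is only set when a template actually resolves."""
    template = resolve_template(config, incident_type)
    return {'caseTemplate': template} if template else {}


if __name__ == '__main__':
    for incident in ('DATA_LEAKAGE', 'INFRASTRUCTURE', 'UNKNOWN_TYPE'):
        print(incident, '->', resolve_template(TheHive, incident))
    print('unrecognised template keys:', check_templates(TheHive))
```

Running check_templates against your own config.py before starting the feeder catches the one failure mode this scheme hides: a misspelled incident type is not an error, it just quietly routes every alert of that type to the default template.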
Update or Install
If you are not using Docker, just pull the repository and update your configuration file with the new templates part for TheHive.
Update your Repository
$ cd /opt/TheHive_feeders/DigitalShadows2TH/
$ git pull
The configuration file has changed, so you need to update yours before running the program. A new templates section has been added for TheHive and the path has changed: the file now lives in the config/ directory of the project.
Install and Use via the Code Repository
$ cd /opt/TheHive_feeders
$ git clone https://github.com/TheHive-Project/DigitalShadows2TH.git
After that, follow the prerequisites and edit the configuration file: in /opt/TheHive_feeders/DigitalShadows2TH/config/, copy config.py.template to config.py and modify it.
Use cases and detailed configuration instructions can be found in the README file in the repository.
Running Into Trouble?
Should you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!