This year is coming to an end. It’s a new opportunity to our team to release a new version of your favorite free and open source incident response platform, TheHive. We don’t aim to bother you during your Xmas holidays, but we thought of those who will be in front of their screens during the years’ last days.
Today, we announce the release of 4.0.3 that comes with some interesting enhancements and bug fixes.
What’s new?
The major features added in this release are:
- improvement of the task management capabilities for collaboration, by adding a new flag called “Action Required”
- review and improvement of the implementation of MISP synchronisation filters
- new API capability to allow searching for Alerts per observables
- new S3 provider and configuration for file storage (observables and task log attachments)
Require an action on a task
This feature is useful for collaboration to allow a master team requiring actions from the teams it collaborates with. Let’s explain it using a concrete example. Imagine a TheHive instance defining two organisations: SOC and CERT, both of them working on a Case led by the CERT team who is the owner of the Case.
For one of the tasks, the incident handler from the CERT team needs an action from the SOC team on a Task called “Gather evidences or IOC”. In the Task’s details page, at the “Sharing” section, for each “Share”, a new button “Require Action” is displayed. It allows any user with `manageTask` permission to enable the flag for the specific organisation for that specific Task.
The incident handler can also require an action from his team members.
When the user clicks the “Require Action” button, TheHive asks if a Task Log needs to be added to the Task, to explain the required action. The user can proceed without adding a Task Log
If the user clicks on “Yes, add log”, a dialog is displayed asking the user to type a Task Log message and optionally add an attachment:
Once confirmed, the action is completed and the Task is marked as requiring action from the right team.
This feature comes not only with these Task related buttons but also includes some features for Case and Task listing pages, including filtering: its easier to list the cases where at least one task is still requiring an action from a team:
When navigating to the Task list, the user can easily see which Task needs an action:
When a user accesses a Task that is marked as requiring an action, the Task details page displays a warning message, with a “Mark as Done” button, that when clicked, confirms the completion of the required action:
When clicked, the “Mark as Done” button goes through the same confirm dialog as described above, allowing to optionally add a Task Log.
Review MISP filters configuration
TheHive 4.0.3 has reviewed and improved the performance of the MISP synchronisation services and added a new config to whitelist events by organisation, not only by tags. Below is a non exhaustive configuration of a MISP server, where the `whitelist.organisation` filter is used:
play.modules.enabled += org.thp.thehive.connector.misp.MispModule
misp {
interval: 1 hour
servers: [
{
name = "local" # MISP name
url = "http://localhost/" # URL or MISP
auth {
type = key
key = "***" # MISP API key
}
...
# Organization and tags
whitelist {
organisation = ["good organisation"]
# tags = ["tag1", "tag2"]
}
}
]
}Search for alerts by observable conditions
In TheHive 3, Alert observables are stored within the Alert data, not as un independent piece of data, and querying them is not possible through the `_search` APIs and the Query DSL.
In 4.0.3 this limitation has been removed, allowing querying an alert with conditions on it’s child observables.
Using TheHive4py, the following code is now possible:
import json
from thehive4py.api import TheHiveApi
from thehive4py.models import *
from thehive4py.query import *
THEHIVE_URL = 'http://127.0.0.1:9000'
THEHIVE_API_KEY = 'API_KEY'
api = TheHiveApi(THEHIVE_URL, THEHIVE_API_KEY)
# Define the query
query = And(
Eq('source', 'THEHIVE-PROJECT'),
Eq('severity', Severity.MEDIUM.value),
Child('alert_artifact', And(
Eq('dataType', 'hash'),
Eq('data', 'A_HASH_VALUE')
)),
Like('title', '*MALSPAM*')
)
# Search for alerts
response = api.find_alerts(query=query, range='all')
# Print
print(response.json(), indent=4)The code snippet above, searches for Alerts of with:
source='TheHive-Project'severity=mediumtitleincluding the word “MALSPAM”- having a specific `hash` observable
S3 storage support
File storage is used in TheHive to store attachments. TheHive now supports a new type of storage in addition to hadoop and local file system: Amazon S3.
S3 storage provider can be configured by specifying endpoint, region and credentials. The settings must be located in the provider section, in application.conf:
storage {
provider: s3
s3 {
bucket = "thehive"
readTimeout = 1 minute
writeTimeout = 1 minute
chunkSize = 1 MB
endpoint = "http://s3.amazonaws.com"
accessKey = "xxx"
secretKey = "xxx"
region = "us-west-1"
}
}
How to install/update ?
Our installation guides are up-to-date.
Important note
If you are updating an existing instance of TheHive 4.0.0, ensure to read the installation guide. Since our recent release of TheHive 3.5.0, we updated our repositories. The codename of repositories containing all new released packages is now named release, instead of stable. So update your apt or yum repository file.
How to report issues
Please open an issue on GitHub with the dedicated template for TheHive 4. We will monitor them closely and respond accordingly.
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!
TheHive Project 