It’s now time for TheHive 4 to get an update: TheHive 4.0.1 is out!

Back in July, we announced TheHive 4.0, the foundation for future releases of your favorite Open Source SIRP.

Today, we are pleased to deliver one of the biggest patch releases we’ve done so far, in terms of number of fixed issues: TheHive 4.0.1! Not only did we squash lots of bugs, we also included some cool improvements we didn’t want to hold until the next version.

As for TheHive 3 and Cortex unveiled few days ago, we fixed the vulnerabilities reported by Play framework in October as well.

A huge work has been accomplished to fix a backlog of bugs (thanks to the community) in several parts of the product:

  • Configuration;
  • API;
  • Dashboards;
  • Livestream;
  • Cases;
  • Alerts;
  • Observables;
  • Multi Factor authentication;
  • Active Directory authentication;
  • Export to MISP.

You can find details of the 80+ issues included in this milestone: Changelog file.

Wait, there is also new stuff:

  • Cases and Alerts similarity fine tuning;
  • Similar cases in Alert preview panel refined;
  • Filtering capabilities improvements;
  • New UI settings & options;
  • Custom fields in Case and Alert lists;
  • Statistics panel improvements;
  • API key in user settings page;
  • More migration tool options.

Cases and Alerts similarity fine tuning

In TheHive, correlation between Alerts and Cases, and between Cases themselves, is computed throughout their respective Observables:

  • A Case is considered similar to an Alert, if they have at least one common observable;
  • A Case is considered related to another Case, if they have at least one common observable.

In some situations, those relationships are undesirable when based on useless/meaningless observables.

Starting with TheHive 4.0.1, Observables are enriched with a new attribute called ignoreSimilarity, set to false by default. Now, when this attribute is set to true, an observable is simply not taken into account in the relationship between two cases, and is not involved in the similarity calculation, for Cases and Alerts.

This attribute is displayed alongside with the IOC and Sighted flags, in the Observables list – which has been tweaked for the occasion – as well as in the detailed view.

IgnoreSimilarity flag in the revamped Observables list

And you can also edit this for a set of selected observables.

Edit “Ignored for similarity”

Long story short, if you want to break a correlation, you just need to set the linking Observable‘s ignoreSimilarity flag to true.

Alerts and similar Cases

The attribute mentioned earlier is taken into account when correlating Alerts with existing Cases : the Similar Cases view in the Alert preview dialog.

Observables with ignoreSimilarity set to true will be ignored when fetching cases similar to the current Alert, whether it is in the Alert or the Case side.

A forthcoming update of thehive4py library will allow to set this attribute in Alerts, along with many other new things.

The Similar Cases view has been thoroughly enhanced to provide more highlights facilitating alert triage and the merging of alerts into existing cases. First, a column named “Matched” has been added. It contains the list of observable dataTypes and the number of occurrences matching the Alert : this should be very useful to identify quickly what type of data has matched the alert content. A filter on this column has also been added.

And there are more refining capabilities in this view:

  • Sorting and Filtering on Title of Similar Cases;
  • Specifying a minimum observables rate that matches the Alert;
  • Specifying a minimum IOCs rate that matches the Alert.
Refining the Similar Cases view during Alerts triage

… And, above all, columns can now be sorted. With all these new capabilities, triage and merge Alerts in Cases should be easier.

Filtering capabilities improvement

In TheHive 4, filter forms have the same structure all over the product. Any improvement in the area, benefits to all the listing pages.

For example, in the alert similar cases tab, a new filter form has been included. You can quickly select the type of Cases you want to display, but also use the advanced rules and search criterias.

In this release, the filter component has new capabilities:

  • Date filter: now allows setting dynamic ranges instead of setting from and to fixed date values. Possible values are:
    • Today;
    • Last 7 days;
    • Last 30 days;
    • Last 3 months;
    • Last 6 months;
    • Last year;
    • Custom: allowing the old-fashioned way of setting date ranges.
  • Tag filter: Autocomplete is now enabled.
Advanced filtering for Similar Cases during Alert triage
Autocompleted tags when adding a filter

In TheHive 4.0.1, there is one more place that welcomed a filter form: the list of Alert observables in the preview dialog.

New Org level UI settings

UI configuration page is the place where TheHive adds new options to customise the behavior of the UI, for a given organisation. This is an area that will be expanded over time.

For this milestone, two new options have been introduced:

  • Allow merging Alerts in resolved cases;
  • Default filter of Alert similar cases.
Default filter for Similar Cases in Alerts preview

The first one is self-explanatory and will hide the `Merge into case` button in the Alert similar cases section

The second one allows an administrator define, for an organisation, the default filter to apply to Alert similar cases view. For example: “show only potential similar cases created in the last 7 days and are still open”.

If during the triage, the filter has been updated by an analyst, the default filter cas be retrieved through Default filter option of the Quick Filters.

Retrieve default filter in alert similar cases

Custom fields in Case and Alert lists

“Damn, why I’m not able to see my custom fields in my cases list”, “It’s a shame I cannot filter my alerts with my custom defined properties”… We are pretty sure you said it, at least once.

Well, you dreamt of it, and here we go, we did it for Cases and Alerts

  • You will be able to see all the custom fields you defined in your Case Templates and propagated to your Cases;
  • Custom fields with undefined values are not displayed;
  • Custom fields are shown with respect of the order you define;
  • Clicking on a custom field, filters your lists using the selected value;
  • You can enable displaying the custom fields using the toggle button on the toolbar located on top of the filter form;
  • All those capabilities are available in Cases and Alerts views.
Custom Fields in Alerts list

New statistics view in Cases and Observables lists

The Stats view has been revamped to represent the statistics using both tables and shiny colourful donuts (not only for managers).

This improvement has been made in Cases, Observables and Alerts views.

New “Stats view” in Cases list

User settings

This feature has been initially introduced in Cortex and was missing in TheHive. All users can now access their API key, copy or update it, as long as an administrator created it first. No more API keys sent over emails or chat applications.

User settings with API key enabled

Migration

The migration assistant program has been updated with a few bug fixes and new filtering options. When migrating, you can now specify:

  • If you want to include or exclude Alerts generated from specific Sources or by their Type;
  • If you want to include Audit trails regarding specific objectType (case, case_task, case_observable …);
  • If you want to filter out Audit trails with specific actions (Update, Creation, Delete).
/opt/thehive/bin/migrate --help

[..]  
  --include-alert-types ,...
                           migrate only alerts with this types
  --exclude-alert-types ,...
                           don't migrate alerts with this types
  --include-alert-sources ,...
                           migrate only alerts with this sources
  --exclude-alert-sources ,...
                           don't migrate alerts with this sources
[..]   
  --include-audit-actions 
                           migration only audits with this action (Update, Creation, Delete)
  --exclude-audit-actions 
                           don't migration audits with this action (Update, Creation, Delete)
  --include-audit-objectTypes 
                           migration only audits with this objectType (case, case_artifact, case_task, ...)
  --exclude-audit-objectTypes 
                           don't migration audits with this objectType (case, case_artifact, case_task, ...)

So, you can migrate your data directly to TheHive 4.0.1.

However, please note that the migration tool does not support data from TheHive 3.5.0 yet. In short, you can only consider migrating you data from TheHive 3.4.0, 3.4.1, 3.4.2 or 3.4.4 to TheHive 4.0 or TheHive 4.0.1 for the time being.

How to install/update ?

Our installation guides are up-to-date.

Important note

If you are updating an existing instance of TheHive 4.0.0, ensure to read the installation guide. Since our recent release of TheHive 3.5.0, we updated our repositories. The codename of repositories containing all new released packages is now named release, instead of stable. So update your apt or yum repository file.

Have you got a minute to let us know how you use TheHive ?

We would love to hear from you (10 questions < 1minute) : https://t.co/l5osjvQ1k7

Many thanks for taking the time 🙏

How to report issues

Please open an issue on GitHub with the dedicated template for TheHive 4. We will monitor them closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

New releases for TheHive and Cortex: Elasticsearch 7 support and security fixes.

TheHive and Cortex with ES7 support

We are happy to announce the immediate availability of TheHive 3.5.0 and Cortex 3.1.0 that supports Elasticsearch 7. We are also releasing TheHive 3.4.4 to include security upgrades. All of them are including fixes for vulnerabilities reported on Play Framework this month. We encourage you to upgrade.

As promised, despite the release of TheHive 4.0 in July, we are still support version 3. Today we are releasing two versions of TheHive 3, but why ?

As mentioned previously, the EOL of Elasticsearch version 6 is the reason why we decided to upgrade TheHive and Cortex to exclusively support Elasticsearch version 7.

If you want to be up-to-date with TheHive and Cortex, you must use Elasticsearch 7 and the new released versions of our products: TheHive 3.5.0 and Cortex 3.1.0.

With that being said, we won’t let down the users who cannot migrate their Elasticsearch immediately to version 7, so we decided to fix an embarrassing bug related to alerts with large amount of observables, Thanks to TheHive 3.4.4.

What’s new in TheHive 3.5.0 and Cortex 3.1.0

In addition to support for Elasticsearch 7.x, following fixes has been added in TheHive 3.5.0:

  • Fix a bug with the admin page of Analyzers report templates (#1591)
  • Responder list is ordered alphabetically (#1564)
  • Keep date filters when pivoting from Dashboards to search page (#1581)
  • UI Configuration option to choose to filter TAG1 AND TAG2 or TAG1 OR TAG2 in Alerts view (#1171)
  • Fix issue when clicking on Analyzers short reports (#1350)

In addition to support for Elasticsearch 7.x, following fixes has been added in Cortex 3.1.0:

  • Take into account defaultValue in Neurons flavor file (#309)

Oauth2

Use OAuth2 with TheHive 3.5.0 and Cortex 3.1.0

Both versions have been updated to improve OAuth2 authentication support. They are now working the same way than TheHive 4.0.0, with a quite similar configuration.

We invite you to refer to the documentation for each application to configure it: TheHive and Cortex

Our support on TheHive and Cortex

However, starting from now, we will no longer support TheHive and Cortex version that use Elasticsearch < 7: i.e. TheHive < 3.5.0 and Cortex < 3.1.0. So please make sure to update your instances and rely on up-to-date and supported components.

Be aware that:

  • Any issue reported in TheHive version 3.4.4 and lower, will be fixed on top of TheHive 3.5;
  • Any issue reported in Cortex version 3.0.1 and lower, will be fixed on top of Cortex 3.1.0.

This situation made us also add strong changes regarding our repositories for DEB and RPM packages. Read carefully what follows and find your situation to learn how to upgrade.

You are still using or plan to continue with Elasticsearch 6 ?

Upgrade to TheHive 3.4.4

  • apt update && apt install thehive if you are using debian subsystems;
  • yum install thehive if you are using RedHat, Fedora or CentOS.

If you are using docker image you need to specify the version. Get it by running the following command line:

  • docker pull thehiveproject/thehive:3.4.4-1

This version introduces a bug fix regarding the import of alerts having significant amount of observables.

Keep Cortex 3.0.1

3.0.1 is the last version of Cortex supporting Elasticsearch 6.x. So keep this version until you move to Elasticsearch 7.x.

You are using or plan to move to Elasticsearch 7.x ?

⚠️ DO NOT run an upgrade command on your system until your data has been migrated in Elasticsearch 7.x and Elasticsearch is running.

Upgrading an existing installation ?

Elasticsearch 7.x introduced changes that break our way of representing the data, so some updates need to be applied on the database configuration and on the index first.

We highly recommend reading carefully our dedicated migration guides before starting the upgrade process:

Obviously, we recommend testing this process on a testing environment before running it in production.

Running a fresh installation ?

To publish packages supporting Elasticsearch 7 and avoid anyone break his servers, we decided to create dedicated packages repository. To install TheHive 3.5.0, according to your Operating System, run the following processes.

Deb packages

After installing Elasticsearch 7.x, ensure your /etc/apt/source.list.d/thehive-project.list looks like this:

deb https://deb.thehive-project.org release main

Then, run following commands to install TheHive 3.5.0:

apt update
apt install thehive # or apt install thehive=3.5.0-1

and following commands to install Cortex 3.1.0:

apt update
apt install cortex # or apt install cortex=3.1.0-1
RPM packages

After installing and running Elasticsearch 7.x, ensure your /etc/yum.repo.d/thehive-project.repo looks like this:

[thehive-project]
enabled=1
priority=1
name=TheHive-Project RPM repository
baseurl=https://rpm.thehive-project.org/release/main
gpgcheck=1

Them, run following commands to install TheHive 3.5.0:

yum update
yum install thehive # or yum install thehive-3.5.0-1

And following commands to install Cortex 3.1.0:

yum update
yum install cortex # or yum install cortex-3.1.0-1
Docker image
  • TheHive 3.5.0:
    • docker pull thehiveproject/thehive:3.5.0-1
  • Cortex 3.1.0:
    • docker pull thehiveproject/cortex:3.1.0-1
Ressources

Again, we strongly invite you to read detailed installation instructions:

Docker image of Cortex 3.1.0

Important modifications have been introduced in the docker image of Cortex 3.1.0. This image does not come anymore with programs of Analyzers and Responders and their dependencies.

Cortex is able to run those programs with Docker when images exist. The default configuration included in the official docker image of Cortex uses our catalogs of images of Analyzers and Responders.

Running Analyzers and Responders directly in Cortex container (using “process” method) is still supported. You can include them in container thanks to the Docker volumes when you start the container. If they need dependencies, you can create your own Docker image from our official Cortex image. Below an example of Dockerfile that retrieves Analyzers and Responders like previous Cortex Docker image:

FROM thehiveproject/cortex:3.1.0-1
RUN apt-get update
RUN apt-get install -y --no-install-recommends                        \
        python-pip python2.7-dev python3-pip python3-dev              \
        ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl          \
        libmagic1 build-essential git libssl-dev dnsutils iptables
RUN pip2 install -U pip setuptools
RUN pip3 install -U pip setuptools
RUN git clone https://github.com/TheHive-Project/Cortex-Analyzers.git \
        /opt/Cortex-Analyzers
RUN for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt')   \
    do                                                                \
        pip2 install -r $I || true                                    \
        pip3 install -r $I || true                                    \
    done

How to report issues

Please open an issue on GitHub if you’d like to report a bug for TheHive or Cortex. We will monitor those closely and respond accordingly. 

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!

TheHive 3.5.0-RC1 and Cortex 3.1.0-RC1 are here!

Elasticsearch 7.0 can read indices created in version 6.0 or above. An Elasticsearch 7.0 node will not start in the presence of indices created in a version of Elasticsearch before 6.0.

https://www.elastic.co/guide/en/elasticsearch/reference/7.x/breaking-changes-7.0.html#_indices_created_before_7_0

Who could imagine what’s hiding behind this sentence ? 

To be honest, we managed to support Elasticsearch 7.x pretty quickly ! But only for new and recent installations and instances — read, initially installed with Elasticsearch 6.x. 

The harder part was ensure older instances, with indexes created  with Elasticsearch 5.x, can migrate smoothly like for previous migrations: «stop the application, update the database software, update application and restart everything ». You might have to put your hands on the keyboard.

Source: Google Images

⚠️  TheHive 3.5.0-RC1 and Cortex 3.1.0-RC1 are not recommended for production use. These versions are intended for test only ; please, read carefully the full blog post and the associated documentation. Feel free to try it, try your migration and send us your feedbacks. 

New and recent installations

If your instance has been initiated with Elasticsearch 6.x, you can follow the following process : 

  • Stop TheHive version 3.4.2
  • Stop Elasticsearch version 6.x
  • Update Elasticsearch configuration file
  • Update Elasticsearch to version 7.x and restart the service
  • Update TheHive and restart the service
  • Update Cortex and restart the service 

Instructions to install TheHive 3.5.0-RC1 or Cortex 3.1.0-RC1 can be found in this guide.

At this stage, connect TheHive and Cortex with your browser and you should be invited to update the database : 

Older indexes

This is the tricky part. If you are using an instance initiated with Elasticsearch older that version 6.0, it is highly probable that you have to follow an heavier process to upgrade. In few words, you will have to :  

  • Stop TheHive and Cortex applications
  • Create new indexes in Elasticsearch 6.x with part of the settings of your current indexes
  • Do specific reindexing operations to this new indexes
  • Delete old indexes.

How to identify if your index is ready for Elasticsearch 7

You can easily identify if indexes are ready for Elasticsearch 7. On the index named the_hive_15 run the following command:

curl -s http://127.0.0.1:9200/the_hive_15?human | jq '.the_hive_15.settings.index.version.created_string'

If the version is 6.x.x then the index will be read by Elasticsearch 7.8.x. Otherwise (version is 5.x.x of below), reindexing the index is required.

Migration guide

You are not left alone there. A dedicated documentation is available. It should help you run this specific actions on your Elasticsearch database, and also install or update application whether you are using DEB, RPM or binary packages, and even docker images : 

https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/upgrade_to_thehive_3_5_and_es_7_x.md

How to report issues

Please open an issue on GitHub using the template made for TheHive 3.x if you’d like to report a bug on this version. We will monitor those closely and respond accordingly. 

ElasticSearch, TheHive and Cortex

For a few weeks, many questions have been arising regarding the End of Life of ElasticSearch 6.8, and its impact on TheHive and Cortex applications.

We were about to release TheHive 4.0-RC3 when Thomas, akwardly calmly announced to us, having found some time (where?) to review new features and most important, breaking changes introduced by ES7. We have now a good idea of what should be updated or added in the code, as well as the amont of work it represents to get the application working perfectly.

What about current version ?

Few months ago, we announced our intention to maintain current stable versions until ES6 End of Life. At that time, we didn’t expect it to be sooner.

Discontinuing TheHive 3.x with the release of TheHive 4.0 has never been in our plans. With the time, more and more organisations adopted them, and it is important for us to give everyone enough space to schedule and make the move to the TheHive 4.0. This is why TheHive 3 and Cortex 3 will support ES7.

The good news is our ability to announce that the changes introduced by ES7 have no major impacts on us, We are scheduling a first RC1 for TheHive 3.5.0 and Cortex 3.1.0 in the last week of July. Not only will they include support for ES7, but also a few interesting improvements that will be introduced in the coming blog posts.

What’s next ?

Needless to say, the chiefs are sparing no effort in focusing on TheHive 4.0, which requires a huge amount of attention. The application stack has completely changed – the most important adjustment is pushing aside ElasticSearch in favour of Cassandra to manage TheHive’s data storage – and thanks to the community, lots of bugs have already been fixed allowing it to be stronger with time.

Once we consider TheHive 4.0 reliable enough to be used in production, we will publish it as a stable version, and that would be in the coming days. After all, our plans are to make the applications use the same technology stack, which will directly benefit to the next major version of Cortex.

Besides, Cortex is scheduled to be upgraded and based upon Scalligraph, Cassandra and Hadoop. We hope to publish a first RC in few months.

Stay tuned sounds like TheHive Project’s Twitter account will be on fire 🔥 in the coming days!

TheHive 4.0-RC2, Fresh out of the Oven

Shortly after the release of TheHive 4.0 RC-1 in February 2020, many members of our community tested it and provided great feedback, spotting issues here and there. We would like to wholeheartedly thank all of those who, like us, want to make TheHive 4.0 a great, rock-solid release!

We are now happy to unveil the 2nd release candidate. It fixes many bugs and introduce – or reintroduce – some new (and old) features :-). In this blog post, we will concentrate on the following features:

  • 2FA
  • Age of cases
  • Reintroduction of webhooks

Please read the changelog for a more comprehensive view, including bugfixes.

And since the COVID-19 crisis is here to stay for quite some time, we don’t want you to rediscover boredom, a dreadful feeling long forgotten thanks to the continued stream of notifications, solicitations and attention-grabbing, 280 chars ‘thoughts’. So instead of getting bored, we invite you to test TheHive 4.0-RC2 to the best extent possible and, should you encounter any issue, please let us know. We want to issue the final release during the summer so that everyone can have it just in time for their forthcoming vacations at home!

2FA

Two factor authentication was initially scheduled for the final release. We changed our minds and decided to offer you the possibility to test this feature right away to gather your feedback and improvement ideas before we finish up baking the final recipe.

Users can enable 2FA from their account. To enable it, first go to your account Settings and check Enable Multi-Factor Authentication.

Once done, you are invited to use your preferred TOTP application (Google Authenticator, Authy, Microsoft Authenticator etc.) to scan the QR code or the code underneath it. Your 2FA will generate A TOTP that you should supply in the MFA Code area. If it is valid, 2FA will be activated.

Important notes:

  1. If a user loses access to their TOTP application, only an administrator can restore access to their account.
  2. If an org administrator loses access to their TOTP application and they are the only administrator for that org, only a super admin can restore access to their account.
  3. If a super admin loses access to their TOTP application and they are the only super admin of the instance, they should pack up their things and look for another job. That or use a magic DB command to restore access to their account. We’ll update the documentation accordingly.
  4. The current implementation of 2FA does not support backup codes or alternate authentication methods should a user loses access to their TOTP application. However, we are considering adding backup codes to the final release.
  5. 2FA cannot be enforced by default for all users at this stage. It is thus of rather marginal value. However, an org admin can see from the UI who did not activate it and pester them until they do. In the same way, a super admin can do the same for org admins, other super admins and mere users. We are updating the documentation to add an API query that will allow you to list all users who did not activate 2FA.
  6. We will consider making 2FA mandatory in TheHive 4.1.
2FA configuration view

Next time you log in, you will need to supply the TOTP verification code in addition to your login and password.

TOTP verification code required at login

Age of Cases

A new information regarding case duration has been added in the list of cases and in case view, so you can easily keep an eye on how old your cases are and activate your escalation procedures etc. if necessary.

Age of Cases in list view
Age of a Case in Case view

Webhooks are back!

TheHive 4.0-RC1 was released without webhooks. They have been reintroduced in this version. You can now configure TheHive 4.0 to use them, but also filter data sent to the remote server by Organisation.

How to report issues

Please open an issue on GitHub using the template made for TheHive4 if you’d like to report a bug on this version. We will monitor those closely and respond accordingly.

Cortex-Analyzers 2.5.0: 142 Analyzers, 16 Responders

Shortly after the release of Cortex-Analyzers 2.4.0, TheHive Project’s code Chefs are happy to announce Cortex-Analyzers 2.5.0, a new Cortex analyzer & responder release which brings the total to 142 analyzers and 16 responders, up from 138 and 10 respectively!

We’d like to thank all the contributors for their precious work which will certainly provide more options to fellow cyber defenders and cyber threat intelligence analysts for improving their efficiency and focus on what really matters.

Source: https://dilbert.com/strip/2007-08-03

What’s New?

New Analyzers

New Responders

Analyzers

Clamav

Clamav is a powerful and open source antivirus engine that allows writing custom signatures using Yara and sigtool. @Hestat contributed with this analyzer that permits to TheHive to communicate with a local clamav-daemon.

A detailed configuration guide is available on Hetstat’s website.

Clamav short report for safe and malicious samples

IPVoid

Contributed by @jdsnape, this analyzer leverages the IP reputation check of apivoid.com, the API of www.ipvoid.com. As you can probably guess by its name, this analyzer can be used to enrich ip observables.

In order to use this analyzer, an account and a valid subscription to apivoid.com are required. An API key needs then to be provided.

TheHive displays the analyzer results as follows:

IPVoid analyzer short report
IPVoid analyzer long report

ThreatResponse

This analyzer lets you leverage the Cisco Threat Response service. Query Threat Response for verdicts and sightings for observables of type domain, filename, fqdn, hash (MD5, SHA1, SHA256), ip and url.

The analyser report lets you pivot into a Threat Response investigation of an observable.

Combining it with AMP for Endpoints Responder

It will extract the connector GUIDs as new observables to enable seamless use of the AMP for Endpoints Responder if a target is returned from the AMP for Endpoints module. It requires the AMP for Endpoints module to be configured in Threat Response.

A valid Cisco ThreatResponse subscription is required, and you have to provide your client ID and password information to use this analyzer.

TheHive displays the analyzer results as follows:

ThreatResponse analyzer short report
ThreatResponser analyzer long report

ThreatGrid

This analyzer queries Cisco Threat Grid for file, url, or hash and deliver analysis report. It also lets you pivot into the Threat Grid report to access more information related to Behavioral indicators or TCP/IP stream.

A valid Cisco Threat Grid subscription is required, and you have to provide hostname and api key to use this analyzer.

TheHive displays the analyzer results as follows:

ThreatGrid analyzer short report
ThreatGrid analyzer long report

Responders

AMPForEndpoints

This responders performs several actions on Cisco AMP for Endpoints. It comes in 5 flavors:

  • AMPforEndpoints_IsolationStart: Start Host Isolation.
  • AMPforEndpoints_IsolationStop: Stop Host Isolation.
  • AMPforEndpoints_MoveGUID: Move Connector GUID to a new group.
  • AMPforEndpoints_SCDAdd: Add SHA256 to a Simple Custom Detection List. TheHive’s case ID and description are appended to the description
  • AMPforEndpoints_SCDRemove: Remove SHA256 from a Simple Custom Detetion List.

A valid Cisco AMP for Endpoints subscription is required, and you have to provide the client id, api key and several context information to use this responder.

Redmine

Redmine is a free and open source, web-based project management and issue tracking tool. It allows users to manage multiple projects and associated subprojects. 

This responder, contribuited by srilumpa, can be used to create an issue in the Redmine ticketing system from a case. It will use the case title as the issue subject and the case description as the issue body.

To set it up in Cortex, you will need:

  • To define a user to allow Cortex to connect to Redmine and with access to the various projects in which issues should be created
  • Define three custom fields in TheHive that will be used to select the project, the tracker and, optionally, the assignee of the issue. These fields can be free form or can be custom fields with preset values.
Custom fields in TheHive for Redmine integration

At the moment the responder has few capabilities. If you need any other integration feel free to discuss on the pull issue.

Cortex responder output and corresponding issue in Redmine

Fixes

  • Umbrella Investigate [#698]

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates` menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Unleash the Power of Dockerized Analyzers in 5 Minutes

One of the big improvements you’ll notice in Cortex 3 is the support for dockerized analyzers. And amongst some of their benefits, the installation process has been significantly simplified. So let’s assume you do not want to bang your head against Python, or other library dependencies. Then read one for a way to set up analyzers and run them quickly.

The following instructions have been tested on Ubuntu 18.04. If you already have a Cortex instance up and running, you can jump directly to the docker installation section below.

Install System Packages

Prerequisites

  • Ensure your system contains the required packages:
sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
  • Oh, and Cortex should have access to the internet 😉

Cortex

Configure your system to install packages from TheHive-Project repositories.

echo 'deb https://dl.bintray.com/thehive-project/debian-stable any main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
sudo apt-key adv --keyserver hkp://pgp.mit.edu --recv-key 562CBC1C

Install Cortex:

sudo apt-get update
sudo apt-get install cortex

The Cortex files will be put in /opt/cortex. The Cortex binary will be executed using the cortex account.

The configuration file is /etc/cortex/application.conf.

The Cortex log file is /var/log/cortex/application.log.

Docker

We recommend reading the Docker documentation to install the software.

For Ubuntu 18.04, you can run the following commands:

wget -O- https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
sudo apt-get update
sudo apt-get install docker-ce

Use Docker with Cortex

Start by giving the cortex account the permission to run Docker.

usermod -a -G docker cortex

Next, in the Cortex configuration file (/etc/cortex/application.conf) ensure jobs will be executed using Docker:

job {
runner = [docker]
}

Follow the Standard Analyzer Catalog

If you are a complete Cortex noob, please read the Quick Start Guide.

Configure Cortex to get the catalog with up-to-date versions of analyzers. Edit /etc/cortex/application.conf to set the catalog URLs in the analyzer configuration section as shown below:

## ANALYZERS
#
analyzer {
  urls = ["https://dl.bintray.com/thehive-project/cortexneurons/analyzers.json"]
[..]
}

Once Cortex is configured, restart the service with the following command, wait a few seconds and you should be able to connect to Cortex on https://<cortex_host&gt;:9001 et voilà!

sudo service restart cortex

Important Note: The catalog analyzers.json contains information regarding versions of analyzers we consider stable and that are updated with bug fixes. This is typically synchronised with our master branch on Github. When you are using this catalog, you are de facto benefiting from the latest analyzer updates without needing to refresh anything in Cortex or setup again the configuration to get the latest version.

We also provide two additional catalogs:

  • analyzers-stable.json which strictly follows versions of analyzers if you do not want any uncontrolled updates. What does that mean in practice? You will have to click on the Refresh button in Cortex to update your analyzers, disable old ones and enable new versions. Moreover, you will also have to setup again their configuration. Typically, if you installed and setup Cortex with this catalog and the current version of FileInfo analyzers is 6.0, you won’t benefit from the next version, let’s say 6.1, unless you refresh Cortex.
  • analyzers-devel.jsonwhich contains information about new analyzers or version of analyzers that contains code that has been reviewed but not tested enough (or even not tested at all at times) to be deemed ready for production environments. This is typically synchronized with the develop branch of our Github repository.

Same goes for responders. All available catalogs for Cortex are published on bintray so you can choose the one that better fits your needs (or your risk/gambling profile :p).

DigitalShadows Feeder 2.4.5

DigitalShadows2TH 2.4.5, a new version of the DigitalShadows feeder for TheHive, has been released with major improvements.

Source : https://www.bustle.com

Dockerise All The Things!

The most notable one is that you can now use it with docker. Run docker pull thehiveproject/ds2th and create a homedir for configuration and logs.

$ DS2TH_HOMEDIR = /opt/thehive_feeders/Digitalshadows2TH/
$ docker pull thehiveproject/ds2th:latest
$ mkdir -p $DS2TH_HOMEDIR/{config,log}
$ wget -O $DS2TH_HOMEDIR/config/config.py\
https://raw.githubusercontent.com/TheHive-Project/DigitalShadows2TH/master/config.py.template

Edit the config.py before runing the docker command below:

$ docker run --rm --net=host --mount\
type=bind,source="$DS2TH_HOMEDIR"/config,target=/app/config --mount type=bind,source="$DS2TH_HOMEDIR"/log,target=/app/log certbdf/ds2th <OPTIONS>
Quick Installation

If that sounds still complicated, worry not! We also wrote a little program that helps you prepare the environment and install everything. We ensured that it works well on Ubuntu 18.04. The program uses two environment variables to set up everything: FEEDERS_SYSACCOUNT and FEEDERS_HOMEDIR :

$ export FEEDERS_SYSACCOUNT=thehive
$ export FEEDERS_HOMEDIR=/opt/thehive_feeders

There are also sane, default settings in case you did not set any value. DigitalShadows2TH’s home directory will be set to /opt/thehive_feeders/DigitalShadows2TH. To use the script, run the following command line and follow the instructions:

 $ wget -qO- https://raw.githubusercontent.com/TheHive-Project/DigitalShadows2TH/mater/INSTALL/install_with_docker.sh | sudo -E bash -

Custom Case Templates

Previous versions of DigitalShadows2TH allowed only one case template to be associated with alerts created by the feeder in TheHive. Starting from DigitalShadows2TH 2.4.0, you can define a case template for each type of incidents raised by DigitalShadows in the configuration file.

The configuration pertaining to TheHive looks as follows:

TheHive = {
 'proxies':{
     'http': '',
     'https': ''
},
   'url':'THEHIVE_URL',
   'key':'THEHIVE_API_KEY',
   'templates': {
       'default':''
  }
}

Each incident type in DigitalShadows can be associated with a case template in TheHive, for example:

TheHive = {
  'proxies':{
      'http': '',
      'https': ''
  },
    'url':'THEHIVE_URL',
    'key':'THEHIVE_API_KEY',
    'templates': {
        'default':'MY_DEFAULT_CASE_TEMPLATE_FOR_DIGITALSHADOWS_INCIDENTS',
        'DATA_LEAKAGE': 'MY_DATA_LEAKAGE_CASE_TEMPLATE',
        'CYBER_THREAT': 'MY_CYBER_THREAT_CASE_TEMPLATE'
    }
}

A template can be defined for all the following DigitalShadows incident types:

  • DATA_LEAKAGE
  • CYBER_THREAT
  • PHYSICAL_SECURITY
  • SOCIAL_MEDIA_COMPLIANCE
  • BRAND_PROTECTION
  • INFRASTRUCTURE

A default template can be defined for DigitalShadows incidents. If no template is found for a specific incident type, the feeder looks for the default template. if no default template is found, an empty case will be created by when importing the alert.

Update or Install

If you are not using docker, just pull the repository and update your configuration file with the new templates part for TheHive.

Update your Repository
$ cd /opt/TheHive_feeders/DigitalShadows2TH/
$ git pull

The configuration file has changed, so you need to update yours before running the program. A new templates section has been added for TheHive and the path has changed. It is now in the config/ directory of the project.

Install and Use via the Code Repository
$ cd /opt/TheHive_feeders 
$ git clone https://github.com/TheHive-Project/DigitalShadows2TH.git

After that, follow the prerequisites and edit the configuration file. In /opt/TheHive_feeders/DigitalShadows2TH/config/ copy config.py.template to config.py and modify it.

Use cases and detailed configuration instructions can be found in the README file in the repository.

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

More than 120 ways of Analyzing your Observables

There’s a new version of Cortex-Analyzers in cybertown and its has an awesome, mind-blowing name and that’s… wait for it… wait for it: 2.1.0.

In this new release, we added two analyzers which bring the total number to more than 120:

We could not duly test DNSSinkhole since we do not have access to the associated service. So we would really appreciate it if you could test it and let us know whether it works or not.

Others analyzers have been fixed or improved:

DNSSinkhole

This analyzer lets you check if an IP address has been registered in your DNS sinkhole. TheHive displays the analyzer results as follows:

DNSSinkhole analyzer: long report
DNSSinkhole analyzer: short report

TalosReputation

This analyzer lets you determine whether an IP address has been reported as a threat on Cisco Talos Intelligence service. No special access to the service is required to run the analyzer.

TheHive displays the analyzer results as follows:

Talos Reputation: long report
Talos Reputation analyzer : short report

Crt.sh

This analyzer has been enriched to display SHA-1 fingerprints. The long report format has been updated to reflect this new information.

Crt.sh analyzer: long report

FileInfo

FileInfo has been updated and is now able to parse PDF files and extract IOCs such as URLs, hosts, domains, IPs, hashes and many more.The analyzer does also support the last version of the extract-msg library.

FileInfo analyzer: IOC Parser long report
FileInfo analyzer: IOC Parser short report

VirusTotal and Python3

The VirusTotal analyzer, including all its flavours, now uses Python3 and an updated virustotal-api library.

Yeti API key

An optional API key can now be configured and used by the Yeti analyzer.

Malwares_GetReport

A hash computation has been fixed in this analyzer.

EMLParser

A first fix has been introduced to avoid this analyzer to crash when there is no content-description in content_header, and a second has been added to correct a header display issue.

IBM XForce Lookup

The analyzer has been improved to allow users to add a trailing / at the end of the API URL without breaking everything.

Updating your Analyzers in Cortex 2.x

Each analyzer and responder comes with its own, pip compatible requirements.txt file. Run the following commands to update your Cortex analyzers to the latest version:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.

Dockerised Analyzers

Cortex 3.x gives you the opportunity to run dockerised analyzers and responders. This means that you no longer have to download all the git repository of Cortex-Analyzers and run lengthy commands to update your analyzers and responders.

If you want to use dockerised analyzers and responders, ensure that the URL of the catalog.json file corresponding to the Cortex-Analyzers repository is registered in application.conf. Please note that this won’t work if you are tracking the stable catalog.

After doing so, do not forget to login to Cortex as an orgadmin, click on the Refresh Analyzers button, then Disable and Enable again each analyzer and responder. Analyzer (and responder) updates should occur automatically as long as docker.autoUpdate is set to true in application.conf (this is the default setting).

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

The Dead don’t Die

In December 2017, we published a fix for a nasty privilege escalation vulnerability, namely THP-SEC-ADV-2017-001.

On Tuesday May 21, 2019, it came back to bite us like a dead that doesn’t die when Adam Mariš reported it was still possible to do a privilege escalation in all versions of TheHive, including version 3.3.0.

After analysis, we found that THP-SEC-ADV-2017-001 did not address the full scope of the vulnerability. Adam hit the nail on the head – be like Adam! 👏

We have released a hotfix for the last version of TheHive which completely puts the dead to rest once and for all and we sincerely apologise for the issue.

What’s THP-SEC-ADV-2017-001?

The vulnerability allows users with read-only or read/write access to escalate their privileges and eventually become administrators. To exploit it, an attacker must have access to an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific yet trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

And Now What?

We highly recommend you to update to TheHive 3.3.1 which completely fixes the vulnerability. If you are still using TheHive 2.x and have not made the move to TheHive 3 yet, please update to TheHive 2.13.4 which also addresses this flaw.

If you cannot immediately apply the hotfixes we have released, a shell script is still available and will allow you to spot anyone who exploited the vulnerability. You can download this script from the following location:

https://drive.google.com/file/d/1F8VOUMLoCVnIdHjnbhMTzf_9Z2Ud_Vuw/view?usp=sharing

The SHA256 hash of the script is:

18c74f921b92cc68ea7bc10c7522691d671074331191fe22269cc936bfdb0e9a

When you run the script, it will display all users that have changed their roles. If a single match is found, it means your  instance has been potentially compromised. We advise you to create a crontab which will execute the script on a regular basis until you apply the hotfixes.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

If you are using TheHive 3.x, upgrade to TheHive 3.3.1 by updating the binary package on your system.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.