DigitalShadows2TH: Digital Shadows Alert Feeder for TheHive

Thanks to its REST API and alerting framework, TheHive can receive alerts from multiple sources: email notifications, SIEMs, IDS/IPS and, of course, one or several MISP instances.

While the integration with MISP is native and very easy to configure, teams need to develop their own code to feed alerts from other sources to TheHive, leveraging whenever possible TheHive4Py, a very handy Python library to interact with the API.

If you are a TheHive user and a Digital Shadows customer, you can now fetch any incident or intel-incident raised by their Searchlight service using DigitalShadows2TH, a free, open source alert feeder for TheHive freshly cooked by your friendly and so Frenchy Chefs behind TheHive Project.

To use DigitalShadows2TH, you’ll need Python 3, the requests library and TheHive4py. You also need a Digital Shadows subscription and TheHive 2.13 or better with an account on your SIRP that can create alerts.

Please read the README file to learn how to install, configure and run this alert feeder.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

Training VM Updated with Mellifera 13.2

Two days after the release of  Mellifera 13.2 (TheHive 2.13.2), we have updated the training VM with this version. You can download it from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQMGZ2RjRlc1RfQ2M/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

15dc0a1d1ef099abd852fefff3a12c1b752573c01b133fc6e643dd2fceb1d46f

The system’s login is thehive and the associated password is thehive1234.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Where to Go from Here?

Please read the associated documentation page to configure the services on your training virtual machine and plug it with MISP.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Mellifera 13.2: Stats, Security & More

The release of Mellifera 13 (TheHive 2.13.0) marked our move away from Elasticsearch v 2.x to 5.x. While we tried to test this major version as thoroughly as possible, some users were bitten by an ugly bug that made the metrics chart in the Statistics view basically useless.

This bug occurs only if you have freshly installed TheHive 2.13.0 or 2.13.1. If you migrated from a previous version, you would have no issue.

The problem was quickly identified. However, to correct it in Mellifera 13.2 (TheHive 2.13.2), a minor version released today, we had to force a database migration.

At the first connection to TheHive 2.13.2, a migration of the database will be asked. This will create a new ElasticSearch index (the_hive_11). See the Updating guide. TheHive 2.13.2 also fixes the following issues:

  • #331: fix an error when trying to merge cases containing custom fields
  • #347: non-IOC observables counted as IOC, and IOC word displayed twice in the stats view under the Observables tab
  • #356: update the Play framework to 2.6.6 to correct a security issue with the previous version

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Mellifera 13.1 Released

Following the release of Mellifera 13 last week, some users reported problems getting the platform working correctly. They couldn’t browse a case’s tasks. TheHive Chefs reproduced the bug and corrected swiftly in Mellifera 13.1 (TheHive 2.13.1), which is now available. Please note that the identified bug happens only when you haven’t upgraded TheHive from an earlier version.

Is ES 2.x still supported?

Mellifera 13 introduced the support of Elasticsearch 5.x and has been thoroughly tested with version 5.5 (5.6 should be probably work just fine). Given the numerous changes between ES 2.x and ES 5.x, we do not support both versions. Hence, and starting from Mellifera 13, only ES 5.x is supported.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guideThis is paramount to ensure a good transition from earlier versions. You have been warned.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

Training VM Reloaded: Mellifera 13, Cortex 1.1.4 & Other Updates

After the release wagon we unleashed upon the Internet tracks last week, we have updated the training VM to include Mellifera 13 (TheHive 2.13.0), Cortex 1.1.4, TheHive4py 1.3.0, Cortex4py 1.1.0 and the latest Cortex analyzers with all dependencies.

We strongly encourage you to refrain from using it for production.

Get It

You can download the VM from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQajViaS01Ym1hdW8/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

93176fffdbdd47cb8457efe10fb8c783eddd7895a18c8ca75a7c6bae316b081b

The system’s login is thehive and the associated password is thehive1234.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Where to Go from Here?

Please read the associated documentation page to configure the services on your training virtual machine and plug it with MISP.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cortex 1.1.4 Released

Moments ago, we have announced the release of Mellifera 13, TheHive4py 1.3.0, and Cortex4py. And since we don’t want to leave you wanting for more fun time, you may want to schedule as well a Cortex update shall you need it 😉

Implemented Enhancements

  • Disable analyzer in configuration file #32
  • Group ownership in Docker image prevents running on OpenShift #42

Fixed Bugs

  • Cortex removes the input details from failure reports #38
  • Display a error notification on analyzer start fail #39

Download & Get Down to Work

To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.

Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

TheHive4py 1.3.0 is Here

Version 1.3.0 of the Python API client for TheHive is now available. It is compatible with the freshly released Mellifera 13. This new release includes the changes outlined below.

To update your existing package:

$ sudo pip install thehive4py --upgrade

If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.

New Features

  • Add more options to sort, filter and paginate case tasks and observables
  • Add a find_alerts method to allow querying alerts
  • Add support to API Key authentication mechanism

Bug Fixes

  • Added verify parameter to calls

Breaking Changes

  • The `get_case_tasks` method has been made consistent with all the other methods and now returns a `Response` object instead of a JSON dict.

Houston? Are you There?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!