TheHive4py 1.5.1 Released

When you need to interact with TheHive’s REST API and you ain’t shy of working with Python, TheHive4py is the way to go. It’s a free, open source library we provide to allow you to easily create alert feeders, automate certain tasks like creating cases, assign them to analysts and much more. For example, Synapse, DigitalShadows2TH and Zerofox2TH leverage the library to send alerts to your favourite SIRP/SOAR.

Sometime ago, we decided that it was time to overhaul the whole library and we began working on version 2.0.0 which will be easier to use. It should also support the full set of TheHive’s REST API calls. In the meantime we decided to release version 1.5.0, shortly followed by version 1.5.1 to support some new functionality contributed by our user community and correct a few issues.

code_quality
Source : XKCD

New Features Introduced in 1.5.0

Bugfixes Introduced in 1.5.0

  • #80: Prevent max recursion depth exceeded error, contributed by Psynbiotik

New Features Introduced in 1.5.1

Important note: TheHive4py 1.5.1 does not work with TheHive 3.0.10 or earlier versions. Please stick with 1.5.0 if you are using those versions.

Updating/Installing

To update your existing package:

$ sudo pip install thehive4py --upgrade

If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.

But I just Wanna Play!

If you’d like to play around with TheHive4py 1.5.1, TheHive 3.1.1., Cortex4py 2.0.1 and Cortex 2.1.1, please download the training VM.

Paris? Are you There?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!

Correction: October 12, 2018
As reported by Robin Hahling, TheHive 1.5.1 does not work with TheHive 3.0.10 or earlier versions.

TheHive 3.1.0: Fresh out of the Oven

TheHive Project’s Master Cooks are happy to announce the immediate availability of TheHive 3.1.0. This is the first release of your favourite SIRP (Security Incident Response Platform) or, if you fancy new buzzwords, SOAR (Security Orchestration, Automation & Response) that we put out as a release candidate to give sufficient time for our ever growing user community to test it and report any outstanding bug before publishing a stable version.

Indeed, TheHive 3.1.0 brings significant new functionalities that we detailed in previous blog posts. One of the most prominent features of this new major version is the support of responders through Cortex 2.1, also released today as a stable version.

Responders are similar to analyzers but instead of analyzing stuff, they allow you to respond to stuff. Put otherwise, they give you the ability to implement specific actions by a simple click from different elements in TheHive: alerts, cases, tasks, task logs and observables.

For instance, imagine a user in your constituency reporting a suspicious email. Using Synapse or an alternative alert feeder, the email reported by the user will automatically show up as an alert in your alert pane. Before starting working on it as a case, you preview it only to realise it is a scam and it does not warrant your time & effort. Still, you’d like to reply to the user.

In such a case, you could implement a responder that will not only send an email back to the user asking them to ignore such a scam but that can mark the alert as read. Using. A. Simple. Click. C’est beau n’est-ce pas ?

Going through all 71 (yes, 71) issues that have been closed with this release and the 3 RCs we published since July 31, 2018 will be terribly boring but you can read the full changelog while dipping your croissant in your espresso cup.

We’d rather encourage you to install this new version, which is as usual, AI-free, machine learning free, cyberbullshit-free, gluten-free, organic (well as much as free, open source software can be anyway), vegan (if you can eat it), and most importantly made with huge love and care for the SOC, CSIRT & CERT communities and other fellow cybercrime fighters. So go ahead and try it out. It won’t cost you a dime (or a franc if you are a French old timer).

Caum6EmUMAA6vi8

Need Help?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Zerofox2TH: ZeroFOX Alert Feeder for TheHive

Earlier today, the French (but nonetheless happy) Chefs of TheHive’s code kitchen released DigitalShadows2TH, an alert feeder for TheHive that can consume incidents and intel-incidents from Digital Shadows, a Threat Intelligence provider and feed them as alerts to your favorite Security Incident Response Platform.

We are glad to do the same for ZeroFOX, a social media monitoring platform, with Zerofox2TH. If you are a ZeroFOX customer with a valid API subscription and use TheHive for managing your security incidents and investigating them, you can now feed alerts generated by ZeroFOX to TheHive. Ain’t that joli?

Zerofox2TH is released under an AGPLv3 license (read: free and open source). To use it, you’ll need Python 3, the requests and pillow libraries as well as TheHive4py. You also need TheHive 2.13 or better, with an account on your SIRP that can create alerts.

Please read the README file to learn how to install, configure and run this alert feeder.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

DigitalShadows2TH: Digital Shadows Alert Feeder for TheHive

Thanks to its REST API and alerting framework, TheHive can receive alerts from multiple sources: email notifications, SIEMs, IDS/IPS and, of course, one or several MISP instances.

While the integration with MISP is native and very easy to configure, teams need to develop their own code to feed alerts from other sources to TheHive, leveraging whenever possible TheHive4Py, a very handy Python library to interact with the API.

If you are a TheHive user and a Digital Shadows customer, you can now fetch any incident or intel-incident raised by their Searchlight service using DigitalShadows2TH, a free, open source alert feeder for TheHive freshly cooked by your friendly and so Frenchy Chefs behind TheHive Project.

To use DigitalShadows2TH, you’ll need Python 3, the requests library and TheHive4py. You also need a Digital Shadows subscription and TheHive 2.13 or better with an account on your SIRP that can create alerts.

Please read the README file to learn how to install, configure and run this alert feeder.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

TheHive4py 1.3.0 is Here

Version 1.3.0 of the Python API client for TheHive is now available. It is compatible with the freshly released Mellifera 13. This new release includes the changes outlined below.

To update your existing package:

$ sudo pip install thehive4py --upgrade

If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.

New Features

  • Add more options to sort, filter and paginate case tasks and observables
  • Add a find_alerts method to allow querying alerts
  • Add support to API Key authentication mechanism

Bug Fixes

  • Added verify parameter to calls

Breaking Changes

  • The `get_case_tasks` method has been made consistent with all the other methods and now returns a `Response` object instead of a JSON dict.

Houston? Are you There?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!

Mellifera 13: Export to MISP, Webhooks, API Keys & ES 5

TheHive Project French Chefs are very happy to announce Mellifera 13 (TheHive 2.13.0), a brand new, all shiny, major version of TheHive.

This new edition of your favorite Security Incident Response Platform (SIRP) has been cooked with great care to bring you a number of key features.

Mellifera 13 now uses ElasticSearch 5.x. We have tested it with v 5.5 but it should work just fine with ES 5.6.

Webhooks

TheHive has now basic support for webhooks. This allows your SIRP to post all the audit trail data to one or multiple webhooks defined in the configuration file. This way, you can listen to any change taking place on the platform and act on it as you see fit: create a ticket in an IT ticketing system, send a message to a Slack channel, display selected events of the audit trail on a screen, wake up your fellow analysts from sleep when a specific type of cases or a given alert is raised & so on. So get some elbow grease and code that Slack bot promptly 😉

Import and Export from Multiple MISP Servers

Mellifera 13 can not only import events from multiple MISP servers but also export cases as events to one or several MISP instances. The exported cases will not be published automatically though as they need to be reviewed prior to publishing.

Export_Case_1.png
Click on that Share button on the top right corner
Export_Case_2.png
Select the MISP server to which to export the case
Export_Case_3.png
See how the Share counter on the top right corner has now increased

We strongly advise you to review the categories and types of attributes at least, before publishing the corresponding MISP events. Please also note that only and all the observables marked as IOCs will be used to create the MISP event. Any other observable will not be shared. This is not configurable. For further details, check the documentation.

Export_Case_4.png
Review and publish the event on MISP
Export_Case_5.png
Review the categories and types of your attributes

 

API Keys

Mellifera 13 introduce a new authentication mechanism: API keys. This auth method is recommended for all programs or scripts, including your SIEM, that raise alerts on TheHive. You can, as an administrator, generate and revoke as many API keys as you want. Existing software using the basic authentication method should be modified to use API keys. But do not panic, while the basic authentication mechanism has been disabled by default, you can still enable it in application.conf.

The ‘alert’ role

A new alert​ role has been added. Only users with this role can create an alert. All existing programs which create alerts must have this role. Otherwise they will no longer work.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide. This is paramount to ensure a good transition from earlier versions. You have been warned.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

TheHive4py 1.2.2 is Here

It’s a sunny week in Paris, France (not Texas) barring the tropical rain that washed out the city earlier this morning. And when there’s sun in France, there’s happiness and… coding of course (what else?). The French Chefs of TheHive Project seem to be in a good mood (n’est-ce pas Jérôme ?), thanks to the vitamin D extra charge they got for free from the big star up above.

After updating CortexUtils and the analyzers, and releasing Mellifera 12, a new, major version of TheHive, why stop there when you can update TheHive4py as well?

Version 1.2.2 of the Python API client for TheHive is now available. It mainly fixes issues related to missing Python dependencies and adds support for creating alerts containing files for Python 3.

To update your existing package:

$ sudo pip install thehive4py --upgrade

If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.

Houston? Are you There?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!