Rejoice folks! You can now play with TheHive & Cortex thanks to the test VM we created. It includes Mellifera 12, the latest major version of TheHive, Cortex 1.1.3, the latest Cortex analyzers with all dependencies and ElasticSearch installed on top of Ubuntu 16.04 with Oracle JRE 8.
The test VM is intended to be used… well… for testing or training purposes. We strongly encourage you to refrain from using it for production.
Get It
You can download the VM from the following location:
click on Import templates button and select the downloaded package
Plug it with MISP
The test VM does not contain a MISP instance and none is configured in TheHive’s configuration file. To play with MISP, you may want to use the VM our good friends at CIRCL provide. Once you’ve downloaded it or if you have an existing instance, edit /etc/thehive/application.conf and follow the configuration guide.
Restart or Go Mad
After each modification of /etc/thehive/application.conf do not forget to restart the service:
$ sudo service thehive restart
Troubles?
TheHive service logs are located in /var/log/thehive/application.log.
Configure Cortex
All available analyzers are installed with their dependencies, but none is configured. To configure analyzers, edit /etc/cortex/application.conf and follow the configuration guide.
Restart or Go Mad
After each modification of /etc/cortex/application.conf do not forget to restart the service:
$ sudo service cortex restart
Troubles?
Cortex service logs are located in /var/log/cortex/application.log.
Need Help?
Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
Correction: July 8, 2017
An earlier version of this post offered to download the VM from Dropbox but they suspended the associated link due to seemingly heavy traffic. The post was updated to replace the Dropbox link with a Google Drive one.
Ahead of the imminent release of Mellifera 12 (TheHive 2.12.0), a new, major (as in MAJOR) version of your (soon to be?) favorite Security Incident Response Platform, we’ve made rather significant changes to Cortex analyzers and released a new version of the CortexUtils Python library.
Adjust the Cortex configuration for the new MISP 2.0 analyzer and for Hippocampe as shown below if you are using these analyzers then import the corresponding report templates into TheHive:
click on Import templates button and select the downloaded package
CortexUtils 1.2.0
CortexUtils has been updated to include a new function called build_taxonomy() which is required for analyzers relying on the Python library we released to make their development development easier.
Mini-Reports in The Observable Tabs
Starting from Mellifera 12 (TheHive 2.12.0), mini-reports will be displayed in the observable tab in each case as soon as an analysis has been completed. Now analyzers compute their short/mini reports and put them in the summary section of their JSON output, ready for consumption. TheHive 2.12.0 and up will no longer create them on-the-fly.
Taxonomy
The mini-reports of all the analyzers have been updated to comply with a taxonomy that is similar to the one we were already using for VirusTotal: VT:Score="14/56”. A “maliciousness” level was already included in TheHive’s analyzer templates and we used a specific color to display each level. This level is now produced directly by the analyzers:
info / blue: the analyzer produced an information, and the short report is shown in blue color in TheHive.
safe / green : the analyzer did not find anything suspicious or the analyzed observable is safe (according to the analyzer). TheHive displays the short report in green color.
suspicious / orange : the analyzer found that the observable is either suspicious or warrants further investigation. The short report is orange colored in TheHive.
malicious / red : the analyzer found that the observable is malicious. The short report is displayed by TheHive in red color as show below:
The short report is built with the summary() function of an analyzer. The build_taxonomy() of cortexutils mentioned earlier should help building it.
MISP 2.0
The MISP analyzer has been updated to version 2.0 and includes new functionality submitted by our long-term contributor Nils Kuhnert from CERT-Bund (thanks a heap!). Unlike the previous version, v 2.0 will let you search for an observable in multiple MISP servers at the same time.
The analyzer accepts a truckload of datatypes as input. To make it work, install the pymispPython library. It should already have been installed if you are just updating your current analyzers. You will also have to change Cortex configuration file (application.conf) for this new version:
Important note: You have to adjust your existing configuration to match the one shown above. The certpath variable can be left blank if you are not using a self-signed certificate.
When called from TheHive, the following output is produced:
TheHive: MISP 2.0 Analyzer – Short and Long Report Samples
The short report will show the number of unique events found in all MISP servers while the long report will show information of each matching event in each MISP server.
CERTatPassiveDNS
The CERTatPassiveDNS analyzer is a new submission by Nils (thanks again). It lets you check the CERT.at PassiveDNS service for a given domain or hostname. It takes domains and FQDN as input.
Access to the CERT.at service is allowed to trusted partners only. If you think you qualify, please contact CERT.at. You do not need to add specific information into the Cortex configuration file to benefit from this analyzer as it calls the whois system command to perform the pDNS requests.
When called from TheHive, the following output is produced:
TheHive: CERTatPassiveDNS Analyzer – Short and Long Report Samples
Miscellaneous
The latest version of the Cortex-analyzers repository also include the following bug fixes and improvements:
#61: fix typos in two requirements.txt files – by Michael Salsone
#65: update the Joe Sandbox analyzer’s long report to support version 19.0.0
#67: fixed mistake in the FireHol analyzer – by Nils Kuhnert
#69: use http://server:port for Hippocampe instead of http://server:port/hippocampe/api/v1.0/
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
Correction: July 6, 2017
An earlier version of this post mispelled Nils Kuhnert’s last name.
TheHive, Cortex and MISP work nicely together and if you’ve read our June-Dec 17 roadmap post, the integration of our products with the de facto threat sharing platform will get better in a few months.
During the FIRST conference presentation we gave last week, we displayed a picture that we will use here to try to explain how these three open source and free products integrate with one another.
A Picture is Worth a Thousand Words…
TheHive
TheHive is a Security Incident Response Platform (SIRP). It can receive alerts from different sources (SIEM, IDS, email. etc.) via its REST API. This is where alert feeders come into play.
Alert Feeders
Think of an alert feeder as a specialized program which consumes a security event (SIEM alert, email report, IDS alert, and so on), parses it and outputs an alert that its sends to TheHive through TheHive4py, the Python library we provide to interact with TheHive’s REST API.
We do not supply such feeders but developing them should be straightforward. If not, let us know and we’ll do our best to help you out.
Alerts
Any alert sent to TheHive will show up in its Alerts pane. In addition to the sources mentioned above, new or updated MISP events will show up as well in that area if you configured TheHive to connect to one or several MISP instances. If so, TheHive will poll those MISP instance(s) at every interval looking for new or updated events. If there are any, TheHive will generate an alert which will end up in the Alerts pane.
The Alerts Pane
Alerts can be ignored, mark as read, previewed and imported. When an alert is imported, it becomes a case that needs to be investigated.
Cases
The Workflow that is at the Heart of TheHive
A case can be generated from an alert or created from scratch. It is subdivided into tasks (think identification, containment, eradication, check proxy logs, and so on) and observables (IP addresses, hashes, email addresses, domain names, URLs…). When analysts are working on tasks, they add logs as they go. In TheHive’s terminology, logs are text entries which may contain attachments to help analysts record what they have been doing. Logs can be written using Markdown or a rich-text editor.
Case Templates
You don’t need to add the same tasks over and over when working on cases belonging to a given category (DDoS, Malspam, APT, …). You can create custom templates to which you add tasks as shown below. This is very useful when you are dealing with alerts so that when you import them, you can select which case template you’d like to apply and there you go!
A Sample Case Template
Observables
Observables can be tagged, flagged as IOCs, and analyzed. When the investigation is well in progress or completed, you may want to share the resulting IOCs or a subset of those with partners and peers. TheHive will support the ability to export that data to MISP in September 2017. Until then, you can still export your IOCs as text, CSV or as a MISP-compatible format that you can use to add them to your MISP instance using the freetext editor. TheHive can export IOCs/observables in protected (hxxps://www[.]somewhere[.]com/) or unprotected mode.
Every observable must have a TLP (Traffic Light Protocol) level. By default, any added observable is considered TLP:AMBER. Please note that the TLP is taken into account by some analyzers. Wait! Analyzers?
Cortex
Cortex is our standalone analysis engine and a perfect companion for TheHive and MISP. Analysts can use it to analyze observables using its Web UI, in which case they can be submitted only one at a time. The Web UI should really be limited to quick assessments of observables before creating a case in TheHive (or in an alternate SIRP). The power of Cortex really comes into play when you use its REST API. TheHive speaks natively to Cortex (as MISP does). Moreover, TheHive can leverage one or several Cortex servers.
Observable Page and List of Analyzers
Analyzers
As of this writing, Cortex has 23 analyzers which come in a total of 39 flavors and more will be available soon.
An analyzer can be written in any programming language supported by Linux though all of our current analyzers are written in Python. This is because we provide a Python library called Cortexutils which contains a set of utility classes that make it easier to write an analyzer in Python.
Flavors
Analyzers such as VirusTotal, PassiveTotal or DomainTools can provide different analysis services. Let’s take VirusTotal as an example. You can scan a file or URL. That’s one flavor. You can also obtain the latest available report on VirusTotal.com for a file, hash, domain or IP address. That’s a second flavor. So the VirusTotal analyzer has two flavors.
How about PassiveTotal? It has 8 flavors: unique resolutions lookup, SSL certificate history lookup, malware lookup, passive DNS lookup, data enrichment lookup, SSL certificate details lookup, OSINT lookup and WHOIS data lookup.
The MISP Search Analyzer
At this point, we need to mention a special analyzer that may create some confusion if not understood correctly: the MISP Search analyzer. Thanks to it, Cortex has the ability to search observables within a MISP instance as represented by the arrow that goes from the Analyzers to MISP.
Search for MISP Events Containing a Given Observable
When an observable is found in an event, Cortex will return the number of records found (i.e. the number of events where the observable has been found) and a list of links to those events with additional data.
Searching for a Hash Using the MISP Search Analyzer from the Cortex Web UIThe Same Search Conducted from TheHive: Long ReportMini-Report
The current version of the MISP Search analyzer can only search within a single MISP instance but in the near future, it will be able to support multiple ones.
MISP Expansion Modules
Besides its own analyzers (which include MISP Search described above), Cortex can also invoke MISP expansion modules. These are normally used by MISP to enrich attributes within events but Cortex can also take advantage of them to analyze observables.
There is some overlap between the native Cortex analyzers and MISP expansion modules. When choosing between a native analyzer or an expansion module, we highly recommend you select the former. The expansion modules are deactivated in the default Cortex configuration.
Jobs
When you submit an observable for analysis, Cortex will create a job and, if successful, it will generate an analysis report in JSON format. TheHive has the ability to parse those results and present them in a human-friendly fashion thanks to report templates we offer for free. So when you’ll submit an observable to Cortex from TheHive, you’ll get back a short (or mini) report and a long one. The first can be thought of as a really tiny Exec Analyst Summary while the second provides more insight and details.
Calling Cortex from MISP
In addition to the expansion modules we have just mentioned, MISP 2.4.73 and up can enrich attributes using Cortex analyzers. The configuration is pretty straightforward. So if all you are concerned about is threat intelligence and sharing, you may augment your visibility into a given threat represented as a MISP event by leveraging all current 23 Cortex analyzers and any future ones.
Conclusion
TheHive, Cortex and MISP are three open source and free products that can highly aid you combat threats and keep the ‘monsters’ at bay.
TheHive, as a SIRP, allows you to investigate security incident swiftly in a collaborative manner. Several analysts can work simultaneously on tasks & cases . While cases can be created from scratch, TheHive can receive alerts from different sources thanks to alert feeders which consume security events generated by multiple sources and feed them into TheHive using TheHive4py Python library. TheHive can also sync to one or several MISP instances to receive new and updated events which will appear in the alert pane with all the other alerts generated by other sources. Analysts can then preview new alerts to decide whether they need to be acted upon. If so, they can transform them into investigation cases using templates.
To analyze the observables collected in the course of an investigation and/or imported from a MISP event, TheHive can rely on one or several Cortex analysis engines. Cortex is another standalone product that we have developed which sole purpose is to allow you to analyze observables at scale thanks to its large number of analyzers, MISP expansion modules and any analyzer you might have developed on the side. Cortex has a REST API that can be used to empower other security products such as ‘analytics’ software, alternate SIRPs or MISP.
The highly popular threat sharing platform can indeed enrich attributes thanks to Cortex as it has a native integration with it. And in a few months, you will also be able to export cases from TheHive as MISP events that you can share with peers and partners.
If you do share, you do care about our collective mission to defend thedigital assets that are under our watch from harm. So let us fight together as one.
Lo and behold, The Chefs behind TheHive Project have been pretty busy at the code kitchen, continuously improving some of your favorite recipes. After releasing Mellifera 11.3 and Cortex 1.1.3, here comes the turn of Cortexutils, the Python library containing utility classes for Cortex analyzers.
Version 1.1.1 of the library solves an encoding issue, in fact a regression introduced by the previous release. It also corrects a situation where error reports wouldn’t be generated in case the analyzer did not require configuration (we have a handful of such creatures in store).
You can grab the new Cortexutils release through PIP. To update your existing installation, please run the following command:
sudo pip install cortexutils --upgrade
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
Moments ago, we have announced the release of Mellifera 11.3. And since we don’t want to leave you wanting for more update er fun time, you may want to schedule as well a Cortex update shall you need it 😉
Cortex 1.1.3 is now available. This hotfix corrects the deb package to make it compatible with Ubuntu 16.04 without having to fiddle with OpenJDK. As we did with TheHive, we have repackaged the software to avoid grabbing OpenJDK 9 (which Cortex does not support) and force the installation of version 8. This version also corrects a cryptic error that might be thrown out by Cortex as a result of an improper interpretation of an analyzer failure.
Download & Get Down to Work
To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.
Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
We are glad to announce a new version of your favorite observable analysis engine which corrects bugs introduced by version 1.1.1 and adds a few enhancements. As a reminder, TheHive, our Security Incident Response Platform, can interact with one or several Cortex instances. Moreover, starting from version 1.1.1, Cortex has a two-way integration with MISP.
We highly advise you to upgrade your Cortex in to instance to 1.1.2.
Cortex 1.1.2 – Job Report Example with CERT-SG’s Abuse Finder
Fixed Issues
#27: fixed the daunting error 500 that many users of TheHive encountered when a job is submitted to Cortex.
#29: the MISP expansion modules are now disabled by default to avoid another error 500.
#31: the web interface was displaying SNAPSHOT (oops!) for the Cortex version. It now displays the correct version.
Enhancements
#28: when you enable the MISP expansion modules, Cortex will not be slowed down and starts without delay.
To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.
Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
We are pleased to announce the availability of 2 new Cortex analyzers and an update to 2 existing ones:
New: VMRay and FireHOL
Updated: Joe Sandbox and Fortiguard URL Category
We would like to thank Nils Kuhnert from CERT-BUND, CERT-BDF and Eric Capuano for their precious contributions.
To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master branch) in your existing /path/to/cortex-analyzers. Then follow the Cortex analyzers guide.
To import the new report templates in your instance of TheHive:
click on Import templates button and select the downloaded package
VMRay
The VMRay analyzer has been submitted by Nils Kunhert from CERT-BUND. It lets you run a file in a local or remote (cloud) VMRay sandbox. The analyzer also lets you check existing analysis reports.
The analyzer accepts files and hashes as input. VMRay is a commercial service and you need an API key to run the analyzer. To make it work, install the requestsPython library. It should already have been installed since it is used by other analyzers as well.
To use the analyzer, add the following section to the Cortex configuration file (application.conf):
VMRay {
url = ""
key = ""
certpath = ""
}
When called from TheHive, the following output is produced:
TheHive: VMRay Analyzer – Short and Long Report Samples
Important note: an analysis on VMRay, like on any other sandbox, can take a long time. That is why the analyzer tries to fetch the report until it is ready.
FireHOL
The FireHOL analyzer has been submitted by Nils Kuhnert from CERT-BUND. It lets you use the lists maintained by FireHOL project and check if an IP resides in one of them. FireHOL is an open source project. The analyzer reports the block lists in which an IP resides with the latest updated ones displayed first. To make it work, you’ll need to download the lists in a directory first (and it would be wise to do it on a regular fashion using a cron entry for example):
The ignoreolderthandays parameter lets you tell the analyzer to ignore matches found in lists that have not been refreshed in <int> days where <int> is an integer.
When called from TheHive, the following output is produced:
TheHive: FireHOL Analyzer – Short and Long Report Samples
Joe Sandbox
Thanks to CERT-BDF, the Joe Sandbox analyzer has been updated to support Joe Sandbox Cloud service beside the on-premises version (Ultimate). Like with other Joe Sandbox services, you need to add the following section to the Cortex configuration file (application.conf):
JoeSandbox {
url = ""
apikey = ""
}
Fortiguard URL Category
Thanks to Eric Capuano, the Fortiguard URL Category analyzer is working again. Eric has modified it to handle the changes made by Fortiguard to their free online API.
Correction: May 23, 2017
An earlier version of this post used ignoredays instead of ignoreolderthandays for the FireHOL Blocklists analyzer. This parameter has also been described.
Thanks to the invaluable contributions of our growing and thriving user community, Cortex has now 6 more analyzers, bringing the total to 21. The new analyzers, released under our usual AGPL v3 license, are:
CIRCLPassiveDNS
CIRCLPassiveSSL
GoogleSafebrowsing
Nessus
Virusshare
Yara
All but one have been submitted by Nils Kuhnert of CERT-Bund. The Nessus analyzer has been contributed by our long-time friend Guillaume Rousse.
Cortexutils 1.1.0
While reviewing the submissions, we realized that a new version of the Cortexutils library was needed in order to support both Python 2 and 3. Hence we released version 1.1.0. You can grab it through PIP. To update your existing installation, please run the following command:
sudo pip install cortexutils --upgrade
Note that Cortexutils 1.1.0 is required to benefit from these analyzers and future ones. If you are performing a fresh Cortex installation, follow the guide.
Installation
To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master branch) in your existing /path/to/cortex-analyzers. Then follow the Cortex analyzers guide.
New Short and Long Report Templates for TheHive
Short and long reports for TheHive were also created to parse and display the results produced by the new analyzers. We also bundled in the new package a URL analysis template for Joe Sandbox which was missing and improved some of the older short templates in order to follow a taxonomy.
To import the new report templates in your instance of TheHive:
click on Import templates button and select the downloaded package
CIRCLPassiveDNS
The CIRCLPassiveDNS analyzer lets you check the CIRCL’s Passive DNS service for a given domain. It takes domains and URLs as input. Access to the service is allowed to trusted partners in Luxembourg and abroad. If you think you qualify, please contact the good CIRCL folks. To make it work, you’ll need the pypdns Python library.
In order to take advantage of CIRCLPassiveDNS, you need to add the following section to the Cortex configuration file (application.conf):
CIRCLPassiveDNS {
user=""
password=""
}
When called from TheHive, the following output is produced:
TheHive: CIRCLPassiveDNS Analyzer – Short and Long Report Samples
CIRCLPassiveSSL
The CIRCLPassiveSSL analyzer lets you check CIRCL’s Passive SSL service for a given IP address or certificate hash. Access to the service is restricted to partners and security researchers worldwide. If you think you qualify, please contact the good CIRCL folks. This analyzer needs the pypssl Python library to work properly.
To use it, please add the following section to the Cortex configuration file (application.conf):
CIRCLPassiveSSL {
user=""
password=""
}
When called from TheHive, the following output is produced:
TheHive: CIRCLPassiveSSL Analyzer – Short and Long Report Samples
To leverage GoogleSafebrowsing, add the following section to Cortex’ configuration file:
GoogleSafebrowsing{
key=""}
When you run the analyzer fromTheHive, you should see output similar to the samples below:
TheHive: GoogleSafebrowsing Analyzer — Short and Long Report Samples
Nessus
The Nessus analyzer lets you leverage Tenable’s Nessus Vulnerability Scanner to scan an IP address or a FQDN. Of course, you must not scan assets that do not belong to you, unless you really know what you are doing. That’s why safeguards were built in the analyzer’s configuration:
The nessrest Python library is needed to make REST API calls to Nessus. Analysts would use the analyzer to assess the vulnerabilities of potentially compromised machines or new, unknown assets that have been plugged into one of their constituency’s networks. Of course, penetration testers conducting large-scale reconnaissance can also benefit from this analyzer.
TheHive: Nessus Analyzer — Short and Long Report Samples
Virusshare
The Virusshare analyzer lets you verify whether a file or hash is available on VirusShare.com. It requires the progressbar2 Python library besides requests (which should be already installed if you have an existing Cortex installation). As stated by Nils:
This analyzer enables searching for md5 hashes in Virusshare.com hash list. It does not download samples for you nor links directly to the sample – the author of virusshare prohibits the automatic download/site scraping and I respect that. It provides a button to start the virusshare search, though, but you need an account for that. You can request an invitation to the platform through contacting the admin via mail, directly.
To use it, add the following section to your Cortex application.conf:
Virusshare {
path="/path/to/download/directory"
}
Quoting Nils again, in order to download the newest available hash lists from virusshare.com, you can run the download_hashes.py script that comes with the analyzer.
Upon running the analyzer from TheHive, the report will contain a link to the corresponding Virusshare page if a match is found as shown below.
TheHive: Virusshare Analyzer — Long Report Sample
Yara
Last but not least, the Yara analyzer can check files against YARA rules using yara-python. To use it, add the following to your Cortex configuration file:
You can specify path to directories and files. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.
TheHive: Yara Analyzer — Short and Long Report Samples
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
We are thrilled to announce that Cortex has two new analyzers: Joe Sandbox and MISP Search. Moreover, we have produced new analyzer report templates for TheHive and improved existing ones.
Joe Sandbox
Cortex: New Joe Sandbox Analyzer
Joe Sandbox, by Joe Security LLC, is a very powerful malware analysis platform that has been around for many years and comes in two flavors: cloud and on-premises. The Joe Sandbox Cortex analyzer has been tested using an on-prem Joe Sandbox Ultimate version and can process URLs and files. The analyzer can process files with or without Internet access.
To use the analyzer, you must provide the API key of your Joe Sandbox instance. You must log in to Joe Sandbox, click on your account name, then on Settings and on the API Key tab.
Cortex: Joe Sandbox Output Example
We have produced a report template for the Joe Sandbox analyzer output resulting from file analysis. The URL analysis report template is not yet available but it should be in a few days.
TheHive: Joe Sandbox Analyzer – Short and Long Report Samples
MISP Search
Cortex: New MISP Search Analyzer
It is no longer necessary to present MISP, the de facto standard of threat sharing. The new MISP Search analyzer will let you search events containing the observable you provide as an input. It applies to a lot of observable types as you can see in the screenshot above.
To use it, you’ll need to supply the API key available in the MISP UI interface.
Cortex: MISP Analyzer Output Sample
Nils Kuhnert created an alternate MISP Search analyzer which has the ability to query multiple MISP instances. We are currently reviewing his submission along with several other analyzers he contributed before improving the newly released MISP Search analyzer.
PassiveTotal Report Templates
While we published the PassiveTotal analyzer weeks ago, TheHive didn’t have report templates for it at the time. We have now new, shiny short and long report templates for most of the services provided by the PT analyzer.
TheHive: PassiveTotal PassiveDNS – Long Report Sample
DomainTools Whois Lookup Report Template
The short report templates of the DomainTools Whois Lookup analyzer has been improved. We now use a taxonomy to provide more context and differentiate between the DomainTools and PassiveTotal Whois results.
VirusTotal Get Report and VirusTotal Scan Report Templates
The short report templates for both services have also been improved to use a taxonomy to provide additional context and distinguish their results from the PassiveTotal Malware service.
Get the new analyzers
To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master branch) in your existing /path/to/cortex-analyzers.
The Joe Sandbox analyzer does not need any additional Python library if you have already installed Cortex and the analyzers following the guide we provide. To use it, edit your Cortex configuration file (/path/to/cortex/application.conf) and add the following lines in the analyzer section:
JoeSandbox {
apikey="..."
url="..."
}
By default, Joe Sandbox will time out the analysis after 30*60 seconds (30 minutes). Additionally, the analyzer will wait for the Joe Sandbox server to respond within 30 seconds. If no response is received within this period, it will time out. If you want to override these values, you’ll need to add the following lines in the analyzer section:
The MISP Search analyzer requires pymisp. Use the following command line to install the required library:
sudo pip install pymisp
Then edit your Cortex configuration file (/path/to/cortex/application.conf) and add the following lines in the analyzer section:
MISP {
api_key="..."
url="..."
}
Please note that you must restart Cortex to take the changes into account. The current version has no persistence so you’ll lose all your existing jobs.
click on Import templates button and select the downloaded package
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help you!
While we released TheHive as a free, open source product in November 2016, it must not be chalked off quickly as a young, immature solution.
v1.0.0 was put into production in our environment in October 2014. Yes, October 2014. And we’ve been using it every day and refining it since then. Once we deemed it good enough, we decided to share it with the community under an AGPL license to help incident responders in their mission.
Make no mistake. TheHive is a field-tested, mature Security Incident Response Platform (SIRP) built by people who are passionate about Digital Forensics and Incident Response.
A few months after the first public release (v 2.9.0), we adopted bee-related codenames for new major versions and published Buckfast (v 2.10.0).Cortex, the analysis engine that allowed TheHive to analyze and assess observables at scale was shipped as a separate product. Buckfast can interface with one or several Cortex instances depending on your performance and OPSEC needs. For example, you may want to install a separate Cortex on your investigation, air-gapped network to interact with your sandbox as you don’t want to be firing those malicious samples on your corporate network.
Buckfast can also create cases out of MISP events. You can configure it to import them from a single or many MISP instances. And to prepare for the next major version, Mellifera, due in early May 2017, we have released TheHive4py, a Python API client for TheHive.
TheHive4py will be improved to fully support Mellifera’s alerting framework. To put it simply, Mellifera will not only let you preview MISP events and import them but also receive SIEM alerts, email incident reports and different other types of alerts depending on your environment thanks to TheHive4py. And if an analyst discards an alert by mistake in Mellifera’s notification area, they can go back to a ‘trash bin’ and fix their error. Mellifera will also allow you to export cases as MISP events to share IOCs with other teams.
Jigsaw Falling Into Place
Now lets’ get back to TheHive’s perfect companion: Cortex. As of this writing, Cortex features 13 analyzers. These analyzers can perform one type of analysis (such as Abuse Finder) or several (such as DomainTools which can do 6). In the very near future, we plan to add at least 10 more analyzers which are shown in the boxes with dotted borders in the picture above. All upcoming analyzers are contributed by our user community whom we wholeheartedly thank. One of the analyzers will allow you to check observables from TheHive against a MISP instance to search for events that may contain them.
We have also begun work on a Python API client for Cortex dubbed… Cortex4py (how creative wink wink). This will allow people who are not using TheHive to summon the power of Cortex from their SIRP, scripts or any other DFIR tool that can import or interact with Python code.
So in the few months since our project was born to the Internet, we have released a solid collaborative SIRP, a simple yet powerful analysis engine to analyze observables and aid teams in their investigations as well as a Python API client for our SIRP. We also have rather ambitious plans to make them even much more useful.
Oh and one more thing! We have released another piece of software around the same time as the first version of TheHive and on which we haven’t said much so far: Hippocampe. Hippocampe can regularly download feeds and exposes a REST API to let you query them from Cortex (or from other tools). You submit an observable and it’ll tell you if it appears in one or several feeds along with a score. The score takes into account the trust you put in the feed sources (which can be adjusted over time) and the number of sources which contain the observable. We’ll cover Hippocampe in more details in an upcoming post.
Before you run away from us
Before you’re lost between the notes
The beat goes round and round Jigsaw is falling into place
So there is nothing to explain
TheHive Project 