It’s a sunny week in Paris, France (not Texas) barring the tropical rain that washed out the city earlier this morning. And when there’s sun in France, there’s happiness and… coding of course (what else?). The French Chefs of TheHive Project seem to be in a good mood (n’est-ce pas Jérôme ?), thanks to the vitamin D extra charge they got for free from the big star up above.
TheHive Project French chefs are very excited to announce the immediate availability of Mellifera, TheHive 2.11.0, the greatest and latest iteration of our flagship product.
We are thrilled to share this major version with the incident response community, for free as usual. Yes, you read that sentence right. You don’t have to cough up a single € or BTC for a platform that is as good as some commercial alternatives, unless your boss is hassling you about paying big bucks to get so-called professional support. If that’s the case, try us and you might prove them wrong.
Going through all the features and fixes of this significant overhaul will take forever (well, almost) so let us highlight a few that we feel worthy of your attention and time.
The Alerting Framework
If you need one reason to upgrade from Buckfast to Mellifera or to ditch your existing, clunky incident handling platform and use ours, then that should be its brand-new and powerful alerting framework.
With Buckfast (TheHive 2.10.x) and earlier versions, you can configure multiple MISP instances. TheHive will then poll those instances at regular intervals and display new or updated events in a specific area where analysts can preview them, import them as cases using configurable templates or ignore them altogether (and if they do so by mistake, there’s no way to go back). And if you needed to raise alerts from a SIEM, email reports or other sources of noteworthy security events, you had to rely on TheHive4py API client and create a case without having a chance to preview the events in TheHive prior to the case creation.
Mellifera does not have these limitations. It features an all new, fancy and efficient alerting framework which can be displayed using the Alerts button in the Web interface. This button was previously called MISP.
Within the Alerts area, you can preview not only new or updated MISP events but also any event that you have pushed through TheHive4py. The client has been modified to be compatible with Mellifera. If you have an existing TheHive4py package, please upgrade to the new 1.2.0 version using PIP.
Using TheHive4py 1.2.0, you can send your SIEM alerts, user email reports and security events from various sources to Mellifera and your analysts will be able to preview and import them or simply ignore them. If they have ignored some events by mistake, they can use the quick actions on the top of the panel to retrieve them. Please note that you have to create programs that will bridge your event sources with Mellifera through TheHive4py.
All New Skin
Mellifera has an all new skin with many refinements spread all over the interface. For example, you can now easily reorder the tasks within a case template. You can also sort task logs according to their creation date (oldest first, newest first). The flow (a.k.a live stream) is also collapsible. Moreover, when you create a case, Mellifera will suggest existing tags.
Is MISP or Cortex There?
If you have configured Mellifera to interact with at least one MISP or Cortex instance, the Web interface will show their respective logos at the bottom of the page. Please note that you can now connect to MISP and Cortex even if you are behind a proxy which requires authentication.
New Installation Packages
Starting from this release, we no longer produce all-in-one binary packages and dockers containing TheHive and Cortex. Instead you can use dockers, binaries and RPM as well as DEB packages. Wink wink.
One More Thing
Mellifera has an all new logo and the project website has been completely redesigned. Now you can see who’s behind the project thanks to Alexandre Gohier, a close friend who also happens to be a professional photographer.
Download & Try
If you have an existing TheHive installation, please follow the new migration guide.
The French chefs at TheHive Project’s code kitchen have released version 1.1.1 of TheHive4py. The API client for our Security Incident Response Platform has been updated to comply with Buckfast 2 (TheHive 2.10.2).
In April 20, 2017, Buckfast 2 was released to plug a number of vulnerabilities identified by our friends at Randorisec. Among other changes, Buckfast 2 implements a protection against CSRF attacks. As a result, API calls made by TheHive4py have been modified in order to support that protection. In essence, TheHive4py 1.1.1 submits authentication credentials for each call instead of a per-session authentication.
While we released TheHive as a free, open source product in November 2016, it must not be chalked off quickly as a young, immature solution.
v1.0.0 was put into production in our environment in October 2014. Yes, October 2014. And we’ve been using it every day and refining it since then. Once we deemed it good enough, we decided to share it with the community under an AGPL license to help incident responders in their mission.
Make no mistake. TheHive is a field-tested, mature Security Incident Response Platform (SIRP) built by people who are passionate about Digital Forensics and Incident Response.
A few months after the first public release (v 2.9.0), we adopted bee-related codenames for new major versions and published Buckfast (v 2.10.0).Cortex, the analysis engine that allowed TheHive to analyze and assess observables at scale was shipped as a separate product. Buckfast can interface with one or several Cortex instances depending on your performance and OPSEC needs. For example, you may want to install a separate Cortex on your investigation, air-gapped network to interact with your sandbox as you don’t want to be firing those malicious samples on your corporate network.
Buckfast can also create cases out of MISP events. You can configure it to import them from a single or many MISP instances. And to prepare for the next major version, Mellifera, due in early May 2017, we have released TheHive4py, a Python API client for TheHive.
TheHive4py will be improved to fully support Mellifera’s alerting framework. To put it simply, Mellifera will not only let you preview MISP events and import them but also receive SIEM alerts, email incident reports and different other types of alerts depending on your environment thanks to TheHive4py. And if an analyst discards an alert by mistake in Mellifera’s notification area, they can go back to a ‘trash bin’ and fix their error. Mellifera will also allow you to export cases as MISP events to share IOCs with other teams.
Now lets’ get back to TheHive’s perfect companion: Cortex. As of this writing, Cortex features 13 analyzers. These analyzers can perform one type of analysis (such as Abuse Finder) or several (such as DomainTools which can do 6). In the very near future, we plan to add at least 10 more analyzers which are shown in the boxes with dotted borders in the picture above. All upcoming analyzers are contributed by our user community whom we wholeheartedly thank. One of the analyzers will allow you to check observables from TheHive against a MISP instance to search for events that may contain them.
We have also begun work on a Python API client for Cortex dubbed… Cortex4py (how creative wink wink). This will allow people who are not using TheHive to summon the power of Cortex from their SIRP, scripts or any other DFIR tool that can import or interact with Python code.
So in the few months since our project was born to the Internet, we have released a solid collaborative SIRP, a simple yet powerful analysis engine to analyze observables and aid teams in their investigations as well as a Python API client for our SIRP. We also have rather ambitious plans to make them even much more useful.
Oh and one more thing! We have released another piece of software around the same time as the first version of TheHive and on which we haven’t said much so far: Hippocampe. Hippocampe can regularly download feeds and exposes a REST API to let you query them from Cortex (or from other tools). You submit an observable and it’ll tell you if it appears in one or several feeds along with a score. The score takes into account the trust you put in the feed sources (which can be adjusted over time) and the number of sources which contain the observable. We’ll cover Hippocampe in more details in an upcoming post.
Before you run away from us
Before you’re lost between the notes
The beat goes round and round Jigsaw is falling into place
So there is nothing to explain