Cerana 0.9 and Cortex 2.0.4 are Out!

We are proud to announce the immediate availability of Cerana 0.9 (TheHive 3.0.9) and Cortex 2.0.4. These hotfix releases address a number of issues and we encourage you to update your current installation at your earliest opportunity. For your comfort and sanity. Seriously.

We also took this opportunity to update Cortex analyzers to fix issues with CIRCL Passive SSL, Hybrid Analysis, and the Joe Sandbox URL Analysis template. Moreover, we have updated the cortexutils library to set the taxonomy level to info if it is invalid. To upgrade cortexutils​ to 1.2.4:

sudo pip install -U cortexutils && sudo pip3 install -U cortexutils

To update your Cortex analyzers:

cd /path/to/Cortex-analyzers && git pull

Note: the Bluecoat analyzer was removed since it does not comply with the updated Terms of Service of Symantec Web Pulse SiteReview. Symantec does no longer permit programmatic querying of the service.

Fixes in Cerana 0.9

  • #527: display long reports when the analyst clicks on the corresponding short reports. Meh!
  • #541: make the drop-down menu for case templates scroll when there is a truckload of them.
  • #452: prevent WSAPI failure.
  • #531: fix naming inconsistencies in the Live Stream.
  • #530: correct an error when trying to analyze a filename using the Hybrid Analysis analyzer.
  • #543: generate an error if unable to contact Cortex.
  • #518: merge observable sightings when merging cases.
  • #535: fix the tag color of the PhishTank analyzer which was transparent under certain conditions.

Fixes in Cortex 2.0.4

  • #89: let a read,analyze user change or display their API key.
  • #91: sort analyzers by name.
  • #92: redirect users to the index page when they click on the Cortex logo.
  • #93: under the Organization > Configurations page, the UI displays wrong green checkmarks for empty configurations.
  • #94: orgadmin users are not able to update their organization’s users after the users are created. The UI doesn’t display any error message.
  • #95: avoid ‘lax programming’, Nabil style😜, and strictly filter the list of analyzers in the Run dialog.
  • #90: fix Python dependency errors in docker.

Support

Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

CorrectionApril 14, 2018
An earlier version of this post did not mention that the Bluecoat analyzer was removed in the latest Cortex Analyzers repository release.

Cortex 2.0.3 Released and Analyzer Updates

There’s a new version of your ultimate observable analysis engine in town : Cortex 2.0.3 is out!

Cortex 2.0.3 contains a few important enhancements over its predecessor and fixes a number bugs as described in the full changelog summarised below. So get it while it’s still hot out of the digital oven and let us know how tasty it is.

analyzeallthethings
Source : Quickmeme.com

Implemented Enhancements

  • #81: reflect proxy changes in the global configuration at the analyzer level
  • #82: display invalid analyzers and let orgadmins delete them
  • #85: allow orgadmins to override the default global report cache.job period per analyzer through the Web UI
  • #86: allow a job to run with arbitrary parameters

Fixed Bugs

  • #75: a version upgrade of an analyzer makes all analyzers invisible in TheHive
  • #80: fix the analyzer configuration dialog to allow orgadmins to override the auto artifact extraction at the analyzer level
  • #83: hit Nabil on the head pretty hard until the analyzer refresh UI button works (well now it does so you can stop hitting poor Nabil’s head).

Analyzer Updates

We took the opportunity of a new release to make a few updates to the public analyzers. Cortex-Analyzers 1.9.3 contains the following changes:

  • Remove the Bluecoat analyzer to comply with the new ‘no scrapping’ ToS imposed by Symantec
  • Fix the default configuration of the Cymon Check IP analyzer
  • Fix the View all VT long template
  • Make the MISP Warning Lists Analyzer ignore case sensitivity when searching for hashes
  • Restrict the Abuse Finder and FileInfo analyzer dependencies to Python 2.7

You can read the full changelog if you like but if you want to enjoy the goods right away, git pull is your friend.

Support

Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

Cortex 2, TheHive and a Whole Slew of Updates

After announcing Cortex 2.0.0 and TheHive 3.0.7, the first version of your favorite SIRP that is (supposedly) compatible with the brand-new version of Cortex, last week, we thought it was time to relax and enjoy the upcoming, long Easter weekend, the sunny sky of Paris (if you can pierce the veil of the Forever Grey Cloud™ that is hanging over the city of lights), and great jazz music. Heck, I even tweeted about it … only to be proven wrong by Life (and Murphy).

We literally field tested Cortex 2 for 3 weeks, we squashed bugs here and there, until almost the very last minute before the release. And yet, our QA needs to be improved by leaps and bounds as we had to release Cortex 2.0.1 one day after unveiling 2.0.0 to correct some additional bugs. And then some members of the core team and of our growing user community took it for a spin. And all hell broke lose. Well, almost 🙂

good_code
Source: XKCD

Session collisions (when TheHive and Cortex 2 are used on the same machine), analyzer malfunctions, connectivity problems … issues that were not identified during the testing phase, even in a production environment, where everything worked as expected. And we call this ‘Computer Science’. Right, right…

So we worked hard, took out our Code Hammer (it’s like Thor’s but cyber) and blasted away all the bugs that we found out or that were reported to us (arigato gozaimasu!) and we are happy to announce the immediate availability of Cortex 2.0.2, TheHive 3.0.8, Cortexutils 1.2.3 and Cortex-Analyzers 1.9.2.

TL;DR Install or upgrade Cortex 2.0.2, update Cortexutils, git pull the Cortex-analyzers repo to get the latest version of the repository, upgrade to TheHive 3.0.8, follow the Quick Start Guide and have a drink.

If you have time (which is admittedly quite scarce nowadays), please read on the changelogs:

What’s Next?

As stated in the previous post, we will release a new version of Cortex4py in order to make it compatible with Cortex 2, continue the work we started with our MISP Project friends to support MISP attribute enrichment through Cortex 2 (MISP currently only supports enrichment using Cortex 1), and perform a long-overdue overhaul of our documentation. We will also release a brand new version of TheHive4py.

Last but not least, we’ll take a hard look at ourselves and our QA. You expect us from us high quality and we hold ourselves to high standards. And we will deliver.

Support

Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cerana 0.4: Hotfix & Way Beyond

Update: Cerana 0.5 (TheHive 3.0.5) was released on Feb 8, 2018 to fix a regression introduced by Cerana 0.4, pertaining to the observable mini-reports. Please install 3.0.5 instead.

Waiting for the menu, one of the numerous guests of TheHive Project’s world-renowned code restaurant grows impatient. He stands up and walks toward the kitchen, looking for a waiter to chastise. It’s certainly a free meal and, looking at the reviews on CodeAdvisor, a delicious one. But guests shouldn’t wait more than two minutes to get a copy of the menu, right?

As he approaches the door leading to the kitchen, it slams open and an all-smiling, all-French-looking man dressed in a bee costume comes out carrying hot plates. Peering at their content, the once angry guest cheers up as he stares down at Cerana 0.4 or TheHive 3.0.4 if you prefer. If the looks and smells of the dish match its taste, this will be a terrific meal.

As he sees how Cerana 0.4 prompted a change of heart of the guest, the waiter coming out of the kitchen where TheHive Chefs were busy creating this new recipe goes on describing its content.

Mon bon Monsieur‘, he starts in near-perfect Parisian-English accent, ‘this is the plat du jour, or the dish of the day if you prefer. Even though the mighty Chefs insist on calling it a hotfix, not only it fixes eleven bugs in previous versions but it adds four new features and two enhancements. Would you like me to describe them?’

dt010205.gif
Source : dilbert.com © Scott Adams

The guest, feeling hungry, his mouth watery, but feeling bad about what he was about to say to the waiter just a few seconds ago nods. So the waiter goes on and describe how the latest release of TheHive will serve his hunger for efficient though free security incident response platforms even better.

Fixed Bugs

Enhancements

New Features

At this point, the guest cannot control his lust so he snatches one of the plates out the waiter’s hands, runs back to his table and start installing Cerana 0.4 to unleash its power and use it to fight cybercrime. Bon appétit !

Feeling Generous? Donate!

As you know, we are a FOSS project and donations are always welcome to make our products even better for the community.

All donations go to Creative Source, the non-profit organization we have created, and we will use them to improve TheHive, Cortex & Hippocampe but also to develop (even better) integrations with other FOSS solutions such as MISP.

So if you are feeling generous, please contact us at support@thehive-project.org.

Creative Source can also provide so-called professional, entreprise-grade support, help integrating the products, train your analysts before they drain or assist you in specific areas such as developing in-house analyzers for Cortex.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

CorrectionFeb 6, 2018
An earlier version of this post contained an incomplete sentence.

Cortex Hits the 30 Analyzers Mark

Cortex has now 30 analyzers thanks to Daniil Yugoslavskiy, Davide Arcuri and Andrea Garavaglia (from LDO-CERT) as well as our longtime friend Sébastien Larinier. Their contributions, all under an AGPLv3 license, add handy ways to assess observables and obtain invaluable insight to an already solid Threat Intelligence and DFIR toolset.

In addition to these 3 new analyzers, v 1.7.0 of the Cortex-Analyzers repository also fixes a number of bugs and add a few improvements to existing analyzers as well.

To get the new release, go to your existing Cortex-Analyzers folder and run git pull.

HybridAnalysis

The HybridAnalysis analyzer has been contributed by Daniil Yugoslavskiy. It fetches Hybrid Analysis reports associated with hashes and filenames. This analyzer comes in only one flavor called HybridAnalysis_GetReport.

Requirements

You need to have or create a free Hybrid Analysis account.  Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair. Provide the API key as a value for the key parameter and the secret as a value to the secret parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

HybridAnalysis {
  secret = "mysecret"
  key = "myAPIKEY"
}

When run from TheHive, the analyzer produces short and long reports such as the following:

sc-short-hybridanalysis_1_0.png

TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples
TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples

EmergingThreats

The EmergingThreats analyzer has been submitted by Davide Arcuri and Andrea Garavaglia  from LDO-CERT. It leverages Proofpoint’s Emerging Threats Intelligence service to assess the reputation of various observables and obtain additional and valuable information on malware.

The service comes in three flavors:

  • EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
  • EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
  • EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

Requirements

You need a valid Proofpoint ET Intelligence subscription.  Retrieve the API key associated with your account and provide it as a value to the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

 EmergingThreats {
   key="MYETINTELKEYGOESHERE"
 }

When run from TheHive, it produces short and long reports such as the following:

sc-short-ET_1_0.png

sc-long-ET-1_1_0.png

sc-long-ET-2_1_0.png

sc-long-ET-3_1_0.png

sc-long-ET-4_1_0.png

sc-long-ET-5_1_0.png
TheHive: EmergingThreats 1.0 Analyzer – Short and Long Report Samples

Shodan

The Shodan analyzer is the first submission by Sébastien Larinier. It lets you retrieve key Shodan information on domains and IP addresses.

This analyzer comes in two flavors:

  • Shodan_Host: get Shodan information on a host.
  • Shodan_Search: get Shodan information on a domain.

Requirements

You need to create a Shodan account and retrieve the associated API Key. For
best results, it is advised to get a Membership level account, otherwise a free one can be used.

Supply the API key as the value for the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

Shodan {
  key= "myawesomeapikey"
}

When run from TheHive, it produces short and long reports such as the following:

sc-short-shodan_1_0.png

sc-long-shodan_1_0.png
TheHive: Shodan 1.0 Analyzer – Short and Long Report Samples

Miscellaneous Fixes and Improvements

  • #100 : support both Cuckoo versions – by Garavaglia Andrea
  • #113 : Cuckoo Analyzer requires final slash – by Garavaglia Andrea
  • #93 : VirusTotal URL Scan Bug
  • #101 : Missing olefile in MsgParser requirements
  • #126 : PhishTank analyzer doesn’t work – by Ilya Glotov

Update TheHive Report Templates

If you are using TheHive, get the last version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Mellifera 13.2: Stats, Security & More

The release of Mellifera 13 (TheHive 2.13.0) marked our move away from Elasticsearch v 2.x to 5.x. While we tried to test this major version as thoroughly as possible, some users were bitten by an ugly bug that made the metrics chart in the Statistics view basically useless.

This bug occurs only if you have freshly installed TheHive 2.13.0 or 2.13.1. If you migrated from a previous version, you would have no issue.

The problem was quickly identified. However, to correct it in Mellifera 13.2 (TheHive 2.13.2), a minor version released today, we had to force a database migration.

At the first connection to TheHive 2.13.2, a migration of the database will be asked. This will create a new ElasticSearch index (the_hive_11). See the Updating guide. TheHive 2.13.2 also fixes the following issues:

  • #331: fix an error when trying to merge cases containing custom fields
  • #347: non-IOC observables counted as IOC, and IOC word displayed twice in the stats view under the Observables tab
  • #356: update the Play framework to 2.6.6 to correct a security issue with the previous version

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Mellifera 13.1 Released

Following the release of Mellifera 13 last week, some users reported problems getting the platform working correctly. They couldn’t browse a case’s tasks. TheHive Chefs reproduced the bug and corrected swiftly in Mellifera 13.1 (TheHive 2.13.1), which is now available. Please note that the identified bug happens only when you haven’t upgraded TheHive from an earlier version.

Is ES 2.x still supported?

Mellifera 13 introduced the support of Elasticsearch 5.x and has been thoroughly tested with version 5.5 (5.6 should be probably work just fine). Given the numerous changes between ES 2.x and ES 5.x, we do not support both versions. Hence, and starting from Mellifera 13, only ES 5.x is supported.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guideThis is paramount to ensure a good transition from earlier versions. You have been warned.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.