TheHive 3.2.0-RC1: The MISP Love Edition

Guess what? Our integration with MISP, the de facto standard for threat sharing, has just gotten better with our latest beta release: TheHive 3.2.0-RC1.

While you could synchronize TheHive with one or multiple MISP instances in earlier versions and select events using filters like their age, the number of attributes they contain or exclude those which are created by specific organisations or contain one or several black-listed tags, 3.2.0-RC1 adds the ability to whitelist tags, thus limiting the events that would show up in TheHive’s Alerts pane to only those which have been tagged with labels your SOC/CSIRT/CERT needs to act on. This can be very useful for example if your Cyber Threat Intelligence analysts pre-select or create events in MISP and tag for SOC consumption those that need to be acted on.

The Hive - Logo - Schéma - V1_Plan de travail 1.png
TheHive, Cortex, MISP: The Power DFIR & CTI Trio

To use this feature, use the whitelist.tags parameter in the MISP section of TheHive’s application.conf as described in the documentation.

This new version also adds the ability to create dashboards out of responder actions, log responder operations, and offers a confirmation dialog before running a responder to avoid noob over-clicks and errors made by seasoned incident handlers running low on caffeine.

TheHive 3.2.0-RC1 will also show you the description of an observable if any while hovering over one in the Observables tab. You can also see observable tags when previewing an alert in the Alerts pane.

Last but not least, some users reported severe problems when they enabled TLS/SSL directly on TheHive without resorting to a reverse proxy such as NGINX. Blame that on the crappy TLS support in Play framework ;-). So we highly recommend using a reverse proxy for that purpose, and delegate authentication to it if you are relying on X.509 authentication, as TheHive 3.2.0-RC1 allows you to. Please check the Single Sign-On on TheHive with X.509 Certificates guide for further information.

For additional details on this release, please check the full changelog.

Warning Capt’n Robinson!

The RC in 3.2.0-RC1 stands for Release Candidate. Please help us make a great stable release out of it by testing it as thoroughly as possible and reporting back any bugs or issues you encounter so we can address them before the final release. You’ll find this release candidate in the pre-release, beta repositories.

Please check TheHive Installation guide for further details.

You got a problem?

Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Synapse 1.1.0 Released

A few months ago, we released Synapse, our first “meta” alert feeder for TheHive in order to lower the burden of highly repetitive tasks on incident handlers. Thanks to a scalable and modular design, Synapse aims to make incident response easier by automating some of its tedious parts.

The first step towards this challenge was based on the integration of Microsoft Exchange with TheHive in Synapse 1.0.0. This way, user notifications pertaining to suspicious emails can be easily consumed and acted upon in TheHive.

Today, we are releasing version 1.1.0 which goes further by adding support for Microsoft Exchange O365 and the IBM QRadar SIEM.

big-picture

Exchange O365

Theoretically, Exchange O365 was supposed to be functional in Synapse 1.0.0.
However, since we did not have an O365 account we could not fully test that feature. Thankfully with the help of one of our users we managed to solve a bug and finally validate the Exchange O365 integration.

For more details about Exchange and TheHive, have a look here.

IBM QRadar SIEM

Members of TheHive’s Core Team have practical experience with QRadar and we decided to make good use of it to the benefit of our fellow analysts.

With the Community Edition of QRadar in one hand and an instance of TheHive in the other, we managed to create alerts in TheHive out of QRadar offenses. Furthermore, when a case or alert related to a QRadar offense is closed in TheHive, it also closes it in QRadar automatically.

For more details about QRadar and TheHive, have a look here. Alternatively, you may also want to consider Pierre Barlet’s qradar2thehive script.

Send your Ideas our Way

With this 1.1.0 release, the list of integrated products with TheHive goes up to three: Exchange, Exchange O365 and QRadar. However, we don’t really have a plan regarding the next candidate for integration so tweet us at @TheHive_Project and tell us what you want!

 

Cortex 101: Dissecting Observables a Hundred Ways

TheHive Project’s Code Chefs are glad to announce that, thanks to the precious contributions of the user community, Cortex has broken the one hundred analyzer mark.

Cortex-Analyzers version 1.14.0 is out and includes new analyzers, some improvements and some bug fixes.

New Analyzers

New and enhanced analyzers, described below, are:

  • Cisco Investigate by Cisco Umbrella Research @opendns
  • Proofpoint Forensics Lookup by Emmanuel Torquato
  • Proofpoint Threat Insight Forensics Analyzer by Emmanuel Torquato
  • RecordedFuture by jojoob
  • urlscan.io search by ninoseki
  • Google DNS over HTTP by 0xswitch
  • RTF files support in FileInfo by Nils Kuhnert
  • Datascan and Inetnum flavors in Onyphe analyzer by Pierre Baudry and Adrien Barchapt

Again, huge thanks for the awesome work that has been performed by all our contributors!

Investigate

Cisco Umbrella Investigate provides threat intelligence about domains and IP addresses accross the Internet. The analyzer can be used to query the Cisco Umbrella (formerly OpenDNS) API and get information about an IP or a domain name. An API key is required to use this analyzer.

Results are displayed in TheHive in the following manner:

sc-investigate-short

sc-investigate-long
Cisco Investigate: short and long reports

Proofpoint Forensics Lookup

According to Proofpoint’s website, the Forensics API allows insight in detailed forensic evidences about individual threats or compaigns. The analyzer can be used to check observables against given indicators of compromise stored in the ProofPoint service.

Unfortunately, there are currently no sample report screenshots available, because TheHive’s Core Team does not have access to Proofpoint services. Also, due to the same reason, this analyzer could not be tested by us. If you have access to the service and can test the analyzer and/or provide report screenshots, please let us know.

RecordedFuture

This analyzer lets you get the latest risk data from RecordedFuture for a hash, domain or an IP address. It can be used to query the API and get information. An API key is required to use this analyzer.

Results are displayed in TheHive in the following manner:

sc-recordedfuture-short

sc-recordedfuture-long
RecordedFuture: short and long reports

Urlscan.io search

Urlscan.io is a service that scans and analyzes websites. Submitted pages will be browsed like a regular user would do and every activity gets recorded. The analyzer submitted by ninoseki queries urlscan without initiating a scan which would be publicly visible on the website. Accepted datatypes for this analyzer are URL, domain, hash and IP.

The templates which display the results of the analyzer look like the following screenshots:

Screenshot from 2018-10-25 09-55-34

Screenshot from 2018-10-25 09-48-58
Urlscan.io: short and long reports

Google DNS over HTTP

This analyzer provides DNS information for an IP, a domain or a FQDN by making calls to Google DNS-over-HTTP (DoH). No API key is required.

Results are displayed in TheHive in the following manner:sc-googleDNS-short

sc-googleDNS-long
Google DNS: short and long reports

RTF files support in FileInfo

The FileInfo meta analyzer has been improved and now leverages the rtfobj tool provided in the Oletools suite by Decalage.

Results are displayed in TheHive in the following manner:

sc-fileinfo_RTF-short

sc-rtfobj-long
FileInfo with rtfobj: short and long reports

Datascan and Inetnum flavors in Onyphe analyzer

The Onyphe analyzer has been enhanced with two new flavors. Datascan provides information about known open ports on a specific IP, and Inetnum enumerates all known network information about the analyzed IP address.

An API key is required to use the analyzer and can be obtained by creating an account on the Onyphe website.

Results are displayed in TheHive in the following manner:

sc-onyphe-inetnum-short

sc-onyphe_inetnum-long
Onyphe  Inetnum: short and long reports

sc-onyphe_datascan-short

sc-onyphe_datascan-long
Onyphe Datascan: long and short reports

Bug fixes and enhancements

  • #248: Improve error msg when VT Get Report does not have an entry for
  • #323: Fix an issue with HybridAnalysis analyzer filenames handler
  • #329: Enhance PassiveTotal Passive DNS report
  • #348: Fix a typo in URLhaus’s long.html
  • #356 : Force the use of Python3 in MISP analyzer
  • #362: Fix file not found issue and empty result set in CERT.at passive DNS analyzer

Get It While Supply Lasts!

Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.14.0, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, get the latest version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

TheHive 3.1.2 & Cortex 2.1.2 Released

We could not leave for the week-end without issuing a minor release or two so here we go.

TheHive 3.1.2

Starting from TheHive 3.0.1, an administrator has the ability to configure Cortex job polling by defining the time between two polls thanks to the cortex.refreshDelay parameter as well as the number of consecutive failures before giving up (via cortex.MaxRetryOnError). However, these settings prevent the service from starting correctly. TheHive 3.1.2 corrects this issue.

Cortex 2.1.2

When running a job in Cortex with the exact same details, the function findSimilarJob is called. It should return results from any previous jobs, but in the latest versions (2.1.0, 2.1.1) it does not because of a change that went past our QA.

In a similar fashion, the GUI search function was broken. Cortex 2.1.2 fixes both issues.

Excuse my French but I Need Help

Keep calm. We speak French. So if you encounter any difficulty to update TheHive or Cortex, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are always ready to help as does our user community.

TheHive 3.1.0: Fresh out of the Oven

TheHive Project’s Master Cooks are happy to announce the immediate availability of TheHive 3.1.0. This is the first release of your favourite SIRP (Security Incident Response Platform) or, if you fancy new buzzwords, SOAR (Security Orchestration, Automation & Response) that we put out as a release candidate to give sufficient time for our ever growing user community to test it and report any outstanding bug before publishing a stable version.

Indeed, TheHive 3.1.0 brings significant new functionalities that we detailed in previous blog posts. One of the most prominent features of this new major version is the support of responders through Cortex 2.1, also released today as a stable version.

Responders are similar to analyzers but instead of analyzing stuff, they allow you to respond to stuff. Put otherwise, they give you the ability to implement specific actions by a simple click from different elements in TheHive: alerts, cases, tasks, task logs and observables.

For instance, imagine a user in your constituency reporting a suspicious email. Using Synapse or an alternative alert feeder, the email reported by the user will automatically show up as an alert in your alert pane. Before starting working on it as a case, you preview it only to realise it is a scam and it does not warrant your time & effort. Still, you’d like to reply to the user.

In such a case, you could implement a responder that will not only send an email back to the user asking them to ignore such a scam but that can mark the alert as read. Using. A. Simple. Click. C’est beau n’est-ce pas ?

Going through all 71 (yes, 71) issues that have been closed with this release and the 3 RCs we published since July 31, 2018 will be terribly boring but you can read the full changelog while dipping your croissant in your espresso cup.

We’d rather encourage you to install this new version, which is as usual, AI-free, machine learning free, cyberbullshit-free, gluten-free, organic (well as much as free, open source software can be anyway), vegan (if you can eat it), and most importantly made with huge love and care for the SOC, CSIRT & CERT communities and other fellow cybercrime fighters. So go ahead and try it out. It won’t cost you a dime (or a franc if you are a French old timer).

Caum6EmUMAA6vi8

Need Help?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Hold your breath and git pull

Cortex-Analyzer 1.13.0 is out and includes new analyzers, some improvements and few bug fixes :

  • Hunter.io has been contributed by Rémi Allain (@remiallain)
  • DShield lookup contributed by Xavier Martens (@xme)
  • Pulsedive contributed by Nils Kuhnert (@3c7, TheHive Project)
  • FileInfo has been enhanced with Manalyze submodule for PE analysis ; by @lctrcl and Nils Kuhnert (@3c7)
  • Thanks to @silrumpa, the Fortiguard_URLCategory analyzer has been updated and let you configure categories and customize theirs maliciousness level
  • PhishingInitiative analyzer has been flavoured with a scan facility, thanks to Rémi Pointel

Huge thanks for the awesome work that has been performed by all our contributors!

Hunterio_DomainSearch

Hunter.io is a search engine that lets you find emails associated with a given domain name. The analyzer can be used to query the API and get a list of email addresses for a specific domain name. An API key is required to use this analyzer and can be obtained by registering on the website.

Results are displayed in TheHive in the following manner:

sc-hunterio-short

sc-hunterio-long
Hunterio_DomainSearch: short and long report samples

DShield_lookup

The analyzer lets you query the famous SANS Internet Storm Center (ISC) DShield API and look up IP address reputation. No API key is needed to run this analyzer.

Results are displayed in TheHive in the following manner:

sc-dshield-short
sc-dshield-long
DShield_lookup: short and long report templates

Pulsedive_GetIndicator

Pulsedive is a Threat Intelligence platform that allows you to enrich your observables. The analyzer can be used to query  the API and get information about a domain name,  hash, IP or URL. An API key is required to use this analyzer and can be acquired by creating an account on the webiste.

Results are displayed in TheHive in the following manner:

sc-pulsedive-short

sc-pulsedive-long
Pulsedive_GetIndicator: short and long report templates

Manalyze joins FileInfo

Manalyze is a tool developed by Ivan Kwiatkowski (@JusticeRage) that lets you analyze, operate PE (Portable Executable) and collect useful artifacts that help the analyst in determining its maliciousness.

@lctrcl wrote an analyzer that triggers Manalyze on a PE file and gives the analyst a useful report. Nils Kuhnert (@3c7) from TheHive Project then included this analyzer as a submodule into our FileInfo meta-analyzer for files ; it can run Manalyze from compiled binary, or, if your Cortex server is ready for that, through the right docker. If you decide to use the compiled binary, please follow instruction from Manalyze github page.

This submodule is disabled by default. To use it, you have to set some configuration in Cortex:

sc-fileinfo-config
FileInfo: configuration for Manalyze in Cortex

Results are displayed in TheHive in the following manner:

sc-fileinfo-short3

sc-fileinfo-long3
Manalyze submodule: short and long report templates

Fortiguard_URLCategory

This analyzer has been enhanced to let analysts choose categories considered as malicious or suspicious. It comes with a default configuration but you can setup your own by selecting the categories from the Fortiguard website.

sc-fortiguard-config
Fortiguard_URLCategory: default configuration for categories  in Cortex

Select which categories you want to be considered malicious or suspicious, and others will be considered by the analyzer as info. Analyzed observables that are not categorised by Fortigard service is considered as safe.

PhishingInitiative_Scan

PhishingInitiative has been enhanced with a new scan flavor. This let the analyst submit an URL to the webservice. An API key is needed to run this analyzer and can be obtained by registering on the website.

Results are displayed in TheHive in the following manner:

sc-phishinginitiative-short

sc-phishinginitiative-long
PhishingInitiative_Scan: short and long report samples

Bug fixes

  • #335 : fix a bug in MISP analyzer
  • #340 : fix short report template in C1fApp
  • #339 : fix short and mini reports for Domaintools Whois history flavor

Get It While Supply Lasts!

Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.13.0, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers//requirements.txt; do sudo -H pip2 install -r $I; done && \
for I in analyzers/
/requirements.txt; do sudo -H pip3 install -r $I || true; done

Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, get the latest version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Correction: September 25, 2018
The link to the report templates was incorrect.

TheHive 3.1.0-RC2 is Out!

After a nice summer break which allowed us to rest and enjoy Real Life™ (mostly) away from keyboards, screens and constant distractions and interruptions, we set to take into account the bug reports and feedback on TheHive 3.1.0-RC1 which we released a day or so before packing up for the mountains and elsewhere.

We are pleased to announce the immediate availability of Release Candidate 2 for TheHive 3.1.0. It contains numerous bug fixes and enhancements. You can read the full change log if you have nothing better to do with your life.

Among the changes we introduce in this new RC, we would like to highlight the following:

  • #652: the ability to set custom fields as mandatory.
  • #685: the quick case search box on the top navigation bar has been restored as it is highly useful for quick lookups without having to resort to the revamped search page.
  • #667: use alternative authentication methods when certificate authentification is enabled and the client does not present a certificate.

We would also like to thank Marc-André Doll for contributing a nice UX enhancement and GitHub user secdecompiled for adding the ability to view alerts and cases with large descriptions in an easy way.

We encourage you to take TheHive 3.1.0-RC2 for a spin as quickly as you can and report any bug or issue so we can address them for the final release, scheduled in a couple of weeks. Cortex 2.1.0 is still at RC1 and we should be able to make a stable release at the same date as TheHive 3.1.0.

Important Note

We would like to remind you that starting from these versions, we have two release channels: a stable one that should be used for production systems and a pre-release channel that should be used to try the release candidates such as TheHive 3.1-RC2 and Cortex 2.1-RC1, and help us iron out bugs before adding them to the stable channel. Those who love living on the bleeding edge may be tempted by running the release candidates on their production environment given all the candy and icing we added. They are at liberty of doing so but we don’t want to hear anyone one whining about an RC that broke everything and beyond.

We also moved our package and binary repositories to https://bintray.com/thehive-project and Docker images are now under thehiveproject.

Please check TheHive Installation and Cortex Installation guides for further details.

Running into Troubles?

Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.