If you are running TheHive v3.5.0 and / or Cortex v3.1.0, the underlying database is Elasticsearch v7.x.
Elastic recently released two new versions: v7.11.0 and v7.11.1. After some initial feedback and investigations, we found that the new releases introduce changes that break the compatibility with our products – TheHive 3.5.0 and Cortex 3.1.0.
Therefore, please DO NOT upgrade your current database to Elasticsearch v7.11.x as no rollback is possible. Elasticsearch v7.11.x breaks the installation process as well as the update process.
If you are in the process of installing or updating to Cortex v3.1.0 or TheHive v3.5.0, you need to specify the exact working version of Elasticsearch to use:
For Debian packages: “apt install elasticsearch=7.10.2”
FOR RPM packages: “yum install elasticsearch-7.10.2-1”
We are currently running deeper investigations and are planning to release updated versions as soon as possible for Cortex v3.1.0 and for TheHive 3.5.0.
Today, our public community has strong foundations and keeps growing as we welcome new users and organisations wishing to start their journey with TheHive Project. We can count on an amazing number of trusted and invested users willing to share their knowledge and help newcomers (the current Gitter channel is mostly self-managed). The GitHub issue highlighted several key improvements we could work on to provide a better chat experience to our community:
offering different channels, for different products to handle more targeted questions
implementing new roles like moderators and trusted-users
creating a channel for announcements
creating channels for contributions, automation
creating channels for languages other than English
listening to our member’s requests to improve the community server
We truly wish to enhance the chat experience of all community members, whether they join the conversation to ask a question, share their experience or help others troubleshooting an issue.
Why Discord?
Let us share a story.
TheHive Project’s core team first used Slack as its main private chat and communication tool. Slack is fine but we had some frustrating experience with it (ex: limited search history). We then moved to Keybase which is still our daily internal chat platform. Although we are satisfied with Keybase, we felt the onboarding experience might be a little too intense for some users.
So we decided to have a look at Discord, which was initially designed for gamer, allowing text chat, video, voice calls and screen sharing. Discord has great mobile apps too, in addition to those for web and desktop. And it’s really fast! It’s also getting a strong footprint with open source projects.
Last week, we posted a poll on Twitter about the move, and here are the democratic answers:
Twitter poll about Discord vs. Gitter
This confirmed our impression, so let’s do it.
How to join?
It’s easy peasy, here is the link Join our new Discord based community. It requires a Discord account with a valid email address (which is the lowest requirement). You will be welcomed with a screen that reminds the rules and code of conduct.
Welcome screen
Once registered:
If you wish to introduce yourself, you can share your story with us through the `#introductions` channel.
If you wish to share something you built in top of our products, your can do it in the `share-your-work`
If you need a new channel dedicated to your language, you can just ask for it or reach any core member or moderator
Community rules
What’s next?
We hope the current 1k+ users registered in Gitter will migrate to our new Discord platform. We will keep the light on in the Gitter channel for the time being, but we hope the Discord community will be the new land for all of you.
We are happy to announce the immediate availability of TheHive 3.5.0 and Cortex 3.1.0 that supports Elasticsearch 7. We are also releasing TheHive 3.4.4 to include security upgrades. All of them are including fixes for vulnerabilities reported on Play Framework this month. We encourage you to upgrade.
As promised, despite the release of TheHive 4.0 in July, we are still support version 3. Today we are releasing two versions of TheHive 3, but why ?
If you want to be up-to-date with TheHive and Cortex, you must use Elasticsearch 7 and the new released versions of our products: TheHive 3.5.0 and Cortex 3.1.0.
With that being said, we won’t let down the users who cannot migrate their Elasticsearch immediately to version 7, so we decided to fix an embarrassing bug related to alerts with large amount of observables, Thanks to TheHive 3.4.4.
What’s new in TheHive 3.5.0 and Cortex 3.1.0
In addition to support for Elasticsearch 7.x, following fixes has been added in TheHive 3.5.0:
Fix a bug with the admin page of Analyzers report templates (#1591)
Keep date filters when pivoting from Dashboards to search page (#1581)
UI Configuration option to choose to filter TAG1 AND TAG2 or TAG1 OR TAG2 in Alerts view (#1171)
Fix issue when clicking on Analyzers short reports (#1350)
In addition to support for Elasticsearch 7.x, following fixes has been added in Cortex 3.1.0:
Take into account defaultValue in Neurons flavor file (#309)
Oauth2
Use OAuth2 with TheHive 3.5.0 and Cortex 3.1.0
Both versions have been updated to improve OAuth2 authentication support. They are now working the same way than TheHive 4.0.0, with a quite similar configuration.
We invite you to refer to the documentation for each application to configure it: TheHive and Cortex
Our support on TheHive and Cortex
However, starting from now, we will no longer support TheHive and Cortex version that use Elasticsearch < 7: i.e. TheHive < 3.5.0 and Cortex < 3.1.0. So please make sure to update your instances and rely on up-to-date and supported components.
Be aware that:
Any issue reported in TheHive version 3.4.4 and lower, will be fixed on top of TheHive 3.5;
Any issue reported in Cortex version 3.0.1 and lower, will be fixed on top of Cortex 3.1.0.
This situation made us also add strong changes regarding our repositories for DEB and RPM packages. Read carefully what follows and find your situation to learn how to upgrade.
You are still using or plan to continue with Elasticsearch 6 ?
Upgrade to TheHive 3.4.4
apt update && apt install thehive if you are using debian subsystems;
yum install thehiveif you are using RedHat, Fedora or CentOS.
If you are using docker image you need to specify the version. Get it by running the following command line:
docker pull thehiveproject/thehive:3.4.4-1
This version introduces a bug fix regarding the import of alerts having significant amount of observables.
Keep Cortex 3.0.1
3.0.1 is the last version of Cortex supporting Elasticsearch 6.x. So keep this version until you move to Elasticsearch 7.x.
You are using or plan to move to Elasticsearch 7.x ?
⚠️ DO NOT run an upgrade command on your system until your data has been migrated in Elasticsearch 7.x and Elasticsearch is running.
Upgrading an existing installation ?
Elasticsearch 7.x introduced changes that break our way of representing the data, so some updates need to be applied on the database configuration and on the index first.
We highly recommend reading carefully our dedicated migration guides before starting the upgrade process:
Obviously, we recommend testing this process on a testing environment before running it in production.
Running a fresh installation ?
To publish packages supporting Elasticsearch 7 and avoid anyone break his servers, we decided to create dedicated packages repository. To install TheHive 3.5.0, according to your Operating System, run the following processes.
Deb packages
After installing Elasticsearch 7.x, ensure your /etc/apt/source.list.d/thehive-project.list looks like this:
deb https://deb.thehive-project.org release main
Then, run following commands to install TheHive 3.5.0:
apt update
apt install thehive # or apt install thehive=3.5.0-1
and following commands to install Cortex 3.1.0:
apt update
apt install cortex # or apt install cortex=3.1.0-1
RPM packages
After installing and running Elasticsearch 7.x, ensure your /etc/yum.repo.d/thehive-project.repo looks like this:
Important modifications have been introduced in the docker image of Cortex 3.1.0. This image does not come anymore with programs of Analyzers and Responders and their dependencies.
Cortex is able to run those programs with Docker when images exist. The default configuration included in the official docker image of Cortex uses our catalogs of images of Analyzers and Responders.
Running Analyzers and Responders directly in Cortex container (using “process” method) is still supported. You can include them in container thanks to the Docker volumes when you start the container. If they need dependencies, you can create your own Docker image from our official Cortex image. Below an example of Dockerfile that retrieves Analyzers and Responders like previous Cortex Docker image:
FROM thehiveproject/cortex:3.1.0-1
RUN apt-get update
RUN apt-get install -y --no-install-recommends \
python-pip python2.7-dev python3-pip python3-dev \
ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl \
libmagic1 build-essential git libssl-dev dnsutils iptables
RUN pip2 install -U pip setuptools
RUN pip3 install -U pip setuptools
RUN git clone https://github.com/TheHive-Project/Cortex-Analyzers.git \
/opt/Cortex-Analyzers
RUN for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt') \
do \
pip2 install -r $I || true \
pip3 install -r $I || true \
done
How to report issues
Please open an issue on GitHub if you’d like to report a bug for TheHive or Cortex. We will monitor those closely and respond accordingly.
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Discord, or send us an email at support@thehive-project.org. We will be more than happy to help!
Elasticsearch 7.0 can read indices created in version 6.0 or above. An Elasticsearch 7.0 node will not start in the presence of indices created in a version of Elasticsearch before 6.0.
Who could imagine what’s hiding behind this sentence ?
To be honest, we managed to support Elasticsearch 7.x pretty quickly ! But only for new and recent installations and instances — read, initially installed with Elasticsearch 6.x.
The harder part was ensure older instances, with indexes created with Elasticsearch 5.x, can migrate smoothly like for previous migrations: «stop the application, update the database software, update application and restart everything ». You might have to put your hands on the keyboard.
Source: Google Images
⚠️ TheHive 3.5.0-RC1 and Cortex 3.1.0-RC1 are not recommended for production use. These versions are intended for test only ; please, read carefully the full blog post and the associated documentation. Feel free to try it, try your migration and send us your feedbacks.
New and recent installations
If your instance has been initiated with Elasticsearch 6.x, you can follow the following process :
Stop TheHive version 3.4.2
Stop Elasticsearch version 6.x
Update Elasticsearch configuration file
Update Elasticsearch to version 7.x and restart the service
Update TheHive and restart the service
Update Cortex and restart the service
Instructions to install TheHive 3.5.0-RC1 or Cortex 3.1.0-RC1 can be found in this guide.
At this stage, connect TheHive and Cortex with your browser and you should be invited to update the database :
Older indexes
This is the tricky part. If you are using an instance initiated with Elasticsearch older that version 6.0, it is highly probable that you have to follow an heavier process to upgrade. In few words, you will have to :
Stop TheHive and Cortex applications
Create new indexes in Elasticsearch 6.x with part of the settings of your current indexes
Do specific reindexing operations to this new indexes
Delete old indexes.
How to identify if your index is ready for Elasticsearch 7
You can easily identify if indexes are ready for Elasticsearch 7. On the index named the_hive_15 run the following command:
If the version is 6.x.x then the index will be read by Elasticsearch 7.8.x. Otherwise (version is 5.x.x of below), reindexing the index is required.
Migration guide
You are not left alone there. A dedicated documentation is available. It should help you run this specific actions on your Elasticsearch database, and also install or update application whether you are using DEB, RPM or binary packages, and even docker images :
Didn’t you think we were going to holidays without letting few new stuff to play with ? 6 new Analyzers and 1 Responder complete the growing list of Neurons.
A Huge thanks to all the contributors for the great new features, without forgetting the work regarding improvements and bug fixes.
This analyzer comes in 1 flavor and let you check SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) status of a domain or fqdn.
TheHive displays the analyzer results as follows:
DomainMailSPFDMARD short reportDomainMailSPFDMARD Long report
ForcepointWebsensePing
Forcepoint URL Filtering provides defenses against productivity draining web content and threats to operations. It ensures organizational productivity by delivering defenses against productivity draining web activity while providing the necessary security in a world of advanced threats.
Using WebsensePing utility is possible to query Master Database URL Categories that contains the industry’s most accurate, current and comprehensive classification of URLs. ForcePoint uses proprietary classification software and human inspection techniques to categorize and maintain definitions of more than 95 URL categories in more than 50 languages.
An active Forcepoint subscription is required to use the analyzer.
TheHive displays the analyzer results as follows:
ForcepointWebsensePing short report samplesForcepointWebsensePing long report sample
NERD
This analyzer allows to query the NERD (Network Entity Reputation) database, and get score and basic information. Project NERD aims to build an extensive reputation database of known sources of cyber threats. That is, a list of known malicious IP addresses or other network entities (e.g. ASNs or domain names) together with all security-relevant information about each of them.
A valid API key is required to run this analyzer.
TheHive displays the analyzer results as follows:
NERD short reportNERD long report
SekoiaIntelligenceCenter
This analyzer allows you to gather more context related to domain names, IP adresses, urls and file hashes using the SEKOIA.IO Intelligence Database.
An active SEKOIA.IO Intelligence Center subscription is required to use the analyzer.
TheHive displays the analyzer results as follows:
SEKOIAIntelligenceCenter_Indicators long report
Spamassassin
This analyzer let you query a local SpamAssassin instance by sending a file, and get a SPAM score.
Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email). It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.
TheHive displays the analyzer results as follows:
Spamassassin short reportSpamassassin long report
Splunk
This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter.
This analyzer comes in 10 flavors:
Splunk_Search_Domain_FQDN: Dispatch a list of saved searches on a given domain/fqdn
Splunk_Search_File_Filename: Dispatch a list of saved searches on a given file/filename
Splunk_Search_Hash: Dispatch a list of saved searches on a given hash
Splunk_Search_IP: Dispatch a list of saved searches on a given IP (IPv4 only)
Splunk_Search_Mail_Email: Dispatch a list of saved searches on a given mail/email
Splunk_Search_Mail_Subject: Dispatch a list of saved searches on a given mail_subject
Splunk_Search_Other: Dispatch a list of saved searches on a given data (any type)
Splunk_Search_Registry: Dispatch a list of saved searches on a given registry
Splunk_Search_URL_URI_Path: Dispatch a list of saved searches on a given url/uri_path
Splunk_Search_User_Agent: Dispatch a list of saved searches on a given user_agent
Splunk_Search_User: Dispatch a list of saved searches on a given user id (variable name is ‘other’)
A valid Splunk subscription is required to run this analyzer.
TheHive displays the analyzer results as follows:
Splunk_Search_Registry short reportSplunk_Search_Registry long report
Responders
Velociraptor
Velociraptor let you interrogate your endpoint for specific data. Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.
This responder can be used to run a flow for a Velociraptor artifact. This could include gathering data, or performing initial response.
It can be run on an observable type of ip, fqdn, or other, and will look for a matching client via the Velociraptor server. If a client match is found for the last seen IP, or the hostname, the responder will kick off the flow, the results will be returned, and the client ID will be added as a tag to the case and the observable.
Get It While Supply Lasts!
If you are still using the old-style way of installing analyzers and responders, run the following commands:
cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
go to Admin > Report templates menu ( Admin > Analyzer templates in TheHive 4.0)
click on Import templates button and select the downloaded package
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
Several months,no, years ! after the first line of code – the first line was committed in 2016–, we are very excited and proud to announce the release of TheHive 4.0.
This means more than a major version for us. This was – and still is — like a completely new project, a new generation, a lot more challenging than before. We had to make the application climb a major step to introduce new key features, some we added in this version, others we have in mind for the future.
Objectives
The development of the second generation of TheHive, aka. version 4, was driven by three main objectives:
Add support to multi-tenancy: allow 1 instance of TheHive to serve many teams and organisations
Add support to Role Based Access Control to define fine grained user profiles
Rethink the data model and structure to support the goals listed above (Moving from Elasticsearch as main persistence layer, to a data model designed as a graph).
Challenges
TheHive Project is thoroughly adopted by SOC, CERTs and CSIRT teams, who decided to go with TheHive Project since the first releases. It is worth noting that until today, TheHive has had a total of 52 releases since 2016.
Those teams helped the project by contributing to our QA, questions, feature requests etc… and our way of thinking drove us to not let them down, and we decided to produce a backward compatible software.
The way we have been working until now aims to make our community move smoothly from TheHIve 3 to TheHive 4.
Backward compatibility
This is the most difficult challenge we have had, but we have hard heads and soft hearts.
TheHive 4 is expected to be backward compatible, thanks to APIs v0. Yes, we provide versioned APIs having the same endpoints as TheHive 3, and producing the same results. Search APIs also support the same query language, except some corner cases like searching using the “_string” operator (which is tightly coupled to Elasticsearch query language, but we have working alternatives).
Performance concerns
Supporting backward compatibility might force you to accept complex designs. And TheHive 4 RC3 was a clear example of that limitation.
Many kind users who tested TheHive 4 RC3, raised performance issues, slow UI problems etc… And it was completely expected. We thank them for making such a pressure on us, we used it to boost the refactoring of the UI, which was using backward compatible APIs (unoptimized for the new data model and representation), specially to read data (listing cases or observables for example).
We can discuss the technical details of this hard point later, but it mainly relates to navigating through graph-based data using a document based query system, which is not optimised.
For example, if you want to search for list of observable of a given case, the ideal way of doing that on a graph-base model is to:
Get the case by its ID, which is indexed (very fast operation)
Navigate through case relation, to find its links of type observable
But the backward compatible query language works differently: It scans all the graphs to search for observables that have a case parent with a given ID, which has a slower performance in a graph-based database.
Multi-tenancy and RBAC
TheHive 4 comes with a special multi-tenancy support. It allows the following strategies:
Use a siloed multi-tenancy: you can define many organisations, without allowing them to share data
Use a collaborative multi-tenancy: you can define a set of organizations and allow them to collaborate on specific cases/tasks/observables, using custom defined user profiles (RBAC)
This feature is very powerful but has a cost: an expected performance overhead. For example, when scanning the graph of data to search for a list of cases, TheHive must return the cases of your organisation and the case you can have access to because of the sharing rule.
New foundations
TheHive 3 was based on a framework called Elastic4play, written by Thomas to abstract all the routines required by a web application written with play 2 and using Elasticsearch.
TheHive 4 has its own core framework: Scalligraph, built to handle the following features.
Scalligraph will be the foundation of the next major version of Cortex.
What’s new in 4.0
TheHive 4.0 release has a significant amount of changes. We will quickly explain the most important, and you can refer to the change logs if you need to have more details.
UI Performance
This was the most important task of this release. As we mentioned above, we were using backward compatible APIs in RC3 release, and migrated 80% of the UI to use the APIs v1 which are optimised for the new graph-based and multi-tenant data model.
OAuth2 Support
This topic gave birth to many github issues, some of them related to TheHive’s UI not correctly redirecting authenticated users. OAuth2 support has been tested with many providers like: Okta, Keycloak, FusionAuth, Microsoft Azure, Office 365 and Google Gsuite.
Starting from this version, there is an API endpoint that handle all the authentication and redirections: /api/ssoLogin
Analyzer selection when calling bulk observable analysis has been improved to show the possible analyzers per observable type.
Analyzers selection during observable bulk analysis
For responders, the user experience has been improved as well, especially for instances with a big number of responders. The simple dropdown menu available to select responders has been replaced by a dialog allowing list filtering and scrolling:
New Responder selection dialog
Add bulk operations to case listing
Before this release, simple case updates required visiting the cases one by one and editing them. We added in this release a bulk edit feature, depending on user’s permissions on the selected cases
Bulk edit dialog, used here from case list
The same bulk editing component has been used to improve the same operations on observable list page.
Other noteworthy changes
We need to mention that the following changes have been included in TheHive 4.0 release:
Add pagination and filtering to users administration
Add back the UI configuration by organisation. The only available option is related to enabling/disabling the use of Empty Case.
Show sharing summary in task and observable lists
Improve alert preview dialog
Add alert externalLink feature allowing the display of external links for any alert, not only MISP alerts.
Known limitations
Even after 49 closed Github Issues, there are still major topics to be addressed by the upcoming releases:
Add back support to case merge which is not satisfying today. The challenge is to find the best to merge cases and make sure that it works in a profile-based multi-tenant design.
Add full text search support. In older versions, TheHive benefited from the full text search capabilities of Elasticsearch. With the new database and persistence system, full text support requires adding a dedicated indexing layer.
Installing and testing TheHive 4.0
After months of testing versions, this official release means that we consider it ready for production purposes. If you’re new with TheHive, we recommend going with TheHive 4.0.
Several installation guides have already been published, suitable with the chosen operating system and installation type, and new are coming.
For testing and training purposes, a virtual machine with a simple configuration of TheHive 4.0 and Cortex 3.0.1, is also published and available starting from now. Please refer to the documentation for download and usage instructions.
Want to upgrade from TheHive 3.x ?
All changes brought to TheHive make the upgrade more challenging than installing the new package and watch the progress bar. To support you with the upgrade, a migration tool comes along with the application to shift your current version of TheHive to TheHive 4.0.
A dedicated guide has been published to help users with this significant task. We recommend using a new server aside from your production server to ensure everything works fine with the migration.
Future of TheHive 3.x
This major outcome doesn’t mean TheHive 3 end of life is reached. As previously announced, we plan to support this version for some time, our next milestone being to support Elasticsearch 7.x with a first Release Candidate.
Thanks to the community and all the contributors, this release comes with 1 new Analyzer, 2 new Responders, lots of improvements and bug fixes.
But there is more news from the front.
Starting from this milestone, bugfixes and new Analyzers or Responders should be released in a smoother way as we are improving few processes. Some changes and recommandations should appear in the next days for submission, and our release process will be improved to fix bugs easier and release new code faster.
We also plan to offer a better documentation. We already started to publish information regarding each Analyzer and Responder. This is a work in progress, and it will be updated with the current requirements guide.
DomainToolsIris documentation page
For each Analyzer and Responder, a page details the purpose of each flavors, the configuration required and even some screenshots from report samples. It will also allow developers to share their own notes if wanted.
New Analyzers
LastInfoSec analyzer, contributed by @remydewa (#754)
Improvement in Shodan: add vulns in template and taxonomies (#772 & #776)
Improvement in Mailer responder: tasks support and auth (#764, #737, #379)
Improvement in SinkDb: support for new api with new dataTypes supported (#483, #498, #756)
Analyzers
LastInfoSec
LastInfoSec offers innovative and automated solutions to collect data, refine it and turn it into useful and actionable information, quickly available to improve the protection, detection and investigation capabilities of companies and government organizations.
TheHive displays the analyzer results as follows:
Short template for LastInfoSec ReportLong Template for LastInfoSec Report
Onyphe
An important work has been made on Onyphe Analyzer to support APIv2. All 7 flavors from older version have been removed and merged into only one flavor named “Onyphe_Summary”. An API key is still needed to query Onyphe API.
TheHive displays the analyzer results as follows:
Onyphe_Summary short reportOnyphe_Summary long report
Responders
Sendgrid
Sendgrid is a customer communication platform for transactional and marketing email used when you have to ensure that your notifications and transactional emails are delivered quickly and securely.
This analyzer works like the Mailer one, but relying on SendGrid external service to delivery emails.
In order to use the service please follow the instruction being careful to the verify your email address.
VirusTotalDownloader
This responders runs on Observables of type “hash” and allows analyst to download corresponding file from VirusTotal. Once downloaded, the file is added to the current case observables in TheHive.
In order to use this responder, a Premium API key from VirusTotal is needed. An API key from TheHive is also needed to upload the file in the observables list.
Use the responder on the hash to add the sample in your Observables
Fixes and Improvements
Fix: some analyzer uses invalid “email” dataType (#799)
Fix in MalwareBazaar: wrong dataTypes in config (#794)
Fix in PhishTank: the JSON object must be str, not ‘bytes’ (#786)
Fix in VMRay: fix error in parsing and workflow (#785 & #784)
Fix in ThreatResponse: module_type key removed from response (#759)
Fix in Abuse_Finder: pythonwhois dependency (#742)
Get It While Supply Lasts!
If you are still using the old-style way of installing analyzers and responders, run the following commands:
cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
click on Import templates button and select the downloaded package
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
For a few weeks, many questions have been arising regarding the End of Life of ElasticSearch 6.8, and its impact on TheHive and Cortex applications.
We were about to release TheHive 4.0-RC3 when Thomas, akwardly calmly announced to us, having found some time (where?) to review new features and most important, breaking changes introduced by ES7. We have now a good idea of what should be updated or added in the code, as well as the amont of work it represents to get the application working perfectly.
What about current version ?
Few months ago, we announced our intention to maintain current stable versions until ES6 End of Life. At that time, we didn’t expect it to be sooner.
Discontinuing TheHive 3.x with the release of TheHive 4.0 has never been in our plans. With the time, more and more organisations adopted them, and it is important for us to give everyone enough space to schedule and make the move to the TheHive 4.0. This is why TheHive 3 and Cortex 3 will support ES7.
The good news is our ability to announce that the changes introduced by ES7 have no major impacts on us, We are scheduling a first RC1 for TheHive 3.5.0 and Cortex 3.1.0 in the last week of July. Not only will they include support for ES7, but also a few interesting improvements that will be introduced in the coming blog posts.
What’s next ?
Needless to say, the chiefs are sparing no effort in focusing on TheHive 4.0, which requires a huge amount of attention. The application stack has completely changed – the most important adjustment is pushing aside ElasticSearch in favour of Cassandra to manage TheHive’s data storage – and thanks to the community, lots of bugs have already been fixed allowing it to be stronger with time.
Once we consider TheHive 4.0 reliable enough to be used in production, we will publish it as a stable version, and that would be in the coming days. After all, our plans are to make the applications use the same technology stack, which will directly benefit to the next major version of Cortex.
Besides, Cortex is scheduled to be upgraded and based upon Scalligraph, Cassandra and Hadoop. We hope to publish a first RC in few months.
Stay tuned sounds like TheHive Project’s Twitter account will be on fire 🔥 in the coming days!
Good morning (or evening if you are on that side of the planet) folks!
We had a very busy week, packed with announcements. First, we released TheHive 4.0-RC2 which you’ve certainly taken to test, then we announced two patch releases for TheHive 3.4. And guess what? Here are some additional Cortex analyzers, a responder and a number of fixes and improvements for existing ones, bringing the total to a whopping 146 analyzers and 18 responders!
RT4-CreateTicket responder, contributed by @mdavis332 (#543)
Analyzers
ANY.RUN
ANY.RUN is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as:
Interactive access
Research threats by filter in public submissions
File and URL dynamic analysis
Mitre ATT&CK mapping
Detailed malware reports
ANY.RUN short reportANY.RUN long report
CyberChef
CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
This analyzer connects to a CyberChef-server and comes in 3 flavors:
CyberChef_FromBase64, that takes Base64 strings as input for CyberChef-server
CyberChef_FromCharCode, that takes CharCode as input for CyberChef-server and run this recipe
CyberChef_FromHex, that takes Hex strings as input for CyberChef-server
TheHive displays the analyzer results as follows:
CyberChef short report
CyberChef long report
MalwareBazaar
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
This analyzer allows analysts to query the API of this service on observables of types ip, domain, fqdn, url, and hash.
TheHive displays the analyzer results as follows:
MalwareBazaar short reportMalwareBazaar long report
OpenCTI
OpenCTI is an open source platform allowing organisations to manage their Cyber Threat Intelligence knowledge and observables. It has been created in order to structure, store, organise and visualise technical and non-technical information about cyber threats.
This analyzer allows an analyst to query the API and request for information about observables of types domain, ip, url, fqdn, uri_path, user-agent, hash, email, mail, mail_subject, registry, regexp,filename and other.
TheHive displays the analyzer results as follows:
OpenCTI short reportOpenCTI long report
MISPWarningLists reloaded (need for speed aka DB support)
The previous version of this analyzer basically used to clone the MISP Warning lists repository and do a lookup in downloaded files. This can be very long to complete.
This new version introduces the optional support of PostgreSQL:
To store warning lists, in a similar way to the NSRL (National Software Reference Library) Analyzer.
Make lookups through these lists faster.
If you want to benefit from the performance boost, using a PostgreSQL server to store the data, you can simply install the requirements.txt, feed the database and configure the connection in the configuration as well:
In the analyzer folder, use the program warninglists_create_db.py to import the warning lists in PostgreSQL. Before running, edit the program file and update the path of where your lists are stored (warninglists_path = "misp-warninglists/**/list.json")
You can schedule these jobs (ex. with cron): first, sync a folder with the repository, and then run the program to update the database.
Once done, configure the analyzer with the conn parameter to connect to the database, or, if you prefer to continue using the previous behaviour and do your lookups in files, just specify the path of the folder:
MISPWarningList Configuration example
Templates have also been updated, and TheHive displays the analyzer results as follows:
MISPWarningList short reportMISPWarningList long report
Responders
RT4-CreateTicket
RT4 (Request Tracker) is a ticketing system. With this responder, an analyst can create a ticket in RT. CaseID is submitted to RT as a reference.
Unfortunately, like for some other analyzers and responders, we have not been able to test this responder on our side. Please feel free to share your feedback with us and also with Michael Davis, who we would like to thank for the hard work and for having shared this responder with the community.
Fixes and Improvements
Fix Inconsistent Key References in Shodan Analyzer (#748)
Improvement: EmlParser now extracts some useful IOCs (#710)
Get It While Supply Lasts!
If you are still using the old-style way of installing analyzers and responders, run the following commands:
cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
click on Import templates button and select the downloaded package
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
Last month (that should be… April… we are kinda losing track of time during the confinement), we made silently 2 patch releases for TheHive 3.4, our current stable version even if we have our hands full of soap and bleach as we are working on the eagerly awaited TheHive 4.0.0 final release: 3.4.1, shortly followed by 3.4.2. Your lovely bees are truly committed at keeping TheHive 3 branch buzzing well after 4.0.0 is out.
As usual, we’d like to start by thank the community for bringing the issues they discover to our attention. This is definitely one of the best contributions that we can get from you!
A simple way to help any open source project
3.4.1 Release
Released on April 25, 2020, 3.4.1 mainly fixed some docker-related issues as well as problems with OAuth2 and MISP integration, in addition to a few bugs, as described in the changelog.
Implemented Enhancements
Docker: TheHive fails to connect to Elasticsearch (NoNodeAvailableException) #854
Improved support for OpenID connect and OAuth2 #1110
TheHive’s Docker entrypoint logs the Play secret key at startup (… looking elsewhere hoping not to attract too much attention on this one) #1177
Configure TheHive’s first run using Docker Compose #1199
TheHive’s docker containers should be orchestration-ready #1204
MISP synchronisation: any attribute having the to_idsflag will be imported as ioc by TheHive. In the same way, when you export a case to MISP, observables which have the iocflag on will become MISP attributes for which to_ids is true #1273
File observables in alert are not created in case #1292
Analyzer’s artifacts tags and message are not kept when importing observables #1285
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help as usual!
TheHive Project 