Featured

Introducing Cerana

Update: 2 days after publishing this blog post, we’ve released Cerana 0.1 (TheHive 3.0.1) which fixes a number of issues. We encourage you to use 3.0.1 instead of 3.0.0.

The friendly honeybees at TheHive’s code kitchen were pretty busy lately even though winter came and temperatures have been close to zero Celsius in Paris, France. As we wrote a couple of weeks ago on this very blog, we are happy to announce Cerana to the world, available immediately.

Cerana or TheHive 3.0.0 is the latest (and obviously greatest) release of a now highly popular open source, free Security Incident Response Platform (or SIRP for short). Its flagship feature in comparison to previous releases is Dynamic Dashboards.

Dynamic Dashboards

Dynamic Dashboards replace the Statistics module in Cerana to allow you to explore the data available in Elasticsearch, which TheHive uses for storage, in many ways. For example, you can have a usage breakdown of Cortex analyzers, the number of open cases per assignee, the number of alerts per source (MISP, email notifications, DigitalShadows, Zerofox, Splunk, …), the number of observables that have been flagged as IOCs in a given time period, how many attributes were imported from MISP instances, top 10 tags of imported MISP attributes or incident categories.

case3.png
Dynamic Dashboards

Dynamic Dashboards can be created by an analyst and kept private or shared with the other team members. Dashboards can also be exported and imported into another instance. This would facilitate community participation in the establishment of valuable data exploration graphs to drive DFIR activity and seek continuous improvement.

When you’ll migrate to Cerana, you won’t have to build dashboards from scratch. We recreated more or less those which were available under the Statistics view and included them in the Cerana build.

Cortex and MISP Health Status

Cerana will also allow you to monitor the health status of all the Cortex and MISP instances that it is connected to. In the bottom right corner of TheHive’s Web UI, the Cortex and MISP logos appear when you have configured the integration with those products as in previous releases. However, the logos will have a small outer circle which color will change depending on whether Cortex and/or MISP instances are reachable or not.

status
Cortex & MISP Health

If TheHive can’t reach N out of M Cortex/MISP instances, the outer circle will be orange. If it can’t reach all M instances, the circle will red. If everything is fine, the circle will be green. The exact status of each Cortex/MISP instance can be seen in the About page. And when you try to run analyzers on a Cortex which cannot be reached, TheHive will tell you so as well.

about
Cortex & MISP: Version & Status

Sighted IOCs

In previous releases of TheHive, observables can be flagged as IOCs. However, this doesn’t necessarily mean you’ve seen them in your network. Think for example of a suspicious attachment which you’ve submitted to Cuckoo or Joe Sandbox through Cortex. The analyzer returns some C2 addresses to which the sample tries to connect to. You’d be right to add those C2 addresses to your case and flag them as IOCs. Then you search for them in your proxy logs and you find connection attempts to one out of four. In previous versions, you’d add a seen label but this would be inconsistent among analysts. One may use found instead. Another will add a description and no labels.

To avoid such situations and give you a simple way to declare an IOC as seen, Cerana adds a sighted toggle which you can switch on/off. We will leverage this toggle in future versions to indicate sightings when sharing back cases to MISP.

Other Features and Improvements

Cerana contains numerous other features and improvements such as:

  • Case template import, export
  • The ability to assign default values to metrics and custom fields to case templates
  •  The ability to assign by default tasks to their rightful owners in case templates
  • Show already known observables when previewing MISP events in the Alerts page
  • Add autonomous systems to the list of default datatypes
  • Single-sign on using X.509 certificates (in BETA currently)

We will update the documentation for Cerana in the upcoming weeks. So stay tuned.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

VMRay, FireHOL, Joe Sandbox & Fortiguard Analyzers

We are pleased to announce the availability of 2 new Cortex analyzers and an update to 2 existing ones:

  • New: VMRay and FireHOL
  • Updated: Joe Sandbox and Fortiguard URL Category

We would like to thank Nils Kuhnert from CERT-BUND, CERT-BDF and Eric Capuano for their precious contributions.

To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master  branch) in your existing /path/to/cortex-analyzers. Then follow the Cortex analyzers guide.

To import the new report templates in your instance of TheHive:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

VMRay

The VMRay analyzer has been submitted by Nils Kunhert from CERT-BUND. It lets you run a file in a local or remote (cloud) VMRay sandbox. The analyzer also lets you check existing analysis reports.

The analyzer accepts files and hashes as input. VMRay is a commercial service and you need an API key to run the analyzer. To make it work, install the requests Python library. It should already have been installed since it is used by other analyzers as well.

To use the analyzer, add the following section to the Cortex configuration file (application.conf):

VMRay {
 url = ""
 key = ""
 certpath = ""
 }

When called from TheHive, the following output is produced:

sc-short-vmray.png

sc-long-vmray.png
TheHive: VMRay Analyzer – Short and Long Report Samples

Important note: an analysis on VMRay, like on any other sandbox, can take a long time. That is why the analyzer tries to fetch the report until it is ready.

FireHOL

The FireHOL analyzer has been submitted by Nils Kuhnert from CERT-BUND. It lets you use the lists maintained by FireHOL project and check if an IP resides in one of them. FireHOL is an open source project. The analyzer reports the block lists in which an IP resides with the latest updated ones displayed first. To make it work, you’ll need to download the lists in a directory first (and it would be wise to do it on a regular fashion using a cron entry for example):

git clone https://github.com/firehol/blocklist-ipsets

The FireHOL analyzer depends on the following librairies:

ipaddress
pytz
dateutil
datetime

Add the following section to the Cortex configuration file (application.conf) to activate the analyzer:

FireHOLBlocklists {
 blocklistpath = ""
 ignoreolderthandays = <int>
 }

The ignoreolderthandays parameter lets you tell the analyzer to ignore matches found in lists that have not been refreshed in <int> days where <int> is an integer.

When called from TheHive, the following output is produced:

sc-short-fireHOL.png

sc-long-firehol.png

TheHive: FireHOL Analyzer – Short and Long Report Samples

Joe Sandbox

Thanks to CERT-BDF, the Joe Sandbox analyzer has been updated to support Joe Sandbox Cloud service beside the on-premises version (Ultimate). Like with other Joe Sandbox services, you need to add the following section to the Cortex configuration file (application.conf):

JoeSandbox {
 url = ""
 apikey = ""
 }

Fortiguard URL Category

Thanks to Eric Capuano, the Fortiguard URL Category analyzer is working again. Eric has modified it to handle the changes made by Fortiguard to their free online API.

Correction: May 23, 2017
An earlier version of this post used ignoredays instead of ignoreolderthandays for the FireHOL Blocklists analyzer. This parameter has also been described.

Joe Sandbox, MISP Search and Report Improvements

We are thrilled to announce that Cortex has two new analyzers: Joe Sandbox and MISP Search. Moreover, we have produced new analyzer report templates for TheHive and improved existing ones.

Joe Sandbox

List JSB Cortex.png
Cortex: New Joe Sandbox Analyzer

Joe Sandbox, by Joe Security LLC, is a very powerful malware analysis platform that has been around for many years and comes in two flavors: cloud and on-premises. The Joe Sandbox Cortex analyzer has been tested using an on-prem Joe Sandbox Ultimate version and can process URLs and files. The analyzer can process files with or without Internet access.

To use the analyzer, you must provide the API key of your Joe Sandbox instance. You must log in to Joe Sandbox, click on your account name, then on Settings and on the API Key tab.

report JSB Cortex.png
Cortex: Joe Sandbox Output Example

We have produced a report template for the Joe Sandbox analyzer output resulting from file analysis. The URL analysis report template is not yet available but it should be in a few days.

JSB TH short report

JSB_THEHIVE.png
TheHive: Joe Sandbox Analyzer – Short and Long Report Samples

MISP Search

Screen Shot 2017-03-31 at 15.25.07.png
Cortex: New MISP Search Analyzer

It is no longer necessary to present MISP, the de facto standard of threat sharing. The new MISP Search analyzer will let you search events containing the observable you provide as an input. It applies to a lot of observable types as you can see in the screenshot above.

To use it, you’ll need to supply the API key available in the MISP UI interface.

result_MISP_Cortex.jpg
Cortex: MISP Analyzer Output Sample

Nils Kuhnert created an alternate MISP Search analyzer which has the ability to query multiple MISP instances. We are currently reviewing his submission along with several other analyzers he contributed before improving the newly released MISP Search analyzer.

PassiveTotal Report Templates

PT Whois short report.pngPT UniqueRes TH short report.png

While we published the PassiveTotal analyzer weeks ago, TheHive didn’t have report templates for it at the time. We have now new, shiny short and long report templates for most of the services provided by the PT analyzer.

PT PDNS long report.png
TheHive: PassiveTotal PassiveDNS – Long Report Sample

DomainTools Whois Lookup Report Template

DT Whois TH short report.png

The short report templates of the DomainTools Whois Lookup analyzer has been improved. We now use a taxonomy to provide more context and differentiate between the DomainTools and PassiveTotal Whois results.

VirusTotal Get Report and VirusTotal Scan Report Templates

VT TH short report.png
VT and JSB TH short report.png

The short report templates for both services have also been improved to use a taxonomy to provide additional context and distinguish their results from the PassiveTotal Malware service.

Get the new analyzers

To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master  branch) in your existing /path/to/cortex-analyzers.

The Joe Sandbox analyzer does not need any additional Python library if you have already installed Cortex and the analyzers following the guide we provide.  To use it, edit your Cortex configuration file (/path/to/cortex/application.conf) and add the following lines in the analyzer section:

 JoeSandbox {
     apikey="..."
     url="..."
 }

By default, Joe Sandbox will time out the analysis after 30*60 seconds (30 minutes). Additionally, the analyzer will wait for the Joe Sandbox server to respond within 30 seconds. If no response is received within this period, it will time out. If you want to override these values, you’ll need to add the following lines in the analyzer section:

JoeSandbox {
     apikey="..."
     url="..."
     analysistimeout=<NEW VALUE> # optional
     networktimeout=<NEW VALUE> # optional
}

The MISP Search analyzer requires pymisp. Use the following command line to install the required library:

sudo pip install pymisp

Then edit your Cortex configuration file (/path/to/cortex/application.conf) and add the following lines in the analyzer section:

MISP {
     api_key="..."
     url="..."
}

Please note that you must restart Cortex to take the changes into account. The current version has no persistence so you’ll lose all your existing jobs.

You can find the full installation requirements for Cortex and Cortex-Analyzers on the Cortex wiki pages.

Use the New Report Templates

To import the new report templates in your instance of TheHive:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help you!