Unveiling Cortex 2

TheHive Project’s Master Chefs are extremely happy to share, for free their latest recipe with the Cyber Threat Intelligence, Digital Forensics and Incident Response communities: Cortex 2.

As its predecessor, Cortex 2 is published under an AGPL v3 license and it introduces many important features that we brushed upon in a Dec 2017 post.

Screen Shot 2017-12-15 at 17.16.06
Cortex 2 — Architecture

Update: Cortex 2.0.1 was released since this post went live. It corrects a few bugs we uncovered in 2.0.0 as described in the changelog. Please install Cortex 2.0.1 instead of 2.0.0.

Authentication

Cortex 2 supports all the authentication methods that TheHive supports: LDAP, Active Directory, local accounts, API Keys, and X.509 SSO.

To connect your favorite Security Incident Response Platform with Cortex 2, you will need to update TheHive to Cerana 0.7 (TheHive 3.0.7) which was released today as well. This version fixes a regression pertaining to case templates introduced by Cerana 0.6 and is the first version to fully support Cortex 2’s API changes and authentication.

To make TheHive 3.0.7 analyze observables at scale through Cortex 2, you have to create an account on Cortex 2 with the read and analyze roles (see the next section) and generate the associated API Key. Next, feed the key in TheHive’s /etc/thehive/application.conf as described in the documentation et voilà !

TheHive 3.0.7 remains compatible with Cortex 1 and you can connect it to a mixed set of Cortex 1 and/or Cortex 2 instances with no issues.

Organizations, Analyzers and Rate Limiting

Cortex 2 introduces multi-tenancy through organizations and each organization can have its own set of users, with different roles, its own set of analyzers and, if necessary, rate limits that will prevent analysts from burning quotas.

Multi-tenancy has several interesting use cases. For instance, if you are the CSIRT or CERT of a large multinational organization with several regional teams, you can create an organization for each region within your constituency and enable the analyzers that they may need to use. Let’s assume that you bought a VirusTotal subscription that limits you to 5000 requests per month. You can configure the corresponding analyzers to give each region a fair share of that quota and keeping some requests for your own use.

In case you are a commercial CSIRT or an MSSP, you could do the same for your customers by installing only one Cortex 2 instance and creating an organization for each customer.

Screen Shot 2018-03-29 at 16.27.05.png
Configure an analyzer graphically and impose rate limits if necessary

User Roles

By default, Cortex 2 is shipped with the default cortex organization which sole purpose is to create other ones and manage the users within each organization and their associated powers. The cortex organization hosts all users with the superAdmin role and it cannot be used to configure or run analyzers.

As described in the new Quick Start Guide, after installing Cortex 2, updating its database and creating the first user who will have super admin powers, you’ll have to create your first organization and at least one user within that organization with orgAdmin rights.

Screen Shot 2018-03-29 at 16.33.02
Create an organization

You can then log out and log in using the orgAdmin account to create further users within that organization, enable and configure analyzers etc. Please note that no analyzer is enabled by default and you need at least v 1.9.0 of the cortex-analyzers repository. To update your set of analyzers to 1.9.0, please run git pull.

Screen Shot 2018-03-29 at 16.28.47
Manage users within an organization

Besides the superAdmin and orgAdmin roles, Cortex 2 introduces the read role which allows users to access analyzer reports and read them but not execute analyzers. For that, users need the analyze role (which implies the read role). orgAdmin users can also run analyzers. superAdmin users are limited to the default cortex organization. While they can create organizations and manage users within them, they cannot access analyzer configurations such as confidential API keys or job reports.

Screen Shot 2018-03-29 at 16.31.28
Job reports

Report Persistence and Caching

Cortex 2 relies on Elasticsearch 5.x to store many configuration items but also all the analyzer reports that have been generated. Unlike its predecessor, you won’t lose your existing reports should you need to restart the service or the host it is running on.

Cortex 2 also introduces report caching. By default the cache.job parameter is set to 10 minutes in /etc/cortex/application.conf. That means that if an analysis on a given observable with a defined TLP is requested and that a report has been previously generated in the last 10 minutes, Cortex 2 will serve that report instead of running a new analysis. This feature can help prevent soliciting analyzers, particularly those which require a subscription or have quotas, when there is no need to do so. Please note that this parameter is global to all the analyzers and all the organizations that are configured in the Cortex 2 instance. We do have plans to make it more granular in future versions.

Migrating from Cortex 1

If you are migrating from Cortex 1.x, we recommend that you:

  1. Save the configuration of your analyzers (which ones are enabled and what their configuration items are, such as users/passwords or API keys).
  2. Install Cortex 2.
  3. Edit /etc/cortex/application.conf to add the secret key as shown in Step 1 of the Quick Start Guide and point Cortex to the location of the analyzers.
  4. Follow the remaining steps of the Quick Start Guide to enable the analyzers you need and reinject their configuration.

What’s Next?

In the upcoming weeks, we will release a new version of Cortex4py in order to make it compatible with Cortex 2, continue the work we started with our MISP Project friends to support MISP attribute enrichment through Cortex 2 (MISP currently only supports enrichment using Cortex 1), and perform a long-overdue overhaul of our documentation.

Feeling Generous? Donate!

As you know, we are a FOSS project and donations are always welcome to make our products even better for the community.

All donations go to Creative Source, the non-profit organization we have created, and we will use them to improve TheHive, Cortex & Hippocampe but also to develop (even better) integrations with other FOSS solutions such as MISP.

So if you are feeling generous, please contact us at support@thehive-project.org.

Creative Source can also provide so-called professional, entreprise-grade support, help integrating the products, train your analysts before they drain or assist you in specific areas such as developing in-house analyzers for Cortex.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Correction: March 30, 2018
Instructions on how to update the cortex-analyzers have been added. Also, Cortex 2.0.1 was released to correct a few bugs in the previous version since this post went live.

The Perfect Christmas Gift

George Abitbol* doesn’t feel well. Christmas is approaching at a fast pace and the gift he ordered days ago for his girlfriend didn’t find its way to his mailbox yet. He checked it out three times today and save for some spam catalogues on how to take care of his handsome silhouette, nothing resembling a gift showed up.

IMG_4107.jpg
Picture by Saâd Kadhi

He tried to call the French parcel service to know the whereabouts of the luxurious, limited version of the organic sweet potato chips his lovely Jacqueline* likes so much, which sells for four times the regular price (to bear the cost of the enhanced packaging, certainly), but he couldn’t get hold of a living soul all day long. When he placed the order, the delivery was supposed to be lightning fast. It turned out to be a false promise.

With a sinking heart, he climbs back the stairs leading to his apartment, fetches his laptop and sits on his club chair. With his headphones on, immersed in the wonderful jazz of Christian Scott, he wanders randomly through online shopping sites trying to make out his mind on what other presents he could get for his dear Jacqueline, in time for Christmas.

In the middle of the track called Encryption, featuring the uncanny Elena Pinderhugues on flute, a Twitter notification resonates in his ears. He checks it out and learn that TheHive Chefs, as true and elegant gentlemen, have published a new training VM for Cerana 0.3 (a.k.a. TheHive 3.0.3), including Cortex 1.1.4 and the latest set of Cortex-Analyzers.

George loves bees in all shapes and forms, including digital ones so he swiftly downloads the new VM and as the cautious person he is, he verifies the file’s SHA256 hash: 86a87b70627e8db672c57cb57821461f2564ae9b8087cc22fdd1e7a599c16aedWonderful! Everything checks out beautifully. He then imports the file in his VM software, starts the virtual machine and logs in as thehive then types in thehive1234 when asked for the password.

He thoroughly reads the documentation to configure various analyzers and integrate his favourite Security Incident Response Platform with MISP.  A few minutes later, his VM is ready for prime time and he starts playing with the new multi-source dashboards and interacting with fellow analysts on Gitter.

And he totally forgets about Jacqueline’s gift.

(*) Any resemblance to real and actual names is purely coincidental.

Correction: Dec 23, 2017
An earlier version of this post was referring to a previous training VM that included Cerana 0.2, a version affected by a privilege escalation vulnerability which was corrected in Cerana 0.3. Some typos were corrected as well.

Introducing Cerana

Update: 2 days after publishing this blog post, we’ve released Cerana 0.1 (TheHive 3.0.1) which fixes a number of issues. We encourage you to use 3.0.1 instead of 3.0.0.

The friendly honeybees at TheHive’s code kitchen were pretty busy lately even though winter came and temperatures have been close to zero Celsius in Paris, France. As we wrote a couple of weeks ago on this very blog, we are happy to announce Cerana to the world, available immediately.

Cerana or TheHive 3.0.0 is the latest (and obviously greatest) release of a now highly popular open source, free Security Incident Response Platform (or SIRP for short). Its flagship feature in comparison to previous releases is Dynamic Dashboards.

Dynamic Dashboards

Dynamic Dashboards replace the Statistics module in Cerana to allow you to explore the data available in Elasticsearch, which TheHive uses for storage, in many ways. For example, you can have a usage breakdown of Cortex analyzers, the number of open cases per assignee, the number of alerts per source (MISP, email notifications, DigitalShadows, Zerofox, Splunk, …), the number of observables that have been flagged as IOCs in a given time period, how many attributes were imported from MISP instances, top 10 tags of imported MISP attributes or incident categories.

case3.png
Dynamic Dashboards

Dynamic Dashboards can be created by an analyst and kept private or shared with the other team members. Dashboards can also be exported and imported into another instance. This would facilitate community participation in the establishment of valuable data exploration graphs to drive DFIR activity and seek continuous improvement.

When you’ll migrate to Cerana, you won’t have to build dashboards from scratch. We recreated more or less those which were available under the Statistics view and included them in the Cerana build.

Cortex and MISP Health Status

Cerana will also allow you to monitor the health status of all the Cortex and MISP instances that it is connected to. In the bottom right corner of TheHive’s Web UI, the Cortex and MISP logos appear when you have configured the integration with those products as in previous releases. However, the logos will have a small outer circle which color will change depending on whether Cortex and/or MISP instances are reachable or not.

status
Cortex & MISP Health

If TheHive can’t reach N out of M Cortex/MISP instances, the outer circle will be orange. If it can’t reach all M instances, the circle will red. If everything is fine, the circle will be green. The exact status of each Cortex/MISP instance can be seen in the About page. And when you try to run analyzers on a Cortex which cannot be reached, TheHive will tell you so as well.

about
Cortex & MISP: Version & Status

Sighted IOCs

In previous releases of TheHive, observables can be flagged as IOCs. However, this doesn’t necessarily mean you’ve seen them in your network. Think for example of a suspicious attachment which you’ve submitted to Cuckoo or Joe Sandbox through Cortex. The analyzer returns some C2 addresses to which the sample tries to connect to. You’d be right to add those C2 addresses to your case and flag them as IOCs. Then you search for them in your proxy logs and you find connection attempts to one out of four. In previous versions, you’d add a seen label but this would be inconsistent among analysts. One may use found instead. Another will add a description and no labels.

To avoid such situations and give you a simple way to declare an IOC as seen, Cerana adds a sighted toggle which you can switch on/off. We will leverage this toggle in future versions to indicate sightings when sharing back cases to MISP.

Other Features and Improvements

Cerana contains numerous other features and improvements such as:

  • Case template import, export
  • The ability to assign default values to metrics and custom fields to case templates
  •  The ability to assign by default tasks to their rightful owners in case templates
  • Show already known observables when previewing MISP events in the Alerts page
  • Add autonomous systems to the list of default datatypes
  • Single-sign on using X.509 certificates (in BETA currently)

We will update the documentation for Cerana in the upcoming weeks. So stay tuned.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cortex Hits the 30 Analyzers Mark

Cortex has now 30 analyzers thanks to Daniil Yugoslavskiy, Davide Arcuri and Andrea Garavaglia (from LDO-CERT) as well as our longtime friend Sébastien Larinier. Their contributions, all under an AGPLv3 license, add handy ways to assess observables and obtain invaluable insight to an already solid Threat Intelligence and DFIR toolset.

In addition to these 3 new analyzers, v 1.7.0 of the Cortex-Analyzers repository also fixes a number of bugs and add a few improvements to existing analyzers as well.

To get the new release, go to your existing Cortex-Analyzers folder and run git pull.

HybridAnalysis

The HybridAnalysis analyzer has been contributed by Daniil Yugoslavskiy. It fetches Hybrid Analysis reports associated with hashes and filenames. This analyzer comes in only one flavor called HybridAnalysis_GetReport.

Requirements

You need to have or create a free Hybrid Analysis account.  Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair. Provide the API key as a value for the key parameter and the secret as a value to the secret parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

HybridAnalysis {
  secret = "mysecret"
  key = "myAPIKEY"
}

When run from TheHive, the analyzer produces short and long reports such as the following:

sc-short-hybridanalysis_1_0.png

TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples
TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples

EmergingThreats

The EmergingThreats analyzer has been submitted by Davide Arcuri and Andrea Garavaglia  from LDO-CERT. It leverages Proofpoint’s Emerging Threats Intelligence service to assess the reputation of various observables and obtain additional and valuable information on malware.

The service comes in three flavors:

  • EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
  • EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
  • EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

Requirements

You need a valid Proofpoint ET Intelligence subscription.  Retrieve the API key associated with your account and provide it as a value to the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

 EmergingThreats {
   key="MYETINTELKEYGOESHERE"
 }

When run from TheHive, it produces short and long reports such as the following:

sc-short-ET_1_0.png

sc-long-ET-1_1_0.png

sc-long-ET-2_1_0.png

sc-long-ET-3_1_0.png

sc-long-ET-4_1_0.png

sc-long-ET-5_1_0.png
TheHive: EmergingThreats 1.0 Analyzer – Short and Long Report Samples

Shodan

The Shodan analyzer is the first submission by Sébastien Larinier. It lets you retrieve key Shodan information on domains and IP addresses.

This analyzer comes in two flavors:

  • Shodan_Host: get Shodan information on a host.
  • Shodan_Search: get Shodan information on a domain.

Requirements

You need to create a Shodan account and retrieve the associated API Key. For
best results, it is advised to get a Membership level account, otherwise a free one can be used.

Supply the API key as the value for the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

Shodan {
  key= "myawesomeapikey"
}

When run from TheHive, it produces short and long reports such as the following:

sc-short-shodan_1_0.png

sc-long-shodan_1_0.png
TheHive: Shodan 1.0 Analyzer – Short and Long Report Samples

Miscellaneous Fixes and Improvements

  • #100 : support both Cuckoo versions – by Garavaglia Andrea
  • #113 : Cuckoo Analyzer requires final slash – by Garavaglia Andrea
  • #93 : VirusTotal URL Scan Bug
  • #101 : Missing olefile in MsgParser requirements
  • #126 : PhishTank analyzer doesn’t work – by Ilya Glotov

Update TheHive Report Templates

If you are using TheHive, get the last version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Training VM Reloaded: Mellifera 13, Cortex 1.1.4 & Other Updates

After the release wagon we unleashed upon the Internet tracks last week, we have updated the training VM to include Mellifera 13 (TheHive 2.13.0), Cortex 1.1.4, TheHive4py 1.3.0, Cortex4py 1.1.0 and the latest Cortex analyzers with all dependencies.

We strongly encourage you to refrain from using it for production.

Get It

You can download the VM from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQajViaS01Ym1hdW8/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

93176fffdbdd47cb8457efe10fb8c783eddd7895a18c8ca75a7c6bae316b081b

The system’s login is thehive and the associated password is thehive1234.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Where to Go from Here?

Please read the associated documentation page to configure the services on your training virtual machine and plug it with MISP.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cortex 1.1.4 Released

Moments ago, we have announced the release of Mellifera 13, TheHive4py 1.3.0, and Cortex4py. And since we don’t want to leave you wanting for more fun time, you may want to schedule as well a Cortex update shall you need it 😉

Implemented Enhancements

  • Disable analyzer in configuration file #32
  • Group ownership in Docker image prevents running on OpenShift #42

Fixed Bugs

  • Cortex removes the input details from failure reports #38
  • Display a error notification on analyzer start fail #39

Download & Get Down to Work

To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.

Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Introducing Cortex4py

Following popular demand, the chefs at TheHive Project‘s code kitchen are happy to announce the immediate availability of Cortex4py.

What Is It?

Cortex4py is a Python API client for Cortex, a powerful observable analysis engine where observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed one by one using a Web interface or en masse through the API.

Cortex4py allows analysts to automate these operations and submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms (TheHive has native support for one or multiple Cortex instances) and custom scripts.

 

Use It

To install the client, use PIP:

$ sudo pip install cortex4py

 

How Much Does it Cost?

Cortex4py is released under an AGPL license as all the other products we publish to help the IR community fight the good fight. So apart from the effort it’ll cost you to install and use, the price of our software is nada, zero, rien. But if you are willing to contribute one way or another, do not hesitate to drop us an email at support@thehive-project.org or contact us via Twitter.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

WOT? Did You See a Yeti Hugging a Cuckoo?

While many are enjoying the summer holidays, the busy bees of TheHive Project have been working hard lately to develop new Cortex analyzers and review few of those submitted by our growing and thriving user community, bringing the grand total to 27. Yes, you read that right. Cortex can leverage 27 analyzers to help you analyze observables very simply in many different ways.

The latest update to the Cortex-analyzers repository contains 3 new analyzers: Yeti, Cuckoo Sandbox and WOT, described below. And your first step to benefit from them should consist of refreshing your master working copy on your Cortex instance:

$ cd where/your/analyzers/are
$ git pull master

Yeti

YETI is a FOSS platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.  It is mainly developed by fellow APT busters Thomas Chopitea and Gael Muller (who said France doesn’t produce good software?).

The new Cortex analyzer for this platform lets you make API calls to YETI and retrieve all available information pertaining to a domain, a fully qualified domain name, an IP address, a URL or a hash.

To be able to use the analyzer edit the Cortex configuration file (/etc/cortex/application.conf) and add the following lines:

Yeti {
    # URL of the Yeti server: example: http://120.0.0.1:5000
    url = ""
}

When called from TheHive, the following output is produced:

sc-YETI-short.png

sc-YETI-long.png
TheHive: YETI analyzer — Short and Long Report Samples

CuckooSandox

The Cuckoo Sandbox analyzer has been submitted by Andrea Garavaglia (Thanks!) and you can use it to analyze files and URLs with Cuckoo Sandbox.

By default, we chose to limit analysis to TLP:WHITE and TLP:GREEN observables for OPSEC reasons, in case your Cuckoo server provides Internet access to potentially harmful files. If you want to use it with TLP:AMBER or TLP:RED observables, edit CuckooSanbox_File_analysis.json or CuckooSanbox_URL_analysis.json and change the max_tlp parameter to 2 or 3.

To use the analyzer, edit the Cortex configuration file and add the following lines:

CuckooSandbox {
   url = “http://mycuckoosandbox”
}

When called from TheHive, the following output is produced:

sc-CSB-short.png

sc-CSB-long.png
TheHive: Cuckoo Sandbox Analyzer — Short and Long Report Samples

WOT

The WOT analyzer was also submitted by Andrea Garavaglia (kudos!). Use it to check reputation of a given domain on the Web of Trust service. It takes domains and FQDNs as input.

An API key is needed to use this service, and has to be added in the Cortex configuration file:

WOT {
    # API key of the Web of Trust account
    key=“”
}

When called from TheHive, the following output is produced:

sc-WOT-short.png.png

sc-WOT-long.png.png
TheHive: WOT Analyzer — Short and Long Report Samples

Support

Something does not work as expected? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

Train till you Drain: TheHive & Cortex VM

Rejoice folks! You can now play with TheHive & Cortex thanks to the test VM we created. It includes Mellifera 12, the latest major version of TheHive, Cortex 1.1.3, the latest Cortex analyzers with all dependencies and ElasticSearch installed on top of Ubuntu 16.04 with Oracle JRE 8.

The test VM is intended to be used… well… for testing or training purposes. We strongly encourage you to refrain from using it for production.

Get It

You can download the VM from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQYWR6WVlkLWhRemM/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

17df5989d852583e3046daefb97caadff90d30ecf4402df69cf6036d7ad1cacd

The system’s login is thehive and the associated password is thehive1234.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Configure TheHive

The first time you access TheHive, you’ll need to create the associated database by clicking on the Update Database button as shown below:

Screen_Shot_2017-07-06_at_21_52_46.png
Update TheHive’s Database on First Access

TheHive’s configuration file is located in /etc/thehive/application.conf. For additional configuration, read the docs.

Cortex

TheHive is already configured to use the local Cortex service.

Analyzer and Associated Report Templates

To fully benefit from the analyzers, you should install the associated report templates:

  • download the report template package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package
Plug it with MISP

The test VM does not contain a MISP instance and none is configured in TheHive’s configuration file.  To play with MISP, you may want to use the VM our good friends at CIRCL provide.  Once you’ve downloaded it or if you have an existing instance, edit /etc/thehive/application.conf and follow the configuration guide.

Restart or Go Mad

After each modification of /etc/thehive/application.conf do not forget to restart the service:

$ sudo service thehive restart

Troubles?

TheHive service logs are located in /var/log/thehive/application.log.

Configure Cortex

All available analyzers are installed with their dependencies, but none is configured. To configure analyzers, edit /etc/cortex/application.conf and follow the configuration guide.

Restart or Go Mad

After each modification of /etc/cortex/application.conf do not forget to restart the service:

$ sudo service cortex restart
Troubles?

Cortex service logs are located in /var/log/cortex/application.log.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

Correction: July 8, 2017 
An earlier version of this post offered to download the VM from Dropbox but they suspended the associated link due to seemingly heavy traffic. The post was updated to replace the Dropbox link with a Google Drive one.

Mellifera 12: The MAGA Edition

TheHive Project French Chefs are very happy to announce Mellifera 12, a brand new, all shiny, major version of TheHive.

This MAGA (Make Analysis Great Again) edition of your (soon to be?) favorite Security Incident Response Platform (SIRP) contains an awful lot of changes and improvements. While you can read the full changelog while waiting in line for your burger at HopDoddy or for your turn for the latest Disney attraction, we’d like to concentrate on a few features that would make you enjoy Digital Forensics & Incident Response like never before 🙂

Go Short or Go North

The Observables tab can now display the short (a.k.a. mini) reports produced by analyzers. Whenever you run an analysis (or many), the mini-reports will be shown as soon as the corresponding analyzer jobs have successfully finished. That way, you no longer have to click on each observable to access the short report.

sc-Mellifera12-#131.png
Short Reports shown on the Observables Tab

In fact, you don’t even have to click on the observable to access the long reports. You must simply click on the corresponding short report and the long one will be displayed on top of the observables tab as shown in the following screencast. Ain’t that nifty?

 

sc-Mellifera12-#191-2.png
A Single Click on the Short Report Shows the Long One

The short reports have been also improved to follow a taxonomy. To get to this stage, we had to review all 24 analyzers and their flavors, add new functionality to the CortexUtils Python library and improve the analyzers to add a summary section to their JSON output which Mellifera 12 interprets and displays according to a color code as described in our previous post. Please make sure to read it as it contains important information on how to update your cortexutils version and the analyzers as well as the report templates.

Is This Alert New or What?

Mellifera 12 introduces an important feature pertaining to alerts. To put it simply, whenever you receive a new alert from MISP, email, SIEM or any other source that you have connected with TheHive, the alert preview page will tell you if there are similarities with existing cases and if so, Mellifera 12 will let you import the new alert in the existing case and any updates made to that alert (think of an ongoing MISP event) will be automatically added to the case.

sc-mellifera12-#232.png
Alert Preview Page with the new Similar cases Section

Template this, Template that

In addition to the ‘similarity’ feature outlined above, Mellifera 12 lets you choose the case template to use when importing a new alert instead of having to use only a specific case template per alert type/source.

sc-mellifera12-#232-2.png
Choose the Template You’d Like to Use to Import an Alert

Custom Fields

We heard our community and implemented a feature that was requested by several users: custom fields.

So you’d like to add a business impact to a specific type of cases? Or a set of TTPs? Or a Threat Actor? Or specify a Business Unit? No problem! Ask an admin to create a custom field, associate it with a case template and there you go.

sc-mellifera12-#12-customfields2.png
Add a Custom Field

Unlike metrics, custom fields must not be filled to close a case. You can also supercharge a case with custom fields that have not been associated to a case template. We currently support four types of custom fields: strings, numbers, booleans and dates. And you can create lists of acceptable values to limit your analysts’ choices to legitimate data.

Other New Features

Mellifera 12 gives you the ability to reopen closed tasks. And when viewing the related cases tab of the current case, you’ll see the resolution status of the ones that were closed (false positive, true positive, indeterminate). External links will also be opened in a new tab.  Moreover, files included in alerts are no longer limited to 32 KB so you have no longer an excuse to avoid sending user email reports with their attachments to TheHive 😉

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.