Following the release of Mellifera 13 last week, some users reported problems getting the platform working correctly. They couldn’t browse a case’s tasks. TheHive Chefs reproduced the bug and corrected swiftly in Mellifera 13.1 (TheHive 2.13.1), which is now available. Please note that the identified bug happens only when you haven’t upgraded TheHive from an earlier version.
Is ES 2.x still supported?
Mellifera 13 introduced the support of Elasticsearch 5.x and has been thoroughly tested with version 5.5 (5.6 should be probably work just fine). Given the numerous changes between ES 2.x and ES 5.x, we do not support both versions. Hence, and starting from Mellifera 13, only ES 5.x is supported.
Download & Get Down to Work
If you have an existing installation of TheHive, please follow the migration guide. This is paramount to ensure a good transition from earlier versions. You have been warned.
If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
After the release wagon we unleashed upon the Internet tracks last week, we have updated the training VM to include Mellifera 13 (TheHive 2.13.0), Cortex 1.1.4, TheHive4py 1.3.0, Cortex4py 1.1.0 and the latest Cortex analyzers with all dependencies.
We strongly encourage you to refrain from using it for production.
Get It
You can download the VM from the following location:
Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
Moments ago, we have announced the release of Mellifera 13, TheHive4py 1.3.0, and Cortex4py. And since we don’t want to leave you wanting for more fun time, you may want to schedule as well a Cortex update shall you need it 😉
Group ownership in Docker image prevents running on OpenShift #42
Fixed Bugs
Cortex removes the input details from failure reports #38
Display a error notification on analyzer start fail #39
Download & Get Down to Work
To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.
Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
TheHive Project French Chefs are very happy to announce Mellifera 13 (TheHive 2.13.0), a brand new, all shiny, major version of TheHive.
This new edition of your favorite Security Incident Response Platform (SIRP) has been cooked with great care to bring you a number of key features.
Mellifera 13 now uses ElasticSearch 5.x. We have tested it with v 5.5 but it should work just fine with ES 5.6.
Webhooks
TheHive has now basic support for webhooks. This allows your SIRP to post all the audit trail data to one or multiple webhooks defined in the configuration file. This way, you can listen to any change taking place on the platform and act on it as you see fit: create a ticket in an IT ticketing system, send a message to a Slack channel, display selected events of the audit trail on a screen, wake up your fellow analysts from sleep when a specific type of cases or a given alert is raised & so on. So get some elbow grease and code that Slack bot promptly 😉
Import and Export from Multiple MISP Servers
Mellifera 13 can not only import events from multiple MISP servers but also export cases as events to one or several MISP instances. The exported cases will not be published automatically though as they need to be reviewed prior to publishing.
Click on that Share button on the top right cornerSelect the MISP server to which to export the caseSee how the Share counter on the top right corner has now increased
We strongly advise you to review the categories and types of attributes at least, before publishing the corresponding MISP events. Please also note that only and all the observables marked as IOCs will be used to create the MISP event. Any other observable will not be shared. This is not configurable. For further details, check the documentation.
Review and publish the event on MISPReview the categories and types of your attributes
API Keys
Mellifera 13 introduce a new authentication mechanism: API keys. This auth method is recommended for all programs or scripts, including your SIEM, that raise alerts on TheHive. You can, as an administrator, generate and revoke as many API keys as you want. Existing software using the basic authentication method should be modified to use API keys. But do not panic, while the basic authentication mechanism has been disabled by default, you can still enable it in application.conf.
The ‘alert’ role
A new alert role has been added. Only users with this role can create an alert. All existing programs which create alerts must have this role. Otherwise they will no longer work.
Download & Get Down to Work
If you have an existing installation of TheHive, please follow the migration guide. This is paramount to ensure a good transition from earlier versions. You have been warned.
If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
Great, palatable recipes, even if they are cooked by fine French chefs, need to be refined over time and may not be as savoury as intended when they are served in their early days. Quality takes time, although smokeware vendors would have you think otherwise.
Mellifera 12.1 (TheHive 2.12.1) has been released to fix a number of outstanding bugs:
#254: TheHive does not send the file’s name when communicating with Cortex
#255: merging an alert into an existing case does not merge the alert description into the case’s description
#257: while TheHive does not let you add multiple attachments to a single task log, the UI makes you believe otherwise
#259: fix an API inconsistency. GET /api/case/task/:id/log has been fixed.
And a new API call POST /api/case/task/:taskId/log/_search has been added, which accepts a “query” in the request body to filter logs of the task.
#268: cannot create an alert if the IOC field is set for a single alert’s attribute.
#269: closing a case with an open task does not dismiss it from ‘My Tasks’.
This new minor release adds the following enhancements:
#272: in alert preview, similar cases are shown regardless of their status. Merged or deleted ones should not appear in that list.
How About the Test VM?
The test VM has not been updated yet. It still contains Mellifera 12 (TheHive 2.12.0). We will update it in September, probably when Mellifera 13 is released. That version will bring the ability to export cases as MISP events.
Download & Get Down to Work
If you have an existing installation of TheHive, please follow the migration guide.
If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
Rejoice folks! You can now play with TheHive & Cortex thanks to the test VM we created. It includes Mellifera 12, the latest major version of TheHive, Cortex 1.1.3, the latest Cortex analyzers with all dependencies and ElasticSearch installed on top of Ubuntu 16.04 with Oracle JRE 8.
The test VM is intended to be used… well… for testing or training purposes. We strongly encourage you to refrain from using it for production.
Get It
You can download the VM from the following location:
click on Import templates button and select the downloaded package
Plug it with MISP
The test VM does not contain a MISP instance and none is configured in TheHive’s configuration file. To play with MISP, you may want to use the VM our good friends at CIRCL provide. Once you’ve downloaded it or if you have an existing instance, edit /etc/thehive/application.conf and follow the configuration guide.
Restart or Go Mad
After each modification of /etc/thehive/application.conf do not forget to restart the service:
$ sudo service thehive restart
Troubles?
TheHive service logs are located in /var/log/thehive/application.log.
Configure Cortex
All available analyzers are installed with their dependencies, but none is configured. To configure analyzers, edit /etc/cortex/application.conf and follow the configuration guide.
Restart or Go Mad
After each modification of /etc/cortex/application.conf do not forget to restart the service:
$ sudo service cortex restart
Troubles?
Cortex service logs are located in /var/log/cortex/application.log.
Need Help?
Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
Correction: July 8, 2017
An earlier version of this post offered to download the VM from Dropbox but they suspended the associated link due to seemingly heavy traffic. The post was updated to replace the Dropbox link with a Google Drive one.
TheHive, Cortex and MISP work nicely together and if you’ve read our June-Dec 17 roadmap post, the integration of our products with the de facto threat sharing platform will get better in a few months.
During the FIRST conference presentation we gave last week, we displayed a picture that we will use here to try to explain how these three open source and free products integrate with one another.
A Picture is Worth a Thousand Words…
TheHive
TheHive is a Security Incident Response Platform (SIRP). It can receive alerts from different sources (SIEM, IDS, email. etc.) via its REST API. This is where alert feeders come into play.
Alert Feeders
Think of an alert feeder as a specialized program which consumes a security event (SIEM alert, email report, IDS alert, and so on), parses it and outputs an alert that its sends to TheHive through TheHive4py, the Python library we provide to interact with TheHive’s REST API.
We do not supply such feeders but developing them should be straightforward. If not, let us know and we’ll do our best to help you out.
Alerts
Any alert sent to TheHive will show up in its Alerts pane. In addition to the sources mentioned above, new or updated MISP events will show up as well in that area if you configured TheHive to connect to one or several MISP instances. If so, TheHive will poll those MISP instance(s) at every interval looking for new or updated events. If there are any, TheHive will generate an alert which will end up in the Alerts pane.
The Alerts Pane
Alerts can be ignored, mark as read, previewed and imported. When an alert is imported, it becomes a case that needs to be investigated.
Cases
The Workflow that is at the Heart of TheHive
A case can be generated from an alert or created from scratch. It is subdivided into tasks (think identification, containment, eradication, check proxy logs, and so on) and observables (IP addresses, hashes, email addresses, domain names, URLs…). When analysts are working on tasks, they add logs as they go. In TheHive’s terminology, logs are text entries which may contain attachments to help analysts record what they have been doing. Logs can be written using Markdown or a rich-text editor.
Case Templates
You don’t need to add the same tasks over and over when working on cases belonging to a given category (DDoS, Malspam, APT, …). You can create custom templates to which you add tasks as shown below. This is very useful when you are dealing with alerts so that when you import them, you can select which case template you’d like to apply and there you go!
A Sample Case Template
Observables
Observables can be tagged, flagged as IOCs, and analyzed. When the investigation is well in progress or completed, you may want to share the resulting IOCs or a subset of those with partners and peers. TheHive will support the ability to export that data to MISP in September 2017. Until then, you can still export your IOCs as text, CSV or as a MISP-compatible format that you can use to add them to your MISP instance using the freetext editor. TheHive can export IOCs/observables in protected (hxxps://www[.]somewhere[.]com/) or unprotected mode.
Every observable must have a TLP (Traffic Light Protocol) level. By default, any added observable is considered TLP:AMBER. Please note that the TLP is taken into account by some analyzers. Wait! Analyzers?
Cortex
Cortex is our standalone analysis engine and a perfect companion for TheHive and MISP. Analysts can use it to analyze observables using its Web UI, in which case they can be submitted only one at a time. The Web UI should really be limited to quick assessments of observables before creating a case in TheHive (or in an alternate SIRP). The power of Cortex really comes into play when you use its REST API. TheHive speaks natively to Cortex (as MISP does). Moreover, TheHive can leverage one or several Cortex servers.
Observable Page and List of Analyzers
Analyzers
As of this writing, Cortex has 23 analyzers which come in a total of 39 flavors and more will be available soon.
An analyzer can be written in any programming language supported by Linux though all of our current analyzers are written in Python. This is because we provide a Python library called Cortexutils which contains a set of utility classes that make it easier to write an analyzer in Python.
Flavors
Analyzers such as VirusTotal, PassiveTotal or DomainTools can provide different analysis services. Let’s take VirusTotal as an example. You can scan a file or URL. That’s one flavor. You can also obtain the latest available report on VirusTotal.com for a file, hash, domain or IP address. That’s a second flavor. So the VirusTotal analyzer has two flavors.
How about PassiveTotal? It has 8 flavors: unique resolutions lookup, SSL certificate history lookup, malware lookup, passive DNS lookup, data enrichment lookup, SSL certificate details lookup, OSINT lookup and WHOIS data lookup.
The MISP Search Analyzer
At this point, we need to mention a special analyzer that may create some confusion if not understood correctly: the MISP Search analyzer. Thanks to it, Cortex has the ability to search observables within a MISP instance as represented by the arrow that goes from the Analyzers to MISP.
Search for MISP Events Containing a Given Observable
When an observable is found in an event, Cortex will return the number of records found (i.e. the number of events where the observable has been found) and a list of links to those events with additional data.
Searching for a Hash Using the MISP Search Analyzer from the Cortex Web UIThe Same Search Conducted from TheHive: Long ReportMini-Report
The current version of the MISP Search analyzer can only search within a single MISP instance but in the near future, it will be able to support multiple ones.
MISP Expansion Modules
Besides its own analyzers (which include MISP Search described above), Cortex can also invoke MISP expansion modules. These are normally used by MISP to enrich attributes within events but Cortex can also take advantage of them to analyze observables.
There is some overlap between the native Cortex analyzers and MISP expansion modules. When choosing between a native analyzer or an expansion module, we highly recommend you select the former. The expansion modules are deactivated in the default Cortex configuration.
Jobs
When you submit an observable for analysis, Cortex will create a job and, if successful, it will generate an analysis report in JSON format. TheHive has the ability to parse those results and present them in a human-friendly fashion thanks to report templates we offer for free. So when you’ll submit an observable to Cortex from TheHive, you’ll get back a short (or mini) report and a long one. The first can be thought of as a really tiny Exec Analyst Summary while the second provides more insight and details.
Calling Cortex from MISP
In addition to the expansion modules we have just mentioned, MISP 2.4.73 and up can enrich attributes using Cortex analyzers. The configuration is pretty straightforward. So if all you are concerned about is threat intelligence and sharing, you may augment your visibility into a given threat represented as a MISP event by leveraging all current 23 Cortex analyzers and any future ones.
Conclusion
TheHive, Cortex and MISP are three open source and free products that can highly aid you combat threats and keep the ‘monsters’ at bay.
TheHive, as a SIRP, allows you to investigate security incident swiftly in a collaborative manner. Several analysts can work simultaneously on tasks & cases . While cases can be created from scratch, TheHive can receive alerts from different sources thanks to alert feeders which consume security events generated by multiple sources and feed them into TheHive using TheHive4py Python library. TheHive can also sync to one or several MISP instances to receive new and updated events which will appear in the alert pane with all the other alerts generated by other sources. Analysts can then preview new alerts to decide whether they need to be acted upon. If so, they can transform them into investigation cases using templates.
To analyze the observables collected in the course of an investigation and/or imported from a MISP event, TheHive can rely on one or several Cortex analysis engines. Cortex is another standalone product that we have developed which sole purpose is to allow you to analyze observables at scale thanks to its large number of analyzers, MISP expansion modules and any analyzer you might have developed on the side. Cortex has a REST API that can be used to empower other security products such as ‘analytics’ software, alternate SIRPs or MISP.
The highly popular threat sharing platform can indeed enrich attributes thanks to Cortex as it has a native integration with it. And in a few months, you will also be able to export cases from TheHive as MISP events that you can share with peers and partners.
If you do share, you do care about our collective mission to defend thedigital assets that are under our watch from harm. So let us fight together as one.
A few days ago, we have been made aware of a bug in the way we pulled new or updated MISP events to inject them within Mellifera’s alerting panel. As a result, some events did not show up as intended. So you might have missed some of the action shared by peers and partners through MISP.
As true Frenchmen who care a lot about cuisine, TheHive Project’s Chefs went back to their code kitchen and figured out a more palatable recipe to make sure you won’t be left under the impression that you were seeing all new or updated MISP events while in fact you didn’t (we don’t want you to go too easy & lazy n’est-ce pas ?). Mellifera 11.3 (TheHive 2.11.3), a hotfix version has been released to that end and should fix the issue. Please note that you must use MISP 2.4.73 or better.
In addition, this new version of your favorite (or soon to be favorite) Security Incident Response Platform can be installed from a deb package on Ubuntu 16.04 without having to fiddle with OpenJDK. We have repackaged the software to avoid grabbing OpenJDK 9 (which TheHive does not support) and force the installation of version 8.
Finally, if an admin creates an empty case template, users can add tasks to it while previously this wasn’t possible.
Download & Get Down to Work
If you have an existing installation of TheHive, please follow the new migration guide.
If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
The Chefs behind TheHive Project’s delicious code are happy to announce the availability of Mellifera 2 (TheHive v2.11.2), the scalable, free and open source Security Incident Response Platform. This minor version fixes two irking issues related to MISP and adds a few enhancements detailed below.
Mellifera – The New Alerting Panel
Fixed Issues
#220: alerts related to MISP events are not properly updated.
#221: in some edge cases, alerts related to MISP events are created with no attribute.
Enhancements
#188: display the case severity in the My tasks and the Waiting tasks pages to let analysts prioritize their work.
#218: show the description of an alert in the alerting panel.
#224: visually distinguish between analyzed and non-analyzed observables.
Download & Get Down to Work
If you have an existing TheHive installation, please follow the new migration guide.
If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
Correction: May 26, 2017
A copy/paste error from a previous blog post was fixed.
We are glad to announce a new version of your favorite observable analysis engine which corrects bugs introduced by version 1.1.1 and adds a few enhancements. As a reminder, TheHive, our Security Incident Response Platform, can interact with one or several Cortex instances. Moreover, starting from version 1.1.1, Cortex has a two-way integration with MISP.
We highly advise you to upgrade your Cortex in to instance to 1.1.2.
Cortex 1.1.2 – Job Report Example with CERT-SG’s Abuse Finder
Fixed Issues
#27: fixed the daunting error 500 that many users of TheHive encountered when a job is submitted to Cortex.
#29: the MISP expansion modules are now disabled by default to avoid another error 500.
#31: the web interface was displaying SNAPSHOT (oops!) for the Cortex version. It now displays the correct version.
Enhancements
#28: when you enable the MISP expansion modules, Cortex will not be slowed down and starts without delay.
To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.
Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.
Support
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
TheHive Project 