Featured

Ali Cortex and the 40 Analyzers

Two months ago, TheHive Chefs announced that Cortex passed the 30 analyzers mark as they added HybridAnalysis, EmergingThreats and Shodan, all three contributed by our continuously growing user community.

It’s 2018 already and to wish you a very happy new DFIR year, Nils and Jérôme got out of their way and reviewed many outstanding pull requests for new analyzers and fixed several bugs. Kudos bees!

Snapseed
© Saâd Kadhi

The latest release of Cortex-Analyzers, v 1.8.0, contains not one, not two, not even three but ten new analyzers! Isn’t that good omen for a fresh new year fighting cybercrime?

The ten new analyzers, described below, are:

  1. Bluecoat: contributed by our longtime friends from CERT La Poste.
  2. C1fApp: submitted by Dimitris Lambrou.
  3. Censys.io: developed by Nils Kuhnert, now a full member of TheHive Project, on behalf of CERT-Bund.
  4. MISP WarningLists: Nils strikes again (watch out Jérôme! the youngster is gonna leave you way behind ;).
  5. Onyphe: contributed by Pierre Baudry and Adrien Barchapt. It comes in five different flavors.
  6. PayloadSecurity: submitted by Emmanuel Torquato. The analyzer comes in two flavors.
  7. Robtex: added by… Nils again! It has three flavors.
  8. SinkDB: guess who developed that one? Wow, impressive! How did you figure it out? Yes, Nils!
  9. Tor Blutmagie: contributed by Marc-André Doll.
  10. Tor Project: also contributed by Marc-André Doll.

We would like to wholeheartedly thank all the individuals and teams listed above for their invaluable contributions. So a big merci for your work!

Bluecoat

The Bluecoat analyzer queries the Symantec – previously known as Bluecoat – WebPulse site review API for the currently assigned site category of URLs or domains. The analyzer needs no further configuration. When executed through TheHive, the analyzer produces short and long reports as shown below:

firefox_2018-01-10_11-02-03

Bluecoat Analyzer
TheHive: Bluecoat 1.0 Analyzer – Short and Long Report Samples

C1fApp

The C1fApp analyzer queries the C1fApp service, an Open Source threat feed aggregation application, using the API for IP addresses, domains and URL.

Before using the analyzer, you need to create an account on the C1fApp website and get the associated API key which you’ll need to provide as a value for the key parameter of the analyzer config section of /etc/cortex/application.conf as shown below. Once you’ve done so, you’ll need to restart Cortex.

 C1fApp {
     service="query"
     key="<insert API key here>"
     url="https://www.c1fapp.com/cifapp/api/"
 }

When launched using TheHive, the analyzer produces short and long reports such as the following:

sc-short-c1fapp.png

sc-long-c1fapp.png
TheHive: C1fApp 1.0 Analyzer – Short and Long Report Samples

Censys.io

Censys.io continually monitors every reachable server and device on the Internet, so you can search for them and analyze them in real time. Using the corresponding analyzer, information about a website certificate can be obtained using the associated IP, domain or certificate hash.

In order to use this analyzer, an account at censys.io has to be registered and the API ID and secret need to be added to the Cortex configuration file:

Censys {
    uid="<Your ID here>"
    key="<Your secret here>"
}

Once done, you’ll have to restart Cortex. When ran from TheHive, the analyzer produces short and long reports such as the following:

Censys Short

Censys.io Analyzer
TheHive: Censys 1.0 Analyzer – Short and Long Report Samples

Details about the ports can be obtained with a click on the specific button.

MISP WarningLists

In order to detect false positives soon enough in the analysis process, our good friends at the MISP Project published their so called warning lists which contain lists of well-known services or indicators.

This analyzer queries observables against the MISP warning lists. Observables can be an IP address, a hash, a domain, a FQDN or a URL.

To iterate through all the warning lists, the repository itself must be available on the Cortex instance:

git clone https://github.com/MISP/misp-warninglists

We highly recommend you create a cron entry or use a similar mechanism to keep the lists fresh. While the default path for the lists is the misp-warninglists subdirectory it can be adjusted in the configuration file:

 MISPWarningLists {
     path = "/path/to/misp-warninglists/repository" # Default: "misp-warninglists"
 }

When called from TheHive, the analyzer produces short and long reports as shown below:

firefox_2018-01-10_11-01-46

MISP Warninglists Analyzer
TheHive: MISP WarningLists 1.0 Analyzer – Short and Long Report Samples

As you can see, The MISP WarningLists analyzer checks if the repository is up-to-date 😉

Onyphe

The Onyphe analyzer leverages Onyphe’s API to query the service, which provides data about the IP address space and the publicly available information in a single, handy location.

The service comes in five flavors:

  • Onyphe_Forward: retrieves forward DNS lookup information we have for the given IPv4/IPv6 address with history of changes.
  • Onyphe_Geolocate: retrieves geolocation information for the given IPv4/IPv6 address.
  • Onyphe_Ports: retrieves synscan information we have for the given IPv4/IPv6 address with history of changes.
  • Onyphe_Reverse: retrieves reverse DNS lookup information we have for the given IPv4/IPv6 address with history of changes.
  • Onyphe_Threats: retrieves Onyphe threats information on anIPv4/IPv6 address with associated history.

To use the analyzer, you need to create an account on the Onyphe website. Provide the API key associated with your account as a value for the key parameter and add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

Onyphe {
    key = "<insert API key here>"
}

When ran from TheHive, the analyzer produces short and long reports such as the following:

sc-short-onyphe.png

sc-long-onyphe.png
TheHive: Onyphe 1.0 Analyzer – Short and Long Report Samples

PayloadSecurity

The PayloadSecurity analyzer let you submit observables to a on-premises PayloadSecurity instance. To use it, you need to create an account on the PayloadSecurity service. Provide the API/secret pair as  values for the key and secretparameters, collect the URL and environmentid of the service,  and add the lines below to the ​​config section of  /etc/cortex/application.conf. Then restart the cortex service.

PayloadSecurity {
    url = "<insert URL here>"
    key="<insert API key here>"
    secret="<insert secret here>"
    environmentid="<insert environmentid here>"
    verifyssl=True
}

When launched through TheHive, the analyzer produces short and long reports such as the following:

sc-short-payloadsecurity.png

sc-long-payloadsecurity.png
TheHive: PayloadSecurity 1.0 Analyzer – Short and Long Report Samples

Robtex

When collecting data about IPs, domains and FQDNs, Robtex can be a good source of information. According to their statistics, they logged over 20 billion DNS resource records. The corresponding analyzer comes in three flavors:

  • Robtex_Forward_PDNS_Query: checks domains/FQDNs using the Robtex Passive DNS API
  • Robtex_IP_Query: checks IPs using the Robtex IP API
  • Robtex_Reverse_PDNS_Query: checks IPs using the Robtex reverse Passive DNS API

The analyzer uses the free Robtex API which needs no subsequent configuration. However, the free API limits the rate and amount of returned data.

When executed using TheHive, the analyzer produces short and long reports such as the following:

Robtex Short

Robtex Analyzer
TheHive: Robtex 1.0 Analyzer – Short and Long Report Samples

SinkDB

SinkDB is a private service provided by abuse.ch which collects sinkholed IPs. Access to the service is allowed to trusted partners only. If you think you qualify, you can request an access using the form available on the SinkDB website. This is most likely only granted to certain CSIRTs and CERTs and not to individuals.

Provide the API key associated with your account as a value for the key parameter and add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

SinkDB {
    key="<insert API key here>"
}

When ran from TheHive, the analyzer produces short and long reports such as the following:

SinkDB Short True

SinkDB Long
TheHive: SinkDB 1.0 Analyzer Short and Long Report Samples

Tor Blutmagie

Tor Blutmagie analyzer extracts data from torstatus.blutmagie.de  and checks if an observable is linked to a Tor node. The observable can be an IP address, a FQDN or a domain.

In order to check if an IP, domain or FQDN is a Tor exit node, this analyzer queries the Tor status service at Blutmagie.de. The analyzer uses a caching mechanism in order to save some time when doing multiple queries, so the configuration includes parameters for the cache directory and the caching duration.

Provide the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

TorBlutmagie {
    cache {
        duration=3600
        root=/tmp/cortex/tor_project
    }
}

When ran from TheHive, the analyzer produces short and long reports such as the following:

firefox_2018-01-10_11-01-55

Tor Blutmagie Analyzer

Tor Blutmagie Analyzer (2)
TheHive: Tor Blutmagie 1.0 Analyzer – Short and Long Report Samples

Tor Project

Tor Project analyzer has also been contributed by Marc-André Doll. As the above analyzer, this one checks if an observable is a Tor exit node. This time, however, the source of information is the official Tor network status which can be queried for IP addresses only.

The accepts another parameter, ttl, which is the threshold in seconds for exit nodes before they get discarded. Provide the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

TorProject {
    cache {
        duration=3600
        root=/tmp/cortex/tor_project
        ttl=86400
    }
}

When ran from TheHive, the analyzer produces short and long reports such as the following:

TorProject Short

Tor Project Analyzer
TheHive: Tor Project 1.0 Analyzer – Short and Long Report Samples

Additional Fixes and Improvements

  • #141: Joe Sandbox analyzer now supports API version 2
  • #158: Fix mode when creating FireHOL ipset directory
  • #162: Fix Snort alerts in Cuckoo analyzer
  • #149: Fix the VirusShare hash downloader

Please note that when we fixed the bug in the shell script of VirusShare analyzer, the original Python script was removed.

Update TheHive Report Templates

If you are using TheHive, get the last version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Correction: January 12, 2018
The post was updated to add the full name of the author of the PayloadSecurity analyzer.

Cerana 0.2: X-Pack Auth, Multi-source Dashboards

TheHive Chefs are happy to announce the immediate availability of their latest recipe: Cerana 0.2 (a.k.a. TheHive 3.0.2).

While TheHive 3.0.0 brought you dynamic dashboards among other niceties, the latest (and, of course, the greatest) version of your Mom’s favourite Security Incident Response Platform fixes a bug spotted by our longtime supporter Megan Roddie (merci !). Indeed, Nabil was running low on coffee so he didn’t make the necessary changes to support the new sighted toggle introduced by Cerana for file observables.

Cerana 0.2 also adds X-Pack authentication for Elasticsearch, a feature contributed by srilumpa. Thanks! To enable this functionality, and assuming the X-Pack plugin for Elasticsearch is installed, add the following section to /etc/thehive/application.conf:

search.username = "jessica"​​​​​

​search.password = "drink-beat-repeat"

Last but not least, we decided to make dynamic dashboards even more powerful. You can now create new graphs that support multiple series from multiple entities (or sources).

multiline2
Multi-line Dashboards Example — Number of IOCs imported from MISP vs. those imported from other sources

As Christmas is approaching, go ahead and play with dynamic dashboards to impress your management as soon as 2018 rears its head or truly drive your CTI and DFIR activities and plan well ahead how you should improve automation or collaboration (or beg for additional headcount).

multiline1.png
Multi-line Dashboards Example — How to create one

Ain’t that nifty? Who said bees aren’t nice? Joyeux Noël !

 

Feeling Generous? Donate!

As you know, we are a FOSS project and donations are always welcome to make our products even better for the community.

All donations go to Creative Source, the non-profit organization we have created, and we will use them to improve TheHive, Cortex & Hippocampe but also to develop (even better) integrations with other FOSS solutions such as MISP.

So if you are feeling generous, contact us at support@thehive-project.org. Of course the funds may also be used to keep Nabil happy by providing a steady flow of caffeine. 😉

Creative Source can also provide so-called professional, entreprise-grade support, help integrating the products, train your analysts before they drain or assist you in specific areas such as developing in-house analyzers for Cortex.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Creative Source, a New Ally and a New Home

The Chefs who’ve been working hard to create delicious recipes in TheHive Project’s code kitchen are happy to announce the establishment of Creative Source, a non-profit organization, which aims to support TheHive, Cortex and Hippocampe.

Who’s behind this NPO?

Creative Source is co-managed by all the members of TheHive Project’s core team: Nabil Adouani, Thomas Franco, Danni Co, Saâd Kadhi and Jérôme Léonard. Work is in progress to provide Creative Source with a Web face.

What Will you Provide through It?

We have already started working with a couple of large organizations to provide trainings, limited support and assistance in Cortex analyzer development. All the money Creative Source is going to gain will serve to further support the project and keep refining our recipes to make them even more palatable.

If you are interested in funding the project, training your analysts or if you are looking for professional assistance with our products, please contact us at support@thehive-project.org.

Will TheHive, Cortex and Hippocampe Stay Free?

Don’t you dare ask that question! TheHive, Cortex and Hippocampe will stay free and open source in the foreseeable future as we are deeply committed in helping the global fight against cybercrime to the best of our abilities.

New Ally

We are also very happy to announce that Nils Kuhnert (a.k.a. @0x3c7 on Twitter), a longtime contributor, has now joined TheHive Project! We are no longer a pure French project, damn! 😉

Nils, who created many analyzers, will work mainly with Jérôme to deal with existing and new ones and absorb the numerous pull requests that have been piling up for many months. Welcome on board Nils!

New Home

IMG_4034
Author : Saâd Kadhi

To accommodate Nils and future members, our code and documentation will leave the lofty shelter of CERT-BDF‘s Github and move to https://github.com/orgs/TheHive-Project/  on Wed Dec 20, 2017. Save the date folks!

TheHive4py 1.4.0 Released

Version 1.4.0 of the Python API client for TheHive is now available. It is compatible with the freshly released Cerana (TheHive 3.0.0).

We’d like to thank Nick Pratley, a frequent contributor, Bill Murrin, Alexander Gödeke and “srilumpa” for their code additions and documentation.

To update your existing package:

$ sudo pip install thehive4py --upgrade

If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.

New Features

  • #5: Add a method to update a case, contributed by Nick Pratley
  • #34: Add a get_task_logs method in order to obtain all the task logs associated with a given taskId. Contributed by Bill Murrin
  • #37: A new, very cool case helper class by Nick Pratley
  • #39: Add support for custom fields to the case model
  • #40: Ability to run a Cortex analyzer through the API by Alexander Gödeke
  • #45: Simplify case creation when using a template by providing just its name
  • #49: Add a query builder capability to support TheHive’s DSL query syntax

Paris? Are you There?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!

Introducing Cerana

Update: 2 days after publishing this blog post, we’ve released Cerana 0.1 (TheHive 3.0.1) which fixes a number of issues. We encourage you to use 3.0.1 instead of 3.0.0.

The friendly honeybees at TheHive’s code kitchen were pretty busy lately even though winter came and temperatures have been close to zero Celsius in Paris, France. As we wrote a couple of weeks ago on this very blog, we are happy to announce Cerana to the world, available immediately.

Cerana or TheHive 3.0.0 is the latest (and obviously greatest) release of a now highly popular open source, free Security Incident Response Platform (or SIRP for short). Its flagship feature in comparison to previous releases is Dynamic Dashboards.

Dynamic Dashboards

Dynamic Dashboards replace the Statistics module in Cerana to allow you to explore the data available in Elasticsearch, which TheHive uses for storage, in many ways. For example, you can have a usage breakdown of Cortex analyzers, the number of open cases per assignee, the number of alerts per source (MISP, email notifications, DigitalShadows, Zerofox, Splunk, …), the number of observables that have been flagged as IOCs in a given time period, how many attributes were imported from MISP instances, top 10 tags of imported MISP attributes or incident categories.

case3.png
Dynamic Dashboards

Dynamic Dashboards can be created by an analyst and kept private or shared with the other team members. Dashboards can also be exported and imported into another instance. This would facilitate community participation in the establishment of valuable data exploration graphs to drive DFIR activity and seek continuous improvement.

When you’ll migrate to Cerana, you won’t have to build dashboards from scratch. We recreated more or less those which were available under the Statistics view and included them in the Cerana build.

Cortex and MISP Health Status

Cerana will also allow you to monitor the health status of all the Cortex and MISP instances that it is connected to. In the bottom right corner of TheHive’s Web UI, the Cortex and MISP logos appear when you have configured the integration with those products as in previous releases. However, the logos will have a small outer circle which color will change depending on whether Cortex and/or MISP instances are reachable or not.

status
Cortex & MISP Health

If TheHive can’t reach N out of M Cortex/MISP instances, the outer circle will be orange. If it can’t reach all M instances, the circle will red. If everything is fine, the circle will be green. The exact status of each Cortex/MISP instance can be seen in the About page. And when you try to run analyzers on a Cortex which cannot be reached, TheHive will tell you so as well.

about
Cortex & MISP: Version & Status

Sighted IOCs

In previous releases of TheHive, observables can be flagged as IOCs. However, this doesn’t necessarily mean you’ve seen them in your network. Think for example of a suspicious attachment which you’ve submitted to Cuckoo or Joe Sandbox through Cortex. The analyzer returns some C2 addresses to which the sample tries to connect to. You’d be right to add those C2 addresses to your case and flag them as IOCs. Then you search for them in your proxy logs and you find connection attempts to one out of four. In previous versions, you’d add a seen label but this would be inconsistent among analysts. One may use found instead. Another will add a description and no labels.

To avoid such situations and give you a simple way to declare an IOC as seen, Cerana adds a sighted toggle which you can switch on/off. We will leverage this toggle in future versions to indicate sightings when sharing back cases to MISP.

Other Features and Improvements

Cerana contains numerous other features and improvements such as:

  • Case template import, export
  • The ability to assign default values to metrics and custom fields to case templates
  •  The ability to assign by default tasks to their rightful owners in case templates
  • Show already known observables when previewing MISP events in the Alerts page
  • Add autonomous systems to the list of default datatypes
  • Single-sign on using X.509 certificates (in BETA currently)

We will update the documentation for Cerana in the upcoming weeks. So stay tuned.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cortex Hits the 30 Analyzers Mark

Cortex has now 30 analyzers thanks to Daniil Yugoslavskiy, Davide Arcuri and Andrea Garavaglia (from LDO-CERT) as well as our longtime friend Sébastien Larinier. Their contributions, all under an AGPLv3 license, add handy ways to assess observables and obtain invaluable insight to an already solid Threat Intelligence and DFIR toolset.

In addition to these 3 new analyzers, v 1.7.0 of the Cortex-Analyzers repository also fixes a number of bugs and add a few improvements to existing analyzers as well.

To get the new release, go to your existing Cortex-Analyzers folder and run git pull.

HybridAnalysis

The HybridAnalysis analyzer has been contributed by Daniil Yugoslavskiy. It fetches Hybrid Analysis reports associated with hashes and filenames. This analyzer comes in only one flavor called HybridAnalysis_GetReport.

Requirements

You need to have or create a free Hybrid Analysis account.  Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair. Provide the API key as a value for the key parameter and the secret as a value to the secret parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

HybridAnalysis {
  secret = "mysecret"
  key = "myAPIKEY"
}

When run from TheHive, the analyzer produces short and long reports such as the following:

sc-short-hybridanalysis_1_0.png

TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples
TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples

EmergingThreats

The EmergingThreats analyzer has been submitted by Davide Arcuri and Andrea Garavaglia  from LDO-CERT. It leverages Proofpoint’s Emerging Threats Intelligence service to assess the reputation of various observables and obtain additional and valuable information on malware.

The service comes in three flavors:

  • EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
  • EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
  • EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

Requirements

You need a valid Proofpoint ET Intelligence subscription.  Retrieve the API key associated with your account and provide it as a value to the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

 EmergingThreats {
   key="MYETINTELKEYGOESHERE"
 }

When run from TheHive, it produces short and long reports such as the following:

sc-short-ET_1_0.png

sc-long-ET-1_1_0.png

sc-long-ET-2_1_0.png

sc-long-ET-3_1_0.png

sc-long-ET-4_1_0.png

sc-long-ET-5_1_0.png
TheHive: EmergingThreats 1.0 Analyzer – Short and Long Report Samples

Shodan

The Shodan analyzer is the first submission by Sébastien Larinier. It lets you retrieve key Shodan information on domains and IP addresses.

This analyzer comes in two flavors:

  • Shodan_Host: get Shodan information on a host.
  • Shodan_Search: get Shodan information on a domain.

Requirements

You need to create a Shodan account and retrieve the associated API Key. For
best results, it is advised to get a Membership level account, otherwise a free one can be used.

Supply the API key as the value for the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

Shodan {
  key= "myawesomeapikey"
}

When run from TheHive, it produces short and long reports such as the following:

sc-short-shodan_1_0.png

sc-long-shodan_1_0.png
TheHive: Shodan 1.0 Analyzer – Short and Long Report Samples

Miscellaneous Fixes and Improvements

  • #100 : support both Cuckoo versions – by Garavaglia Andrea
  • #113 : Cuckoo Analyzer requires final slash – by Garavaglia Andrea
  • #93 : VirusTotal URL Scan Bug
  • #101 : Missing olefile in MsgParser requirements
  • #126 : PhishTank analyzer doesn’t work – by Ilya Glotov

Update TheHive Report Templates

If you are using TheHive, get the last version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Zerofox2TH: ZeroFOX Alert Feeder for TheHive

Earlier today, the French (but nonetheless happy) Chefs of TheHive’s code kitchen released DigitalShadows2TH, an alert feeder for TheHive that can consume incidents and intel-incidents from Digital Shadows, a Threat Intelligence provider and feed them as alerts to your favorite Security Incident Response Platform.

We are glad to do the same for ZeroFOX, a social media monitoring platform, with Zerofox2TH. If you are a ZeroFOX customer with a valid API subscription and use TheHive for managing your security incidents and investigating them, you can now feed alerts generated by ZeroFOX to TheHive. Ain’t that joli?

Zerofox2TH is released under an AGPLv3 license (read: free and open source). To use it, you’ll need Python 3, the requests and pillow libraries as well as TheHive4py. You also need TheHive 2.13 or better, with an account on your SIRP that can create alerts.

Please read the README file to learn how to install, configure and run this alert feeder.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.