We are happy to announce the immediate availability of TheHive 3.5.0 and Cortex 3.1.0 that supports Elasticsearch 7. We are also releasing TheHive 3.4.4 to include security upgrades. All of them are including fixes for vulnerabilities reported on Play Framework this month. We encourage you to upgrade.
As promised, despite the release of TheHive 4.0 in July, we are still support version 3. Today we are releasing two versions of TheHive 3, but why ?
If you want to be up-to-date with TheHive and Cortex, you must use Elasticsearch 7 and the new released versions of our products: TheHive 3.5.0 and Cortex 3.1.0.
With that being said, we won’t let down the users who cannot migrate their Elasticsearch immediately to version 7, so we decided to fix an embarrassing bug related to alerts with large amount of observables, Thanks to TheHive 3.4.4.
What’s new in TheHive 3.5.0 and Cortex 3.1.0
In addition to support for Elasticsearch 7.x, following fixes has been added in TheHive 3.5.0:
- Fix a bug with the admin page of Analyzers report templates (#1591)
- Responder list is ordered alphabetically (#1564)
- Keep date filters when pivoting from Dashboards to search page (#1581)
- UI Configuration option to choose to filter
TAG1 AND TAG2or
TAG1 OR TAG2in Alerts view (#1171)
- Fix issue when clicking on Analyzers short reports (#1350)
In addition to support for Elasticsearch 7.x, following fixes has been added in Cortex 3.1.0:
- Take into account
defaultValuein Neurons flavor file (#309)
Both versions have been updated to improve OAuth2 authentication support. They are now working the same way than TheHive 4.0.0, with a quite similar configuration.
Our support on TheHive and Cortex
However, starting from now, we will no longer support TheHive and Cortex version that use Elasticsearch < 7: i.e. TheHive < 3.5.0 and Cortex < 3.1.0. So please make sure to update your instances and rely on up-to-date and supported components.
Be aware that:
- Any issue reported in TheHive version 3.4.4 and lower, will be fixed on top of TheHive 3.5;
- Any issue reported in Cortex version 3.0.1 and lower, will be fixed on top of Cortex 3.1.0.
This situation made us also add strong changes regarding our repositories for DEB and RPM packages. Read carefully what follows and find your situation to learn how to upgrade.
You are still using or plan to continue with Elasticsearch 6 ?
Upgrade to TheHive 3.4.4
apt update && apt install
thehiveif you are using debian subsystems;
yum install thehiveif you are using RedHat, Fedora or CentOS.
If you are using docker image you need to specify the version. Get it by running the following command line:
docker pull thehiveproject/thehive:3.4.4-1
This version introduces a bug fix regarding the import of alerts having significant amount of observables.
Keep Cortex 3.0.1
3.0.1 is the last version of Cortex supporting Elasticsearch 6.x. So keep this version until you move to Elasticsearch 7.x.
You are using or plan to move to Elasticsearch 7.x ?
⚠️ DO NOT run an upgrade command on your system until your data has been migrated in Elasticsearch 7.x and Elasticsearch is running.
Upgrading an existing installation ?
Elasticsearch 7.x introduced changes that break our way of representing the data, so some updates need to be applied on the database configuration and on the index first.
We highly recommend reading carefully our dedicated migration guides before starting the upgrade process:
- For TheHive 3.5.0
- Migration Guide: https://github.com/TheHive-Project/TheHiveDocs/blob/master/migration-guide.md#from-34x-to-350
- Migration to Elasticsearch 7.x: https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/upgrade_to_thehive_3_5_and_es_7_x.md
- For Cortex 3.1.0
- Migration Guide: https://github.com/TheHive-Project/CortexDocs/blob/master/migration_guide.md
- Migration to Elasticsearch 7.x: https://github.com/TheHive-Project/CortexDocs/blob/master/admin/upgrade_to_cortex_3_1_and_es7_x.md
Obviously, we recommend testing this process on a testing environment before running it in production.
Running a fresh installation ?
To publish packages supporting Elasticsearch 7 and avoid anyone break his servers, we decided to create dedicated packages repository. To install TheHive 3.5.0, according to your Operating System, run the following processes.
After installing Elasticsearch 7.x, ensure your
/etc/apt/source.list.d/thehive-project.list looks like this:
deb https://deb.thehive-project.org release main
Then, run following commands to install TheHive 3.5.0:
apt update apt install thehive # or apt install thehive=3.5.0-1
and following commands to install Cortex 3.1.0:
apt update apt install cortex # or apt install cortex=3.1.0-1
After installing and running Elasticsearch 7.x, ensure your
/etc/yum.repo.d/thehive-project.repo looks like this:
[thehive-project] enabled=1 priority=1 name=TheHive-Project RPM repository baseurl=https://rpm.thehive-project.org/release/main gpgcheck=1
Them, run following commands to install TheHive 3.5.0:
yum update yum install thehive # or yum install thehive-3.5.0-1
And following commands to install Cortex 3.1.0:
yum update yum install cortex # or yum install cortex-3.1.0-1
- TheHive 3.5.0:
docker pull thehiveproject/thehive:3.5.0-1
- Cortex 3.1.0:
docker pull thehiveproject/cortex:3.1.0-1
Again, we strongly invite you to read detailed installation instructions:
- For TheHive
- For Cortex
Docker image of Cortex 3.1.0
Important modifications have been introduced in the docker image of Cortex 3.1.0. This image does not come anymore with programs of Analyzers and Responders and their dependencies.
Cortex is able to run those programs with Docker when images exist. The default configuration included in the official docker image of Cortex uses our catalogs of images of Analyzers and Responders.
Running Analyzers and Responders directly in Cortex container (using “process” method) is still supported. You can include them in container thanks to the Docker volumes when you start the container. If they need dependencies, you can create your own Docker image from our official Cortex image. Below an example of Dockerfile that retrieves Analyzers and Responders like previous Cortex Docker image:
FROMthehiveproject/cortex:3.1.0-1 RUN apt-get update RUN apt-get install -y --no-install-recommends \ python-pip python2.7-dev python3-pip python3-dev \ ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl \ libmagic1 build-essential git libssl-dev dnsutils iptables RUN pip2 install -U pip setuptools RUN pip3 install -U pip setuptools RUN git clone https://github.com/TheHive-Project/Cortex-Analyzers.git \ /opt/Cortex-Analyzers RUN for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt') \ do \ pip2 install -r $I || true \ pip3 install -r $I || true \ done
How to report issues
Running Into Trouble?