Lo and behold, we aren’t dead & TheHive Project ain’t toast! So, foremost, Happy New Year folks (we are still in January, right?)! We have some nice gifts coming up for you, gifts that have required very heavy-duty work. Of course, you might complain that we haven’t been responsive as of late but hey, there’s only so much we can do, right?
Happy New Year Folks! (Photo by Saâd Kadhi)
We’ll talk about those gifts in the upcoming weeks. In the meantime, there’s a new Cortex version in town and we urge you to upgrade to it, particularly if you consider deploying several Cortex nodes as a cluster. Indeed, Cortex 3.0.1 fixes a missing dependency that is required to set up such an architecture. Additionally (and this is the part where you should be paying attention), this version fixes the display of error messages pertaining to analyzer and responder operations, and also ensure that old responders and analyzers no longer show up once you clicked on that Refresh button.
Fixes and Enhancements
#244 Prevent the Play secret key from being displayed in the logs at startup. Nonetheless, you can still display it (for troubleshooting purposes or to make things easier for attackers that might have access to the logs and be interested in such a world-changing secret) by using the --show-secret option when starting Cortex
#243 fixes the display of error messages when analyzers & responders fail
#240 An encoding issue causes an invalid format in the catalog file
#230 Elastic4play has dropped the ES cluster configuration option. Contributed by Adeel Ahmad
#164 Handle second/minute-rates limits on Flavors and Analyzers
Running Into Trouble?
Shall you encounter any difficulty during the upgrade process, please ask on our user forum, get in touch with the community on Gitter, or send us an email at support@thehive-project.org.
For many months, we have been concentrating our efforts on TheHive 4, the next major version of your favourite Security Incident Response Platform, which we’ll finally provide RBAC (or multi-tenancy if you prefer), a feature that Cortex had for quite some time now.
As you well know, both TheHive and Cortex rely on Elasticsearch (ES) for storage. The choice of ES made sense in the beginning of the project but as we added additional features and had new ideas to give you the best experience possible, we faced several ES quirks and shortcomings that proved challenging if not outright blocking for making our roadmap a reality, including RBAC implementation in TheHive, a far more complex endeavour than RBAC in Cortex. Transitioning from ES to graph databases was necessary and since we want our existing users to have a smooth migration path, TheHive 4 (the first release candidate should come out of the oven by the end of the year) will support both ES and graph databases.
But while we were focusing on that, we completely lost sight of the end of life of ES 5.6 so we wrote an apology to you, our dear users, back in May.
Shortly after, we released TheHive 3.4.0-RC1, to add support for ES 6 (with all the breaking changes it has introduced). We also did the same for Cortex with the release of Cortex 3.0.0-RC3. We also took that opportunity to clear out some AngularJS technodebt we had.
We then asked you to take them for a spin and report back any bugs you find given that both versions had to support ES 5.6 and ES 6 to allow for proper migration.
After a few rounds of release candidates, we are pleased to announce the immediate availability of TheHive 3.4.0 and Cortex 3.0.0 as stable releases.
You should also note that, in addition to ES 6 support, Cortex 3.0.0 supports fully dockerised analyzers and responders. We’ll elaborate on this in a future blog post soon.
Changelogs
If you are interested in some nitty-gritty details, we invite you to read the relevant changelogs since our last post on the subject:
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help as usual!
We could not duly test DNSSinkhole since we do not have access to the associated service. So we would really appreciate it if you could test it and let us know whether it works or not.
This analyzer lets you check if an IP address has been registered in your DNS sinkhole. TheHive displays the analyzer results as follows:
DNSSinkhole analyzer: long report
DNSSinkhole analyzer: short report
TalosReputation
This analyzer lets you determine whether an IP address has been reported as a threat on Cisco Talos Intelligence service. No special access to the service is required to run the analyzer.
TheHive displays the analyzer results as follows:
Talos Reputation: long report
Talos Reputation analyzer : short report
Crt.sh
This analyzer has been enriched to display SHA-1 fingerprints. The long report format has been updated to reflect this new information.
Crt.sh analyzer: long report
FileInfo
FileInfo has been updated and is now able to parse PDF files and extract IOCs such as URLs, hosts, domains, IPs, hashes and many more.The analyzer does also support the last version of the extract-msg library.
FileInfo analyzer: IOC Parser long report
FileInfo analyzer: IOC Parser short report
VirusTotal and Python3
The VirusTotal analyzer, including all its flavours, now uses Python3 and an updated virustotal-api library.
Yeti API key
An optional API key can now be configured and used by the Yeti analyzer.
Malwares_GetReport
A hash computation has been fixed in this analyzer.
EMLParser
A first fix has been introduced to avoid this analyzer to crash when there is no content-description in content_header, and a second has been added to correct a header display issue.
IBM XForce Lookup
The analyzer has been improved to allow users to add a trailing / at the end of the API URL without breaking everything.
Updating your Analyzers in Cortex 2.x
Each analyzer and responder comes with its own, pip compatible requirements.txt file. Run the following commands to update your Cortex analyzers to the latest version:
cd path/to/Cortex-Analyzers git pull for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \ for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.
If you want to use dockerised analyzers and responders, ensure that the URL of the catalog.json file corresponding to the Cortex-Analyzers repository is registered inapplication.conf. Please note that this won’t work if you are tracking the stable catalog.
After doing so, do not forget to login to Cortex as an orgadmin, click on the Refresh Analyzers button, then Disable and Enable again each analyzer and responder. Analyzer (and responder) updates should occur automatically as long as docker.autoUpdate is set to true in application.conf (this is the default setting).
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
click on Import templates button and select the downloaded package
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
As we announced on May 14, 2019, we have been working very hard to add Elasticsearch 6 support to TheHive and Cortex as Elasticsearch 5.x went the way of the dodo when Elastic plugged life support off this venerable version. We also took this occasion to upgrade AngularJS and its sub projects to 1.7.8, the latest 1.x version as of this writing. Additionally, Grunt build dependencies have also been updated to their latest compatible versions.
It took us more time than initially foreseen but hey, we all love deadlines. We all love the whooshing noise they make as they go by.
TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 are now available on every Internet pipe near you and before you take them for a spin to help us identify any issues to make the stable releases rock-solid, let us walk you through some important information. Relax and grab a drink (and send good wine our way, we can always use some!).
In addition to ES5 and 6 support and the update of AngularJS, this version corrects a few bugs that were identified in the latest stable version (3.3.1) and adds a few features. The most important one in our opinion is the ability to import a file from a Cortex report. This requires Cortex 3.0.0-RC3. The full list of changes is available at the following location.
ES5 and ES6 support, AngularJS et cetera et cetera. Well you know the song right? Not quite as Cortex 3.0.0 significantly facilitates analyzer and responder installation and updates, thanks to Docker as we touched upon in a blog post earlier this year.
As detailed in the Cortex migration guide, which we recommend you read thoroughly, you can migrate from Cortex 2 and keep using analyzers and responders the same way (using processes), use the new Docker-based analyzers and responders or mix and match between running processes and docker containers (but then, you gotta pay extra attention to configure properly which analyzer/responder runs in which fashion).
Moreover, if you use the new dockerised analyzers and responders, you will be able to choose if you want to have them autoupdated (that’s the default behaviour) and if so, pick the bleeding edge, potentially buggy versions, the minor releases or, if you are risk-averse, stick with stable ones.
Cortex 3.0.0-RC3 also adds the ability to retrieve files resulting from analyzer jobs and last but not least, corrects an information disclosure bug that allowed non-admin users to retrieve the details of other users through the API. The vulnerability was reported by Adam Maris so kudos to him!
Warning: Regressions Ahead!
As outlined in our previous post about these new versions:
TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 use HTTP transport (9200/tcp by default) to connect to Elasticsearch instead of its native binary protocol (9300/tcp by default).
SSL/TLS, including when using a client certificate, can be configured to connect securely to ES. However this has not been tested yet.
Support of X-Pack and Search Guard is discontinued for anything but basic and SSL client authentication, which would still work.
Caution: Performance May Take a Hit!
The parent-child relationships we use behind the scene in Elasticsearch could make queries significantly slower with ES 6 and in our limited testing, we had the impression that performance took a hit. So please be cautious there and we’d be grateful if you could report any sluggishness you notice during your tests of the new versions with ES6.
Some of our die-hard fans noticed that we silently released TheHive 3.3.0 a few days ago, after six release candidates. Well. Silently won’t be the right word to use in this case as we are drowning under work and feature requests and we sometimes postpone communication in favour of getting true real work done.
So, without any further ado, we are happy to announce the official availability of our latest (and of course greatest) release of the most-advanced, next-gen, HI (Human Intelligence), gluten-free, (add here any keyword that you fancy to help us get the Gartner attention and land in the Magic Quadrant™), free and open source Security Incident Response Platform Security Orchestration Automation & Response Platform.
As stated earlier, TheHive 3.3.0 went through the largest number of release candidates to date in order to ensure it contains more features than bugs (or unexpected functionality as our dear Nabil call them sometimes).
TheHive and Cortex are a huge success. According to our estimates, there are about a hundred organisations of different sizes and locations using or testing them. And as the number of users grows, so does the number of features, professional service and support requests.
We tried finding a solution to keep TheHive Project as healthy as possible. So we created Creative Source, a nonprofit organisation (NPO), in the hope that we could leverage it to hire more developers thanks to the generous donations of our large user community. Sadly, not everyone in this world is generous and altruistic. At the end, all but one company (yes, exactly one) trusted us enough to make a donation and get tailored services for its needs in return. Most of the others either did not reply to our proposals or explained that their procurement process does not accommodate working with NPOs.
As we informed you a few weeks ago, some members of our core team are finalising an alternative option to ensure not only the viability of TheHive and Cortex as FOSS products on the long run but the ability to provide professional training, support, and services without making highly bureaucratic, think-in-the-box-but-never-outside procurement departments freak out.
On February 10, 2019, we released TheHive 3.3-RC2. It contained new features such as bulk alert merging, alert sorting, observable tag autocompletion, exporting case tags to MISP & more. Since then your favourite French code Chefs have been beesy refining TheHive 3.3 through new release candidates while getting Cortex 3 ready for prime time.
Over the weekend, Nabil decided he was not working enough already during the week. So he drained his batteries to the very last drop to release TheHive 3.3-RC5 before he crashed headfirst into his bed for a long, reparative sleep. Cumulatively since RC2, we added several features and squashed 10 bugs as described below.
Note that release candidates are beta software. You can get TheHive 3.3-RC5 from the pre-release, beta repositories. As usual, we encourage you to test it and report any bugs or issues you spot so we can address them before the final release.
#888: add a new UI configuration admin section. One of the first use cases of this section consist in disabling creating empty cases (i.e. cases not associated with a template). It will be gradually improved with new use cases so speak your mind!
#893: disable the case template selection when trying to merge multiple alerts for which no case template exists.
#890: the Hide Empty Case button in the new UI admin section was broken.
#894: when clicking on a donut or a widget in the dashboards, this should take you to the search page with predefined filters, without generating errors.
We urge our fellow fighters of cybercrime and funny and not-so-funny animals-in-disguise, to update their Cortex analyzers to the latest 1.15.2 version which plugs a serious vulnerability in the Unshortenlink analyzer and fixes several bugs.
Unshortenlink Vulnerability
On Jan 24, Alexandre Basquin discovered a SSRF vulnerability in the Unshortenlink 1.0 analyzer. By exploiting it, an attacker which has access to a Cortex instance with an analyze role can scan the ports of localhost and possibly of all the hosts reachable by Cortex. This could be automated through Cortex4py by making repetitive calls to the API and thus scanning multiple ports & hosts. In essence, the attacker can perform reconnaissance thanks to Unshortenlink and gain knowledge on which ports are open and which aren’t.
Version 1.1 of Unshortenlink, included in Cortex-Analyzers 1.15.2, plugs this vulnerability by disabling submissions containing IPs & ports. Only URLs are now accepted.
Bug Fixes
Additionally, Cortex-Analyzers 1.15.2 corrects the following bugs:
#416: the Mailer responder now supports UTF-8 encoding.
#410: remove wrapping of the results produced by crt.sh as a list which ends up breaking the output of the report template. Contributed by Thomas Kastner.
#409: enum is not required for Python 3.4+ to make the MISP Search analyzer work.
#408: FileInfo’s Manalyze plugin did not work after Manalyze renamed plugin_btcaddress to plugin_cryptoaddress.
#406: fix a broken link in the Cymon_Check_IP report, submitted by Manabu Niseki.
To update your analyzers to version 1.15.2, please read the Updating section of the Cortex installation guide.
Since the version numbers of few analyzers have changed, you’ll need to connect as an orgadmin to Cortex to refresh the analyzer list, disabling old ones and enabling the new versions.
TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
click on Import templates button and select the downloaded package
Wait a Minute! Where’s the Blog Post about 1.15.1?
Good catch! There was no blog post about Cortex-Analyzers 1.15.1. Call us lazy but there was nothing Earth-shattering, pole-shifting in that release. Nonetheless, here are a list of fixes included in that release and from which you’ll inherit automatically if you update 1.15.0 to 1.15.2 directly:
#402: Malwares analyzer code relied on functionality that’s only available in Python 3.7+. It has been fixed to work with 3.4 and up thanks to the work of Arcuri Davide.
#404: fixes a bad folder renaming in the HIBP (Have I Been Pwned) analyzer.
#398: MISP Search analyzer wouldn’t run without the enum dependency. Contributed by Mars Huang. Later improved in 1.15.2 (see above).
Dear fellow incident handlers and cybercrime fighters around the world, the galaxy, the known and the unknown universe, first and foremost, all TheHive Project’s team would like to wish a wonderful new year 2019 to you and to your cherished relatives. We truly hope that eagles, pandas, kittens, babars, bears and all sorts of animals will stay out of the way. And remember that you don’t need to go bankrupt by purchasing so-called Next Gen™ magical solutions that work only when there’s a full moon and the page number of the book you are currently reading is 42 to investigate threats 😉
We would like to begin the year by introducing version 1.15.0 of Cortex analyzers, bringing the total number of analyzers to a whopping 113! And thanks to Kyle Parrish, this release improves the Mailer responder to allow you to specify a custom port number for your SMTP server and adds a new one to blacklist observables on Cisco Umbrella utilizing the Enforcement API. The Cisco Umbrella Blacklister responder will then add the tag Umbrella:blockedto the observable.
Cortex-Analyzers 1.15.0 also include fixes and enhancements for Eml_Parser, IBM X-Force, Fortiguard, and Shodan. Most of these modifications were contributed by our continuously growing user community. Thanks to all of those who help us in our mission to provide free and open source security incident response tools to the masses!
Please read the relevant sections in the Cortex installation guide to install or update your analyzers and responders in order to benefit from all this sweet & tasty honey.
3 new flavors for DomainTools, thanks again to ANSSI
Cyberprotect
This analyzer lets you query the Cyberprotect ThreatScore service for domains and IP addresses. No configuration is needed and it can be used out of the box.
TheHive displays the analyzer results as follows:
Have I Been Pwned
The HIBP_Query analyzer lets you check email addresses on Have I Been Pwned. You can use an optional parameter to include unverified breaches in the search results. Otherwise, it can be used without any additional configuration.
When called from TheHive, results would display as such:
PatrOwl
As it name states, The Patrowl_GetReport analyzer will let you get the current PatrOwl report for a FQDN, a domain name or an IP address. You need a running PatrOwl instance or to have access to one to use the analyzer.
If you fire it from TheHive, it would display results as follows:
SecurityTrails
This analyzer comes in two flavors in order to get Whois data and Passive DNS details using SecurityTrails. To use both flavors, you will need an account for the service to retrieve the associated API key, which you need to configure the analyzers.
SecurityTrails_Passive_DNS displays results in TheHive as follows:
The Whois variant produces reports such as:
Cisco Umbrella
In addition to Cisco Umbrella Investigate, you can now query the Umbrella Reporting API for recent DNS queries and their status for a domain name using the new Umbrella_Report analyzer.
New Shodan Flavors
In addition to Shodan_Host and Shodan_Search, which allow you to obtain Shodan information on a host and the search results for a domain name, now you can get domain resolutions (Shodan_DNSResolve), obtain scan history results for an IP address (Shodan_Host_History), get information on a domain (Shodan_InfoDomain) and the reverse DNS resolutions for an IP address (Shodan_ReverseDNS).
DomainTools
The following DomainTools flavors were added to this release:
DomainTools_HostingHistory: get a list of historical registrant, name servers and IP addresses for a domain.
DomainTools_ReverseIPWhois: get a list of IP addresses which share the same registrant information. It applies to a mail, IP, or domain.
Moreover, please note that DomainTools_WhoisLookup now handles IP addresses in addition to domains and provides parsed results. DomainTools_WhoisLookup_IP is thus not needed anymore. Instead, DomainTools_WhoisLookupUnparsed has been added to do the same as DomainTools_WhoisLookup, except that the output results are unparsed.
TheHive Project’s code Chefs are happy to announce the immediate availability of Cortex 2.1.3, a hotfix for your favorite observable and response engine, fresh out of the oven!
We highly recommend that you upgrade your existing installation to this new version as soon as feasible as it plugs a significant security vulnerability, kindly reported by Po-Hsing Wu. The vulnerability is a privilege escalation one which allows an orgadmin to create a superadmin user. The culprit has been punished by having to chant Perl mantras while doing a handstand on burning coals.
Source : XKCD
Additionally, Cortex 2.1.3 fixes the following bugs:
#152: enforce PAP when launching an analyzer from the Cortex Web UI
#147: add dig to the Cortex docker image as the SinkDB analyzer needs it
#146: the Cortex job list must display the PAP value
#145: fix the broken Web UI’s search function for job history
Pardon my French but do you speak English?
Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.
TheHive Project’s Code Chefs are glad to announce that, thanks to the precious contributions of the user community, Cortex has broken the one hundred analyzer mark.
Cortex-Analyzers version 1.14.0 is out and includes new analyzers, some improvements and some bug fixes.
New Analyzers
New and enhanced analyzers, described below, are:
Cisco Investigate by Cisco Umbrella Research @opendns
Datascan and Inetnum flavors in Onyphe analyzer by Pierre Baudry and Adrien Barchapt
Again, huge thanks for the awesome work that has been performed by all our contributors!
Investigate
Cisco Umbrella Investigate provides threat intelligence about domains and IP addresses accross the Internet. The analyzer can be used to query the Cisco Umbrella (formerly OpenDNS) API and get information about an IP or a domain name. An API key is required to use this analyzer.
Results are displayed in TheHive in the following manner:
Cisco Investigate: short and long reports
Proofpoint Forensics Lookup
According to Proofpoint’s website, the Forensics API allows insight in detailed forensic evidences about individual threats or compaigns. The analyzer can be used to check observables against given indicators of compromise stored in the ProofPoint service.
Unfortunately, there are currently no sample report screenshots available, because TheHive’s Core Team does not have access to Proofpoint services. Also, due to the same reason, this analyzer could not be tested by us. If you have access to the service and can test the analyzer and/or provide report screenshots, please let us know.
RecordedFuture
This analyzer lets you get the latest risk data from RecordedFuture for a hash, domain or an IP address. It can be used to query the API and get information. An API key is required to use this analyzer.
Results are displayed in TheHive in the following manner:
RecordedFuture: short and long reports
Urlscan.io search
Urlscan.io is a service that scans and analyzes websites. Submitted pages will be browsed like a regular user would do and every activity gets recorded. The analyzer submitted by ninoseki queries urlscan without initiating a scan which would be publicly visible on the website. Accepted datatypes for this analyzer are URL, domain, hash and IP.
The templates which display the results of the analyzer look like the following screenshots:
Urlscan.io: short and long reports
Google DNS over HTTP
This analyzer provides DNS information for an IP, a domain or a FQDN by making calls to Google DNS-over-HTTP (DoH). No API key is required.
Results are displayed in TheHive in the following manner:
Google DNS: short and long reports
RTF files support in FileInfo
The FileInfo meta analyzer has been improved and now leverages the rtfobj tool provided in the Oletools suite by Decalage.
Results are displayed in TheHive in the following manner:
FileInfo with rtfobj: short and long reports
Datascan and Inetnum flavors in Onyphe analyzer
The Onyphe analyzer has been enhanced with two new flavors. Datascan provides information about known open ports on a specific IP, and Inetnum enumerates all known network information about the analyzed IP address.
An API key is required to use the analyzer and can be obtained by creating an account on the Onyphe website.
Results are displayed in TheHive in the following manner:
Onyphe Inetnum: short and long reports
Onyphe Datascan: long and short reports
Bug fixes and enhancements
#248: Improve error msg when VT Get Report does not have an entry for
#323: Fix an issue with HybridAnalysis analyzer filenames handler
#362: Fix file not found issue and empty result set in CERT.at passive DNS analyzer
Get It While Supply Lasts!
Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.14.0, run the following commands:
cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
TheHive Project 