TheHive v4 RC1

By Adrian | March 11, 2020

TheHive version 4 RC1, it’s here, its been here for a solid few weeks and I’m only just getting around to checking it out now. The new update looks to include a few nice features and a welcome back end technology refresh which should keep the platform in support for a good while yet.

At this stage, I would not suggest attempting to either upgrade your existing version 3 installations to version 4, or run a clean install as your main case management production system if you’re just starting out, but get to know this version by spinning up a new virtual machine because when the time comes around, you will give yourself a good leg up.

The installation process is quite straightforward based off the admin guide here. These were my steps for a single server Cassandra/LocalFS installation.

Base operating system

I have chosen to do the installation on Ubuntu Server 18.04.4 on a Virtual machine. This base OS has all the latest updates applied and a static IP. I have added a user named thehive. This can be done with sudo adduser thehive if you used another account with your base OS installation.

The installation of TheHive4 will be done with the elevated root account (sudo su)

Install Java Virtual Machine

apt-get install -qy openjdk-8-jre-headless
echo JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64" >> /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"

Install Cassandra DB

Add Cassandra to apt sources

curl -fsSL https://www.apache.org/dist/cassandra/KEYS | sudo apt-key add -
echo "deb http://www.apache.org/dist/cassandra/debian 311x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
apt update

Install Cassandra

apt install -qy cassandra

Configure Cassandra with cqlsh

Open the cql shell by using the cqlsh command

Execute UPDATE system.local SET cluster_name = 'thp' where key='local'; to update the cluster name.

exit the shell afterwards.

root@thehive4:~# cqlsh

Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.6 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh> UPDATE system.local SET cluster_name = 'thp' where key='local';
cqlsh> exit

Run nodetool flush afterwards.

Update the cassandra.yml file

Create a backup of the existing cassandra.yaml file before making changes.

cd /etc/cassandra
cp cassandra.yaml cassandra.yaml.backup

Edit /etc/cassandra/cassandra.yaml. Based of what is already in the cassandra.yaml file, and the required configuration on TheHive GitHub installation page, we only need to make these changes here.

1) Change the cluster_name to thp
2) Uncomment out the hints_directory line and keep the supplied value

More information about Cassandra configuration can be found at https://docs.datastax.com/en/archived/cassandra/3.0/cassandra/configuration/configCassandra_yaml.html

Restart the Cassandra service

service cassandra restart
service cassandra status

Add attachment storage

For a more enterprise like clustered solution you would use Hadoop instead of the LocalFS option. For the purposes of this exercise, we will use LocalFS.

mkdir -p /opt/thp_data/files/thehive
chown -R thehive:thehive /opt/thp_data/files/thehive

Install TheHive4

Installation of TheHive4 package can be done by running the following commands. Note we are still using the elevated root user at this time.

curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -
echo 'deb https://deb.thehive-project.org beta main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
apt-get update
apt-get install thehive4

Configure TheHive4

We need to update /etc/thehive/application.conf to include the cassandra and LocalFS configuration.

Create a backup of the existing application.conf file before making changes.

cd /etc/thehive
cp application.conf application.conf.backup

Edit the application.conf file and locate the block for db.janusgraph. Update the hostname line to localhost.

## Database configuration
db.janusgraph {
  storage {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
    hostname: ["localhost"]
    # Cassandra authentication (if configured)
    // username: "thehive"
    // password: "password"
    cql {
      cluster-name: thp
      keyspace: thehive
    }
  }

Next locate the block for storage and uncomment out the lines for provider and localfs.directory. Provide the appropriate path of LocalFS location.

storage {
  ## Local filesystem
  provider: localfs
  localfs.directory: /opt/thp_data/files/thehive
}

Start TheHive

Now is the moment of truth! It’s time to enable the service on boot and to start the service.

systemctl enable thehive
service thehive start
tail -f /var/log/thehive/application.log

The log file should show you the initial DB creation events.

TheHive4 is accessible via http on port 9000

thehive-login

Initial configuration

The default username and password is admin@thehive.local / secret.

It is advised to change this password after you login by using Configure and then Edit Password

change-password

After changing your default orgAdmin password, create a new organisation (Yeah, were not using Americanized spelling).

Then go ahead and create an admin account in that new orginisation. Setup a password for that account.

thehivetestorg-admin-user

With the new Org and users created, the initial configuration is now complete.

Wrap Up

While from the outside, you still have the same familiar user experience, under the hood there have been substantial changes with the move away from ElasticSearch to Cassandra/Scalligraph and LocalFS. Whats even better is the fact that you can truly make this enterprise worthy by scaling out this system with Hadoop and Cassandra.

Changes around Multi Org tenancies and case sharing will make developing on the platform easier and allow you to lock away high sensitive cases behind a different org without having to stand up multiple servers.

I am looking forward to see what this update will bring, especially as version 4 progresses through its lifecycle into a stable release.

Stay tuned, I will be following this post up with adding a nginx reverse proxy with AWS Route53 and adding Cassandra internal authentication.