Thehive4 RC1 to RC2 Upgrade

By Adrian | May 16, 2020

With my Java issue sorted out now, here are the steps to upgrade TheHive from RC1 to RC2. This is a dirty upgrade, but since TheHive is still in Release Candidate status, we can get away with upgrading like this. Ordinarily you should ensure that you have your system backed up in case there are breaking changes.

Stop TheHive service

sudo service thehive stop

Update apt repositories and upgrade

May as well apply all the security updates while I am at it. Ensure that thehive4 is in the list of applications that will be upgraded.

sudo apt-get update && sudo apt-get upgrade

# Output
Hit:1 http://au.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://au.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://au.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:4 http://au.archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:5 http://au.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [932 kB]
Get:6 http://au.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [1,068 kB]
Hit:8 https://deb.thehive-project.org beta InRelease
Get:7 https://dl.bintray.com/apache/cassandra 311x InRelease [3,183 B]
Fetched 2,255 kB in 4s (596 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  bsdutils distro-info-data fdisk grub-common grub-pc grub-pc-bin grub2-common kmod libblkid1 libfdisk1 libkmod2 libmount1 libnss-systemd libpam-systemd libsmartcols1 libsystemd0 libudev1 libuuid1
  lxcfs mount open-vm-tools python3-update-manager sosreport systemd systemd-sysv thehive4 udev update-manager-core util-linux uuid-runtime
30 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 198 MB of archives.

IMPORTANT: At one point you need to decide which configuration you want to keep. Hint. keep your currently-installed version, unless you want to redo your configuration.

Configuration file '/etc/thehive/application.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.

After your system has been updated, the service should automatically restart. If not run a sudo service thehive start.

You should be able to access the web front end now.

thehive-main-screen

What to look for in the RC2 release

TheHive RC2 introduces some new key features such as:

  • MFA login

mfa-logon

Note you need to add the following configuration change to your application.conf file

auth.multifactor.enabled = true

  • Introduction of case age

age-of-cases


  • Webhooks

This was one highly anticipated feature for RC2, however it appears there is currently a bug in the release that prevents it from working, or some sort of issue in the documentation thats giving the wrong command to type to enable it. Either way, It looks like webhooks might have to wait until RC3 to be released.

UPDATE:

So it turns out the issue with Webhooks was the latter and there is an updated curl command to use to enable them. To setup Webhooks for TheHive, you need to add in the following configuration in your application.conf file. For example, your listener could be either a local webserver, or a remote listener such as nodered or Microsoft PowerAutomate. There are many other remote listeners you could use.

notification.webhook.endpoints = [
  {
    name: local
    url: "http://your_listener/"
    version: 0
    wsConfig: {}
    includedTheHiveOrganisations: []
    excludedTheHiveOrganisations: []
  }
]

The run the webhook script.


Enter the URL of TheHive: http://127.0.0.1:9000
Enter your login: admin@agood.cloud
Enter your password:

# Outout
{"path":"notification","defaultValue":[],"value":[{"delegate":false,"trigger":{"name":"AnyEvent"},"notifier":{"name":"webhook","endpoint":"local"}}]}

NOTE: The user that you use needs to be an orgadmin, and enabling webhooks is done on a per organisiation basis.


The full details can be found on the official Blog over at https://blog.thehive-project.org/2020/05/06/thehive-4-0-rc2-fresh-out-of-the-oven/