TheHive 5

By Adrian | June 12, 2022

TheHive. You know i’m a huge fan of this Incident Response platform with many blog posts dedicated to it including how you can integrate and interface with it.

Over the years TheHive has been on a journey and has matured and stabalised. Now with a new code base the developers have taken full control of the licensing for version 5.

I do however have mixed feelings about this. On one hand i’m sad that TheHive no longer open source. I know there have been those who have exploited then open-ness of open source which I don’t agree with. If anyone is making bank from someone elses product you would hope that they are actively supporting its development. I’m not so sure this has been the case in the past.

On saying that, the updated licensing model makes sense. Small teams get the benefit of a free community edition, and larger teams/corporates/resellers contribute to support and future development through a Gold or Platinum variant with differing levels of customisation and features. I think this strikes the correct balance for what this product provides and the orginisations and Managed Service Providers who use it.

The updated costing model for TheHive means that Strangebee is able to offer a SaaS version of TheHive. If you work in a resource constrained team (which lets face it, is pretty much everyone), sometimes the overhead of having to maintain a set of tools can take you away from what you need to be doing on a daily basis. Offloading the support and lifecycle management back the people who know the product best makes a lot of sense.

For me, spinning up a Community edition of TheHive5 in docker wasnt difficult at all. Create a docker-compose.yaml file documented by Strangebee, update the image to thehive:latest, change default passwords in the configuration, and run a docker-compose up -d and voila, thats it.

At this stage the configuration is all very vanilla, no https, reverse proxies etc, but its enough to have TheHive5 up and running and for me to finally take a look at what changes have been made.

thehive5-login

So my first impressions…..There are significant layout changes from TheHive 3 and 4 which will require a getting used to. The layout seems busier but thats because more data is being presented.

The underlying elements are more of less the same. More fields seem to be exposed in the GUI. Cases still have priorities, TLP, PAP. Tasks have groups. Observables have tags and comments. So no changes on that front. There will be a learning curve, but if you are already familiar with previous versions of TheHive, then it’s not going to be steep one.

case

Now I’m hoping that I can get in and test some of the finer points that the community edition provides such as:

  • Integration with MISP and Cortex
  • Integration with external automation platforms such as N8N, Tines, Shuffle.
  • Webhooks
  • Alert creation
  • Email notifications
  • Case Migration from TheHive4

Overall, an excellent refresh with the future of the product kept in mind.

References