TheHive dashboards, while they are great at showing data counts and displaying then as graphs, there is one feature that was lacking in that it cant display a data table of what those cases are. So while you can build a dashboard to get a snapshot of where your team is at, you can’t see what cases and task that are in play. While there is an open issue to add this functionality, I thought i’d try something a little different with TheHive to fill that gap, and export the case and task data into a Splunk kvstore and build it out that way.
With my Java issue sorted out now, here are the steps to upgrade TheHive from RC1 to RC2. This is a dirty upgrade, but since TheHive is still in Release Candidate status, we can get away with upgrading like this. Ordinarily you should ensure that you have your system backed up in case there are breaking changes. Stop TheHive service sudo service thehive stop Update apt repositories and upgrade May as well apply all the security updates while I am at it.
I was so excited at the thought of all the cool new features that have popped up in TheHive v4.0.0-RC2 that I went straight onto my lab to give it a spin. Little did I know that my system was broken before I even started and I spent the best part of a few hours trying to figure out what exactly happened. For a brief moment I did consider burning the lab down and just rebuilding it, but I asked myself what would happen if this were a prod system?
Docker is something that i’ve not fully embraced to date, I know, I know… I’m a little late off the mark, but as I get to know Docker more, I can see that it has some worthwhile advantages for me in some of the projects I use and generally getting to know technology is never a bad thing. For instance, why spin up a single server for a service that only has 1 of the 65535 ports used when 99% of the time that server will most likely be idle.
This post is a continuation of TheHive v4 RC1 in that I am providing the instructions to add Internal Authentication to Cassandra as well as a reverse proxy so we can connect back to TheHive with https. Add Internal Authentication to Cassandra It is recommended that you don’t allow access to the cqlsh unless there is some sort of authentication mechanism attached to it. There are too many horror stories of databases being dumped, and the internal authentication will make it that little bit harder to access from the cqlsh shell.
TheHive version 4 RC1, it’s here, its been here for a solid few weeks and I’m only just getting around to checking it out now. The new update looks to include a few nice features and a welcome back end technology refresh which should keep the platform in support for a good while yet. At this stage, I would not suggest attempting to either upgrade your existing version 3 installations to version 4, or run a clean install as your main case management production system if you’re just starting out, but get to know this version by spinning up a new virtual machine because when the time comes around, you will give yourself a good leg up.
I’ve blogged quite a bit about TheHive and Cortex to date, so much so that the wonderful people over at TheHive-project have added this blog onto the Blogs & Articles section of TheHive’s curated Awesome List. Its seems The more I write, the more I realise how much more there is to write about this stacks ability and feature set. Throughout the course of the last year, I wrote a 12 part series about standing up TheHive, MISP and Cortex detailing my experiences in how to install, integrate and upgrade each of them.
In my last post I wrote about Installing and Securing NodeRED. The reason behind this was twofold. First, NodeRED is pretty cool and I want to be able to do some more ETL (Extract, Transform, Load) operations for personal projects I want to start on and secondly, I’ve been looking into TheHive webhooks functionality and needed some way to drive it in a way that didn’t require hundreds of lines of bespoke python code.
Security Orchestration and Automated Response (SOAR), its the natural evolution of where security teams are heading, and as our numbers in this space seems to never be enough, we look to SOAR tools to automate to free up our time to so we can spend it doing more productive things, like drinking coffee and threat hunting. Automation brings standard and repeatable processes which could just buy us that breathing space.
Now that I’ve gone through a series on TheHive, I’ve started to expand on the capabilities of this DFIR platform by starting to write my own Responders. Responders are essentially a way to perform an enhancement action on a given case, alert or observable. The built in Responders from the Cortex GitHub repo include a responder that will email the case or alert details to you as well as responders that interface with CrowdStrike, QRadar, Umbrella and ZeroFox.
This is part 8 of the Cortex build. In this part I’m integrating TheHive with MISP and it doesnt go as smooth as I would have liked, but I got some good troubleshooting done in the process which I’ve documented. This will allow us to post observables to MISP from TheHive and vice versa! Links to the previous articles are here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive
This is part 7 of the TheHive/Cortex/MISP build. In this part I’m integrating TheHive with Cortex. This is where the real magic happens! Links to the previous articles are here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive Part III - Building MISP Part IV - Building Cortex Part V - Adding analyzers to Cortex Part VI - Setup reverse proxy for Cortex