Working in a SOC environment, it is easy to get lost in the world of case management – unable to balance and juggle the information-to-incident ratio. I have recently come across one of the better solutions to this issue; TheHive.
According to their website, TheHive is a “scalable 4-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents” that need to be investigated quickly. By adding Cortex into the mix, you can triage observables at scale using their analyzers. It uses Elasticsearch as the main storage utility for all data, which is a huge plus for those already exposed to ES indices through the Elastic Stack. TheHive can also be highly integrated with MISP, the gold standard of threat sharing. Due to this, it can pull events from several MISP instances and export investigation cases back to the shared MISP database.
- Ubuntu 18.X.X
- 2-4 CPUs Preferred
- 16GB of RAM Preferred
- 100GB HD Space Preferred
NOTE: These system requirements are based on my installation ONLY, and how I have configured TheHive to fit my needs. Assign resources to your instance as you see fit.
TheHive is relatively straightforward for a base install and the following guide with a nice cup of coffee should get you through 🙂
Elevate to root and check to ensure system is up-to-date
apt update -y && apt upgrade -y
Grab and Install the Debian package of TheHive
echo 'deb https://dl.bintray.com/thehive-project/debian-stable any main' | tee -a/etc/apt/sources.list.d/thehive-project.list
apt-key adv --keyserver hkp://pgp.mit.edu --recv-key 562CBC1C
apt-get install thehive
Developer Note: Some environments may block access to the pgp.mit.edu key server. As a result, the command sudo apt-key adv–keyserver hkp://pgp.mit.edu –recv-key 562CBC1C will fail. In that case, you can run the following command instead:
curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY |sudo apt-key add -
Install Elasticsearch 5.x
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | tee -a/etc/apt/sources.list.d/elastic-5.x.list
apt install apt-transport-https
apt update && sudo apt install elasticsearch
NOTE: TheHive requires Elasticsearch version 5.x as it is the last supported version as of the time of this post. Versions 6.x and newer will not work.
You now have to configure Elasticsearch for use with TheHive. Navigate to the Elasticsearch configuration file (.yml) and append the following to the end:
You will always want Elasticsearch running whenever TheHive is to ensure continued access to all data. Enable as a service to start on Ubuntu startup:
systemctl enable elasticsearch.service
To ensure security, TheHive utilizes secret keys to secure cryptographic functions if it were to operate in a cluster. For the purpose of this post, we will still generate this secret key and append to the end of TheHive’s configuration file in /etc/thehive:
(cat << _EOF_
# Secret key
# The secret key is used to secure cryptographics functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n1)"
) | sudo tee -a /etc/thehive/application.conf
Enable TheHive as a service
systemctl enable thehive.service
Start Elasticsearch and TheHive
systemctl start elasticsearch.service
systemctl start thehive.service
To ensure that you have a successful TheHive instance running, simply navigate to <TheHiveIP>:9000 in your favorite web browser to confirm. You should be presented with a similar landing page as seen below:
If you see this, click the “Update Database” button and follow the onscreen prompts to create an administrator account. This account will be used to initially log in to the web interface of TheHive, and you can create more accounts later.
Congrats! You now have a working instance of TheHive up and running and ready for data input. To utilize those fancy analyzers mentioned at the beginning of the post, you will need to install and configure Cortex. This process is something I hope to cover in a later post.
For now, play around with TheHive and what it has to offer. You can create cases and upload files that can later be analyzed with Cortex integration, and much more. For those in SOC environments such as myself, this tool can be crucial in both threat intelligence and accountability. A plethora of information pertaining to TheHive can be found on their GitHub page.
As always, if you have any questions or comments about the process, leave me a message down below or contact me 🙂