TheHive – Open Source security IR platform

Trying to manage, track and collate all the information gained during a investigation can be a mammoth task, and trying to store that information and data in a way that can easily be accessed for future incidents is difficult.

Gone are the days of storing files inside numerous folders and using Excel spreadsheets to keep track of IOCs. A good Incident Response platform can solve these problems and TheHive does SO much more.

As the website states TheHive is “A 4-IN-1, scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly”

Case management

TheHive uses Elasticsearch for its storage solution, can be integrated with MISP and leverage Cortex to allow for observables to be analysed at scale.

This post will get you started with TheHive. A fairly simple process so grab a coffee and lets begin.


  1. Ubuntu 18.X.X installation
  2. 2-4 CPUs Preferred
  3. 16GB of RAM Preferred
  4. 150GB HD Space 

NOTE: These system requirements are based on my installation ONLY, and how I have configured TheHive to fit my needs. Assign resources to your instance as you see fit.

1Make sure your system is up-to-date:

sudo apt-get update
sudo apt-get upgrade

2 – Install a Java Virtual Machine

sudo apt-get install openjdk-11-jre-headless

3 – Install TheHive

echo 'deb any main' | tee -a/etc/apt/sources.list.d/thehive-project.list

apt-key adv --keyserver hkp:// --recv-key 562CBC1C
apt-get update
apt-get install thehive

Developer Note: Some environments may block access to the key server. As a result, the command sudo apt-key adv–keyserver hkp:// –recv-key 562CBC1C will fail. In that case, you can run the following command instead:

curl |sudo apt-key add - 

4 – Install Elasticsearch

NOTE: TheHive requires Elasticsearch version 5.x as it is the last supported version as of the time of this post. Versions 6.x and newer will not work.

# PGP key installation
sudo apt-key adv --keyserver hkp:// --recv-key D88E42B4

# Alternative PGP key installation
# wget -qO - | sudo apt-key add -

# Debian repository configuration
echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

# Install https support for apt
sudo apt install apt-transport-https

# Elasticsearch installation
sudo apt update && sudo apt install elasticsearch

Now ElasticSearch is installed, Edit /etc/elasticsearch/elasticsearch.yml and add the following lines:
script.inline: true hive
thread_pool.index.queue_size: 100000 100000
thread_pool.bulk.queue_size: 100000

As ElasticSearch is the storage solution you want it running at all times to allow access to the data. Enable ElasticSearch to start on boot and start the service.

sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service

The status should be active (running). If it’s not running, you can check for the reason in the logs:

sudo journalctl -u elasticsearch.service

NOTE: that by default, the database is stored in /var/lib/elasticsearch and the logs in /var/log/elasticsearch

5 – Check Installation

Finnaly, check that everything went okay. Open a Web browser and navigate to http:// <TheHiveIP> :9000. You should be presented with the following landing page.

If you see this page, then congratulations!!! everything looks good. Click the “Update Database” button, you will be forwarded to a administration page where you will create the administrators account. DON’T FORGET THIS ACCOUNT!#

You should now be able to log in!! From here you can create cases, tasks, track IOCs, save attachments. Have a play around for now, and in the next post we will install Cortex, allowing you to submit IOCs and Files to analyzers.

NOTE: All the information within this post can be found on TheHive github page, along with extra configuration guides.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s