Trying to manage, track and collate all the information gained during an investigation can be a mammoth task, and storing that information and data in a way that can easily be accessed for future incidents is just as difficult.
Gone are the days of storing files inside numerous folders and using Excel spreadsheets to keep track of IOCs. A good Incident Response platform can solve these problems and TheHive does SO much more.
As the website states TheHive is “A 4-IN-1, scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly”
TheHive uses Elasticsearch for its storage solution, can be integrated with MISP and leverages Cortex to allow observables to be analysed at scale.
This post will get you started with TheHive. It is a fairly simple process, so grab a coffee and let's begin.
- Ubuntu 18.X.X installation
- 2-4 CPUs Preferred
- 16GB of RAM Preferred
- 150GB HD Space
NOTE: These system requirements are based on my installation ONLY, and how I have configured TheHive to fit my needs. Assign resources to your instance as you see fit.
1 – Make sure your system is up to date:
sudo apt-get update
sudo apt-get upgrade
2 – Install a Java Virtual Machine
sudo apt-get install openjdk-11-jre-headless
3 – Install TheHive
echo 'deb https://dl.bintray.com/thehive-project/debian-stable any main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
sudo apt-key adv --keyserver hkp://pgp.mit.edu --recv-key 562CBC1C
sudo apt-get install thehive
Developer Note: Some environments may block access to the pgp.mit.edu key server. As a result, the command sudo apt-key adv --keyserver hkp://pgp.mit.edu --recv-key 562CBC1C will fail. In that case, you can run the following command instead:
curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -
4 – Install Elasticsearch
NOTE: TheHive requires Elasticsearch version 5.x as it is the last supported version as of the time of this post. Versions 6.x and newer will not work.
# PGP key installation
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4
# Alternative PGP key installation
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# Debian repository configuration
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
# Install https support for apt
sudo apt install apt-transport-https
# Elasticsearch installation
sudo apt update && sudo apt install elasticsearch
Now that Elasticsearch is installed, edit /etc/elasticsearch/elasticsearch.yml and add the following lines:
network.host: 127.0.0.1
script.inline: true
cluster.name: hive
thread_pool.index.queue_size: 100000
thread_pool.search.queue_size: 100000
thread_pool.bulk.queue_size: 100000
As Elasticsearch is the storage solution, you want it running at all times to allow access to the data. Enable Elasticsearch to start on boot and start the service:
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
The status should be active (running). If it’s not running, you can check for the reason in the logs:
sudo journalctl -u elasticsearch.service
NOTE: By default, the database is stored in /var/lib/elasticsearch and the logs in /var/log/elasticsearch.
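The network.host line above is the one that matters most for safety: Elasticsearch 5.x without X-Pack has no authentication, so binding it to 127.0.0.1 is what keeps the case data from being reachable by other hosts. The script below is an added example (not from the original post or the TheHive project) that checks an elasticsearch.yml for the settings listed above, rejecting a config that binds to 0.0.0.0, and offers an optional local endpoint check for the two services. The sample configs it writes to a temp file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: validate the Elasticsearch settings TheHive expects before
# starting the service. Not part of the original post or of TheHive itself.

# Print the value of a top-level "key: value" line in a YAML file (first match,
# trailing whitespace removed). $1 = file, $2 = key.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check one config file. Prints each problem found; returns 0 only if all pass.
check_es_config() {
    file="$1"
    status=0
    # Loopback only: TheHive runs on the same host, and an unauthenticated
    # Elasticsearch reachable from the network exposes every case and IOC.
    host=$(yaml_value "$file" network.host)
    if [ "$host" != "127.0.0.1" ]; then
        echo "network.host is '${host:-unset}', expected 127.0.0.1"
        status=1
    fi
    if [ "$(yaml_value "$file" cluster.name)" != "hive" ]; then
        echo "cluster.name must be 'hive'"
        status=1
    fi
    if [ "$(yaml_value "$file" script.inline)" != "true" ]; then
        echo "script.inline must be true"
        status=1
    fi
    # The three queue sizes from the post must be present and at least 100000.
    for key in thread_pool.index.queue_size thread_pool.search.queue_size thread_pool.bulk.queue_size; do
        val=$(yaml_value "$file" "$key")
        case "$val" in
            ''|*[!0-9]*) echo "$key missing or not numeric"; status=1 ;;
            *) [ "$val" -ge 100000 ] || { echo "$key is $val, expected >= 100000"; status=1; } ;;
        esac
    done
    return $status
}

# Optional post-start check (needs the services running; not used by the demo):
# Elasticsearch on its default port 9200, TheHive on port 9000 as in the post.
local_endpoints_up() {
    curl -fsS http://127.0.0.1:9200/_cluster/health >/dev/null || return 1
    curl -fsS -o /dev/null http://127.0.0.1:9000/ || return 1
    return 0
}

# Write a constructed sample config. $1 = path, $2 = network.host value.
make_sample() {
    cat > "$1" <<EOF
network.host: $2
script.inline: true
cluster.name: hive
thread_pool.index.queue_size: 100000
thread_pool.search.queue_size: 100000
thread_pool.bulk.queue_size: 100000
EOF
}

# Stand-alone demonstration: a loopback config passes, an exposed one is rejected.
demo() {
    tmp=$(mktemp)
    make_sample "$tmp" 127.0.0.1
    if check_es_config "$tmp"; then echo "loopback config: OK"; fi
    make_sample "$tmp" 0.0.0.0
    if ! check_es_config "$tmp"; then echo "exposed config: rejected"; fi
    rm -f "$tmp"
}

demo
```

To run it against a live install, call `check_es_config /etc/elasticsearch/elasticsearch.yml` before the systemctl start above, and `local_endpoints_up` once both services are up.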
5 – Check Installation
Finally, check that everything went okay. Open a web browser and navigate to http://<TheHiveIP>:9000. You should be presented with TheHive's landing page.
If you see this page, then congratulations! Everything looks good. Click the "Update Database" button and you will be forwarded to an administration page where you will create the administrator account. DON'T FORGET THIS ACCOUNT!
You should now be able to log in! From here you can create cases and tasks, track IOCs and save attachments. Have a play around for now; in the next post we will install Cortex, allowing you to submit IOCs and files to analyzers.
NOTE: All the information within this post can be found on the TheHive GitHub page, along with extra configuration guides.