
How to Install and Use TheHive Project in Incident Management

In this module we explore TheHive, an open-source security incident response platform, and see how to install it and use it to manage a team's cases.

[Figure: TheHive Project]

According to its official GitHub repository:


"TheHive is a scalable 4-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. Thanks to Cortex, our powerful free and open-source analysis engine, you can analyze (and triage) observables at scale using more than 100 analyzers."

The recommended hardware for deploying the project is:

  • 8vCPU
  • 8 GB of RAM
  • 60 GB of disk

Now let's explore how to install the project:

First, install Java; TheHive runs on the JVM:

sudo apt-get install openjdk-11-jre-headless

Add the TheHive package repository and its signing key. Note that Bintray, which hosted this repository, has since shut down, so this source no longer resolves; use the package source given in the project's current installation guide instead. The commands as originally documented were:

echo 'deb https://dl.bintray.com/thehive-project/debian-stable any main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list

curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -

Update the package index:

sudo apt-get update

Install Elasticsearch

TheHive stores its data in Elasticsearch; the release installed here uses the 5.x series. Add the Elastic signing key and repository, then install the package. Make sure the elasticsearch service is enabled and running before you start TheHive, otherwise TheHive will fail to connect to its database.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4

echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

sudo apt install apt-transport-https

sudo apt update

sudo apt install elasticsearch

Install TheHive

sudo apt-get install thehive

Create the configuration directory and set the application secret. TheHive is a Play framework application and uses this key for its cryptographic functions (signing session cookies, for example), so it must be long and random, never the placeholder shown below, and every node of a multi-instance deployment must share the same value. Note that tee -a appends to the file, so run this block only once:

sudo mkdir /etc/thehive

(cat << _EOF_
# Secret key
# ~~~~~
# The secret key is used to secure cryptographic functions.
# If you deploy your application to several instances be sure to
# use the same key!
play.http.secret.key="<ADD A RANDOM STRING HERE>"
_EOF_
) | sudo tee -a /etc/thehive/application.conf

sudo systemctl enable thehive

sudo service thehive start
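The placeholder above is easy to forget, and tee -a silently adds a second key line if the block is run twice. The following script is an added example, not part of the original post or of the TheHive project: it generates a 64-character key from /dev/urandom, writes or replaces the play.http.secret.key line exactly once, and refuses to proceed if the placeholder is still in place. It assumes the Debian layout used above (/etc/thehive/application.conf); the CONF variable and the --apply flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post or the TheHive project).
# Generates the Play secret key for TheHive and writes it to
# application.conf exactly once, replacing the placeholder if present.
# CONF and the --apply flag are this example's own conventions.
CONF="${CONF:-/etc/thehive/application.conf}"

# 64 alphanumeric characters from the kernel CSPRNG.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# Write or replace the play.http.secret.key line in $1 with key $2.
# Rejects empty or non-alphanumeric keys so nothing can break the config syntax.
set_secret() {
    conf="$1"; key="$2"
    case "$key" in
        ''|*[!A-Za-z0-9]*) echo "refusing empty or non-alphanumeric key" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^play.http.secret.key=' "$conf"; then
        sed -i "s|^play.http.secret.key=.*|play.http.secret.key=\"$key\"|" "$conf"
    else
        printf 'play.http.secret.key="%s"\n' "$key" >> "$conf"
    fi
}

# Verify the config: exactly one key line, reasonably long, not the placeholder.
check_secret() {
    conf="$1"
    n=$(grep -c '^play.http.secret.key=' "$conf" || true)
    [ "$n" -eq 1 ] || { echo "expected one key line in $conf, found $n" >&2; return 1; }
    v=$(sed -n 's/^play.http.secret.key="\(.*\)"$/\1/p' "$conf")
    [ "${#v}" -ge 32 ] || { echo "secret is shorter than 32 characters" >&2; return 1; }
    case "$v" in
        *ADD*RANDOM*) echo "placeholder secret still in $conf" >&2; return 1 ;;
    esac
    return 0
}

# Run as root: sudo sh thehive_secret.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_secret "$CONF" "$(gen_secret)" && check_secret "$CONF" && systemctl restart thehive
fi
```

Without --apply the script only defines its functions, so it can be sourced and exercised against a scratch file before touching the real configuration; with --apply it rewrites the key and restarts TheHive so the new secret takes effect.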

Now go to your browser and type:

http://YOUR_SERVER_ADDRESS:9000/

If you want to try TheHive before installing it on a server, you can download the training VM from:

https://drive.google.com/file/d/1KXL7kzH7Pc2jSL2o1m1_RwVc3FGw-ixQ/view

Once downloaded, import it into your virtualization software and start it.

In this walkthrough the VM's local IP address is 192.168.43.188, so TheHive is reached at http://192.168.43.188:9000

To access the platform use these credentials:

  • Login: admin
  • Password: thehive1234

These are the well-known defaults of the training VM; change them before the VM is reachable from anything other than your own machine.

You are now in the main dashboard.

Let's start exploring how to use TheHive.

Users

To add your team members, create a user account for each of them: go to Admin -> Users.

Click on "Add user"

Add your user information

The user was added successfully

Create a password for the new user by clicking "New password", typing a password and pressing Enter to save it.

In this example the user is analyst1 and, for the demo only, the password is also analyst1; in a real deployment every account needs a strong, unique password.

Cases:

To create a case in TheHive, click "New case".

Add your case information:

  • Title
  • Severity: Low, Medium or High
  • Date
  • Tags and so on.

Add the case tasks:

The case is now created.

Besides its description, the case holds its tasks and observables:

Tasks that nobody has taken yet appear in the "Waiting tasks" list.

To take a task, start it from the case's Tasks tab; it is assigned to you and added to your "My tasks" list.

When the investigation is complete, click "Close": TheHive asks for a resolution status and a summary, and the case is closed.
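The steps above go through the web UI. TheHive also exposes the same operations over a REST API, which is how a SIEM or a script can open cases for analysts. The script below is an added example, not code from the original post or from the TheHive project. It assumes the TheHive 3 endpoints POST /api/case and POST /api/case/<id>/task, an API key created under Admin -> Users and passed as a Bearer token in $THEHIVE_API_KEY, the server address in $THEHIVE_URL, and the numeric severity codes 1, 2 and 3 for Low, Medium and High; the --demo flag is this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original post or the TheHive project.
# Opens a case with tasks through TheHive's REST API instead of the web UI.
# Assumptions (TheHive 3 API docs, not shown on the page): POST /api/case,
# POST /api/case/<id>/task, Bearer API key in $THEHIVE_API_KEY, severity
# codes 1/2/3 for Low/Medium/High, TLP 0-3. The --demo flag is ours.
THEHIVE_URL="${THEHIVE_URL:-http://127.0.0.1:9000}"

# Map the UI severity labels to the numeric codes the API expects.
severity_code() {
    case "$1" in
        low|Low) echo 1 ;;
        medium|Medium) echo 2 ;;
        high|High) echo 3 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# Escape backslashes and double quotes so a title cannot break the JSON body.
json_str() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Build the body for POST /api/case.
# $1 title, $2 description, $3 severity label, $4 TLP (0-3), $5 comma-separated tags
case_payload() {
    title=$(json_str "$1"); desc=$(json_str "$2")
    sev=$(severity_code "$3") || return 1
    case "$4" in 0|1|2|3) tlp=$4 ;; *) echo "TLP must be 0-3, got '$4'" >&2; return 1 ;; esac
    tags=""
    oldifs=$IFS; IFS=,
    for t in $5; do tags="${tags:+$tags,}\"$(json_str "$t")\""; done
    IFS=$oldifs
    printf '{"title":"%s","description":"%s","severity":%s,"tlp":%s,"tags":[%s]}' \
        "$title" "$desc" "$sev" "$tlp" "$tags"
}

# First "id" field of a JSON response (TheHive returns flat case objects).
json_id() { printf '%s' "$1" | grep -o '"id":"[^"]*"' | head -n 1 | cut -d'"' -f4; }

# POST a JSON body; -f turns HTTP errors into a non-zero exit.
api_post() {
    curl -sS -f -X POST "$THEHIVE_URL$1" \
        -H "Authorization: Bearer $THEHIVE_API_KEY" \
        -H 'Content-Type: application/json' --data "$2"
}

# Create the case and print its id; arguments as for case_payload.
create_case() {
    body=$(case_payload "$@") || return 1
    json_id "$(api_post /api/case "$body")"
}

# Attach a task to case $1 with title $2 (the same field the "Add task" form sets).
add_task() {
    api_post "/api/case/$1/task" "{\"title\":\"$(json_str "$2")\"}" >/dev/null
}

# Run: THEHIVE_API_KEY=... sh thehive_case.sh --demo
if [ "${1:-}" = "--demo" ]; then
    id=$(create_case "Phishing report" "User forwarded a suspicious mail" high 2 "phishing,email") || exit 1
    add_task "$id" "Collect mail headers"
    add_task "$id" "Block the sender domain"
    echo "created case $id"
fi
```

The payload builder validates the severity label and TLP and escapes quotes before anything is sent, so a bad label or an awkward title fails locally rather than as an HTTP 400 from the server; the same functions can be called from a cron job or a SIEM action script with the fields taken from the alert.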

Dashboards

To visualize your case statistics, use TheHive dashboards. To open an existing dashboard or create a new one, go to "Dashboards".

Select any available dashboard to explore it

Cortex:

Its developers define Cortex as follows:

"Thanks to Cortex, observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed using a Web interface. Analysts can also automate these operations and submit large sets of observables from TheHive or through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP. When used in conjunction with TheHive, Cortex largely facilitates the containment phase thanks to its Active Response features."

The following diagram illustrates the Cortex architecture:

[Figure: Cortex architecture]

To open Cortex, browse to http://YOUR_SERVER_ADDRESS:9001/

Cortex keeps its own user database, separate from TheHive's; on the training VM it is set up with the same credentials:

  • Login: admin
  • Password: thehive1234

This is the main dashboard of "Cortex"
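Besides the web interface, the quotation above mentions that observables can be submitted through the Cortex REST API. The script below is an added example, not code from the original post or from the Cortex project: it submits one observable to an analyzer, waits for the report and reduces the report's taxonomies (whose level is one of info, safe, suspicious or malicious) to a single verdict. It assumes the Cortex 2/3 endpoints POST /api/analyzer/<id>/run and GET /api/job/<id>/waitreport, a Bearer API key in $CORTEX_API_KEY, the server address in $CORTEX_URL, and an analyzer id obtained from GET /api/analyzer; the list of accepted data types is taken from TheHive's observable types and is an assumption here.

```shell
#!/bin/sh
# Added example, not from the original post or the Cortex project.
# Submits one observable to a Cortex analyzer over the REST API, waits for
# the job report and reduces its taxonomies to one triage verdict.
# Assumptions (Cortex 2/3 API docs, not shown on the page):
# POST /api/analyzer/<id>/run, GET /api/job/<id>/waitreport?atMost=<dur>,
# Bearer API key in $CORTEX_API_KEY, server in $CORTEX_URL.
CORTEX_URL="${CORTEX_URL:-http://127.0.0.1:9001}"

# Observable types as used by TheHive/Cortex (assumed list); anything else is
# rejected locally instead of producing a 400 from the server.
valid_datatype() {
    case "$1" in
        domain|file|filename|fqdn|hash|ip|mail|mail_subject|other|regexp|registry|uri_path|url|user-agent) return 0 ;;
        *) return 1 ;;
    esac
}

# Escape backslashes and double quotes for embedding in JSON.
json_str() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Body for the run request: $1 dataType, $2 value, $3 TLP (0-3).
observable_payload() {
    valid_datatype "$1" || { echo "unsupported dataType: $1" >&2; return 1; }
    case "$3" in 0|1|2|3) ;; *) echo "TLP must be 0-3, got '$3'" >&2; return 1 ;; esac
    printf '{"dataType":"%s","data":"%s","tlp":%s}' "$1" "$(json_str "$2")" "$3"
}

# Rank the taxonomy levels analyzers emit; higher is worse.
level_rank() {
    case "$1" in safe) echo 1 ;; suspicious) echo 2 ;; malicious) echo 3 ;; *) echo 0 ;; esac
}

# Reduce a job report (JSON on stdin) to the worst "level" found in
# summary.taxonomies; an empty or info-only report yields "info".
worst_level() {
    worst=info
    for lvl in $(grep -o '"level":"[a-z]*"' | cut -d'"' -f4); do
        if [ "$(level_rank "$lvl")" -gt "$(level_rank "$worst")" ]; then worst=$lvl; fi
    done
    echo "$worst"
}

# Submit observable ($2,$3,$4) to analyzer id $1 and print the job id.
run_analyzer() {
    body=$(observable_payload "$2" "$3" "$4") || return 1
    curl -sS -f -X POST "$CORTEX_URL/api/analyzer/$1/run" \
        -H "Authorization: Bearer $CORTEX_API_KEY" \
        -H 'Content-Type: application/json' --data "$body" \
        | grep -o '"id":"[^"]*"' | head -n 1 | cut -d'"' -f4
}

# Wait up to a minute for the report and print the verdict.
triage() {
    job=$(run_analyzer "$@") || return 1
    [ -n "$job" ] || { echo "no job id in response" >&2; return 1; }
    curl -sS -f "$CORTEX_URL/api/job/$job/waitreport?atMost=1minute" \
        -H "Authorization: Bearer $CORTEX_API_KEY" | worst_level
}

# Usage: CORTEX_API_KEY=... sh cortex_triage.sh <analyzer id> ip 198.51.100.7 2
if [ $# -eq 4 ]; then triage "$@"; fi
```

The verdict printed by triage is the worst level any taxonomy in the report carries, which is the same rule TheHive applies when it colours an observable's analyzer results; a wrapper that raises the case severity or adds a tag when the verdict is malicious is a natural next step.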

Summary

In this guide we discovered TheHive, an incident management platform, saw how to install it and how to use it to manage a team's cases, and took a first look at Cortex, its companion engine for analyzing observables.
