This report is written to explain the key features and outstanding advantages of TheHive and its components.
TheHive is a scalable, open source and free security incident response platform.
It is expected to be a life changer for SOCs (Security Operations Centers), CSIRTs (Computer Security Incident Response Teams), CERTs (Computer Emergency Response Teams) and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
Multiple SOC and CERT analysts can simultaneously collaborate on investigations.
- Live stream (everyone can keep an eye on what is happening on the platform, in real time)
- Real-time information pertaining to new or existing cases
- Task and case management (two cases can easily be merged if you believe they relate to the same threat or have a significant observable overlap)
- Observables and IOCs available to all team members
- Special notifications to handle or assign new tasks
- MISP events
- SIEM alerts
- Email reports (which can also be imported for investigation)
- Authentication support: TheHive supports three authentication methods: Active Directory, LDAP and local accounts
- Reporting support for organisations: TheHive comes with a powerful statistics module that allows you to create meaningful dashboards to drive your activity and support your budget requests.
Collaboration is one of the key features of TheHive: Multiple analysts can work on the same case simultaneously.
For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker.
Why it is time-saving:
Cases and associated tasks can be created using a simple yet powerful template engine.
Instead of adding the same tasks to a given type of case every time one is created, analysts can use TheHive’s template engine to create them once and for all.
Templates can also define metrics, which can be used to:
- drive the team's activity,
- identify the types of investigation that take significant time, and seek to automate tedious tasks.
Each task can hold multiple work logs to record the ongoing work, with evidence attached.
Within TheHive, every investigation corresponds to a case.
Cases can be created from scratch or from MISP events, SIEM alerts, email reports and any other noteworthy source of security events.
Each task can be assigned to a given analyst. Team members can also take charge of a task without waiting for someone to assign it to them.
Case analysis advantages:
- Observables can be added to each case (create them by hand or import them directly from a MISP event).
- Filtering and triage.
- Cortex can be used for insight and speeding up the investigation.
- Leverage tags,
- Flag IOCs,
- Identify previously seen observables to feed your threat intelligence.
Other features & integration with other components:
Thanks to TheHive4py, TheHive’s Python API client, it is possible to send SIEM alerts, phishing and other suspicious emails and other security events to TheHive. They will appear in the alert panel along with new or updated MISP events, where they can be previewed, imported into cases or ignored.
Observables can be associated with a TLP and the source which provided or generated them using tags and the tool can automatically identify observables that have been already seen in previous cases.
Starting from Buckfast (TheHive version 2.10), analysts can analyze large amounts of observables in a few clicks by leveraging the analyzers of one or several Cortex instances depending on your OPSEC needs: DomainTools, VirusTotal, PassiveTotal, Joe Sandbox, geolocation, threat feed lookups and so on.
Customizable: Security analysts can add their own analyzers to Cortex in order to automate actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP.
TheHive is written in Scala and uses Elasticsearch 2.x for storage. Its REST API is stateless, which allows it to be horizontally scalable. The front-end uses AngularJS with Bootstrap.
TheHive is an open source and free software released under the AGPL (Affero General Public License).
Observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed one by one using a Web interface. Analysts can also automate these operations and submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP.
With Cortex, analysts can:
- Use one of the many analyzers it contains
- Create their own analyzer using any programming language supported by Linux
- Query MISP expansion modules from Cortex.
Cortex and TheHive:
- Analyze observables in a few clicks using one or several Cortex instances depending on your OPSEC needs and security requirements.
- Integrate Reporting features: TheHive comes with a report template engine that allows you to adjust the output of Cortex analyzers to your taste instead of having to create your own JSON parsers for Cortex output.
Cortex can be used as a standalone product thanks to its simple yet powerful Web UI or interface it with other security incident response platforms through a REST API.
- Services such as VirusTotal, DomainTools, PassiveTotal, Google Safe Browsing, PhishTank, MaxMind, or Open Threat Exchange.
- Identify abuse contacts, parse files in several formats such as OLE and OpenXML to detect VBA macros, generate useful information on PE, PDF files and much more.
Cortex is written in Scala. The front-end uses AngularJS with Bootstrap. Its REST API is stateless which allows it to be horizontally scalable. The provided analyzers are written in Python. Additional analyzers may be written using the same language or any other language supported by Linux.
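The following is an added example, not code from the Cortex project, showing the job contract a custom analyzer has to honour: Cortex hands the analyzer a JSON document on stdin carrying `data`, `dataType`, `tlp` and `config`, and expects a JSON report on stdout with `success`, a `summary` of taxonomies and a `full` report. It also shows the TLP behaviour mentioned above: the analyzer refuses observables whose TLP is above a configured `max_tlp` rather than sending them to an external service. The `max_tlp` key mirrors the convention of the cortexutils helper library, but this example deliberately does not import it; the local reputation list is constructed for the example and stands in for whatever service a real analyzer would query.

```python
import json
import sys

# Constructed sample standing in for an external reputation service
# (assumption for this example; not data shipped with Cortex).
LOCAL_BLOCKLIST = {
    "198.51.100.23": "scanner seen in constructed honeypot logs",
    "203.0.113.7": "C2 address from a constructed feed entry",
}

TLP_NAMES = {0: "WHITE", 1: "GREEN", 2: "AMBER", 3: "RED"}


def build_taxonomy(level, namespace, predicate, value):
    """One entry of the 'taxonomies' list TheHive renders as a short report tag."""
    return {"level": level, "namespace": namespace,
            "predicate": predicate, "value": value}


def run_analyzer(job):
    """Process one Cortex job document and return the analyzer's output document.

    `job` carries the fields Cortex passes on stdin: data, dataType, tlp, config.
    `config.max_tlp` (default TLP:AMBER) is the highest TLP this analyzer will
    accept; anything above it is rejected without touching the observable.
    """
    data_type = job.get("dataType")
    data = job.get("data")
    tlp = int(job.get("tlp", 2))
    config = job.get("config", {})
    max_tlp = int(config.get("max_tlp", 2))

    if data_type != "ip":
        # Cortex only runs an analyzer for the dataTypes it declares, but a
        # defensive check costs nothing and makes manual testing safer.
        return {"success": False,
                "errorMessage": "unsupported dataType: %s" % data_type}

    if tlp > max_tlp:
        # Refuse rather than leak a sensitive observable to a third party.
        return {"success": False,
                "errorMessage": "TLP:%s is above max_tlp TLP:%s; observable not processed"
                                % (TLP_NAMES.get(tlp, tlp), TLP_NAMES.get(max_tlp, max_tlp))}

    reason = LOCAL_BLOCKLIST.get(data)
    if reason:
        taxonomy = build_taxonomy("malicious", "LocalBlocklist", "Hit", "listed")
    else:
        taxonomy = build_taxonomy("safe", "LocalBlocklist", "Hit", "not listed")

    return {
        "success": True,
        "summary": {"taxonomies": [taxonomy]},
        "full": {"ip": data, "listed": reason is not None, "reason": reason or ""},
    }


def main():
    # Cortex invokes the analyzer as a process: JSON in on stdin, JSON out on stdout.
    job = json.load(sys.stdin)
    json.dump(run_analyzer(job), sys.stdout)


if __name__ == "__main__":
    main()
```

Run it by hand with `echo '{"dataType":"ip","data":"198.51.100.23","tlp":1}' | python analyzer.py`; a job with `"tlp": 3` is rejected unless the job's `config.max_tlp` is raised, which is the knob an administrator sets per analyzer instance.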
Cortex is an open source and free software released under the AGPL (Affero General Public License).
A simple, efficient threat feed aggregator that you can query easily
Hippocampe is a threat feed aggregator. It gives your organization a threat feed ‘memory’ and lets you query it easily through a REST API or from a Web UI.
- With a Cortex server, there is already an analyzer to query Hippocampe.
- With TheHive as a security incident response platform, you can customize the JSON output produced by the analyzer or use the report template provided.
Hippocampe aggregates feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows searching its "memory". It is based on a Python script which fetches the URLs corresponding to feeds, then parses and indexes them.
Hippocampe regularly downloads and parses text-based threat feeds, public or private, from the Internet and stores them in Elasticsearch (this process can be supervised).
Hippocampe allows analysts to configure a confidence level for each feed, which can be changed over time. When queried, it returns the Hipposcore, a score that aids in deciding whether the observables are innocuous or rather malicious.
Hippocampe is an open source and free software released under the AGPL (Affero General Public License).
TheHive4py (work in progress)
A SOC may ask its constituency to send suspicious email reports to a specific mailbox that a script polls at regular intervals. When a new email is received, the script parses it and then calls TheHive4py to send an alert to TheHive. Analysts can then import it as a case.
TheHive4py allows analysts to send alerts to TheHive out of different sources. Those alerts can then be previewed and imported into cases using pre-defined templates.
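The mailbox-polling workflow described above, as an added example that is not part of the original post and not code from the TheHive4py project. It parses a reported email with the standard library, turns the sender address, URLs and attachment hashes into alert artifacts, and builds the alert document in the shape TheHive's alert API accepts (`title`, `description`, `type`, `source`, `sourceRef`, `severity`, `tlp`, `tags`, `artifacts`). The sample message is constructed inline; the `send_alert` function, the `/api/alert` endpoint and the bearer-token header are this example's assumptions about how the alert would be posted, and TheHive4py would normally wrap that step. Because TheHive rejects duplicate `source`/`sourceRef` pairs, the poller keeps a set of references already sent so that re-reading the mailbox does not raise the same alert twice.

```python
import email
import hashlib
import json
import re
import urllib.request
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_email():
    """Constructed sample message standing in for one polled from the abuse mailbox."""
    msg = EmailMessage()
    msg["From"] = '"Payroll" <payroll@example.org>'
    msg["To"] = "soc-reports@example.com"
    msg["Subject"] = "Fwd: Urgent: update your direct deposit"
    msg["Message-ID"] = "<20170703-0001@example.org>"
    msg.set_content("Please confirm your details at http://login.example.net/reset?id=42\n")
    msg.add_attachment(b"constructed attachment bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    return msg.as_bytes()


def email_to_alert(raw_bytes, source="phishing-mailbox"):
    """Parse one raw RFC 5322 message and return a TheHive alert document (dict)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = msg["Subject"] or "(no subject)"
    # sourceRef must be unique per source; derive it from Message-ID, falling
    # back to a hash of the whole message when the header is missing.
    message_id = msg["Message-ID"]
    ref_material = str(message_id).encode() if message_id else raw_bytes
    source_ref = hashlib.sha1(ref_material).hexdigest()[:16]

    artifacts = []
    for addr in (msg["From"].addresses if msg["From"] else ()):
        artifacts.append({"dataType": "mail", "data": addr.addr_spec,
                          "message": "sender of the reported email", "tags": ["sender"]})

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    for url in sorted(set(URL_RE.findall(body))):
        artifacts.append({"dataType": "url", "data": url,
                          "message": "URL found in message body", "tags": ["lure"]})

    for part in msg.iter_attachments():
        content = part.get_content()
        if isinstance(content, str):
            content = content.encode()
        digest = hashlib.sha256(content).hexdigest()
        name = part.get_filename() or "unnamed"
        artifacts.append({"dataType": "filename", "data": name,
                          "message": "attachment name", "tags": ["attachment"]})
        artifacts.append({"dataType": "hash", "data": digest,
                          "message": "SHA-256 of attachment %s" % name, "tags": ["attachment"]})

    return {
        "title": subject,
        "description": "Suspicious email reported to %s\n\n%s" % (source, body[:500]),
        "type": "phishing",
        "source": source,
        "sourceRef": source_ref,
        "severity": 2,   # 1 low, 2 medium, 3 high
        "tlp": 2,        # TLP:AMBER until an analyst decides otherwise
        "tags": ["email-report"],
        "artifacts": artifacts,
    }


def poll_mailbox(raw_messages, already_sent):
    """Yield alerts for messages whose sourceRef has not been sent yet.

    `raw_messages` stands in for what a real poller would fetch over IMAP.
    """
    for raw in raw_messages:
        alert = email_to_alert(raw)
        if alert["sourceRef"] in already_sent:
            continue
        already_sent.add(alert["sourceRef"])
        yield alert


def send_alert(alert, base_url, api_key):
    """POST the alert to TheHive (assumed endpoint /api/alert with a bearer token)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/alert",
                                 data=json.dumps(alert).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Bearer " + api_key},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    seen = set()
    for a in poll_mailbox([build_sample_email()], seen):
        print(json.dumps(a, indent=2))
        # send_alert(a, "http://thehive.example.local:9000", "<api key placeholder>")
```

Swapping `build_sample_email()` for messages fetched with `imaplib`, and uncommenting `send_alert`, turns this into the polling script the paragraph describes; the alert then appears in TheHive's alert panel, where an analyst previews it and imports it into a case using a template.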
Our Bitcointalk profile: https://bitcointalk.org/index.php?action=profile;u=1021424
To get the latest news about this world, follow us on Twitter and subscribe to our channel.
"AEK" from the BlockchainTR team.