Your Own Free Security Incident Response Platform in Minutes
TheHIVE 5 Docker Install
The team over at StrangeBee (https://www.strangebee.com/thehive/) has recently released TheHIVE5. TheHIVE is a scalable and collaborative Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
In a past video, we deployed TheHIVE4.
TheHIVE5 brings some brand new features and a modern WebUI (https://blog.strangebee.com/thehive-5-0-is-now-available/)
- Brand new modern UX/UI
- Alerts pre-processing: Act on alerts before importing them as cases: run analysis on observables, add comments, TTPs, KPIs…
- Case management: Leverage a visual Case Timeline, Comments, Attachments, KPIs, Pages (wiki-like)
- User Management: SSO, 2FA, reset forgotten password, view and revoke sessions, User synchronization with LDAP or AD
- Notification System: In addition to invoking Webhooks, send emails, Slack and Mattermost messages or call custom HTTP requests
- Configuration UIs: Configure Cortex, MISP, Authentication and Branding, directly from the UI
- Dashboards: Build private and shared dashboards with more widgets and KPIs
- Knowledge Base: Write documentation and share resources with your team
- Documentation: You now have access to a new API documentation and user guides
INTRO
Today we are going to familiarize ourselves with TheHIVE5 by deploying our own instance using Docker. This will start an instance of thehive using a local database and index. Note that the data will be deleted when the container is deleted. So this should only be used for evaluation and tests. In future videos we will deploy a standalone instance of Cassandra and Elasticsearch that will be suitable for a production environment.
Docker Install
In this tutorial I am deploying Docker onto an Ubuntu 20.04 OS.
apt-get update
apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
docker run --rm -p 9000:9000 strangebee/thehive:latest
The --rm flag in the above command removes the container when it exits. Remove "--rm" to keep the container after it exits.
You can get a list of all options supported by the docker entry point with -h:
docker run --rm strangebee/thehive:<version> -h
Available options:
--config-file <file> | configuration file path
--no-config | do not try to configure TheHive (add secret and elasticsearch)
--no-config-secret | do not add random secret to configuration
--secret <secret> | secret to secure sessions
--show-secret | show the generated secret
--no-config-db | do not configure database automatically
--cql-hostnames <host>,<host>,... | resolve these hostnames to find cassandra instances
--cql-username <username> | username of cassandra database
--cql-password <password> | password of cassandra database
--no-cql-wait | don't wait for cassandra
--bdb-directory <path> | location of local database, if cassandra is not used (default: /data/db)
--index-backend | backend to use for index. One of 'lucene' or 'elasticsearch' (default: lucene)
--es-hostnames | elasticsearch instances used for index
--es-index | elasticsearch index name to used (default: thehive)
--no-config-storage | do not configure storage automatically
--storage-directory <path> | location of local storage, if s3 is not used (default: /data/files)
--s3-endpoint <endpoint> | endpoint of s3 (or other object storage) if used, use 's3.amazonaws.com' for aws s3
--s3-region <region> | s3 region, optional for minio
--s3-bucket <bucket> | name of the bucket to use (default: thehive), the bucket must already exists
--s3-access-key <key> | s3 access key (required for s3)
--s3-secret-key <key> | s3 secret key (required for s3)
--s3-use-path-access-style | set this flag if you use minio or other non aws s3 provider, default to virtual host style
--no-config-cortex | do not add Cortex configuration
--cortex-proto <proto> | define protocol to connect to Cortex (default: http)
--cortex-port <port> | define port to connect to Cortex (default: 9001)
--cortex-hostnames <host>,<host>,... | resolve this hostname to find Cortex instances
--cortex-keys <key>,<key>,... | define Cortex key
--kubernetes | will use kubernetes api to join other nodes
--kubernetes-pod-label-selector <selector> | selector to use to select other pods running the app (default app=thehive)
--cluster-min-nodes-count <count> | minimum number of nodes to form a cluster (default to 1)
migrate <param> <param> ... | run migration tool
cloner <param> <param> ... | run cloner tool
Once the container is running, point your browser at the WebUI:
http://***YOUR_IP***:9000
Default admin credentials are admin@thehive.local / secret.
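As an added example (not code from the original post or from StrangeBee), the script below assembles a docker run line for the strangebee/thehive image that keeps evaluation data across container deletion: it bind-mounts /data (the entrypoint's default database and file-storage location from the -h output) from the host, binds the WebUI to localhost instead of every interface, and supplies the session secret from a file through the --secret option. The helper names, host paths and the 32-character secret length check are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from StrangeBee.
# Builds (and optionally runs) a docker run line for strangebee/thehive that
# survives container deletion: /data is bind-mounted from the host, the WebUI
# listens on localhost only, and --secret comes from a file. Names/paths assumed.
set -eu

# Creates SECRET_FILE once with mode 0600; later runs reuse it.
thehive_ensure_secret() {               # usage: thehive_ensure_secret SECRET_FILE
  local f="$1"
  if [ ! -s "$f" ]; then
    (umask 077; head -c 48 /dev/urandom | base64 | tr -d '\n' > "$f")
  fi
  [ "$(wc -c < "$f")" -ge 32 ]
}

# Prints the command instead of running it, so it can be reviewed first.
# Note: --secret is visible via `docker inspect`; fine for the evaluation setup
# this post describes, while --config-file (see -h) avoids that on a shared host.
thehive_run_cmd() {                     # usage: thehive_run_cmd VERSION DATA_DIR SECRET_FILE
  local version="$1" data_dir="$2" secret_file="$3" secret
  secret="$(tr -d '\n' < "$secret_file")"
  if [ "${#secret}" -lt 32 ]; then
    echo "secret in $secret_file is shorter than 32 characters" >&2; return 1
  fi
  case "$data_dir" in
    /*) ;;                              # docker -v needs an absolute host path
    *) echo "data dir must be absolute: $data_dir" >&2; return 1 ;;
  esac
  printf 'docker run -d --name thehive -p 127.0.0.1:9000:9000 -v %s:/data strangebee/thehive:%s --secret %s\n' \
    "$data_dir" "$version" "$secret"
}

# Returns 0 as soon as URL answers any HTTP response, 1 after ATTEMPTS failures.
thehive_wait_ready() {                  # usage: thehive_wait_ready URL ATTEMPTS
  local url="$1" attempts="$2" i=1
  while [ "$i" -le "$attempts" ]; do
    if curl -s -o /dev/null "$url"; then return 0; fi
    i=$((i + 1)); sleep 2
  done
  return 1
}

if [ "${1:-}" = "run" ]; then           # ./thehive-eval.sh run
  thehive_ensure_secret "$HOME/.thehive-secret"
  cmd="$(thehive_run_cmd latest "$HOME/thehive-data" "$HOME/.thehive-secret")"
  echo "+ $cmd"; eval "$cmd"
  thehive_wait_ready http://127.0.0.1:9000 30 && echo "WebUI: http://127.0.0.1:9000"
fi
```

Because the container is started without --rm and with /data on the host, deleting and recreating it keeps cases, alerts and attachments, unlike the evaluation command above.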