After installing TheHive, the first connection to the Web UI triggers a database update. After that operation, you'll be prompted to create an administrator account. If this prompt is not completed, there is no way to set the admin password. Hence it will be impossible to connect to TheHive. To reset the operation, you need to delete the corresponding index from Elasticsearch. First, find out what is the current index of TheHive by running the following command on a host where the Elasticsearch DB used by TheHive is located:
$ curl http://127.0.0.1:9200/_cat/indicesThe indexes that TheHive uses always start withthe_hive_ followed by a number. Let's assume that the output of the command is (Warning: this will delete everything)):
yellow open cortex_1 PC_pLFGBS5G2TNQYr4ajgw 5 1 611 6 2.1mb 2.1mb
yellow open the_hive_13 ft7GGTfhTr-4lSzZw5r1DQ 5 1 180160 4 51.5mb 51.5mbIn this example, the index used by TheHive is the_hive_13. To delete it, run the following command:
$ curl -X DELETE http://127.0.0.1:9200/the_hive_13Then reload the page or restart TheHive.
Logs are stored in /var/log/thehive/application.log.
Yes but you have to query directly the underlying Elasticsearch storage to get access to it:
curl -XPOST http://localhost:9200/the_hive_13/audit/_searchIn the command above, we assume that TheHive's index is the_hive_13. To find out what is the current index of TheHive, run the following command on a host where the Elasticsearch DB used by TheHive is located:
$ curl http://127.0.0.1:9200/_cat/indices?The indexes that TheHive uses always start withthe_hive_ followed by a number.
Alternatively, you may configure Webhooks. When enabled, TheHive will send each action that has been performed on it (add case, update case, add task, ...), in real time, to an HTTP endpoint.
You need to log in as an administrator to add a template.
When you add a new template and hit the +NEW button, you don't see it because unlike other events that you can see in the Flow, it is not broadcasted to all the user sessions. So you need to refresh the page before clicking the +NEW button.
You don't need to log out then log in again.
If you'd like to develop or ask for an analyzer that will help you get the most out of TheHive, please open a feature request first. This will give us a chance to validate the use cases and avoid having multiple persons working on the same analyzer.
Once validated, you can either develop your analyzer or wait for TheHive Project or a contributor to undertake the task and if everything is alright, we will schedule its addition to a future Cortex release.
For a head start on analyzer development, please read the corresponding page on the CortexDocs repository.
Definitely! You just need to add a caseTemplate parameter in the section corresponding to the MISP connector in your conf/application.conf file as described in the Administrator's Guide and create the case template in TheHive's Web UI. You need the admin role to do that.
Yes, this is possible. For each MISP server, add a misp section in your conf/application.conf file as described in the Administrator's Guide.
Add the following lines to /etc/thehive/application.conf
https.port: 9443
play.server.https.keyStore {
path: "/path/to/keystore.jks"
type: "JKS"
password: "password_of_keystore"
}
HTTP can disabled by adding line http.port=disabled. Please read the relevant section in the Configuration Guide.
- To import your certificate in the keystore, depending on your situation, you can follow Digital Ocean's tutorial.
- Make sure the keystore file is owned/can be accessed by the user running Cortex.
Additional information: This is a setting of the Play framework that is documented on its website. Please refer to https://www.playframework.com/documentation/2.5.x/ConfiguringHttps.
For TheHive versions >= 3.4.0, yes! A small amount of additional plumbing is required - see this blog post for a guide.
For TheHive versions < 3.4.0, you can't use AWS ElasticSearch. This is because AWS Elasticsearch service only supports HTTP transport protocol. It does not support the binary protocol which the Java client used by previous versions of TheHive relies on to communicate with ElasticSearch. As a result, it is not possible to setup previous versions of TheHive with AWS Elasticsearch service. More information is available at the following URLs:
“TCP Transport : The service supports HTTP on port 80, but does not support TCP transport”
“TCP Transport : Used for communication between nodes in the cluster, by the Java Transport client and by the Tribe node. HTTP: Exposes the JSON-over-HTTP interface used by all clients other than the Java clients.”
Elasticsearch 5.x is supported starting from TheHive 2.13.0 (Mellifera 13). Please note that all versions starting from TheHive 2.13.0 support only ES 5 and do not support ES2 anymore as it is very hard to support both. All versions preceding TheHive 2.13.0 supports only ES2.
Yes. Support for Elasticsearch 6.x has been added from TheHive 3.4.0. Elasticsearch 7.x is not supported. Note that we are considering moving away from Elasticsearch in a future major release.