Image Credit: TheHive Project

👋 Hello again, today we will be continuing our adventure with the excellent S.O.A.R solution, The Hive. Today's post is all about initial installation and configuration to provide a playground for future posts on the subject. At the end of this article, we will have a series of Docker containers deployed and communicating, which will set the groundwork for:

  • Incident Response(IR) workflows, playbooks, and reporting
  • Automated analysis via
  • Automated response via
  • Custom integrations and extendability via

This series is intended to highlight the functionality frequently utilized professionally and provide insight into Incident Response workflows and the thought processes behind them.

So let's get started, shall we?

Prerequisites

The Hive supports multiple platforms for installation, including Debian, RHEL and container deployments. We are focusing on the Docker deployment scenario. Using Docker has positives and negatives over a base Operating System, which could include:

  • Reduced OS and filesize footprint
  • Easier dependencies resolution with prebuilt images
  • Potentially less chaotic downtime and upgrade scenarios

The flipside is that it’s Docker, and you may spend a lot of time running into issues with extensibility, networking, or build requirements not present in the pulled image. To build the image, we need to be familiar with Docker and Docker-Compose.

Architecture

Image Credit: The Hive

The Hive is separated into two distinct services, The Hive and Cortex, with direct support for a third. We will be focusing our initial efforts on the first two revisiting in a later article the Malware Information Sharing Platform (MISP). The service topology uses The Hive as the CMS, where analysts can work on the same case or specific portions of the incident concurrently. Cortex provides a framework to automate ingestion, analysis, and responses.

A basic workflow and use case could include:

  • Alert received from a network appliance, centralized log collection, or custom integration like MISP is received by Cortex.
  • The alert is analyzed for custom indicators; defined automated responders are then triggered.
  • Alert is auto-assigned and escalated to a case, an email or functional indicator is sent to the analyst queue.
  • The analysis is then conducted, escalated, or resolved

While this kind of workflow would be the most basic interaction possible, we could include various external indicators, populated internal integrations, or responses via TheHive4py.

Installation

In the last few years working with this application, I observed that the installation itself is not that challenging. Like most FOSS solutions, the devil is in the details, and configuration and maintenance tend to offer more complexities. In addition to the below Gist, I have included the docker-compose file for ease of deployment here.

The above code will create and deploy , and the database for Cortex locally on a created network called . The if cloned, will also create the following folder structure for persistence.

The Hive and Cortex both require a basic configuration file to allow for communication and initial configuration. Both can be found in the accompanying GitHub. The key takeaway for both files are and . The first is part of the Play framework utilized to secure your application, and the latter allows The Hive to communicate with Cortex.

Note: I have left the secret keys as represented in the Docker image. If you should decide to take this to production. Please change the secret key to a more secure random key or better add it to the environment.

Image Credit: Matt Bowden

Configuration

Ok, so we have made it this far; it's time to let the container fly. Let’s start by issuing our command or from the directory with the docker-compose.yml file where the runs the containers as a daemon. After some time, the containers should be operational, and using the command will provide confirmation.

Image Credit: Authors

We then need to initialize the Cortex database in Elasticsearch and allow scala to update for the Hive. We initiate this by navigating to your local deployed Cortex IP () followed by clicking update database. If you are watching the instance in another terminal, you will see a series of Elasticsearch commands and Scala configurations occurring.

We are then presented with the create administrator account dashboard. Because I am using this instance for blog writing, I choose the super-secret and super-secure option.

Image Credit: Authors

To enable messaging from The Hive to Cortex, we need to log in to Cortex and create an Organization and org-admin role. To do so after account creation and login we:

  • Click the icon (top-right)
  • Add an organization (top-left)
  • Give the organization a name and description
  • Click the newly created organization
  • Add a user (top-left)
  • Provide a login name, full name, and the read, analyze, and org admin permissions.
  • Finally, click the reveal button and copy the provided string

We utilize this key string in our file within The Hive project folder. Replacing the “api key” with our copied value will allow The Hive to send requests to Cortex, providing access to the installed analyzers and responders.

Home Stretch

Phew, this article is going long, almost there. To confirm everything is functioning as intended, restart the Docker containers to allow the configured API key to work correctly. Depending on how we initiated the build, we either need to to close our a non instance and then issue again or issue a command.

Note: You may have to issue a restart twice, while creating this article I ran into an issue with The Hive not correctly generating some keys in the database, which a container restart fixed.

Let's confirm everything works and is initially configured. Head to the locally configured The Hive instance () and log in with the default credentials with the password . If we were successful in our configuration, we would now be greeted with an analyst dashboard and a green Cortex icon.

Image Credit: Authors

Congratulations, we are now configured and communicating with Cortex from The Hive; feel free to poke, prod, and break things. Or better yet, put the entire thing behind a Traefik container to automate certificate and load-balancing.

Till next time!

Information Systems Security Officer @ SAAS Company

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store