TheHive 5 Incident Management System: Enhancing Cybersecurity Resilience and Collaboration

Saidani Mohamed El Amine
5 min readJul 23, 2023

TheHive is a robust and feature-rich open-source Security Incident Response Platform (SIRP) that enables organizations to effectively manage and respond to security incidents. It acts as a central command center for security teams, facilitating collaboration, and coordination during incident investigations. The platform allows users to create and track cases, manage observables, and automate repetitive tasks, streamlining the incident response process. By providing seamless integration with various security tools and services like the Malware Information Sharing Platform (MISP) and Cortex, TheHive empowers security professionals to swiftly identify, analyze, and mitigate threats, making it an indispensable tool for enhancing cybersecurity resilience and protecting critical assets.

Installation and configuration of TheHive 5

There’s a demo VM ready to use to avoid all the pain through the installation and configuration, the purpose of this blog is how to use it otherwise here’s the link to the official documentation of TheHive project, Use this link after adding the info you will get an email to download the VM download the image

Using VirtualBox

  1. When importing, ensure to set Guest OS type information.
  1. Once imported, update the network settings of the VM before starting it.
  1. Add required port forwarding (update according to your needs) and save.

Using VMware: no need for any configuration just import it and start it.

Once you start it you will see the following

TheHive Credentials

This VM comes with 2 accounts in TheHive:

Administrator:

  • Login: admin@thehive.local
  • Password: secret

A user named thehive has been created and is org-admin of the organization named demo:

  • Login: thehive@thehive.local
  • Password: thehive1234

Cortex credentials

This VM comes with 2 accounts in Cortex:

Administrator:

  • Login: admin
  • Password: thehive1234

An Organisation is also created with an orgadmin account:

  • Login: thehive
  • Password: thehive1234

Note: for more details please visit this link

Once you start the VM, open the browser and go to http://127.0.0.1:8888

Main Interface

At the heart of TheHive’s workflow are “Cases” and “Tasks,” which form the backbone of a well-structured incident tracking system. Let’s investigate these features to understand how they optimize incident resolution and enhance overall cybersecurity.

My Tasks: The “My Tasks” button in TheHive is your personalized window into the world of assigned tasks. Each SOC analyst is provided with a unique login name, ensuring tasks are tracked individually for clear accountability and focus. By simply clicking on “My Tasks,” you gain instant visibility into the number of tasks assigned.

Waiting Tasks: Within TheHive’s dynamic ecosystem, “Waiting Tasks” represent the number of pending assignments that have not yet been assigned to any specific analyst. These tasks could be critical actions required to address ongoing incidents, and their prompt allocation is crucial for effective response.

Alert: In the fast-paced world of cybersecurity, timely and efficient handling of alerts is crucial for detecting and responding to potential threats. TheHive, a versatile incident response platform, serves as a centralized alert aggregation point. It allows SIEMs and other security appliances to submit information via a web API, presenting it in a dedicated alert dashboard. Let’s explore how TheHive’s alert triage process works, empowering analysts to swiftly respond to incoming alerts with precision.

Create A New Empty Case: Exploring TheHive’s Workflow

After clicking on the “Create a new Case”

  1. Give the Title to your case “My First Case” in the title field
  2. Add Description to your case “This is my first case”
  3. Click on “Add a task”
  1. Add “Task” to the same “Case”: “Add my first IP and Domain observable”

Now we have created the Case.

  1. Click on the task and start it
  1. Choose the type of observable from the list “IP”
  2. Add the Value of the IP
  3. Add Description “Sample IP address” and confirm
  1. With the new feature in the updated version of TheHive, you can enrich your case with the Mitre Att&ck framework
  1. Choose your Tactic, Technique, and sub-technique to your case, and confirm
  1. Now we go to the Observables
  2. Click on the options
  3. And click on “Run analyzers”
  1. Choose the analyzer that you want to run from the list
  2. After running the Analyzer, wait a moment to get the details.
  1. Click on Got to details, to view the details of the Analyzer
  1. Voila, you can see the details here.
  1. Now you can close your task.
  1. Finally, you can close your ticket.

Note: if you face any issues, please do let me know in the comment section I’ll try my best to help!

Congratulations! You’ve taken the first step towards discovering the incredible world of TheHive.

What’s To Come: Enhancing Cybersecurity through Collective Intelligence: Exploring the Power of MISP

As we conclude this exploration of TheHive, next will Explore the power of MISP, stay tuned for my next blog, where we will delve deeper into its features, integrations, and real-world success stories. Get ready to elevate your cybersecurity defense with MISP’s threat-sharing prowess!

--

--

Saidani Mohamed El Amine

Currently working as DevSecOps consultant with focus on security, monitoring, Big Data, and related topics.