Introducing pollen — a command-line tool for TheHive

I’ve been using TheHive on and off for a couple years now, and absolutely LOVE this tool. If you haven’t heard of TheHive yet, I suggest heading to their main page and checking it out. It’s a scalable, free and open source incident management platform that has become crucial in how I conduct investigations.

However, TheHive is largely browser-based, and I do a lot of analysis on the command line. That meant switching from terminal to browser quite frequently to store results and findings, which wasn’t always optimal or ideal, especially if my session had timed out. Thus, pollen was born.

pollen

pollen is a Python-based tool that provides a bridge between the terminal and TheHive via a series of cascading Python Cmd shells. Once you enter your server and API details, pollen dynamically gives you case- and task-level control and insight.

I’ve provided a few examples of pollen in action below, however the wiki will be the best place to go for details on the tool.

Source: https://github.com/bromiley/pollen

Configuration

Upon first run, pollen recognizes that there is no local config file. Thus, it prompts you to configure first. This will simply ask for server and API details.

             _ _
 _ __ * ___ | | | ___ _ __
| '_ \ / _ \| | |/ _ \ '_ \ *
| |_) | (_) | | |  __/ | | |
| .__/ \___/|_|_|\___|_| |_| *
|_|                          *
Keeping the busy analysis bees busy!
Config file not found; would you like to create it now? (y/n): y
Please enter the address for TheHive server you want to connect to: https://<your_hive_server>
Please enter the API key for that particular server: <your_hive_api>
Successfully connected to TheHive at https://<your_hive_server> !!

Once you’ve connected, it’s off to the analysis!
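To show what the first-run configuration step looks like in code, here is an added example (my own illustration, not pollen's actual source): it prompts for the server address and API key exactly as the session above does, validates the URL, and stores the result in a JSON file that only the owner can read, since the file holds an API key. The config path `~/.pollen.json`, the JSON layout, and the `load_config`/`write_config` names are assumptions; pollen's real file name and format may differ.

```python
import json
import os
import stat
from pathlib import Path
from urllib.parse import urlparse

# Assumed location; pollen's real config file name may differ.
DEFAULT_CONFIG = Path.home() / ".pollen.json"


def validate_server(url: str) -> str:
    """Accept only an absolute http(s) URL and drop any trailing slash."""
    cleaned = url.strip()
    parsed = urlparse(cleaned)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"not a valid TheHive URL: {url!r}")
    return cleaned.rstrip("/")


def write_config(path: Path, server: str, api_key: str) -> None:
    """Persist server and API details, readable by the owner only."""
    data = {"server": validate_server(server), "api_key": api_key.strip()}
    # Create the file with mode 0600 up front so the key is never,
    # even briefly, readable by other local users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    # Tighten an existing file that may have been created with looser bits.
    os.chmod(path, 0o600)


def load_config(path: Path = DEFAULT_CONFIG, prompt=input) -> dict:
    """Return the stored config, prompting for it (as pollen does) if absent.

    `prompt` is injectable so the flow can be exercised without a terminal.
    """
    if not path.exists():
        answer = prompt("Config file not found; would you like to create it now? (y/n): ")
        if answer.strip().lower() != "y":
            raise SystemExit("No configuration; exiting.")
        server = prompt("Please enter the address for TheHive server you want to connect to: ")
        api_key = prompt("Please enter the API key for that particular server: ")
        write_config(path, server, api_key)
    # Refuse to use a config that other users could read: it contains a secret.
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(
            f"{path} is readable by group/others (mode {mode:o}); fix with chmod 600"
        )
    with path.open() as fh:
        return json.load(fh)


if __name__ == "__main__":
    cfg = load_config()
    print(f"Loaded config for {cfg['server']}")
```

The permission check on load is the part worth keeping in any tool like this: an API key for a case-management platform grants access to every investigation the account can see, so a config file that drifts to 0644 on a shared analysis box is a real exposure, not a cosmetic one.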

Case Management

Once API details have been entered, pollen no longer drops you into config mode. Instead, you’ll be dropped into the “base shell”, which allows you to interact with and create cases. Here’s some sample output:

(pollen) case
There are 4 open cases:
0 - THISISMYFIRSTCASEILOVEMYCASE
1 - Ransomware Incident
2 - TopSekret Investigation
3 - IT Tickets
Case selection (0-3) [Ctrl+C to exit]:

Once you select a case, you’ll then be dropped into the “case-specific shell”, which provides even more features and options. The command-line is dynamic, meaning it knows what cases and tasks you are currently interacting with.

Task Management

Once a case has been selected, we can create and write to tasks with pollen as well. Here’s some sample output:

(pollen) (case: IT Tickets) tasks
***** Task Details for Case: IT Tickets*****
There are currently 3 tasks.
Task Details:
Task Title: Unpatched RDP in Prod | Status: InProgress
Task Title: Unpatched ColdFusion in Dev | Status: InProgress
Task Title: Unpatched Java | Status: InProgress
(pollen) (case: IT Tickets)

Task Logging and File Uploads

However, pollen does more than just display data. It also allows you to upload your findings and details to particular cases and tasks as well. There are two commands, log and logfile, which allow you to upload task findings or task findings AND a corresponding file, respectively. Check it out:

(pollen) (case: Sample Case Title) take
Please select a task number to move to that task:
# - Task Title
0 - Yet another sample task
1 - This is a sample task title
Please select a value from 0-1. (Press Ctrl+C to exit) 0
(pollen) (case: Sample Case Title) (task: Yet another sample task) log This is a sample log entry; I found the malwarez!!
Inserting the following log entry:
This is a sample log entry; I found the malwarez!!

We can upload supporting files as well:

(pollen) (case: Sample Case Title) (task: Yet another sample task) logfile This is a sample log entry; I found the malwarez, and here's the file!! && /tmp/sample_file
Inserting the following log entry:
This is a sample log entry; I found the malwarez, and here's the file!!
And attaching the following file:  /tmp/sample_file

Pretty neat!
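To make the “cascading Cmd shells” idea from the introduction and the log/logfile commands above concrete, here is an added example that is my own illustration and not pollen's source code. It nests three `cmd.Cmd` shells (base → case → task) so the prompt always shows the current case and task, implements `log` and `logfile` against constructed in-memory sample cases instead of the TheHive API, and parses the `message && /path` form shown above. The `&&` splitting rule, the `back` command, the `Case`/`Task` classes and the sample data are all assumptions.

```python
import cmd
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed stand-ins for the case and task records TheHive would return.
@dataclass
class Task:
    title: str
    status: str = "InProgress"
    logs: List[Tuple[str, Optional[Path]]] = field(default_factory=list)

@dataclass
class Case:
    title: str
    tasks: List[Task] = field(default_factory=list)

SAMPLE_CASES = [
    Case("Ransomware Incident", [Task("Triage host"), Task("Collect memory")]),
    Case("IT Tickets", [Task("Unpatched RDP in Prod"), Task("Unpatched ColdFusion in Dev")]),
]

FILE_SEPARATOR = "&&"  # assumed: separates the message from the path in `logfile`

def split_logfile_args(line: str) -> Tuple[str, Path]:
    """Parse 'message && /path'. Splits on the LAST '&&' so the message may contain one."""
    if FILE_SEPARATOR not in line:
        raise ValueError("logfile needs '<message> && <path>'")
    message, _, path = line.rpartition(FILE_SEPARATOR)
    message, path = message.strip(), path.strip()
    if not message or not path:
        raise ValueError("both a message and a file path are required")
    resolved = Path(path).expanduser()
    if not resolved.is_file():  # catch typos before anything is sent to the server
        raise FileNotFoundError(f"no such file: {resolved}")
    return message, resolved

def pick(items, prompt=input) -> int:
    """Numbered menu like pollen's case/task selection; loops until a valid index."""
    for i, item in enumerate(items):
        print(f"{i} - {item}")
    while True:
        raw = prompt(f"Selection (0-{len(items) - 1}) [Ctrl+C to exit]: ").strip()
        if raw.isdigit() and int(raw) < len(items):
            return int(raw)
        print("Invalid selection.")

class TaskShell(cmd.Cmd):
    """Innermost shell: prompt carries both the case and the task."""
    def __init__(self, case: Case, task: Task, **kw):
        super().__init__(**kw)
        self.case, self.task = case, task
        self.prompt = f"(pollen) (case: {case.title}) (task: {task.title}) "
    def do_log(self, line: str):
        """log <message>: record a task log entry."""
        message = line.strip()
        if not message:
            print("log needs a message")
            return
        self.task.logs.append((message, None))
        print(f"Inserting the following log entry:\n{message}")
    def do_logfile(self, line: str):
        """logfile <message> && <path>: log entry plus an attached file."""
        try:
            message, path = split_logfile_args(line)
        except (ValueError, FileNotFoundError) as exc:
            print(f"Error: {exc}")
            return
        self.task.logs.append((message, path))
        print(f"Inserting the following log entry:\n{message}\nAnd attaching the following file:  {path}")
    def do_back(self, line: str):
        return True  # returning True ends this cmdloop and falls back to the case shell

class CaseShell(cmd.Cmd):
    """Case-specific shell: lists tasks and hands off to a TaskShell."""
    def __init__(self, case: Case, prompt_fn=input, **kw):
        super().__init__(**kw)
        self.case, self.prompt_fn = case, prompt_fn
        self.prompt = f"(pollen) (case: {case.title}) "
    def do_tasks(self, line: str):
        print(f"***** Task Details for Case: {self.case.title} *****")
        print(f"There are currently {len(self.case.tasks)} tasks.")
        for t in self.case.tasks:
            print(f"Task Title: {t.title} | Status: {t.status}")
    def do_take(self, line: str):
        idx = pick([t.title for t in self.case.tasks], self.prompt_fn)
        TaskShell(self.case, self.case.tasks[idx]).cmdloop()
    def do_back(self, line: str):
        return True

class BaseShell(cmd.Cmd):
    """Base shell: pick a case, then drop into its CaseShell."""
    prompt = "(pollen) "
    def __init__(self, cases: List[Case], prompt_fn=input, **kw):
        super().__init__(**kw)
        self.cases, self.prompt_fn = cases, prompt_fn
    def do_case(self, line: str):
        print(f"There are {len(self.cases)} open cases:")
        idx = pick([c.title for c in self.cases], self.prompt_fn)
        CaseShell(self.cases[idx], self.prompt_fn).cmdloop()
    def do_exit(self, line: str):
        return True

if __name__ == "__main__":
    BaseShell(SAMPLE_CASES).cmdloop()
```

Each nested shell is just another `cmd.Cmd` whose `cmdloop()` runs until a command returns `True`, which is what gives the layered `(pollen) (case: …) (task: …)` prompt its context. Checking that the attachment exists locally before building the request keeps a mistyped path from producing a half-written log entry on the server.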

What’s To Come

I’m releasing pollen in its current state, primarily because I want to start to make life easier for analysts who are using this. However, I’m aware that there are more features to come. Here’s what I’ve got cooking:

  • Observable upload, download, and control
  • Task log reading (not just updating)
  • Better task control
  • Better output options
  • Wait, did someone say Cortex?!

I’ll post out when new features become available, but in the meantime, if there are any issues, comments, or concerns with pollen, don’t hesitate to let me know. Happy forensicating!