Security Analyst’s Trinity: TheHive Installation
TheHive is a scalable, open-source, and free Security Incident Management Platform meant to make life simpler for SOCs, CSIRTs, CERTs, and any other information security practitioner dealing with security events that must be investigated and responded to quickly.
This blog post focuses on TheHives’ installation and its potential when combined with platforms like Cortex and MISP as analyzers & responders and Threat intelligence respectively.
Installation Of TheHive
Install a Java Virtual Machine
We can install either Oracle Java or OpenJDK.
Option 1: Oracle Java
echo 'deb <http://ppa.launchpad.net/webupd8team/java/ubuntu> trusty main' | sudo tee -a /etc/apt/sources.list.d/java.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key EEA14886
sudo apt-get update
sudo apt-get install oracle-java11-installer
Option 2:Open JDK
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get update
sudo apt-get install openjdk-8-jre-headless
As part of TheHive’s requirements, we’ll need to install the Elasticsearch component. Elasticsearch is a platform for distributed search and analysis of data in real-time. It is a popular choice due to its usability, powerful features, and scalability. We are installing the Elasticsearch package provided by Elastic
# PGP key installation
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4#Alternative PGP key installation
wget -qO — https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add# Debian repository configuration
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list# Install https support for apt
sudo apt install apt-transport-https# Elasticsearch installation
sudo apt update && sudo apt install elasticsearch
Modify the configuration file /etc/elasticsearch/elasticsearch.yml and add the following lines:
Now that Elasticsearch has been configured, start it as a service and check to see whether it is operational:
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
sudo systemctl status elasticsearch
The status must be active (running). If it isn’t running, you can look at the logs to see what’s wrong:
sudo journalctl -u elasticsearch
Download and unzip the binary package of your choice. The TheHive files can be installed anywhere on the filesystem. We have decided to put them under
/opt for this article.
sudo apt-get install unzip
sudo wget https://download.thehive-project.org/thehive-latest.zip
sudo unzip thehive-latest.zip
sudo ln -s thehive-3.5.1-1 thehive
/opt/thehive/package/thehive.service modifying the ExecStart block:
The only needed requirement to start TheHive is the server key (
play.http.secret.key). The key is used to authenticate data-containing cookies. Update the Secret Key in the
(cat << _EOF_
# Secret key
# The secret key is used to secure cryptographics functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
) | sudo tee -a /opt/thehive/conf/application.conf
It is recommended to use a dedicated, non-privileged user account to start TheHive. If so, make sure that the chosen account can create log files in
Start the application as a service, use the following service
sudo addgroup thehive
sudo adduser --system thehive
sudo cp /opt/thehive/package/thehive.service /usr/lib/systemd/system
sudo chown -R thehive:thehive /opt/thehive
sudo chgrp thehive /opt/thehive/conf/application.conf
sudo chmod 640 /opt/thehive/conf/application.conf
sudo systemctl enable thehive
sudo systemctl start thehive
sudo systemctl status thehive
Once it’s started, open your browser and navigate to http://SERVER_NAME:9000/
Please remember that the service may take some time to begin.
The database schema must be created the first time you connect. To construct the DB schema, click “Update database.”
Once done, you should be redirected to the page for creating the administrator’s account.
Once created, you should be redirected to the login page.
So far, we have successfully completed the installation of TheHive, and we will be looking into Cortex and MISP in the upcoming blogs. After that, we will be exploring how an analyst can investigate an incident using these platforms.