Security Analyst’s Trinity: TheHive Installation
TheHive is a scalable, open-source, and free Security Incident Management Platform meant to make life simpler for SOCs, CSIRTs, CERTs, and any other information security practitioner dealing with security events that must be investigated and responded to quickly.
This blog post focuses on TheHive's installation and on its potential when combined with platforms like Cortex (analyzers and responders) and MISP (threat intelligence).
Installation Of TheHive
Install a Java Virtual Machine
We can install either Oracle Java or OpenJDK.
Option 1: Oracle Java
echo 'deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main' | sudo tee -a /etc/apt/sources.list.d/java.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key EEA14886
sudo apt-get update
sudo apt-get install oracle-java11-installer
Option 2: OpenJDK
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get update
sudo apt-get install openjdk-8-jre-headless
Install Elasticsearch
As part of TheHive's requirements, we'll need to install the Elasticsearch component. Elasticsearch is a platform for distributed search and analysis of data in real time. It is a popular choice due to its usability, powerful features, and scalability. We are installing the Elasticsearch package provided by Elastic.
# PGP key installation
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4
# Alternative PGP key installation
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# Debian repository configuration
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
# Install https support for apt
sudo apt install apt-transport-https
# Elasticsearch installation
sudo apt update && sudo apt install elasticsearch
Elasticsearch Configuration
Modify the configuration file /etc/elasticsearch/elasticsearch.yml and add the following lines:
network.host: 127.0.0.1
cluster.name: thp
thread_pool.get.queue_size: 100000
thread_pool.search.queue_size: 100000
Now that Elasticsearch has been configured, start it as a service and check to see whether it is operational:
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
sudo systemctl status elasticsearch
The status must be active (running). If it isn’t running, you can look at the logs to see what’s wrong:
sudo journalctl -u elasticsearch
Install TheHive
Download and unzip the binary package of your choice. The TheHive files can be installed anywhere on the filesystem. We have decided to put them under /opt for this article.
sudo apt-get install unzip
cd /opt
sudo wget https://download.thehive-project.org/thehive-latest.zip
sudo unzip thehive-latest.zip
sudo ln -s thehive-3.5.1-1 thehive
Modify /opt/thehive/package/thehive.service by editing the ExecStart block:
ExecStart=/opt/thehive/bin/thehive \
-Dconfig.file=/opt/thehive/conf/application.conf \
-Dlogger.file=/opt/thehive/conf/logback.xml \
-Dpidfile.path=/dev/null
The only requirement to start TheHive is the server key (play.http.secret.key). The key is used to authenticate data-containing cookies. Update the secret key in the application.conf file:
(cat << _EOF_
# Secret key
# ~~~~~
# The secret key is used to secure cryptographics functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
_EOF_
) | sudo tee -a /opt/thehive/conf/application.conf
First Start
It is recommended to use a dedicated, non-privileged user account to start TheHive. If so, make sure that the chosen account can create log files in /opt/thehive/logs.
To start the application as a service, use the following commands:
sudo addgroup thehive
sudo adduser --system thehive
sudo cp /opt/thehive/package/thehive.service /usr/lib/systemd/system
sudo chown -R thehive:thehive /opt/thehive
sudo chgrp thehive /opt/thehive/conf/application.conf
sudo chmod 640 /opt/thehive/conf/application.conf
sudo systemctl enable thehive
sudo systemctl start thehive
sudo systemctl status thehive
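Before opening the UI, it is worth confirming that the settings from the steps above actually took effect: Elasticsearch bound to loopback only, a secret key of the generated length present in application.conf, and that file not world-readable. The script below is an added example (not from the original post or TheHive's own tooling); it assumes GNU stat and the file paths used in this article.

```shell
#!/bin/sh
# Post-install sanity checks for the TheHive setup in this article.
# Added example, not part of the original post or of TheHive's own tooling.
# Assumes GNU stat and the file paths used above; each check takes an
# optional path argument so it can be run against a copy of the file.

# 0 if elasticsearch.yml binds to loopback only and carries the cluster
# name and queue sizes set in the Elasticsearch Configuration step.
check_es_config() {
    f="${1:-/etc/elasticsearch/elasticsearch.yml}"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*network\.host:[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*cluster\.name:[[:space:]]*thp[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*thread_pool\.get\.queue_size:[[:space:]]*100000' "$f" || return 1
    grep -Eq '^[[:space:]]*thread_pool\.search\.queue_size:[[:space:]]*100000' "$f"
}

# 0 if application.conf sets play.http.secret.key to a value of at least
# 64 characters from [a-zA-Z0-9], which is what the generator above emits.
# The last definition wins, matching how tee -a appends to the file.
check_secret_key() {
    f="${1:-/opt/thehive/conf/application.conf}"
    [ -r "$f" ] || return 1
    key=$(sed -n 's/^[[:space:]]*play\.http\.secret\.key[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | tail -n 1)
    [ -n "$key" ] || return 1
    [ "${#key}" -ge 64 ] || return 1
    printf '%s' "$key" | grep -Eq '^[a-zA-Z0-9]+$'
}

# 0 if application.conf is not readable by "other" (the article uses 640).
check_conf_perms() {
    f="${1:-/opt/thehive/conf/application.conf}"
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    [ "$mode" = "640" ] || [ "$mode" = "600" ]
}

# Run every check against the live paths and report; non-zero on any failure.
run_checks() {
    rc=0
    for c in check_es_config check_secret_key check_conf_perms; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Only run when invoked as ./thehive-checks.sh --run, so the file can also be sourced.
case "${1:-}" in --run) run_checks ;; esac
```

Run it with `--run` on the TheHive host after the service is up; a FAIL on check_es_config usually means the yml edit landed in the wrong file or Elasticsearch was not restarted.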
Once it’s started, open your browser and navigate to http://SERVER_NAME:9000/
Please remember that the service may take some time to start.
The database schema must be created the first time you connect. To construct the DB schema, click “Update database.”

Once done, you should be redirected to the page for creating the administrator’s account.

Once created, you should be redirected to the login page.

So far, we have successfully completed the installation of TheHive, and we will be looking into Cortex and MISP in the upcoming blogs. After that, we will be exploring how an analyst can investigate an incident using these platforms.
References
https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md#binary