Sunday, 31 May 2026

TheHive - an excellent case management tool for Digital Forensics!

In my work in cybersecurity, I've been quietly using TheHive, made by StrangeBee (https://strangebee.com/thehive/), for the last few years. I was initially searching for something to analyse forensic data and stumbled on this project. It comes in both an open-source and a paid version, and I've had great value from the community version. Paired with Cortex, TheHive is a powerful tool for the cybersecurity professional: Cortex is the component that analyses your artefacts and reports the results back into TheHive. That isn't the only integration TheHive supports. You can push new cases into it from both MISP and Wazuh, then run triage and analysis from within TheHive. It also pushes details back into MISP, so when you review an alert or report you classify it once in TheHive and the classification is updated in MISP, which is pretty neat.

Here is what a couple of entries on the Dashboard look like:

The dialogue box to create a case is below:

And this is what the case page looks like:
Typically, I'll do the following:

  • Create a case, choosing the appropriate level of severity
  • Add at least one task to the case - usually "Review Observables", which is TheHive talk for the artefacts associated with the case, and these can be of many different types
  • Add the observables - of which there can be many types, as seen in this screenshot, and with the "Type" sorted out:

Here is where TheHive and Cortex shine together. The observable type is linked to analyzers that Cortex runs for you. You'll have to set it up, but the good news is that it's quite straightforward and can all run on a single server. Cortex runs the analysis of your observable and then reports back. For example, you might configure Cortex to query Google DNS for bad websites, VirusTotal for known bad artefacts, AbuseFinder is handy, and so is Urlscan.io. Here is an example of what a couple of bad IP addresses look like after Cortex has analysed them:

Red is bad, orange is suspected bad, and green is... well, either Cortex isn't sure or the results are inconclusive.

Cortex requires some grunt to run, so when you read that TheHive + Cortex needs 16GB of RAM and at least 8 CPUs you can understand why: many analyzers run concurrently against the observables, and they need to finish in a timely manner. I run it on my Proxmox server and it gets along quite adequately.
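The red/orange/green colouring above comes from the taxonomy levels that Cortex analyzers put in their report summaries. The script below is an added illustration, not code from TheHive, Cortex or StrangeBee: it assumes only the documented shape of a Cortex job report (a "success" flag and a "summary" holding a list of "taxonomies", each with a "level" of info, safe, suspicious or malicious), combines the reports of every analyzer that ran on one observable, and maps the worst level to the colour the post describes, treating "no analyzer produced a verdict" as inconclusive rather than clean. The analyzer names and IP addresses are constructed sample data.

```python
"""Triage of Cortex analyzer results into the colours TheHive shows.

Added illustration, not code from TheHive or Cortex. It assumes only the
documented shape of a Cortex job report: a "success" flag and a "summary"
holding a list of "taxonomies", each carrying a "level" of
info / safe / suspicious / malicious. All sample reports are constructed.
"""
from typing import Dict, List

# Cortex taxonomy levels, ordered from least to most concerning.
LEVEL_RANK = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}

# The post's colour code: red is bad, orange is suspected bad, green is
# either clean or inconclusive.
COLOUR = {"malicious": "red", "suspicious": "orange", "safe": "green",
          "info": "green", "inconclusive": "green"}


def taxonomies(report: Dict) -> List[Dict]:
    """Return the taxonomy entries of one Cortex job report.
    A failed job, or one without a summary, contributes nothing."""
    if not report.get("success", False):
        return []
    return list(report.get("summary", {}).get("taxonomies", []))


def worst_level(reports: List[Dict]) -> str:
    """Combine every analyzer that ran on one observable.
    The most alarming level wins; if no analyzer produced a taxonomy the
    result is 'inconclusive', never 'safe' by default."""
    levels = [t.get("level") for r in reports for t in taxonomies(r)]
    levels = [lvl for lvl in levels if lvl in LEVEL_RANK]
    if not levels:
        return "inconclusive"
    return max(levels, key=lambda lvl: LEVEL_RANK[lvl])


def triage(observable: str, reports: List[Dict]) -> Dict:
    """One row of the observable list: level, colour, and which analyzers succeeded."""
    level = worst_level(reports)
    return {
        "observable": observable,
        "level": level,
        "colour": COLOUR[level],
        "analyzers": [r.get("analyzer", "?") for r in reports if r.get("success")],
    }


# Constructed reports for documentation-range addresses; not real verdicts.
SAMPLE = {
    "203.0.113.10": [
        {"analyzer": "ExampleReputation", "success": True,
         "summary": {"taxonomies": [{"namespace": "ExampleRep", "predicate": "Score",
                                     "value": "9/10", "level": "malicious"}]}},
        {"analyzer": "ExampleDNSBL", "success": True,
         "summary": {"taxonomies": [{"namespace": "ExampleDNSBL", "predicate": "Listed",
                                     "value": "yes", "level": "suspicious"}]}},
    ],
    "198.51.100.7": [
        {"analyzer": "ExampleReputation", "success": True,
         "summary": {"taxonomies": [{"namespace": "ExampleRep", "predicate": "Score",
                                     "value": "0/10", "level": "safe"}]}},
    ],
    "192.0.2.44": [
        # Analyzer failed (e.g. API quota exhausted): no verdict at all.
        {"analyzer": "ExampleReputation", "success": False,
         "errorMessage": "quota exceeded"},
    ],
}


def triage_all(sample: Dict[str, List[Dict]] = SAMPLE) -> List[Dict]:
    return [triage(obs, reports) for obs, reports in sample.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['observable']:<15} {row['colour']:<7} ({row['level']}) "
              f"via {', '.join(row['analyzers']) or 'no successful analyzer'}")
```

The point of the `inconclusive` branch is the one the post makes about green: a failed or empty analyzer run tells you nothing, so it should not be read as a clean bill of health.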

When working through a case, I use the Tasks to capture what I'm seeing and the "Comments" to report my findings. These can be timestamped (which you should always do), and if you come across an observable or a similarity to another case, TheHive will automatically link the two. Then you can begin the next phase of action, whatever that may be, and track the case to its finale. In the example above, we saw significant attacks on our Web Application Firewall and blocked the addresses, which fixed the problem from an IP address that was known bad at the time. It may have been cleaned up since, and that's why it is important to re-analyse observables. Hijacked sites/IPs or similar can be recovered, and I always want to give my fellow cybersecurity and IT pros the chance to fix their systems without needlessly blocking anyone.
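The re-analysis habit described above can be turned into a small routine rather than something to remember. The code below is an added example, not TheHive's own logic or API: it assumes a simple case record of the kind you might export from a case (the observable, the verdict recorded at the last analysis, when that was, and whether a block is in place), picks the blocked observables whose verdict has gone stale under an assumed fortnightly policy, and applies a fresh Cortex verdict with a little hysteresis so a single clean result does not lift a block on its own. All records and dates are constructed.

```python
"""Which blocked observables are due for re-analysis, and whether a fresh
verdict justifies lifting the block.

Added example, not code from TheHive. It assumes a flat case record exported
from the case: observable, last verdict, last analysis time, block state.
The policy constants and all sample records are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REANALYSE_AFTER = timedelta(days=14)   # assumed policy: revisit every block fortnightly
CLEAN_RUNS_TO_UNBLOCK = 2              # assumed policy: two consecutive clean verdicts


def due_for_reanalysis(records: List[Dict], now: datetime,
                       max_age: timedelta = REANALYSE_AFTER) -> List[str]:
    """Blocked observables whose last analysis is at least max_age old."""
    return [r["observable"] for r in records
            if r["blocked"] and now - r["last_analysed"] >= max_age]


def apply_verdict(record: Dict, new_verdict: str, now: datetime) -> Dict:
    """Return an updated copy of the record after a fresh Cortex verdict.

    malicious/suspicious: keep (or restore) the block and reset the clean count.
    safe: count one clean run; unblock once the threshold is reached.
    info/inconclusive: no evidence either way, so nothing changes but the date.
    """
    rec = dict(record)
    if new_verdict in ("malicious", "suspicious"):
        rec["blocked"] = True
        rec["clean_runs"] = 0
    elif new_verdict == "safe":
        rec["clean_runs"] = rec.get("clean_runs", 0) + 1
        if rec["clean_runs"] >= CLEAN_RUNS_TO_UNBLOCK:
            rec["blocked"] = False
    rec["last_verdict"] = new_verdict
    rec["last_analysed"] = now
    return rec


# Constructed records; the date matches the post's publication date only for flavour.
NOW = datetime(2026, 5, 31, tzinfo=timezone.utc)
RECORDS = [
    {"observable": "203.0.113.10", "last_verdict": "malicious", "blocked": True,
     "clean_runs": 0, "last_analysed": NOW - timedelta(days=20)},
    {"observable": "198.51.100.7", "last_verdict": "suspicious", "blocked": True,
     "clean_runs": 0, "last_analysed": NOW - timedelta(days=3)},
    {"observable": "192.0.2.44", "last_verdict": "safe", "blocked": False,
     "clean_runs": 1, "last_analysed": NOW - timedelta(days=40)},
]


def rerun_cycle(records: List[Dict], fresh_verdicts: Dict[str, str],
                now: datetime) -> List[Dict]:
    """Re-analyse only what is due, using the verdicts supplied for those observables."""
    due = set(due_for_reanalysis(records, now))
    return [apply_verdict(r, fresh_verdicts[r["observable"]], now)
            if r["observable"] in due else r
            for r in records]


if __name__ == "__main__":
    print("due:", due_for_reanalysis(RECORDS, NOW))
    updated = rerun_cycle(RECORDS, {"203.0.113.10": "safe"}, NOW)
    for r in updated:
        print(r["observable"], "blocked" if r["blocked"] else "open",
              r["last_verdict"], r["clean_runs"])
```

Only blocked observables are considered due, because the cost of a stale block falls on someone else's recovered system, while the unblock threshold guards against a single quiet day being mistaken for a clean-up.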

TheHive has nice reporting (I don't have an example that doesn't contain sensitive data), and as a system for managing what I am seeing and being asked to respond to, I've found it excellent. I use the Community edition. I don't get a lot of cases through work, but I do get a few when I'm helping people outside of the office, and TheHive is great for supporting that community work. I've had several interactions with their team and they've been generally very good, so thank you, StrangeBee members!

I've meant to write about TheHive for a while. It's a great tool, and I think that if there's a forensic element to your work, it can really add value.
