TheHive
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
Top Related Projects
Quick Overview
TheHive is an open-source, scalable Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs, and any information security practitioner dealing with security incidents. It provides a robust and flexible platform for collaborative incident response, threat hunting, and case management.
Pros
- Highly customizable and extensible through its API and integrations
- Supports multi-tenancy for managing multiple organizations or teams
- Offers a powerful query language for searching and analyzing cases
- Integrates well with other security tools like MISP and Cortex
Cons
- Steep learning curve for new users due to its extensive features
- Installation and setup process can be complex for some environments
- Limited built-in reporting capabilities compared to some commercial alternatives
- Requires regular maintenance and updates to ensure optimal performance
Getting Started
To get started with TheHive, follow these steps:
- Install Docker and Docker Compose on your system.
- Create a
docker-compose.yml
file with the following content:
version: '3'
services:
thehive:
image: thehiveproject/thehive:latest
ports:
- "9000:9000"
volumes:
- thehive_data:/opt/thehive/data
environment:
- JVM_OPTS="-Xms1024M -Xmx1024M"
volumes:
thehive_data:
- Run the following command to start TheHive:
docker-compose up -d
- Access TheHive web interface at
http://localhost:9000
and follow the initial setup wizard.
For more detailed instructions and advanced configurations, refer to the official documentation at https://docs.thehive-project.org/.
Competitor Comparisons
Cortex: a Powerful Observable Analysis and Active Response Engine
Pros of Cortex
- Specialized in automated analysis and active response
- Supports a wide range of analyzers and responders
- Can be used independently or integrated with TheHive
Cons of Cortex
- More focused on analysis, lacking case management features
- Requires additional setup and configuration for full functionality
- May have a steeper learning curve for new users
Code Comparison
TheHive:
def create_case(title, description, severity):
case = Case(title=title, description=description, severity=severity)
db.session.add(case)
db.session.commit()
return case
Cortex:
def run_analyzer(observable, analyzer_id):
job = AnalyzerJob(observable=observable, analyzer_id=analyzer_id)
cortex.run_analyzer(job)
return job.get_report()
TheHive focuses on case management and incident response workflows, while Cortex specializes in automated analysis and active response. TheHive provides a more comprehensive solution for security operations, including case tracking and collaboration features. Cortex, on the other hand, excels in integrating various analysis tools and automating responses to security events.
While both projects can work together seamlessly, they serve different primary purposes within the security ecosystem. TheHive is better suited for overall incident management, whereas Cortex shines in providing detailed analysis and automated actions based on observables.
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Pros of MISP
- Extensive threat intelligence sharing capabilities with a large community
- Robust data model for structured threat information
- Flexible API and integrations with various security tools
Cons of MISP
- Steeper learning curve due to complex features
- Can be resource-intensive for large deployments
- Less focus on case management compared to TheHive
Code Comparison
MISP (Python):
from pymisp import PyMISP
misp = PyMISP(misp_url, misp_key, ssl=False)
event = misp.new_event(info='Malware Analysis', distribution=0, threat_level_id=2, analysis=2)
misp.add_attribute(event, type='md5', value='d41d8cd98f00b204e9800998ecf8427e')
TheHive (Scala):
import org.thp.thehive.client.TheHiveClient
val thehive = TheHiveClient("http://localhost:9000")
val caseId = thehive.createCase("Malware Analysis", "High", "In Progress")
thehive.createObservable(caseId, "md5", "d41d8cd98f00b204e9800998ecf8427e")
Both projects offer APIs for creating and managing threat intelligence data, but MISP focuses more on sharing and structuring threat information, while TheHive emphasizes case management and incident response workflows.
Open Cyber Threat Intelligence Platform
Pros of OpenCTI
- More comprehensive threat intelligence platform with advanced data modeling
- Better integration with external threat intelligence sources
- Stronger focus on knowledge management and visualization of threat data
Cons of OpenCTI
- Steeper learning curve due to more complex features
- Requires more resources to set up and maintain
- May be overkill for smaller organizations with simpler threat intelligence needs
Code Comparison
OpenCTI (Python):
from pycti import OpenCTIApiClient
# Initialize the client
client = OpenCTIApiClient(api_url, api_token)
# Create an indicator
indicator = client.indicator.create(
name="Malicious IP",
description="Known C2 server",
pattern_type="stix",
pattern="[ipv4-addr:value = '10.0.0.1']"
)
TheHive (Scala):
import org.thp.thehive4py.TheHiveApi
import org.thp.thehive4py.models._
// Initialize the client
api = TheHiveApi('http://localhost:9000', 'api_key')
// Create an alert
alert = Alert(title='Suspicious Activity', description='Detected malicious IP')
response = api.create_alert(alert)
Both platforms offer APIs for integration, but OpenCTI's API is more extensive and follows the STIX standard, while TheHive's API is simpler and focuses on case management workflows.
Developer-first error tracking and performance monitoring
Pros of Sentry
- More comprehensive error tracking and performance monitoring across multiple platforms and languages
- Larger community and more frequent updates, with over 30k GitHub stars
- Extensive documentation and integration options with popular development tools
Cons of Sentry
- More complex setup and configuration process
- Higher resource requirements for self-hosted installations
- Steeper learning curve for new users due to its extensive feature set
Code Comparison
TheHive uses Scala and Play Framework:
def create = Action.async(parse.json) { implicit request =>
request.body.validate[Case].fold(
errors => Future.successful(BadRequest(JsError.toJson(errors))),
caze => caseRepo.create(caze).map { createdCase =>
Created(Json.toJson(createdCase))
}
)
}
Sentry uses Python and Django:
def create_group(event, **kwargs):
group, is_new, is_regression = _create_group(
event,
**kwargs
)
if is_new:
record_group_creation(group)
return group, is_new, is_regression
Both repositories focus on incident management and error tracking, but Sentry offers a more comprehensive solution for application monitoring across various platforms. TheHive is more specialized for security incident response and threat hunting, while Sentry provides broader error tracking and performance monitoring capabilities for developers.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
TheHive is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion to MISP. You can synchronize it with one or multiple MISP instances to start investigations out of MISP events. You can also export an investigation's results as a MISP event to help your peers detect and react to attacks you've dealt with. Additionally, when TheHive is used in conjunction with Cortex, security analysts and researchers can easily analyze tens if not hundred of observables.
Collaborate
Collaboration is at the heart of TheHive.
Multiple analysts from one organisations can work together on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker. Using TheHive's live stream, everyone can keep an eye on what's happening on the platform, in real time.
Multi-tenancy and fine grained user profiles let organisations and analysts work and collaborate on a same case accross organisations. For example, one case can be created by a first organisation who start investigating and ask for contribution from other teams or escalate to another organisation.
Elaborate
Within TheHive, every investigation corresponds to a case. Cases can be created from scratch or from MISP events, SIEM alerts, email reports and any other noteworthy source of security events.
Each case can be broken down into one or more tasks. Instead of adding the same tasks to a given type of case every time one is created, analysts can use TheHive's template engine to create them once and for all. Case templates can also be used to associate metrics to specific case types in order to drive the team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks.
Each task can be assigned to a given analyst. Team members can also take charge of a task without waiting for someone to assign it to them.
Tasks may contain multiple work logs that contributing analysts can use to describe what they are up to, what was the outcome, attach pieces of evidence or noteworthy files and so on. Logs can be written using a rich text editor or Markdown.
Analyze
You can add one or hundreds if not thousands of observables to each case you create. You can also create a case out of a MISP event. TheHive can be very easily linked to one or several MISP instances and MISP events can be previewed to decide whether they warrant an investigation or not. If an investigation is in order, the analyst can then add the event to an existing case or import it as a new case using a customizable template.
Thanks to TheHive4py, TheHive's Python API client, it is possible to send SIEM alerts, phishing and other suspicious emails and other security events to TheHive. They will appear in its Alerts
panel along with new or updated MISP events, where they can be previewed, imported into cases or ignored.
TheHive has the ability to automatically identify observables that have been already seen in previous cases. Observables can also be associated with a TLP and the source which provided or generated them using tags. The analyst can also easily mark observables as IOCs and isolate those using a search query then export them for searching in a SIEM or other data stores.
Analysts can analyze tens or hundreds of observables in a few clicks by leveraging the analyzers of one or several Cortex instances depending on your OPSEC needs: DomainTools, VirusTotal, PassiveTotal, Joe Sandbox, geolocation, threat feed lookups and so on.
Security analysts with a knack for scripting can easily add their own analyzers to Cortex in order to automate actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP. For example, a file added as observable can be submitted to VirusTotal if the associated TLP is WHITE or GREEN. If it's AMBER, its hash is computed and submitted to VT but not the file. If it's RED, no VT lookup is done.
Try it
To try TheHive, you can use the training VM or install it by reading the Installation Guide.
Details
Documentation
We have made several guides available in the Documentation repository.
Main features
Multi-tenancy
TheHive comes with a special multi-tenancy support. It allows the following strategies:
- Use a siloed multi-tenancy: many organisations can be defined without allowing them to share data;
- Use a collaborative multi-tenancy: a set of organisations can be allowed to collaborate on specific cases/tasks/observables, using custom defined user profiles (RBAC).
RBAC
TheHive comes with a set of permissions and several pre-configured user profiles:
admin
: full administrative permissions on the platform ; can't manage any Cases or other data related to investigations;org-admin
: manage users and all organisation-level configuration, can create and edit Cases, Tasks, Observables and run Analyzers and Responders;analyst
: can create and edit Cases, Tasks, Observables and run Analyzers & Responders;read-only
: Can only read, Cases, Tasks and Observables details;
New profiles can be created by administrators of the platform.
Authentication
TheHive 4 supports authentication methods:
- local accounts
- Active Directory
- LDAP
- Basic Auth
- API keys
- OAUTH2
- Multi Factor Authentication
Statistics & Dashboards
TheHive comes with a powerful statistics module that allows you to create meaningful dashboards to drive your activity and support your budget requests.
Integrations
MISP and Cortex
TheHive can be configured to import events from one or multiple MISP instances. You can also use TheHive to export cases as MISP events to one or several MISP servers.
Cortex is the perfect companion for TheHive. Use one or several to analyze observables at scale.
Integration with Digital Shadows
TheHive Project provides DigitalShadows2TH, a free, open source Digital Shadows alert feeder for TheHive. You can use it to import Digital Shadows incidents and intel-incidents as alerts in TheHive, where they can be previewed and transformed into new cases using pre-defined incident response templates or added into existing ones.
Integration with Zerofox
Zerofox2TH is a free, open source ZeroFOX alert feeder for TheHive, written by TheHive Project. You can use it to feed ZeroFOX alerts into TheHive, where they can be previewed and transformed into new cases using pre-defined incident response templates or added into existing ones.
And many more
Lots of awesome integrations shared by the community could be listed there. If you're looking for a specific one, a dedicated repository containing all known details and references about existing integrations is updated frequently, and can be found here: https://github.com/TheHive-Project/awesome.
License
TheHive is an open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensure that TheHive will remain a free and open source project on the long-run.
Updates
Information, news and updates are regularly posted on TheHive Project Twitter account and on the blog.
Contributing
Please see our Code of conduct. We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests via issues.
Support
Please open an issue on GitHub if you'd like to report a bug or request a feature. We are also available on Discord to help you out.
If you need to contact the project team, send an email to support@thehive-project.org.
Important Note:
- If you have problems with TheHive4py, please open an issue on its dedicated repository.
- If you encounter an issue with Cortex or would like to request a Cortex-related feature, please open an issue on its dedicated GitHub repository.
- If you have troubles with a Cortex analyzer or would like to request a new one or an improvement to an existing analyzer, please open an issue on the analyzers' dedicated GitHub repository.
Community Discussions
We have set up a Google forum at https://groups.google.com/a/thehive-project.org/d/forum/users. To request access, you need a Google account. You may create one using a Gmail address or without it.
Website
Top Related Projects
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot