Learning how to make Analysers for TheHive
TheHive is a "scalable, open source and free Security Incident Response Platform". It provides a really simple way for incident responders to manage cyber incidents.
TLDR... it's hugely extensible and very cool!
✅ Development Server Requisitioned
✅ TheHive & Cortex Installed
✅ Analysers, Responders, Templates Installed
You log in to TheHive, create a new case, upload some malware/email/hash to the observables and run the "fileinfo" analyser
(because, let's be honest, it has no prerequisites, API tokens, etc.)
and now we know that the .EML file you uploaded is an email file.
Awesome. Job Done.
Ok, let's do something useful: why don't we install an analyser that connects to our local enterprise malware analysis server, because we should never upload to VirusTotal... SHOULD WE!
Uh oh, nothing prebuilt... but wait, didn't the tagline say "open-source"?
We can build our own analyser? ...right?
Building Analysers for Beginners
- Head over to the Cortex-Analyzers GitHub repo,
- Learn Python 🐍.
- ~~Steal~~ Borrow the most basic analyzer's code that makes JSON calls,
- "Repurpose" that code and put your internal server information in (likely with /api),
- Modify the JSON dictionary passed to TheHive,
- Debug any errors with Stack Overflow,
- Learn how to debug errors in a development Hive environment, until we get the long-awaited green tick ✅.
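The steps above, as an added example that is not code from the post or from the Cortex-Analyzers repo: a minimal hash analyser written against the raw Cortex job contract (JSON job in, JSON result out) rather than the cortexutils helper, so it runs with no extra dependency. The internal server's `/api/lookup` endpoint, its response fields and the `url`/`key` config names are assumptions; the HTTP call is injected so the report-building logic can be exercised without a server.

```python
import json
import sys
from typing import Any, Callable, Dict

# Cortex hands an analyser one JSON job ({"dataType", "data", "config", ...}) and expects
# one JSON result ({"success", "full", "summary", "artifacts"}); TheHive renders "full"
# through the analyser's template and "summary.taxonomies" as observable tags.
# Assumed (hypothetical) internal server API: POST {url}/api/lookup {"sha256": ...}
# returning {"verdict": "malicious"|"suspicious"|"clean"|"unknown", "score": int, "families": [...]}.

SUPPORTED_TYPES = {"hash"}


def taxonomy(level: str, value: str) -> Dict[str, str]:
    """One summary tag as TheHive shows it: namespace:predicate = value, coloured by level."""
    return {"level": level, "namespace": "InternalSandbox", "predicate": "Verdict", "value": value}


def build_report(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map the server's answer onto the full/summary dict the template will read."""
    verdict = str(raw.get("verdict", "unknown")).lower()
    level = {"malicious": "malicious", "suspicious": "suspicious", "clean": "safe"}.get(verdict, "info")
    return {
        "success": True,
        "full": {"verdict": verdict, "score": raw.get("score"), "families": raw.get("families", [])},
        "summary": {"taxonomies": [taxonomy(level, verdict)]},
        "artifacts": [],
    }


def analyze(job: Dict[str, Any], post: Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]) -> Dict[str, Any]:
    """Run one Cortex job; post(url, headers, body) performs the HTTP call (injected so it can be mocked)."""
    if job.get("dataType") not in SUPPORTED_TYPES:
        return {"success": False, "errorMessage": "unsupported dataType %r" % job.get("dataType")}
    cfg = job.get("config", {})
    base, key = cfg.get("url", "").rstrip("/"), cfg.get("key")  # secrets live in Cortex config, not the source
    if not base or not key:
        return {"success": False, "errorMessage": "missing url/key in analyzer config"}
    try:
        raw = post(base + "/api/lookup", {"Authorization": "Bearer " + key}, {"sha256": job["data"]})
    except Exception as exc:  # a dead server becomes a Cortex error message, not a stack trace
        return {"success": False, "errorMessage": "internal server unreachable: %s" % exc}
    return build_report(raw)


def http_post(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    import requests  # only needed when run for real under Cortex
    resp = requests.post(url, headers=headers, json=body, timeout=30)  # TLS verification stays on
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    print(json.dumps(analyze(json.load(sys.stdin), http_post)))  # job on stdin, result on stdout
```

Drop a matching `InternalSandbox.json` flavour file beside it and Cortex will pass the `url`/`key` values you configure in the UI through `job["config"]`.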
The analyser has run successfully. It submitted your malware, it pulled a report to your case, and now you have an empty report with no information.
Templates. Data needs to go somewhere.
Building Templates for Beginners
- ~~Steal~~ Borrow another analyser's template,
- Remember what a JSON dict is & figure out how JSON key:value pairs work,
- Relearn HTML, CSS, AngularJS,
- Make a beautiful HTML table with all your keys and values.
Done.
Now you have an awesome HTML report you made yourself that displays all the information you need, and you never need to log in to your malware server again: no 18-character password, no MFA, life is smooth sailing.
What have we learnt?
- Development is: 90% ~~Stealing~~ Borrowing, 10% New Content
- You can bolt on virtually anything to TheHive
- We like Python 🐍 here.
If you don't feel like recreating the process above, ~~steal~~ check out some of my custom analysers on GitHub