TheHive 5.2: "reporting" for duty!
We are excited to announce the global availability of TheHive 5.2, a culmination of innovation, development and invaluable input from our users and community. It is a significant milestone in the journey of providing the most customizable security incident response and case management platform.
The flagship feature of this release is the new Case reporting capability that allows you to design a library of investigation report templates and use them to generate Markdown and printable HTML reports with your cases data.
This release also includes several new features such as the ability to assign alerts to specific users, get visibility on the team's effort and quickly filter your assigned alerts. We are also adding the possibility to export your data as CSV and JSON files, to define reusable documentation case pages (templates) and to configure custom Microsoft Teams notifications.
Finally, TheHive 5.2 now supports TLP version 2 with its TLP:CLEAR and TLP:AMBER+STRICT options. This involves a breaking change that you need to handle in your existing integrations and dashboards.
The primary focus of this blog post is to highlight the key capabilities introduced with TheHive 5.2.
WHAT’S NEW IN THEHIVE 5.2
TLP 2.0 Support: the breaking change
In August 2022, TLP version 2.0 has been announced, introducing a new TLP:AMBER+STRICT label and a renaming of TLP:WHITE to TLP:CLEAR.
In TheHive, TLP is used as a main property for Cases, Alerts and Observables. Managing TLP:CLEAR is not a big deal as it’s just a renaming of the TLP:WHITE label. However, starting with TheHive 5.2, TLP=3 means TLP:AMBER+STRICT, and TLP=4 means TLP:RED.
As a result, you need to verify:
- Your existing integrations that use the TLP:RED value so that they use TLP=4 instead of TLP=3 when creating or interpreting a TLP value
- Your dashboards that filter data based on TLP values
When TheHive 5.2 launches for the first time, it will update your existing TLP data automatically to make it consistent with TLP 2.0 values. In other words, TLP:WHITE data will automatically become TLP:CLEAR and TLP:RED will remain TLP:RED. Previous TLP:AMBER data will keep the same value.
Alert assignment: avoiding redundant work
The new “Alert assignment” feature adds an optional “assignee” property to Alert objects. This allows you to create, when needed, alerts that can be pre-assigned, and thus, filtered by users.
This helps gain visibility on the team’s assignment and avoid redundant work for a team assessing the same Alerts at the same time.
Effortless case reporting: automated generation of investigation reports
The highly anticipated "Case Reporting" feature fulfills a long-standing user demand: empowering incident response teams with seamless investigation report capabilities. These reports serve as crucial documented records, enabling insights, facilitating effective communication, and driving ongoing improvement efforts.
TheHive 5.2 brings a report builder, where you can create, for each Organization, a set of reusable Report Templates. The content of these templates is extremely flexible and can include Markdown text, images, and configurable lists of data (Cases, Alerts, Tasks, Observables, TTPs and custom fields)
As an org-admin user, you can define your Report Templates, available under Organization > Templates > Reports section. Once saved, the report templates become available for all your Cases, through the “Create report” button of your Case details page, allowing you to either preview a report as Markdown or printable HTML, or save and download the report file.
Note that saved reports are stored as Case Attachments, under a new “Reports” section that also allows you to upload any updated or external investigation report.
Data export made simple: effortlessly retrieve your data in CSV format
The new “Export List” feature adds an action to export data list to CSV and JSON files, either by exporting a selection of records or by exporting the full list resulting from a defined filter.
This action is made available in many data tables: Case, Alerts, Tasks, TTPs, Organizations and Users where you can choose the file format and the delimiter to use if you select the CSV option.
New built-in integrations: Redis and Microsoft Teams notifications
As you may remember, TheHive 5 introduced a notification framework that allows sending notifications to messaging platforms like Slack and Mattermost, as well as Kafka messaging queues.
This new release makes a step forward by adding native notification integrations for:
- Redis: allows sending raw audit log events to a Redis channel that can be consumed programmatically
- Microsoft Teams: allows calling incoming webhooks and sending structured and formatted messages including audit entry variables and adaptative cards (see this builder and sample page to create your own messages)
Enhanced Case documentation: unlocking the power of Page Templates
If you are already a TheHive 5 user, you might be aware of the “Pages” functionality in the Case details user interface. It is a wiki-like feature allowing the creation of markdown content pages to document the incidents. This new release takes a leap forward by introducing “Page Templates”.
As an org-admin user, you can now define reusable Page Templates from the “Organization > Templates > Pages” user interface. Once created and saved, the Page Templates can be used in your Cases to initiate documentation Pages, in two different ways.
First method: Creating a new page within a Case based on a Page Template
From the “Pages” tab of a Case details user interface, you can add a Page from scratch or from your Pages library.
Second method: Including Pages in Cases via Case Templates
In addition to Tasks and Custom Fields, Case Templates can now contain predefined Page Templates. When using a Case Template, TheHive copies all the predefined Pages to your newly created Case.
READY TO TRY IT OUT?
To start from scratch, you can either follow the step-by-step installation guide https://docs.strangebee.com/thehive/setup/installation/step-by-step-guide/ or use the installation script as described in https://docs.strangebee.com/thehive/setup/#installation-guides.
If you are deploying using Docker, you can find the instructions at https://docs.strangebee.com/thehive/setup/installation/docker/
To update an existing instance, remember to perform a full database backup first, then follow the upgrade for your current TheHive version:
• Upgrade from version 5.x: https://docs.strangebee.com/thehive/setup/installation/upgrade-from-5.x/
• Upgrade from version 4.x: https://docs.strangebee.com/thehive/setup/installation/upgrade-from-4.x/
• Migrate from version 3.x: https://docs.strangebee.com/thehive/setup/installation/migration/
REPORTING AND ISSUE OR SUBMITTING FEEDBACK
Should you face any issues, several reporting options are available:
• If you are a customer, please contact StrangeBee's support team
• Our community is on Discord and can be joined at https://chat.thehive-project.org
• Have a look at our dedicated public repository at https://github.com/StrangeBeeCorp/TheHive-feedback and submit your issue.
As always, we welcome your feedback and suggestions, so please reach out and let us know what you think.