TheHive v5.1: Improved features
INTRODUCTION
Welcome to the final post in our three-part blog series on TheHive v5.1. In our first post, we gave you an overview of everything included in this exciting release. In the second post, we covered some of the powerful new features we've added to TheHive. Now, in this final post, we'll be taking a closer look at the improvements we've made to existing features.
WHAT’S IMPROVED IN THEHIVE 5.1
Split permissions: managing alerts and cases without accidental deletion
TheHive 5.1 introduces additional permissions, allowing for greater control and security of your data. The new release refines permissions for both Cases and Alerts and adds a dedicated delete permission to prevent accidental loss of important information. This enhanced permission structure gives users the ability to work on Cases and Alerts without compromising data integrity.
For those who want to maintain the existing security profiles (or roles), the previous permissions are kept intact. However, for those looking to give specific users more limited access, a new profile can be created that restricts the "manage cases/delete" and/or "manage alerts/delete" permissions. This new profile can then be assigned to relevant users instead of the existing Analyst profile, ensuring that only authorized users can remove data.
With these fine-grained permissions, TheHive 5.1 makes it easier than ever to ensure the security and control of your data while streamlining the incident response process.
Dashboards: reporting is not an empty, lonely thing anymore
With the enhanced Dashboard capabilities in TheHive 5.1, you can now enjoy improved reporting functionalities.
Private vs. shared dashboards: Dashboard ownership has been significantly revamped:
- Private dashboards are available only to their owner – this is usually the user who created them - and are available in all organizations the user belongs to.
- Shared dashboards are shared with all analysts within an organization, which is the organization where the sharing occurs. Once shared with an organization, a dashboard is not available anymore in other organizations, even for its owner.
If a dashboard must be used across multiple organizations, it can be exported from one organization and imported into another.
Dashboard sharing and ownership transfer: Dashboards have a designated owner. Before TheHive 5.1, dashboards always belonged to the user who created or imported them. This has now been improved with the ability to transfer the ownership of any shared dashboard to another user within your organization. This is extremely useful for times when there is turnover within the security team and you do not want to lose those precious dashboards.
Default dashboards: Four default dashboards are now automatically created within each organization: Alert Statistics, Case Statistics, Observables Statistics and Job Statistics. They provide insightful metrics, right out-of-the-box!
These dashboards have the first org-admin user as their owner and are shared with all users within the organization.
Note: These new default dashboards will not be automatically created for existing organizations when upgrading to TheHive v5.1. You can however easily import them right from the user interface. They can be downloaded here: https://github.com/StrangeBeeCorp/thehive-templates/tree/main/Report-Templates
Grouping: Dashboards can now be organized into groups, just like the grouping of tasks within Cases.
Percentages on donut widget: The use of donut-like widgets has been optimized to display data using percentages, making it easier to quickly interpret information.
Key Performance Indicators (KPIs) and metrics – your boss will love it!
The improved reporting features introduced in TheHive 5.1 provide valuable insights into the time metrics of events and incidents, allowing you to track key performance indicators related to your security operations:
Mean Time to Detect (MTTD)
From an alert: alert.newDate - alert.date
From a case: case.newDate - case.startDate
Alarm Time to Triage (TTT)
From an alert: alert.inProgressDate - alert.newDate
From a case: case.inProgressDate - case.newDate
Alarm Time to Qualify (TTQ) (Equivalent to assessmentDuration)
max(alert.importedDate, alert.closedDate) - alert.newDate
Mean Time to Acknowledge (MTTA) (Equivalent to SLA)
From an alert: alert.inProgressDate - alert.date
From a case: case.inProgressDate - case.startDate
Mean Time to Resolve (MTTR)
case.endDate - min(alert.inProgress, case.inProgress)
With the new time metrics indicators, you can now have visibility into the detection, acknowledgement, and triage times for each case and alert, providing a clearer understanding of your incident response processes.
Additionally, the support for mean time metrics in dashboards makes it easier for you to manage your operations and helps to identify areas that may require more attention or effort.
With these new features, you will be better equipped to optimize your incident response workflows and ensure that your team is responding efficiently to security incidents
Custom field of type URL: no, it was not already available as a custom field type!
In TheHive, custom fields are used to store additional information about a Case or an Alert that can be relevant for a specific use case or organization. For example, you might create a custom field to store information about the priority of a Case, the type of incident, or the specific location where an event occurred. Custom fields can be created with various data types, such as text, number, date, and boolean, and you can set constraints and default values for each custom field.
With the release of TheHive 5.1, a new custom field of type "URL" has been introduced. It allows you to store a hyperlink as metadata in a Case or Alert. This can be useful to store information such as a link to a relevant document, web page, or resource. The URL custom field supports full URL addresses, including those starting with "http://" or "https://".
This new feature makes it even easier to store and access customized information that is relevant to your organization in your Cases and Alerts.
THERE IS MORE!
That's it for our series on the release of TheHive v5.1! We hope you've enjoyed learning about everything that's new, from the powerful new features to the improvements we've made to existing tools. If you have not already done so, be sure to check out the first post in our series for an overview of everything included in this release along with installation and upgrade instructions, and the second post to see the new features we've added. Thanks for reading!