Incident Analysis with The Hive and Cortex

Searching for Clues

Configuring The Hive

After completing the desired settings in Cortex, for further automation, you can turn to the interface in The Hive. To begin, call up the URL in your browser that you stored earlier in your Nginx configuration: in this example, https://thehive.localhost/ . Unlike Cortex, The Hive does not let you create an administrative user. The account is already stored in the database, with admin:<secret> credentials that let you log in to the system.

To use The Hive for your analyses, create an organization for your analyst user by pressing the Admin button and selecting Organisations from the menu that appears. Now click New Organisation to enter the necessary information and click on the name of the organization you created to access the settings, where you can now create a user. Choose Edit password to set a password for the user's login.

The developers of The Hive have done some good groundwork for adding useful prebuilt templates, MISP taxonomies, and attack patterns. After selecting the appropriate category in the Admin menu, you will see a link for downloading the matching templates, after which you can make the contents of the downloaded files available in The Hive by pressing the Import template button.

Now your setup is prepared to the extent that it can process your first incident. To do so, log out of The Hive with the admin user and log in again with the login created for the analyst. You will be taken to the incident overview, which initially does not list any incidents.

Editing Incidents

Now you need to create a new incident processing case by clicking on New Case . You can fill out the fields as shown in Figure 2, but you will want to select the TLP and PAP values such that the analyzers and responders in Cortex are still allowed to process the data. Then press Create case .

Figure 2: Creating a new incident in The Hive.

In the incident overview, select the incident you just created and the Observables tab. Observed artifacts can now be documented here. Because the selected analyzers all also work with domain names, you will add an observable of the Domain type in the overlay. Enter the selected domain under Value , select a tag in Tags , or simply type the name of a new tag in the field; then, add a short description in the Description field. Click on Create observable and wait until the observable appears in the list.

If you now click on the created observable, you can enter your information about it in Basic Information . Later, you can use Sharing to select other organizations with which you want to share the information. In the Analysis window you will see the analyzers you have selected, at least as long as they support the domain type. Now click on the small orange icons to start the Cortex analyzers or click on the Run all label above the table. In the background, Cortex will now start to find more information. After the analysis is finished, the table shows the successful execution of the analyzers (Figure 3).

Figure 3: The example analyzers.

If you now switch back to the Observables overview for your incident, you will see the results of the individual analyzers for each observable highlighted in blue (Figure 4).

Figure 4: Displaying the analyzer results in the Observables overview.

Taking Steps

With the help of the analyzer results, you can sort the observables for your incident in a better way for a good overview of critical artifacts. Now you need to decide whether you want to perform automated actions on the basis of the findings. Clicking on the gear icon to the right of an observable will let you select the responders that are available for that particular observable type. Because you only selected the email responder earlier, you will see a warning if you use the icon for the domain you entered earlier. If you have enabled and configured the responder for your DNS resolver, select it here, which will cause the domain to be blocked.

Because the email responder does not send individual observables, but only entire incidents, scroll to the top of the Observables overview. Now you can see the gear icon and the Responder label in the titlebar of the incident. Of course, before you activate the responder, you need to configure a recipient address, which you can accomplish with the use of the incident tags. Just add a tag with the following scheme:

mail:inbox@admin-magazine.com

If you now click on the gear wheel in the titlebar, you can select and enable the email responder. A corresponding email will then be sent in the background.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus