TheHive

A 3-in-1 Security Incident Response Platform

TheHive is a scalable 3-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Collaborate

Multiple SOC and CERT analysts can simultaneously collaborate on investigations. Thanks to the built-in Flow, real time information pertaining to new or existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, preview new MISP events, import them and investigate them right away.

Elaborate

Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics to your templates to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks. Each task can have multiple work logs to record the ongoing work, attach pieces of evidence or noteworthy files.

Analyze

Add one, hundreds or thousands of observables to each case that you create or import them directly from a MISP event. Quickly triage and filter them. Harness the power of Cortex and its analyzers to gain precious insight and speed up your investigation. Leverage tags, flag IOCs, and identify previously seen observables to feed your threat intelligence.

Cortex

Powerful Observable Analysis Engine

Thanks to Cortex, observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API.

Write

By using Cortex, you won't need to reinvent the wheel every time you'd like to use a service or a tool to analyze an observable and help you investigate the case at hand. Leverage one of the several analyzers it contains or create your own using any programming language supported by Linux and make it available to the whole team or, better, to the whole community.
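As an added illustration of what "create your own analyzer" involves (this is example code, not TheHive Project's own and not one of the shipped analyzers), the script below checks an IP or domain observable against a small constructed local list. It assumes the Cortex analyzer contract as generally understood: the job arrives as JSON carrying data, dataType, tlp and config, and the analyzer answers with a JSON object holding success, summary (taxonomies), full and artifacts; the config key max_tlp and the plain stdin/stdout transport are assumptions, since the cortexutils helper library normally wraps that plumbing. The TLP gate is the part a defender should not skip: an analyzer that forwards observables to an external service must refuse jobs whose TLP exceeds what that service may see.

```python
import ipaddress
import json
import sys

# Constructed sample "threat list". A real analyzer would query the service it
# wraps or read the list path from its Cortex configuration.
KNOWN_BAD_IPS = {"198.51.100.23", "203.0.113.77"}
KNOWN_BAD_DOMAINS = {"bad.example", "phish.example"}

SUPPORTED_TYPES = ("ip", "domain", "fqdn")
# TLP levels as Cortex numbers them: 0 white, 1 green, 2 amber, 3 red.
DEFAULT_MAX_TLP = 2


def taxonomy(level, predicate, value, namespace="LocalBlocklist"):
    """One summary entry in the layout TheHive report templates render (assumed shape)."""
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": value}


def lookup(data_type, value):
    """Check one observable against the constructed lists; raises ValueError on bad input."""
    if data_type == "ip":
        ipaddress.ip_address(value)  # malformed IPs must not be reported as "safe"
        return value in KNOWN_BAD_IPS
    if data_type in ("domain", "fqdn"):
        return value.lower().rstrip(".") in KNOWN_BAD_DOMAINS
    raise ValueError(f"unsupported dataType: {data_type}")


def build_report(job):
    """Turn a Cortex job input dict into the analyzer's output dict.

    Failures are returned as {"success": False, "errorMessage": ...} instead of
    raising, so Cortex can mark the job failed without a stack trace in the log.
    """
    data_type = job.get("dataType")
    value = job.get("data")
    tlp = job.get("tlp", DEFAULT_MAX_TLP)
    max_tlp = job.get("config", {}).get("max_tlp", DEFAULT_MAX_TLP)  # assumed config key

    if tlp > max_tlp:
        # Never let an analyzer leak TLP-restricted observables to a service
        # not cleared for them.
        return {"success": False, "errorMessage": f"TLP {tlp} exceeds max_tlp {max_tlp}"}
    if data_type not in SUPPORTED_TYPES or not value:
        return {"success": False, "errorMessage": f"unsupported or empty observable ({data_type!r})"}
    try:
        hit = lookup(data_type, value)
    except ValueError as exc:
        return {"success": False, "errorMessage": str(exc)}

    level = "malicious" if hit else "safe"
    return {
        "success": True,
        "summary": {"taxonomies": [taxonomy(level, "Hit", "yes" if hit else "no")]},
        "full": {"observable": value, "dataType": data_type, "listed": hit},
        "artifacts": [],  # this analyzer extracts no new observables
    }


def main():
    # Assumed transport: job JSON on stdin, report JSON on stdout.
    job = json.load(sys.stdin)
    json.dump(build_report(job), sys.stdout)


if __name__ == "__main__":
    main()
```

Try it offline with: echo '{"data":"198.51.100.23","dataType":"ip","tlp":2}' | python3 analyzer.py. Keeping the decision logic in build_report, separate from the stdin/stdout glue, is what makes the analyzer unit-testable before it is registered in Cortex.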

Run

Cortex is the perfect companion for TheHive. TheHive can connect to one or multiple Cortex instances and with a few clicks you can analyze tens if not hundreds of observables at once. Using TheHive's report engine, it's easy to parse Cortex output and display it the way you want. You can also use Cortex as a standalone product thanks to its simple yet powerful Web UI or interface it with other security incident response platforms through a REST API.

Execute

Cortex comes with several analyzers for popular services such as VirusTotal, DomainTools, PassiveTotal, PhishTank, MaxMind, or Open Threat Exchange. You can also find abuse contacts to report malicious or fraudulent content, parse files in several formats such as OLE and OpenXML to detect VBA macros and extract their source code, extract useful information from PE and PDF files, and much more.

License

TheHive and Cortex are open source and free software released under the AGPL (Affero General Public License).

We, TheHive Project, are committed to ensuring that TheHive and Cortex remain free and open source projects in the long run.

Download & Try

$ docker run -p 127.0.0.1:9000:9000 --volume /opt/thehive/data:/data certbdf/thehive-cortex:latest

$ wget https://dl.bintray.com/cert-bdf/thehive/thehive-cortex-latest.zip && unzip thehive-cortex-latest

Contact

Please open an issue on GitHub if you'd like to report a bug or request a feature: TheHive, Cortex, Analyzers.

If you need to contact the project team, send an email to [email protected].