If you have read anything I have already published here, you will likely see I am somewhat biased to using TheHive as a Cyber security Case Management tool. There are many other tools, but my focus is on enabling a SOC operator no matter the budget for a business (something is well and truly better than nothing).

So with that, I will be walking through the deployment of a collection of VMs designed to operate as a SOC enclave for Incident Investigation and Analysis. All using Open Source tools and technologies which can be acquired for no cost outlay.

I have been playing with TheHive, Cortex and MISP for a few months now, and have been working a way forward to have it programmatically analyse new observables whilst the SOC operator is working on other tasks. Effectively having TheHive start core jobs on observables automatically and then waiting for the operator to check over the results as required.

Here is Version 2 of what I have been putting together to expedite the process of observable analysis...

As a part of implementing TheHive as a case management and analysis engine, I had a requirement to import files into TheHive as a Case, and run some basic analyzers over the observable.

Fortunately most of this was possible using TheHive4py from the command line.

An interesting use case came up with a requirement to scan a large quantity of hash observables with TheHive using the VirusTotal analyzer. Unfortunately there are two limitations to this requirement - the VT rate limiting, and the sheer volume of hashes which would make manual instigation not feasible.

What follows is my initial implementation into scripting the VT hash lookup in a manner which would automatically analyse newly submitted hashes.