I have been playing with TheHive, Cortex and MISP for a few months now, and have been working a way forward to have it programmatically analyse new observables whilst the SOC operator is working on other tasks. Effectively having TheHive start core jobs on observables automatically and then waiting for the operator to check over the results as required.

Here is Version 2 of what I have been putting together to expedite the process of observable analysis...

An interesting use case came up with a requirement to scan a large quantity of hash observables with TheHive using the VirusTotal analyzer. Unfortunately there are two limitations to this requirement - the VT rate limiting, and the sheer volume of hashes which would make manual instigation not feasible.

What follows is my initial implementation into scripting the VT hash lookup in a manner which would automatically analyse newly submitted hashes.

As a part of implementing TheHive as a case management and analysis engine, I had a requirement to import files into TheHive as a Case, and run some basic analyzers over the observable.

Fortunately most of this was possible using TheHive4py from the command line.