As part of implementing TheHive as a case management and analysis engine, I had a requirement to import files into TheHive as a case and run some basic analyzers over the resulting observable.

Fortunately most of this was possible using TheHive4py from the command line.

First of all we need to put in the basics of our Python file and the appropriate imports. You will need to install thehive4py with pip before this can be run.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from __future__ import print_function
from __future__ import unicode_literals

import requests
import sys
import json
import time
import string
import random
# Client and model classes from thehive4py (install with: pip install thehive4py)
from thehive4py.api import TheHiveApi
from thehive4py.models import Case, CaseObservable, CaseTask, CustomFieldHelper

In my version I am generating random case names as a means of preventing duplicate case names. I did this so I would not have to keep deleting the existing case in order to rerun the script.

def randomString():
    # 12 random lowercase letters, used as a throwaway case title for test runs
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(12))

Set our variables with the particulars of our environment. In my case I am running this locally before deploying it to a production system, so my values are benign. The PDF I am sending into TheHive is one I found on Google while searching for 'Sample PDF file'.

# URL of the TheHive instance and the API key of the user the script acts as
urlTheHive = 'http://192.168.1.250:9000'
apiKeyTheHive = 'vudgLSyw1cDq6N3mVSmrdSsZ9AbUaQOR'
apiTheHive = TheHiveApi(urlTheHive, apiKeyTheHive)

strCaseName = randomString()
fileSample = 'sample.pdf'  # local path of the file to submit as an observable

Using TheHive4py we can prepopulate the tasks that are created within the case we are generating. This is handy where the source of your case artifacts usually follows the same playbook.

We can also populate the Case object that will be used to generate the case, passing the tasks defined above into it.

# Tasks created inside the new case, one per playbook step
tasks = [
    CaseTask(title='Collect file'),
    CaseTask(title='Analyze file'),
    CaseTask(title='Investigate Artifacts'),
    CaseTask(title='Report'),
    CaseTask(title='Remediate')
]

# tlp=1 is TLP:GREEN; flag=True marks the case as flagged in the UI
case = Case(
    title=strCaseName,
    tlp=1,
    flag=True,
    description='Suspect file submission',
    tasks=tasks)

Now we make the call to TheHive to generate the case, and then output the case reference, which we will need later when adding an observable to the case.

id = None
response = apiTheHive.create_case(case)
if response.status_code == 201:
    print(json.dumps(response.json(), indent=4, sort_keys=True))
    print('')
    id = response.json()['id']  # case id needed for the observable below
else:
    print('ko: {}/{}'.format(response.status_code, response.text))
    sys.exit(1)  # non-zero so a calling job sees the failure

If TheHive was contactable using the API and your credentials were correct, you should have received a JSON response with an ID value defined for the newly created case. We will now use that value, together with the PDF we sourced as a test file, to add the observable to the case.

# A file observable: 'data' is a list of local paths that thehive4py uploads
file_observable = CaseObservable(dataType='file',
                                 data=[fileSample],
                                 tlp=1,
                                 ioc=False,
                                 tags=['Suspect File'])
response = apiTheHive.create_case_observable(id, file_observable)
if response.status_code == 201:
    print(json.dumps(response.json(), indent=4, sort_keys=True))
    print('')
    observable_id = response.json()['id']  # observable id used to run the analyzer
else:
    print('ko: {}/{}'.format(response.status_code, response.text))
    sys.exit(1)  # stop here, otherwise observable_id is undefined below

Now comes the fun part. With the file added to TheHive as an observable, we can start running analyzers against it. The values required for this step come from TheHive's application.conf, specifically the 'name' you have given to your Cortex server.

# 'CORTEX-SERVER-ID' is the Cortex server name from application.conf; FileInfo_6_0 is the analyzer id
response = apiTheHive.run_analyzer('CORTEX-SERVER-ID', observable_id, 'FileInfo_6_0')
print(response)
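A re-runnable version of the same flow, added here as an example rather than code from the post or from thehive4py itself: it keys the case title on the file's SHA-256 so a rerun reuses the existing case instead of creating a duplicate, refuses oversized samples, and raises on a non-201 response instead of exiting cleanly. It assumes the thehive4py 1.x client used above (the `find_cases` query with `thehive4py.query.Eq` is an assumption), a placeholder Cortex server id, and an arbitrary size limit.

```python
"""Deterministic, re-runnable file submission for TheHive (added example)."""
import hashlib
import os

MAX_SAMPLE_BYTES = 32 * 1024 * 1024  # assumption: refuse uploads above 32 MiB


def fingerprint_bytes(data):
    """SHA-256 hex digest of an in-memory sample."""
    return hashlib.sha256(data).hexdigest()


def file_fingerprint(path, chunk=65536):
    """SHA-256 of a file on disk, read in chunks so large samples do not fill memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def case_title(sha256):
    """Stable title derived from the hash, replacing the random name in the post."""
    return 'Suspect file {}'.format(sha256[:16])


def check_response(response, what):
    """Return the created object's id, or raise so the caller never continues with no id."""
    if response.status_code != 201:
        raise RuntimeError('{} failed: {}/{}'.format(what, response.status_code, response.text))
    return response.json()['id']


def submit_file(api, path, cortex_id, analyzer_id='FileInfo_6_0'):
    """Create (or reuse) a case keyed on the file hash, attach the file, run the analyzer."""
    from thehive4py.models import Case, CaseObservable, CaseTask  # only needed with a live server
    from thehive4py.query import Eq  # assumption: 1.x query helper
    if os.path.getsize(path) > MAX_SAMPLE_BYTES:
        raise ValueError('sample too large to submit: {}'.format(path))
    sha256 = file_fingerprint(path)
    title = case_title(sha256)
    existing = api.find_cases(query=Eq('title', title), range='all').json()
    if existing:
        case_id = existing[0]['id']  # rerun: reuse the case rather than duplicate it
    else:
        tasks = [CaseTask(title=t) for t in ('Collect file', 'Analyze file', 'Report')]
        case_id = check_response(api.create_case(Case(title=title, tlp=1, flag=True,
                                 description='Suspect file submission', tasks=tasks)), 'create_case')
    obs = CaseObservable(dataType='file', data=[path], tlp=1, ioc=False,
                         tags=['Suspect File', 'sha256:' + sha256])
    obs_id = check_response(api.create_case_observable(case_id, obs), 'create_case_observable')
    return case_id, obs_id, api.run_analyzer(cortex_id, obs_id, analyzer_id)
```

Call it as `submit_file(TheHiveApi(url, key), 'sample.pdf', 'CORTEX-SERVER-ID')`; the sha256 tag on the observable lets a later search find the case by hash as well as by title.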

Unfortunately the current development of TheHive4py does not allow you to extract observables and then add them to a case programmatically (yet, or I could not find it). But this method could be used, or reinterpreted, to automate some components of your event investigations.