One of the important things to maintain during any kind of incident is communication. Without it, the companies get to fall apart due to miscommunication which happens with a lack of communication. As seen during any kind of incident, there is an environment of chaos in which people don’t know what to do, even if there is a disaster recovery plan in place.
Now enough of the intro lets talk about thehive installation. Thehive is a very scalable open-source incident response project.
Get more info here TheHive Project official site:
For help email me: email@example.com
- To install TheHive you need elasticsearch 5.x. Let’s start with the installation of elasticsearch.
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
- Add following line in new file at /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-5.x] name=Elasticsearch repository for 5.x packages baseurl=https://artifacts.elastic.co/packages/5.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md
- Now installation using yum
sudo yum install elasticsearch -y
- Without doing any other modifications add the following lines at end in /etc/elasticsearch/elasticsearch.yml.
network.host: 127.0.0.1 script.inline: true cluster.name: hive thread_pool.index.queue_size: 100000 thread_pool.search.queue_size: 100000 thread_pool.bulk.queue_size: 100000
- Start the elasticsearch demon and check the status. If there are typos in adding the above lines it will fail to start.
sudo systemctl enable elasticsearch.service sudo systemctl start elasticsearch.service sudo systemctl status elasticsearch.service
- Now let’s start with the installation of the thehive.
yum install https://dl.bintray.com/thehive-project/rpm-stable/thehive-project-release-1.1.0-2.noarch.rpm -y yum install thehive -y
- Use following command to add key in /etc/thehive/application.conf
(cat << _EOF_ # Secret key # ~~~~~ # The secret key is used to secure cryptographics functions. # If you deploy your application to several instances be sure to use the same key! play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n1)" _EOF_ ) | sudo tee -a /etc/thehive/application.conf
- Now let’s start thehive service and check the status.
sudo systemctl enable thehive.service sudo systemctl start thehive.service sudo systemctl start thehive.service
- Check http://ip_address:9000/
- Now click update database
- Now it will ask you to create a new user and enter a password for that user
- Now Login using the username and password created