Installation of thehive incident response project

One of the important things to maintain during any kind of incident is communication. Without it, the companies get to fall apart due to miscommunication which happens with a lack of communication. As seen during any kind of incident, there is an environment of chaos in which people don’t know what to do, even if there is a disaster recovery plan in place.

Now enough of the intro lets talk about thehive installation. Thehive is a very scalable open-source incident response project.

Get more info here TheHive Project official site:

For help email me:

  • To install TheHive you need elasticsearch 5.x. Let’s start with the installation of elasticsearch.
sudo rpm --import
  • Add following line in new file at /etc/yum.repos.d/elasticsearch.repo
name=Elasticsearch repository for 5.x packages
  • Now installation using yum
sudo yum install elasticsearch -y
  • Without doing any other modifications add the following lines at end in /etc/elasticsearch/elasticsearch.yml.
script.inline: true hive
thread_pool.index.queue_size: 100000 100000
thread_pool.bulk.queue_size: 100000
  • Start the elasticsearch demon and check the status. If there are typos in adding the above lines it will fail to start.
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
  • Now let’s start with the installation of the thehive.
yum install -y
yum install thehive -y
  • Use following command to add key in /etc/thehive/application.conf
(cat << _EOF_
# Secret key
# ~~~~~
# The secret key is used to secure cryptographics functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n1)"
) | sudo tee -a /etc/thehive/application.conf
  • Now let’s start thehive service and check the status.
sudo systemctl enable thehive.service
sudo systemctl start thehive.service
sudo systemctl start thehive.service
  • Check http://ip_address:9000/
  • Now click update database
  • Now it will ask you to create a new user and enter a password for that user
  • Now Login using the username and password created

Leave a Comment