TheHive Build, Operate, Maintain
If you're interested in pre-built case templates, we've added a few:
- Account Enumeration
- Attack Public-Facing Application
- Drive-by Compromise
- Malware Infection
- Network Enumeration
- Unknown Account
- Unknown Scheduled Task
- Unknown Service
Along with the case templates, we've also included 9 custom fields. Some of these custom fields connect to the RockNSM project, so they may not all be applicable.
If you want to upload only the case templates, they are included in the TheHive templates directory and can be uploaded one at a time from the Case Templates menu.
The case templates do not include the custom fields. To get the custom fields and all of the templates at once, upload the entire CAPES configuration file (recommended). After this configuration file is uploaded you can make any additional changes that you'd like. The steps below should be performed on your own system, not on CAPES:
- Ensure you have Python3 installed
- Log into TheHive as an administrator
- Click on the Admin dropdown and select
- Either create a new account with admin permissions or use an existing account, then create and reveal the API key and copy it down
- Collect the TheHive configuration manager
- Collect the capes-config.conf file
$ git clone https://github.com/TheHive-Project/TheHive-Resources.git
$ cd TheHive-Resources/contrib/ManageConfig
$ python3 submit_config.py -k <API key> -u http://thehive-url:9000 -c capes-config.conf
- Refresh your browser; all of the Case Templates and Custom Fields should now be present and ready for use.
You should use the capes_processes status command to identify whether any CAPES services aren't running as expected.
If TheHive has failed, check your local hosts file to ensure that there is a static entry for CAPES, or that the CAPES hostname is resolvable via DNS. Example:
$ cat /etc/hosts
192.168.100.100 capes_hostname
If the CAPES management IP and hostname aren't present or correct (they should be, since the build script adds them), update the file using the above format and restart the service:
sudo systemctl restart thehive.service
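The hosts-file check above can be scripted so it is run before restarting TheHive. This is an added example, not a script from the CAPES or TheHive projects; the hostname `capes_hostname`, the IP `192.168.100.100` and the sample hosts file it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CAPES/TheHive project code): confirm the CAPES hostname
# maps to its management IP before restarting thehive.service.

# Return 0 if hosts file $1 has an uncommented line mapping hostname $3 to IP $2.
hosts_entry_present() {
  awk -v ip="$2" -v name="$3" '
    { sub(/#.*/, "") }                 # drop full-line and inline comments
    NF < 2 { next }                    # need at least "IP name"
    { for (i = 2; i <= NF; i++) if ($i == name && $1 == ip) { found = 1; exit } }
    END { exit found ? 0 : 1 }' "$1"
}

# Return 0 if the system resolver (hosts file, then DNS, per nsswitch) maps $1 to $2.
resolver_maps_to() {
  getent hosts "$1" | awk -v ip="$2" '$1 == ip { ok = 1 } END { exit ok ? 0 : 1 }'
}

# $1 = hostname, $2 = management IP, $3 = hosts file (defaults to /etc/hosts).
# Prints a diagnosis; returns 1 when neither a static entry nor DNS is correct.
check_capes_resolution() {
  hosts_file="${3:-/etc/hosts}"
  if hosts_entry_present "$hosts_file" "$2" "$1"; then
    echo "static entry '$2 $1' present in $hosts_file"
  elif resolver_maps_to "$1" "$2"; then
    echo "$1 resolves to $2 via the resolver (no static entry in $hosts_file)"
  else
    echo "$1 does not resolve to $2: add '$2 $1' to $hosts_file, then" >&2
    echo "run: sudo systemctl restart thehive.service" >&2
    return 1
  fi
}

# Constructed sample hosts file (not from a real system); echoes its path.
write_sample_hosts() {
  sample=$(mktemp)
  printf '%s\n' '127.0.0.1 localhost' \
                '# CAPES management host' \
                '192.168.100.100 capes_hostname capes # mgmt' > "$sample"
  echo "$sample"
}
```

Run `check_capes_resolution capes_hostname 192.168.100.100` on the TheHive host; the third argument lets you point it at a copy of the hosts file when testing.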
Web Application Available, No Database
If you can get to the web interface but are getting errors that the database isn't online, check to ensure that Elasticsearch is running. If you ran the capes_processes status command, you'll already know.
You can try to restart Elasticsearch with sudo systemctl restart elasticsearch.service and monitor it with