Spring has come, nature is waking up, but our bees didn’t hibernate during winter: StrangeBee is delighted to present the fresh new version 5.5 of TheHive!
From increased confidentiality with private cases to more customization capabilities with new Markdown options, our platform now adapts even more to your needs. Enjoy your sleek, user-friendly Security Case Management and respond to incidents like the pro you are 😉
Now, let us walk you through what’s new in TheHive v5.5. Ready, set, go!
- Restrict access to private cases: Define lists of users allowed to open a case and see its details.
- Ingest alerts more efficiently with Alert Feeder: TheHive v5.5 now auto-ingests data from external services at your chosen frequency—just set up a feeder in the interface.
- Paste or drag & drop images in task logs and other entities: Analysts can now paste or drag & drop images into description fields across cases, alerts, tasks, and logs.
- Visualize data with the Dashboard Table widget: Include lists of entities like alerts, cases or tasks in your dashboards and customize the way they are displayed.
And that’s not all we have to share!
Link cases, enhance visibility with custom fields, use new Markdown options and hide unnecessary statuses for a cleaner interface.
Log in via OpenID and use the Microsoft GraphAPI connector, customize Email Intake alerts, apply tags faster and display custom events in case reports!
Now, let’s dig deeper:
Restrict access to private cases
Don’t worry about confidentiality while investigating sensitive cases. Keep them private, granting access to each one only to a predefined list of authorized analysts. Users without access won’t even see a restricted case in the case list.
Only cases and their sub-entities (tasks, observables, etc.) can be made private, but the restriction is enforced wherever that data could surface in TheHive, including alerts, dashboards and more.
Strict but flexible access control within shared environments will help prevent data leaks and make compliance much easier.
Path: Organization X > Profile org admin > Case list > Case Y > Restrict access button
Ingest alerts more efficiently with Alert Feeder
The favorite new feature of one of our Product Managers…
As you may remember, until now external services had to call TheHive’s public API to push their data into it. So, to ingest alerts on your own, you had to rely on additional tools such as orchestrators.
Now, you can change the game. With the Alert Feeder connector, TheHive can directly pull data from external services. Set up a feeder directly in our platform’s interface, so it automatically ingests data from any of them, with the frequency you want!
After that, you can easily create and chain a function to convert this data into alerts and cases ready to be investigated. All on your terms.
P.S.: We’re also working on adding more authentication options in future versions.
Path: Platform Admin > Platform management > Connectors > Feeders
Paste or drag & drop images in task logs and other entities
Want to quickly add a screenshot while documenting your investigations? We’ve got you!
TheHive’s attachment system now allows analysts to paste or drag & drop images directly into description fields in cases, alerts, and task logs. Your case management has become even more comprehensive.
Path: Organization X > Case list > Case Y > Task tab > Add a new task > Complete with task log > Add an image in the task log description
Visualize data with the Dashboard Table widget
TheHive’s dashboards are convenient to get centralized visibility on your incident response teams’ activities. But even though there are already several widgets to format and visualize information, it was not possible before to include lists of entities like alerts, cases or tasks.
Now it’s at your disposal! Include data such as the list of the 10 most critical ongoing cases in your dashboards and customize how it’s displayed.
Define columns, sort order and more advanced filter criteria to narrow the list down to exactly the entities you want.
Path: Organization X > Dashboards > Create/Edit a Dashboard > Add a widget > Table widget
Link internal and external entities to a case
Imagine you’re investigating a phishing campaign. You discover several cases sharing the same emails, URLs and files. You can now connect these cases to see the full campaign while still managing each of them separately.
This new linking feature will help you see the whole picture, establishing and viewing connections between the current case and any other relevant ones, as well as external resources.
Before, you had to merge cases to establish a link between them. Now, you can just link cases with each other and with external URLs, as well as categorize each link (e.g., evidence, reference or related case).
(You won’t be able to link restricted cases you don’t have access to, though.)
Visually and functionally map out the relationships between different elements of the investigation. A comprehensive view of related data is accessible directly within the general tab of each case.
Path: Organization X > Profile analyst > Case list > Case Y > Case details > Linked elements
Get a better user experience with custom fields
We have standardized the custom fields component across the entire application, replacing three different versions with a consistent and unified experience. The new display significantly improves the fields’ visibility and readability.
We’ve also brought back a feature from TheHive 4, adding a filter for mandatory fields when closing a case. Additionally, you can now easily delete a custom field and its values in just one click.
Path: Organization X > Case/Alert list > Case/Alert Y > Add a new CF > Choose type
Format content with new Markdown options
TheHive 5.5 gives you more creative freedom in adding Markdown content to your alert descriptions, cases, knowledge bases and other entities.
What’s new:
- Use the <br/> HTML tag to break lines in table cells.
- Tag your code blocks with a language to get syntax highlighting.
- Highlight important details with colored text boxes (for example, “Warning,” “Info,” “Error” or “Success”).
More flexible formatting means finding and understanding information more easily. This, in turn, means faster task resolution and more efficient incident response. Butterfly effect in action 😉
See here to learn more about how to use these new capabilities.
Hide unnecessary statuses for a cleaner interface
We know how distracting it is to have too many elements in the interface—especially when it comes to something as demanding as incident response. We want TheHive to avoid this mistake.
Now, administrators have more control over the system-generated statuses used when managing cases. We’ve reduced the visual clutter so you can navigate more easily and concentrate on relevant information.
Administrators can choose which statuses are displayed and hide redundant ones. Analysts will only see the statuses approved by their admins, which helps them pick the correct one and keeps statistics accurate.
Path: Platform Admin > Entities management > Case status/Alert status > Edit/Add
Microsoft GraphAPI connector for Email Intake
It was already possible to plug TheHive’s Email Intake into a Microsoft email account with a connector that uses OAuth together with IMAP to authenticate and fetch messages. However, Microsoft strongly encourages using its Graph API to interact with all of its services.
Our new connector uses this API.
Now, org admins, SOC leads, DevSecOps and others in charge of TheHive’s integrations can easily follow the official Microsoft recommendations.
Path: Platform Admin > Platform management > Connectors > Create an Email Intake > Select Microsoft GraphAPI among the existing configurations
Customize properties of alerts generated by Email Intake
The Email Intake feature in TheHive generates alerts automatically. But until now, their properties were not customizable, so if you had several Email Intake connectors it was sometimes difficult to tell alerts apart by source.
No more!
The TheHive 5.5 release lets you set alert properties such as the alert type, source and tags. Define their values as you need when creating a new Email Intake connector or editing an existing one.
Path: Platform Admin > Platform management > Connectors > Create an Email Intake configuration
New OpenID (SSO) authentication provider
Good news for TheHive integration admins! Our platform now supports a secure and easy-to-configure OpenID authentication provider.
This is the third SSO option available in TheHive, one more way to let users log in with a single click!
Path: Platform Admin > Platform management > Authentication > SSO Authentication > OpenID
Find and apply tags faster with the redesigned taxonomy drawer
You can now easily find specific tags across all taxonomies in the taxonomy drawer.
To do this, search for your tag, and TheHive will display all the taxonomies that contain a match.
Path: Organization X > Case list > Filter by tags > Add taxonomies
Display descriptions of custom events in case reports
The more exhaustive a case report, the more process transparency it offers and the more useful it is for future reference.
With this in mind, we’ve made the timeline widget in your report templates even more customizable.
You can now include custom event descriptions in the case report timeline for more context and therefore, better incident tracking. It’s up to you to decide if events should be displayed; if they should, you can also display their descriptions.
Path: Organization Admin > Templates > Report templates > Create/Edit a report template > Timeline widget
Test the new features of TheHive and enjoy your Security Case Management even more. Let us know what you think in the customer support channel or here.
Not a TheHive user yet?
Feel the buzz—request a demo or a free trial of our Security Case Management Platform: