hivelime

README

HiveLime

Hivelime is a comprehensive integration between TheHive and Sublime. Utilizing Sublime webhooks, Hivelime can be effortlessly configured to create alerts on TheHive!

Functionalities

• Triggered event (malicious email detection) is parsed and converted into an actionable TheHive alert with tags, observables;
• Request signing can be used if SUBLIME_SIGNING_KEY variable is provided;
• Observables have detailed tags to further analyze, filter or use in remediation step;
• Built with both Security and OPS in mind. HiveLime has small footprint, great performance on various workloads and easily deployable with minimal configuration;
• Tags can be provided in configuration to be appended to alerts created by HiveLime;
• Alert has a brief summary description with links to detection, flagged rules and important information.

Alert Examples

Usage

• Parameters should be provided via environment variables. Please see docker-compose file.
• Run the app via docker or via simply ./hivelime
• HiveLime will listen http://SERVER_ADDRESS/sublime/event. Make sure to provide /sublime/event url resource to Sublime Webhook action configuration.

Notes

• Alert reference is first 8 chars of detection CanonicalID;

Setup & Compile Instructions

Get latest compiled binary from releases

1. Check Releases section.

Compile from source code

1. Make sure that you have a working Golang workspace.
2. go build .
   • go build -ldflags="-s -w" . could be used to customize compilation and produce smaller binary.

Using Public Container Registries

• docker pull ghcr.io/kaansk/hivelime

Using Dockerfile

1. Edit config file or provide environment variables to commands bellow
2. docker build -t hivelime .
3. docker run -it hivelime

Using docker-compose file

1. Edit environment variables and configurations in docker-compose file
2. docker-compose run -d

Credits

• Sublime Security
• Dockerfile Reference
• Release management with GoReleaser
• Delivr.to