Skip to content

Release Notes of 5.3 series#

Danger

The 5.3 release comes with some changes on the database schema that can't be reversed. Please make sure to make a backup of your database before upgrading.

This release also comes with some breaking changes, please review them below

Warning

Note: public API v0 is now considered as deprecated.

The public API v0 is obsolete, and you should not be using it anymore. All the endpoints are available in the public API v1. That being said, it will be deactivated in a future version.

The API v0 was initially developed for TheHive 3 and maintained for backward compatibility reasons only.

API v0 endpoints refer to APIs beginning with /api/ or /api/v0/ (but not with /api/v1/).

Info

An upgrade guide is available to help you migrate from TheHive 5.x

5.3.9 - 21st of November 2024#

Fix#

Cortex#

  • Resolved an issue causing incorrect differentiation between "In Progress" Cortex analyzers and responders during TheHive startup process, that was causing some Responder jobs to never cleaned up.

5.3.8 - 7th of November 2024#

Fixes & improvements#

Cortex Job Queue#

  • Enhanced the handling of concurrent job submissions to the Cortex server for better efficiency and stability.
  • Fixed an issue related to job status recovery in TheHive when the Cortex server crashes.

5.3.7 - 11th of October 2024#

Fix#

  • We fixed an issue with the method used to filter entity Ids. In certain very specific situations, the filter could return incorrect results.

Improvements#

Cortex Job Queue#

We have made two improvements to the management of Cortex job queues from TheHive to:

  • Prevent spamming the Cortex server when a large number of jobs are submitted.
  • Reduce the latency in retrieving completed job reports, even when the job queue is highly loaded.

5.3.6 - 12th of September 2024#

Fixes#

Case Closure with Mandatory Tasks#

  • It is no longer possible to close a case if there are mandatory tasks that remain incomplete. This prevents backend errors by ensuring that all required tasks are finished before allowing case closure.

Alert Status Display#

  • Fixed a display issue that incorrectly allowed closed alerts to be re-closed and already-started alerts to be started again.

Case Closure Custom Fields#

  • Fixed a problem where required custom fields with blank values were not properly flagged as required during case closure.

Case Closure Tab Refresh#

  • Fixed an issue where the case closure tab would refresh unexpectedly while a user was filling out the form, due to actions taken by other users on the platform. This issue caused users to lose the values they had entered. The tab now remains stable during form completion, preventing data loss.

Markdown Formatting in Case Reports#

  • Fixed an issue with markdown formatting in case reports, specifically addressing problems with underlining and striking text.

Session Timeout Configuration#

  • Fixed an issue that prevented users from editing fields related to session timeout due to inactivity.

Improvements#

Login Page#

  • Users can now tab through the fields to focus on the MFA code input when multi-factor authentication is enabled, making the login process smoother.

Security Fixes#

  • CVE-2024-20952
  • CVE-2024-20932
  • CVE-2024-20918

5.3.5 - 28th of August 2024 - hotfix#

Fixes#

Analyzer reports#

  • we fixed a regression that prevented the analyzer reports to be displayed when the observable is attached to an alert.

5.3.4 - 26th of August 2024#

Improvements#

Login Page#

  • The text box now automatically gains focus when the page loads, allowing users to immediately begin typing their information.

Fixes#

Analyzer Jobs Report Display#

  • We improved the loading speed of analyzer reports in TheHive, reducing the time it takes for them to display (This change required a fix in 5.3.5 version).

Activity Timestamp in Timeline#

  • Fixed an issue that occurred when editing activity dates in the timeline.

Index Engine Configuration#

  • TheHive now prevents starting with an index engine that differs from the one specified in the configuration file.

Similar Alerts Display (Safari Only)#

  • Resolved a display issue in the search input field within the drawer on Safari.
  • Fixed a regression that prevented navigation menu links from opening in a new browser tab when using the mouse scroll button.

List Component Fixes#

  • Corrected duration display in alert lists.
  • Fixed status display in task lists.
  • Resolved an issue where the "hide custom field" option was not functioning in case lists.
  • Fixed the cropping of long custom field values to prevent display errors.

Case Reports#

  • Users from locked organizations are no longer visible in the user list.

Security fix#

CVE vulnerability#

5.3.3 - 9th of July 2024#

Improvements#

UI Enhancements#

  • List Display Improvements: Various components within list displays have been updated to enhance the overall aesthetic and functional experience. These improvements include modifications to the design of status and other minor visual adjustments aimed at enhancing usability.

Fixes#

Sorting on Similar Cases/Alerts#

  • Sorting Logic Correction: Fixed an issue in the sorting logic of the similarities column to ensure that cases or alerts are first prioritized by the highest number of similar observables, and in cases where two or more entries have the same number, they are then ordered by the highest ratio of common to total observables.

DataType Filtering in Similar Cases/Alerts#

  • Filtering Functionality Restoration: Restored the ability to define and apply specific data types in the matches column that filter similar alerts and cases. This update ensures that only observables of the selected types are considered when displaying similar cases and alerts, thereby improving the relevance and accuracy of similarity matches.

User Count in Administration Section#

  • The user count is now immediately updated when an account is removed or locked.

API Case List#

  • Fixed a bug in the query API route that caused cases to be unobtainable when using the caseid filter.

Custom Tags#

  • Corrected an issue that generated an error when removing and re-adding a custom tag.
  • Fixed a bug in dropdown menus that prevented the menu action from launching if the click was not on the text item.

5.3.2 - 14th of June 2024#

Improvements#

Similar Cases/Alerts#

  • Improved the queries to get and display the similar Cases & similar Alerts lists. Only useful information is now loaded, significantly speeding up the list display. A new query is performed when accessing the observable list drawer of a similar Case/Alert.

To ensure performance, the observable list preview drawer can display up to 100 observables only.

Fixes#

DirectQuery#

  • Fixed an issue that could cause platform instability due to the handling of empty array requests when DirectQuery is activated.

Arrow / end / home keys#

  • Resolved a regression that prevented the use of arrow, end, and home keys in the edit mode of various components: Tasklog, Dashboard, Endpoints, Custom fields, Report template, and Case template.

Notifications#

  • Corrected an issue in the httpRequest Notifier where the JSON mode was not properly applied when activated.

MISP Connector#

  • Fixed an issue that prevented the MISP connector from capturing all events during synchronization.

Case Creation#

  • Corrected a problem that prevented the selection of a custom Start Date when creating a case from an alert. Users can now select a custom Start Date for their cases.

  • When multiple alerts are selected, the action button associated with a given alert now provides clearer information about the possible actions, like the creation of a case.

Tasks#

  • Locked users no longer appear in the assignable user list.

5.3.1 - 16th of May 2024#

Improvements#

Email Intake#

  • Added the possibility to specify the Microsoft Office365/Google Workspace host instead of the one provided by default.

Fixes#

Custom Fields#

  • Fixed a bug where merging of alerts and cases could generate duplicated customfields values in the index (invisible in the UI).

MISP Connector#

  • Resolved a problem that prevented alert deletion.

Alerts & Cases#

  • Fixed a bug related to assignable users.

Similar Alerts#

  • Fixed the counter in the pagination.
  • Fixed the display of the pending status.

Dashboard#

  • Fixed an issue with the properties of the donut widget.
  • Changed the list to display more than 30 dashboards.
  • Improved the behavior of the diagram widget.

Notifications#

  • Fixed a problem with the recipent field of the email notifier.
  • Solved an issue with the {{ url }} variable when it concerns a task.
  • Fixed an issue that made it impossible to delete a webhook endpoint.
  • An Event is now triggered when a Case is created from an Alert.

Responders#

  • Resolved a problem with the display of a responder report in the task preview.

API#

  • Fixed an API error return code in the post /case route when the status value is unknown.

UI#

  • Renamed a field name in the SAML authentication configuration page for better understanding.
  • Reviewed the breadcrumb to better manage long alert names.

Security Fixes#

  • Embedded patches for the following vulnerability: CVE-2024-25710

5.3.0 - 24th of April 2024#

Info

The licensing model for the community version has been updated. Users are now required to register on our licensing portal and request a community license to use TheHive in the community version. Additionally, TheHive will now include a default 14-day free Platinum trial license, allowing users to explore the full range of features offered by the platform.

New features#

Email intake#

The Email Intake connector now fully automates the transformation of incoming emails into actionable alerts on TheHive platform. It supports Microsoft 365, Google Workspace, and IMAP-based email services.

It automates the detection and processing of suspicious elements such as links, attachments and sender details, which it all adds to the list of observables.

New timeline widget#

We've added a timeline widget to TheHive's Platinum case reports, allowing users to visually track attack and defense actions. This widget displays key events and indicators like IOCs and TTPs.

Only admins can customize these reports, choosing elements like alerts and tasks to include. This customization ensures the timeline meets the specific needs of each report, making it easier for everyone, including non-technical staff, to understand the sequence of security events.

Data List Export#

We've improved the data export options across TheHive. Users can now select specific fields from application lists to export, making the data more relevant and manageable for analysis.

OpenSearch Support#

OpenSearch is now available as an indexing option alongside Elasticsearch. This addition offers more choices for your indexing needs.

Dynamic Date Filtering#

A new relative date filter on dashboards and search pages allows users to filter data based on specific time frames like the last few days or months.

Similar Case and Alert Enhancements#

We've updated the similar cases and alerts pages to display more accurate data, adding a drawer for observables common to related cases and alerts and including additional details like case status for clearer insights.

Observable Export Improvements#

The observable export feature now supports more formats, including JSON and customizable CSV, allowing users to select specific fields for export.

Elasticsearch performance and interface improvements#

  • Queries have been optimized for better dashboard and search performance.
  • Full support for Elasticsearch 8.
  • Improved handling of custom fields with new operators (isEmpty, nonEmpty, between).
  • Users can now customize the number of segments in dashboard donuts.
  • All data points are now included in category aggregations for donuts and charts, providing a complete view—in the past, it was capped at 100 displayed values.

Bug Fixes#

  • Fixed the display issue with the number of open cases in quick filters.
  • Corrected a merging bug for custom tags to prevent duplicates.
  • Fixed a bug in markdown editor related to the < & > characters.

Info

As we have updated some front-end components, please remember to refresh your browser page after upgrading to version 5.3 to prevent any UI issues.