Edits:

  • 2020-01-08 - First Init

Caveats:

  • I am not an experienced TheHive / Cortex user, so this may contain errors.
  • Not much testing has been done yet. If you test it out and find something, leave a message in the comments :)

TheHive4

Like the last guides:
This installation is not meant for public-facing servers; there is no built-in security in this setup.

I take no responsibility if this guide borks your server, burns your house down to ashes, makes your Christmas tree self-combust or makes your cat leave you.
It’s under the “it worked for me[tm]” clause.

This is as always a work in progress.

Preparation is key

Prepare a can of coffee and (if at home) put on your best comfy clothes.
When writing this, Murderfolk Playlist - Essential Dark Folk and Southern Gothic was playing in the headphones..

Fire up a vanilla Ubuntu 20.04 LTS VM for testing and start the installation.
Install nothing but the OpenSSH server and “standard system utilities”.

install requirements

sudo apt update &&\
sudo apt -y dist-upgrade &&\
sudo apt -y autoremove &&\
sudo apt install -y software-properties-common openjdk-8-jre-headless

configure JAVA_HOME

Cassandra 3.11 and TheHive4 both need Java 8, so point JAVA_HOME at it and make it the default java. Note the -a on tee: without it /etc/environment (which also holds the system PATH) is overwritten instead of appended to.

echo JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
falk@thehive:~$ sudo update-alternatives --config java
There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-14-openjdk-amd64/bin/java      1411      auto mode
  1            /usr/lib/jvm/java-14-openjdk-amd64/bin/java      1411      manual mode
  2            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode

Press <enter> to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in manual mode

install Cassandra

curl -fsSL https://www.apache.org/dist/cassandra/KEYS | sudo apt-key add -
echo "deb http://www.apache.org/dist/cassandra/debian 311x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install cassandra

check that Cassandra is running

falk@thehive:~$ nodetool status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address    Load       Tokens       Owns (effective)  Host ID                               Rack
UN  127.0.0.1  127.43 KiB  256          100.0%            91e64e04-e2b2-48e2-b088-6aebc5d8cb7b  rack1

configure Cassandra

Rename the cluster in the node's system table first. Cassandra refuses to start if cluster_name in cassandra.yaml differs from the name it has already saved, so the saved value is changed and flushed to disk before the config file is touched.

falk@thehive:~$ cqlsh localhost 9042
Connected to Test Cluster at localhost:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh> UPDATE system.local SET cluster_name = 'thp' where key='local';
cqlsh> 
nodetool flush

Make a backup of the distro's default cassandra config file

sudo cp /etc/cassandra/cassandra.yaml /etc/cassandra/cassandra.yaml_DIST

Edit the config file so that cluster_name matches what was written to system.local above

sudo sed -i "s|cluster_name: 'Test Cluster'|cluster_name: 'thp'|g" /etc/cassandra/cassandra.yaml

Restart cassandra with the new settings

sudo systemctl restart cassandra

Todo: Security. To add security measures in Cassandra, refer to the related administration guide. As installed here Cassandra uses AllowAllAuthenticator and AllowAllAuthorizer, so anyone who can reach port 9042 can read and modify TheHive's data.
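As an added example (not part of this guide, nor code from the Cassandra or TheHive projects), the script below does the minimum a practitioner would want before leaving the box running: it switches cassandra.yaml from "allow all" to PasswordAuthenticator plus CassandraAuthorizer, restarts the node, creates a dedicated thehive role that only has rights on the thehive keyspace, and replaces the well-known cassandra/cassandra superuser password. It assumes a single node with the config at /etc/cassandra/cassandra.yaml (override with CASSANDRA_YAML), the native transport on localhost:9042, that it is run as root with `--apply`, and that the passwords are passed in via THEHIVE_DB_PASSWORD and CASSANDRA_SUPERUSER_PASSWORD.

```shell
#!/usr/bin/env bash
# Added example for this guide, not from the Cassandra or TheHive projects.
# Turns on Cassandra's built-in authentication/authorization and gives
# TheHive a least-privilege role. Run as root with: ./harden-cassandra.sh --apply
# Assumptions: Cassandra 3.11 single node, config at $CASSANDRA_YAML,
# cqlsh on localhost:9042, default superuser cassandra/cassandra still active.
set -eu

CASSANDRA_YAML="${CASSANDRA_YAML:-/etc/cassandra/cassandra.yaml}"
THEHIVE_DB_USER="${THEHIVE_DB_USER:-thehive}"
THEHIVE_KEYSPACE="${THEHIVE_KEYSPACE:-thehive}"

# Flip the two settings that enable auth. Takes the file path as argument so
# it can be tried on a copy first.
enable_cassandra_auth() {
  sed -i \
    -e 's/^authenticator: *AllowAllAuthenticator/authenticator: PasswordAuthenticator/' \
    -e 's/^authorizer: *AllowAllAuthorizer/authorizer: CassandraAuthorizer/' \
    "$1"
}

# Print the value of a top-level "key: value" entry of a cassandra.yaml.
yaml_value() {
  sed -n "s/^$2: *//p" "$1"
}

# Return 0 only if both settings are in their hardened state (post-check).
cassandra_auth_enabled() {
  [ "$(yaml_value "$1" authenticator)" = "PasswordAuthenticator" ] &&
  [ "$(yaml_value "$1" authorizer)" = "CassandraAuthorizer" ]
}

# Emit the CQL that creates TheHive's role and keyspace, grants it rights on
# that keyspace only, and changes the superuser password. The passwords are
# interpolated into CQL string literals, so they must not contain a single quote.
thehive_role_cql() {   # user keyspace app-password superuser-password
  cat <<EOF
CREATE ROLE IF NOT EXISTS $1 WITH PASSWORD = '$3' AND LOGIN = true;
CREATE KEYSPACE IF NOT EXISTS $2 WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
GRANT ALL PERMISSIONS ON KEYSPACE $2 TO $1;
ALTER ROLE cassandra WITH PASSWORD = '$4';
EOF
}

main() {
  : "${THEHIVE_DB_PASSWORD:?set THEHIVE_DB_PASSWORD}"
  : "${CASSANDRA_SUPERUSER_PASSWORD:?set CASSANDRA_SUPERUSER_PASSWORD}"

  cp "$CASSANDRA_YAML" "$CASSANDRA_YAML.pre-auth"
  enable_cassandra_auth "$CASSANDRA_YAML"
  cassandra_auth_enabled "$CASSANDRA_YAML"
  systemctl restart cassandra

  # Wait for the native transport to come back. The role manager needs a few
  # seconds after start before the default superuser can log in.
  tries=0
  until cqlsh -u cassandra -p cassandra localhost 9042 -e 'DESCRIBE KEYSPACES' >/dev/null 2>&1; do
    tries=$((tries + 1)); [ "$tries" -lt 30 ] || { echo "cassandra did not come up" >&2; exit 1; }
    sleep 2
  done

  thehive_role_cql "$THEHIVE_DB_USER" "$THEHIVE_KEYSPACE" \
      "$THEHIVE_DB_PASSWORD" "$CASSANDRA_SUPERUSER_PASSWORD" \
    | cqlsh -u cassandra -p cassandra localhost 9042
  echo "done: role $THEHIVE_DB_USER on keyspace $THEHIVE_KEYSPACE; superuser password changed"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then main; fi
```

After this, plain `cqlsh localhost 9042` stops working and needs `-u`/`-p`, and the `// username` and `// password` lines in the db.janusgraph storage block of /etc/thehive/application.conf must be uncommented and filled with the thehive role's credentials before TheHive is started. nodetool is unaffected because it talks JMX, not CQL.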

install TheHive4

curl -fsSL https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add - &&\
echo 'deb https://deb.thehive-project.org release main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list &&\
sudo apt update
sudo apt install thehive4

Prepare storage for attachments

sudo mkdir -p /opt/thp_data/files/thehive &&\
sudo chown -R thehive:thehive /opt/thp_data/files/thehive 

configure TheHive4

Database

To use the Cassandra database, edit TheHive's configuration file (/etc/thehive/application.conf) and set the following (cluster-name must match the cluster_name given to Cassandra above):

db.janusgraph {
  storage {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
    hostname: [ "127.0.0.1" ]
    # Cassandra authentication (if configured)
    // username: "thehive"
    // password: "password"
    cql {
      cluster-name: thp
      keyspace: thehive
      read-consistency-level: ONE
      write-consistency-level: ONE
    }
  }
}

Attachment storage

Local filesystem

Edit this in the storage section

storage {
  provider = localfs
  localfs.location = /opt/thp_data/files/thehive
}

Start TheHive4

sudo systemctl restart thehive

More info here

TL;DR

  • Default administrator account: admin@thehive.local/secret
  • Login with the default account and change its password right away; the default is public knowledge and there is nothing else in front of this setup
  • Create an organisation
  • Create a user account
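The same TL;DR steps can be scripted against TheHive 4's REST API instead of clicked through in the UI. The script below is an added example (not from this guide and not code from the TheHive project): it changes the admin password first, then creates an organisation, a user in it, and sets that user's password. It assumes TheHive listens on http://127.0.0.1:9000, that the default auth providers (which include HTTP basic auth) are still configured, and that the v1 endpoints POST /api/v1/organisation, POST /api/v1/user, POST /api/v1/user/{login}/password/change and POST /api/v1/user/{login}/password/set behave as documented for TheHive 4; check them against the API docs of the version you installed. Organisation and user names are hypothetical and come from environment variables.

```shell
#!/usr/bin/env bash
# Added example for this guide, not code from the TheHive project.
# Bootstraps a fresh TheHive 4 over its v1 REST API. Run with: ./bootstrap.sh --apply
# Assumptions: TheHive at $THEHIVE_URL, basic auth enabled, v1 endpoints as
# documented for TheHive 4 (verify against your version).
set -eu

THEHIVE_URL="${THEHIVE_URL:-http://127.0.0.1:9000}"
ADMIN_LOGIN="admin@thehive.local"

# Request bodies as plain JSON. Values are caller-provided and must not contain
# double quotes or backslashes, because no JSON escaping is done here.
organisation_json() {   # name description
  printf '{"name":"%s","description":"%s"}' "$1" "$2"
}

user_json() {           # login display-name profile organisation
  printf '{"login":"%s","name":"%s","profile":"%s","organisation":"%s"}' "$1" "$2" "$3" "$4"
}

password_change_json() {   # current-password new-password
  printf '{"currentPassword":"%s","password":"%s"}' "$1" "$2"
}

password_set_json() {   # new-password
  printf '{"password":"%s"}' "$1"
}

# POST a JSON body using basic auth; -f makes curl (and so the script) fail on
# HTTP errors instead of silently continuing with a half-done bootstrap.
api_post() {            # user:pass path json
  curl -fsS -u "$1" -H 'Content-Type: application/json' \
    -X POST "$THEHIVE_URL$2" --data "$3"
  echo
}

main() {
  : "${ADMIN_NEW_PASSWORD:?set ADMIN_NEW_PASSWORD}"
  : "${ORG_NAME:?set ORG_NAME}" "${ANALYST_LOGIN:?set ANALYST_LOGIN}"
  : "${ANALYST_PASSWORD:?set ANALYST_PASSWORD}"
  admin_current="${ADMIN_CURRENT_PASSWORD:-secret}"   # the shipped default

  # 1. get rid of admin/secret before doing anything else
  api_post "$ADMIN_LOGIN:$admin_current" "/api/v1/user/$ADMIN_LOGIN/password/change" \
    "$(password_change_json "$admin_current" "$ADMIN_NEW_PASSWORD")"
  admin="$ADMIN_LOGIN:$ADMIN_NEW_PASSWORD"

  # 2. the organisation analysts will work in
  api_post "$admin" /api/v1/organisation \
    "$(organisation_json "$ORG_NAME" "Created by bootstrap script")"

  # 3. an org-admin user in that organisation, then its password
  api_post "$admin" /api/v1/user \
    "$(user_json "$ANALYST_LOGIN" "First analyst" org-admin "$ORG_NAME")"
  api_post "$admin" "/api/v1/user/$ANALYST_LOGIN/password/set" \
    "$(password_set_json "$ANALYST_PASSWORD")"
}

# Only talk to a live TheHive when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Profiles shipped with TheHive 4 are admin, org-admin, analyst and read-only; org-admin is used here so the first user can manage the rest of the organisation without the platform-wide admin account. Keep the passwords out of the shell history by exporting them from a file with restrictive permissions rather than typing them on the command line.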