In this tutorial, you will learn an easy way to integrate TheHive with Cortex. TheHive, a free and open source Security Incident Response Platform, can be integrated with Cortex to automate the analysis of observables such as IP and email addresses, URLs, domain names, files, hashes, etc.
Integrating TheHive with Cortex
To integrate TheHive with Cortex;
Install and Setup TheHive
Ensure that you already have TheHive server up and running. You can check the link below on how to install TheHive on Ubuntu;
Install TheHive on Ubuntu 22.04/Ubuntu 20.04
Install and Configure Cortex
Similarly, Cortex should be up and running. You can install Cortex on the same node where TheHive is running or on a separate node.
You can follow the link below to install and configure Cortex on Ubuntu;
Install Cortex on Ubuntu 22.04/Ubuntu 20.04
Enable and Configure Cortex Analyzers
Once you have Cortex up and running, you need to install, enable and configure any analyzers that you want to use for analyzing various event/incident observables.
How to Easily Enable and Configure Cortex Analyzers
Integrate TheHive with Cortex
In order to integrate TheHive with Cortex;
- Create Cortex Organization API User
Login to Cortex web UI as a specific organization administrative user and create an organization API user.
Under Organization, click Add user
Enter the login username, full name and the roles (read and analyze only).
Click Save user to create the user.
Next, click Create API Key next to the user to generate the key;
Once the key is created, click Reveal to show the key and copy it.
- Integrate TheHive with Cortex
Next, open TheHive configuration and update Cortex connection details;
sudo vim /etc/thehive/application.conf
Update the configuration below to match your setup (the server name, the Cortex URL including its port, and the API key you copied above).
## CORTEX configuration
cortex {
  servers: [
    {
      name = "Kifarunix-demo Cortex"
      url = "http://cortex.kifarunix-demo.com:9001"
      auth {
        type = "bearer"
        key = "oHfJgAmUcSZyyQLaew5AhguZVJb/Q9gG"
      }
      wsConfig {}
    }
  ]
}
Ensure Cortex module is enabled;
scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule
Save the file and exit.
Restart TheHive;
sudo systemctl restart thehive
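Before restarting TheHive it is worth checking the cortex {} block for the mistakes that would stop the connection from working: an auth type other than bearer, an empty or placeholder key, a URL without scheme or port, or a missing CortexModule line. The script below is an added example written for this article, not code shipped with TheHive or Cortex. It reads the block with a small line-based reader (enough for the layout shown above, not a full HOCON parser), reports findings, and with --probe calls Cortex's GET /api/analyzer endpoint with the configured key, which is the kind of request TheHive itself makes. The embedded sample configuration is constructed; its server name, host and key are placeholders.

```python
import json, re, sys, urllib.error, urllib.request
from urllib.parse import urlparse

# Constructed sample of the cortex {} block in TheHive's application.conf; the name,
# host and key are made-up placeholders, not values from any real deployment.
SAMPLE_CONF = """
cortex {
  servers: [
    {
      name = "Demo Cortex"
      url = "http://cortex.example.internal:9001"
      auth {
        type = "bearer"
        key = "ConstructedSampleKeyNotARealOne0"
      }
      wsConfig {}
    }
  ]
}
scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule
"""

BLOCK_OPEN = re.compile(r"^(\w+)\s*[:=]?\s*([{\[])\s*([}\]])?,?$")     # "auth {", "servers: [", "wsConfig {}"
KEY_VALUE = re.compile(r"^([\w.]+)\s*[:=]\s*(.+?)\s*,?$")               # key = value  /  key: value
MODULE_LINE = re.compile(r"^scalligraph\.modules\s*\+=\s*org\.thp\.thehive\.connector\.cortex\.CortexModule$")

def parse_cortex_servers(conf_text):
    """Return one dict per cortex.servers entry; nested keys are flattened, e.g. 'auth.key'."""
    servers, path, current = [], [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and surrounding whitespace
        if not line:
            continue
        if not path:                                    # still looking for "cortex {"
            if re.match(r"^cortex\s*\{$", line):
                path.append("cortex")
            continue
        if line == "{":                                 # one server entry begins
            servers.append(current := {})
            path.append("<server>")
            continue
        if line.rstrip(",") in ("}", "]"):              # innermost block closes
            if path.pop() == "<server>":
                current = None
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            name, _, closer = m.groups()
            if not closer:                              # "auth {" opens a block; "wsConfig {}" is self-closing
                path.append(name)
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            key, value = m.groups()
            nested = path[path.index("<server>") + 1:]  # e.g. ["auth"] while inside auth {}
            current[".".join(nested + [key])] = value.strip('"')
    return servers

def check_server(server):
    """Return (severity, message) findings for one server entry; an empty list means it looks usable."""
    findings = []
    parsed = urlparse(server.get("url", ""))
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        findings.append(("error", "url must be an absolute http(s) URL including the port Cortex listens on"))
    elif parsed.scheme == "http":
        findings.append(("warn", "url is plain http: the API key crosses the network unencrypted"))
    if server.get("auth.type") != "bearer":
        findings.append(("error", 'auth.type must be "bearer" for an organization API key'))
    key = server.get("auth.key", "")
    if not key or "<" in key or key.lower() in ("changeme", "your_api_key"):
        findings.append(("error", "auth.key is empty or a placeholder; paste the key revealed in Cortex"))
    return findings

def module_enabled(conf_text):
    """True when the CortexModule line is present and not commented out."""
    return any(MODULE_LINE.match(ln.split("#", 1)[0].strip()) for ln in conf_text.splitlines())

def probe_cortex(url, key, timeout=5):
    """Live check: list analyzers with the API key. Returns (http_status, names); 401 means a bad key or roles."""
    req = urllib.request.Request(url.rstrip("/") + "/api/analyzer",
                                 headers={"Authorization": "Bearer " + key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, [a.get("name") for a in json.load(resp)]
    except urllib.error.HTTPError as err:
        return err.code, []

if __name__ == "__main__":   # usage: python check_cortex_conf.py [/etc/thehive/application.conf] [--probe]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 and sys.argv[1] != "--probe" else SAMPLE_CONF
    print("CortexModule enabled:", module_enabled(conf))
    for srv in parse_cortex_servers(conf):
        findings = check_server(srv)
        print(srv.get("name"), srv.get("url"), findings or "OK")
        if "--probe" in sys.argv and "error" not in [s for s, _ in findings]:
            print("  live probe:", probe_cortex(srv["url"], srv["auth.key"]))
```

Run it with the real file as the first argument; without arguments it checks the constructed sample. The plain-http warning is deliberate: the tutorial's URL is http, which works, but the bearer key is then readable to anyone on the path between the two nodes, so on separate hosts TLS in front of Cortex is the better choice. The probe only runs for entries with no errors, and a 401 from it points at the key or the user's roles in Cortex rather than at TheHive.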
- Verify TheHive integration with Cortex
Login to TheHive web interface and confirm Cortex integration.
I am using TheHive 5 in my setup. Hence, as you can see, the Cortex icon is green.
Magnificent! You should now be able to run analyses of your case/alert observables right from the TheHive web interface without necessarily logging into Cortex.
For example, consider an alert in the below screenshot;
As you can see, we have quite a number of IP addresses as observables.
To analyze these IPs, simply hover your mouse over one of them and click Preview.
Depending on the analyzers you have already enabled on Cortex and the type of observable being analyzed, you should see that an analyzer is selected automatically.
Or simply select an observable and click the Run Analyzers button.
Run the analyzer against an observable;
If you have multiple analyzers that support IP analysis, select which one to use;
You should be able to see a report shortly;
Show Raw Report data;
From the report, the IP looks clean!
And that is how easily you can integrate TheHive with Cortex for observable analysis.