Easy way to Integrate TheHive with Cortex


In this tutorial, you will learn an easy way to integrate TheHive with Cortex. TheHive, a free and open source Security Incident Response Platform, can be integrated with Cortex to automate the analysis of observables such as IP and email addresses, URLs, domain names, files or hashes.

Integrating TheHive with Cortex

To integrate TheHive with Cortex;

Install and Setup TheHive

Ensure that you already have TheHive server up and running. You can check the link below on how to install TheHive on Ubuntu;

Install TheHive on Ubuntu 22.04/Ubuntu 20.04

Install and Configure Cortex

Similarly, Cortex should be up and running. You can install Cortex on the same node where TheHive is running, or it can be on a separate node.

You can follow the link below to install and configure Cortex on Ubuntu;

Install Cortex on Ubuntu 22.04/Ubuntu 20.04

Enable and Configure Cortex Analyzers

Once you have Cortex up and running, you need to install, enable and configure any analyzers that you want to use for analyzing various event/incident observables.

How to Easily Enable and Configure Cortex Analyzers

Integrate TheHive with Cortex

In order to integrate TheHive with Cortex;

  • Create Cortex Organization API User

Log in to the Cortex web UI as the administrative user of the specific organization and create an organization API user.

Under Organization, click Add user.

Enter the login username, full name and the roles (read and analyze only).


Click Save user to create the user.

Next, click Create API Key against the user to generate the key;


Once the key is created, click Reveal to show the key and copy it.

  • Integrate TheHive with Cortex

Next, open TheHive configuration and update Cortex connection details;

sudo vim /etc/thehive/application.conf

Update the configuration below to match your setup.


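## CORTEX configuration
cortex {
  servers: [
    {
      # Display name for this Cortex server
      name = "Kifarunix-demo Cortex"
      # Address of the Cortex server; the bearer key below is sent to this URL
      url = "http://cortex.kifarunix-demo.com:9001"
      auth {
        type = "bearer"
        # API key of the Cortex organization user created above
        key = "oHfJgAmUcSZyyQLaew5AhguZVJb/Q9gG"
      }
      wsConfig {}
    }
  ]
}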

Ensure Cortex module is enabled;

scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule

Save the file and exit.

Restart TheHive;

sudo systemctl restart thehive
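
Since application.conf now holds the Cortex API key, a quick audit of the settings edited above is useful before restarting. This is an added example, not part of the original tutorial: the function names, the FINDING messages and the checks themselves are assumptions, and the sample config is constructed with a placeholder key.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): audit TheHive's Cortex settings.
# Prints one FINDING per issue; returns 0 when clean, 1 otherwise.
check_cortex_conf() {
  local conf="$1" url host rc=0
  # Read the url only from the top-level "cortex { ... }" block.
  url=$(sed -n '/^cortex[[:space:]]*{/,/^}/p' "$conf" |
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$url" ] || { echo "FINDING: no url in cortex block"; rc=1; }
  # The bearer key is sent with every request: flag cleartext HTTP
  # unless Cortex runs on the same node (loopback).
  case "$url" in
    http://*)
      host=${url#http://}; host=${host%%[:/]*}
      case "$host" in
        localhost|127.0.0.1) ;;
        *) echo "FINDING: bearer key sent over cleartext HTTP to $host"; rc=1 ;;
      esac ;;
  esac
  # The tutorial requires this connector line to be present.
  grep -Eq '^[[:space:]]*scalligraph\.modules[[:space:]]*\+=.*connector\.cortex\.CortexModule' "$conf" ||
    { echo "FINDING: CortexModule line missing"; rc=1; }
  # The file stores the API key; other local users should not read it.
  if [ -n "$(find "$conf" -perm -004)" ]; then
    echo "FINDING: $conf is world-readable"; rc=1
  fi
  return "$rc"
}

# Constructed sample: the tutorial's block with a placeholder key.
make_sample() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
cortex {
  servers: [
    {
      url = "http://cortex.kifarunix-demo.com:9001"
      auth { type = "bearer", key = "<CORTEX_API_KEY>" }
    }
  ]
}
scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule
EOF
  chmod 644 "$f"; echo "$f"
}

sample=$(make_sample)
check_cortex_conf "$sample" || echo "Fix the findings before restarting thehive."
rm -f "$sample"
```

To audit the real file, call `check_cortex_conf /etc/thehive/application.conf` with sufficient privileges to read it.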
  • Verify TheHive integration with Cortex

Log in to TheHive web interface and confirm Cortex integration.

I am using TheHive 5 in my setup. Hence, as you can see, the Cortex icon is green.


Magnificent! You should now be able to run analysis of your case/alert observables right from TheHive web interface without necessarily logging into Cortex.

For example, consider the alert in the screenshot below;


As you can see, we have quite a number of IP addresses as observables.

To analyze these IPs, simply hover your mouse over one of them and click Preview.

Depending on the Analyzers you already enabled on Cortex and the type of observable to be analyzed, you should see that an analyzer is selected automatically.

observable preview analyzer

Or simply select an observable and click the Run Analyzers button.

select observable n analyzer

Run the analyzer against an observable;

run analyzer against observable

If you have multiple analyzers that support IP analysis, select which one to use;

select observable analyzer

You should be able to see a report shortly;

observable analysis report

Show Raw Report data;

sample analysis report

From the report, the IP looks clean!

And that is how easily you can integrate TheHive with Cortex for observable analysis.

gen_too
Co-founder of Kifarunix.com, Linux Tips and Tutorials. Linux/Unix admin and author at Kifarunix.com.
