Integrate TheHive and Cortex

By Adrian | September 27, 2019

This is part 7 of the TheHive/Cortex/MISP build. In this part I’m integrating TheHive with Cortex. This is where the real magic happens! Links to the previous articles are here:

Part I - Building TheHive
Part II - Setup reverse proxy for TheHive
Part III - Building MISP
Part IV - Building Cortex
Part V - Adding analyzers to Cortex
Part VI - Setup reverse proxy for Cortex
Part VII - Integrate TheHive and Cortex
Part VIII - Integrate MISP to TheHive
Part IX - Upgrading TheHive
Part X - Updating MISP
Part XI - Upgrading Cortex
Part XII - Wrapup of TheHive, MISP, Cortex

I honestly thought that this would not go as smoothly as I was expecting, but the integration between these 2 systems was seamless and flawless.

Generate an API key from Cortex

So that we can integrate these 2 systems we need an API key from Cortex. The best way of doing this is to log in with your orgadmin account (not the superadmin from the parent org though). Create a new integration user and give this user the read and analyze permissions.


Once created, select Create API key and then Reveal. Make a note of this key, as you need it for TheHive's configuration.


Modify TheHive configuration file

Within TheHive's application.conf (which I've placed in /opt/thehive/conf), scroll down to the section labelled Cortex and make the following changes.

Uncomment this line:

play.modules.enabled += connectors.cortex.CortexConnector

Make your Cortex configuration section look like this:

cortex {
  "CORTEX-SERVER" {
    url = "http://cortex.example.com:9001"
    key = "<YOUR API KEY>"
    # HTTP client configuration (SSL and proxy)
    ws {}
  }
}

NOTE: If you use an FQDN in the url setting, make sure TheHive can resolve and reach that host. You can also substitute the IP address of the Cortex server there, but make sure it is a static/reserved IP address.
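As an added pre-flight check (my own script, not part of the original post), the following parses the cortex section out of application.conf, flags a url without a scheme or a key that is still the placeholder, and can optionally ask Cortex whether the key is accepted before you restart TheHive. It assumes Cortex's REST API takes the key as a Bearer token on GET /api/analyzer; SAMPLE_CONF is a constructed copy of the block above.

```python
import re, urllib.error, urllib.request
# Constructed sample mirroring the block above (a real file has much more around it)
SAMPLE_CONF = """cortex {
  "CORTEX-SERVER" {
    url = "http://cortex.example.com:9001"
    key = "<YOUR API KEY>"
    ws {}
  }
}"""
PLACEHOLDER_KEY = "<YOUR API KEY>"

def parse_cortex_servers(conf_text):
    """Line-based parse of the cortex { ... } section into {server_name: {"url": ..., "key": ...}}."""
    servers, current, depth, in_cortex = {}, None, 0, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):  # skip blanks and HOCON comments
            continue
        if not in_cortex:
            in_cortex, depth = bool(re.match(r'^cortex\s*\{', line)), 1
            continue
        head = re.match(r'^"?([\w.-]+)"?\s*\{', line)  # a server block such as "CORTEX-SERVER" {
        if head and head.group(1) != "ws":  # ws {} is the HTTP client block, not a server
            servers.setdefault(current := head.group(1), {})
        kv = re.match(r'^(url|key)\s*=\s*"([^"]*)"', line)
        if kv and current:
            servers[current][kv.group(1)] = kv.group(2)
        depth += line.count("{") - line.count("}")
        if depth == 0:  # closing brace of the cortex section
            break
    return servers

def check_server(name, cfg):
    """Static problems with one server entry; an empty list means it looks sane."""
    url, key = cfg.get("url", ""), cfg.get("key", "")
    checks = [(url.startswith(("http://", "https://")), f"{name}: url must start with http:// or https://"),
              (key not in ("", PLACEHOLDER_KEY), f"{name}: key is missing or still the placeholder")]
    return [msg for ok, msg in checks if not ok]

def live_check(url, key, timeout=5):
    """GET /api/analyzer with the key as a Bearer token; 200 means Cortex is reachable and accepts the key."""
    req = urllib.request.Request(url.rstrip("/") + "/api/analyzer", headers={"Authorization": f"Bearer {key}"})
    try:
        return urllib.request.urlopen(req, timeout=timeout).status
    except urllib.error.HTTPError as err:  # 401/403 mean the key or its permissions are wrong
        return err.code

if __name__ == "__main__":  # offline demo: the sample still carries the placeholder key
    print({n: check_server(n, c) for n, c in parse_cortex_servers(SAMPLE_CONF).items()})
```

Point parse_cortex_servers at the text of your real application.conf and call live_check on each entry that passes check_server; anything other than 200 is worth fixing before the restart.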

Restart TheHive services

Once the configuration has been completed, restart TheHive services:

service thehive restart
service thehive status

Log in to TheHive, select your user account in the top right, then About. Cortex should show up as OK (integrated).

Testing it out

Now the fun part. TheHive can hold observables and Cortex can feed various IOCs to its analysers; as standalone systems that's great, but now TheHive has just reduced your click count and sped up your triage. No more having to visit many consoles to manually copy/paste data.

First, create a case in TheHive.

Create an observable (I just yanked a domain from Malware Domains).

Select Action, then Run Analyzers.

Select the analyser you are after. NOTE: We only have 1 analyser available to use against the Domain type. If more analysers were configured, more would appear.

Once the analyser has finished, tags are applied to the observable indicating the outcome.

And there you have it. TheHive and Cortex have been successfully integrated and tested together.

Stay tuned for adding MISP integration to TheHive.