{"id":14756,"date":"2022-11-12T00:14:30","date_gmt":"2022-11-11T21:14:30","guid":{"rendered":"https:\/\/kifarunix.com\/?p=14756"},"modified":"2024-03-09T23:14:42","modified_gmt":"2024-03-09T20:14:42","slug":"easy-way-to-integrate-thehive-with-cortex","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/easy-way-to-integrate-thehive-with-cortex\/","title":{"rendered":"Easy way to Integrate TheHive with Cortex"},"content":{"rendered":"\n<p>In this tutorial, you will learn an easy way to integrate TheHive with Cortex. <a href=\"https:\/\/www.strangebee.com\/thehive\/\" target=\"_blank\" rel=\"noreferrer noopener\">TheHive<\/a>, a Security Incident Response Platform (open source through version 4; version 5 ships a free Community edition), can be integrated with <a href=\"https:\/\/www.strangebee.com\/cortex\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cortex<\/a> to automate the analysis of observables such as IP and email addresses, URLs, domain names, files and hashes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Integrating TheHive with Cortex<\/h2>\n\n\n\n<p>To integrate TheHive with Cortex;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Setup TheHive<\/h3>\n\n\n\n<p>Ensure that you already have a TheHive server up and running. You can check the link below on how to install TheHive on Ubuntu;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-thehive-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install TheHive on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Configure Cortex<\/h3>\n\n\n\n<p>Similarly, Cortex should be up and running. 
You can install Cortex on the same node where TheHive is running or on a separate node.<\/p>\n\n\n\n<p>You can follow the link below to install and configure Cortex on Ubuntu;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-cortex-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Cortex on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enable and Configure Cortex Analyzers<\/h3>\n\n\n\n<p>Once you have Cortex up and running, you need to install, enable and configure the analyzers that you want to use for analyzing event\/incident observables. TheHive can only offer the analyzers that are enabled in the Cortex organization its API user belongs to.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-enable-and-configure-cortex-analyzers\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Easily Enable and Configure Cortex Analyzers<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Integrate TheHive with Cortex<\/h2>\n\n\n\n<p>In order to integrate TheHive with Cortex;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create Cortex Organization API User<\/li>\n<\/ul>\n\n\n\n<p>Login to the Cortex web UI as an administrator of the organization that TheHive should use and create a dedicated API user for TheHive in that organization.<\/p>\n\n\n\n<p>Under <strong>Organization<\/strong>, click <strong>Add user<\/strong>.<\/p>\n\n\n\n<p>Enter the login username, full name and the roles. Give this user the read and analyze roles only; TheHive does not need orgadmin, so a leaked key cannot be used to change analyzers or other users.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/add-analysis-user.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1896\" height=\"648\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/add-analysis-user.png\" alt=\"Easy way to Integrate TheHive with Cortex\" class=\"wp-image-14837\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/add-analysis-user.png?v=1668195939 1896w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/add-analysis-user-768x262.png?v=1668195939 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/add-analysis-user-1536x525.png?v=1668195939 1536w\" sizes=\"(max-width: 1896px) 100vw, 1896px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Click <strong>Save user<\/strong> to create the user.<\/p>\n\n\n\n<p>Next, click <strong>Create API Key<\/strong> against the user to generate the key;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/create-user-api-key.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1872\" height=\"653\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/create-user-api-key.png\" alt=\"Easy way to Integrate TheHive with Cortex\" class=\"wp-image-14838\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/create-user-api-key.png?v=1668195999 1872w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/create-user-api-key-768x268.png?v=1668195999 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/create-user-api-key-1536x536.png?v=1668195999 1536w\" sizes=\"(max-width: 1872px) 100vw, 1872px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Once the key is created, click <strong>Reveal<\/strong> to show the key and copy it. Treat the key as a password: whoever holds it can do anything this API user may do on Cortex.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integrate TheHive with Cortex<\/li>\n<\/ul>\n\n\n\n<p>Next, open TheHive's configuration file and update the Cortex connection details;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo vim \/etc\/thehive\/application.conf<\/code><\/pre>\n\n\n\n<p>Update the configuration below to match your setup: <strong>name<\/strong> is a label for this Cortex server, <strong>url<\/strong> is the address TheHive uses to reach Cortex (prefer https where Cortex is behind TLS, because the key is sent as a bearer token on every request), and <strong>key<\/strong> is the API key you just revealed.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n## CORTEX configuration\ncortex {\n  servers: [\n    {\n      name = \"Kifarunix-demo Cortex\"\n      url = \"http:\/\/cortex.kifarunix-demo.com:9001\"\n      auth {\n        type = \"bearer\"\n        key = \"oHfJgAmUcSZyyQLaew5AhguZVJb\/Q9gG\"\n      }\n      wsConfig {}\n    }\n  ]\n}\n<\/code><\/pre>\n\n\n\n<p>Ensure the Cortex module is enabled;<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule<\/code><\/pre>\n\n\n\n<p>Save the file and exit. Since the file now contains the API key, keep it readable by the thehive service account only.<\/p>\n\n\n\n<p>Restart TheHive;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart thehive<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify TheHive integration with Cortex<\/li>\n<\/ul>\n\n\n\n<p>Login to the TheHive web interface and confirm the Cortex integration.<\/p>\n\n\n\n<p>I am using TheHive 5 in my setup. Hence, as you can see, the Cortex icon is green. If it is red instead, TheHive could not reach or authenticate to Cortex; check the url and key in the configuration and the error in TheHive's log.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/cortex-thehive-integration.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1901\" height=\"941\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/cortex-thehive-integration.png\" alt=\"Easy way to Integrate TheHive with Cortex\" class=\"wp-image-14839\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/cortex-thehive-integration.png?v=1668196024 1901w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/cortex-thehive-integration-768x380.png?v=1668196024 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/cortex-thehive-integration-1536x760.png?v=1668196024 1536w\" sizes=\"(max-width: 1901px) 100vw, 1901px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Magnificent! 
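Before relying on the green icon, it is worth checking the same things from the command line. The script below is an added example written for this post, not code shipped with TheHive or Cortex. It sends the bearer-authenticated GET /api/analyzer request that TheHive itself makes, lists which of the enabled analyzers accept a given observable type (which is what drives the automatic analyzer selection when you preview an observable), builds the POST /api/analyzer/{id}/run job request, and lints the cortex block of application.conf for two mistakes: a plain http:// url, which sends the API key unencrypted on every request, and an empty key. The Cortex hostname, the CORTEX_API_KEY variable name and the analyzer listing are constructed for offline use, and the run endpoint is assumed from the Cortex REST API, so check it against your version.

```python
# Added example for this tutorial, not code from TheHive or Cortex. Standard
# library only. The hostname, the CORTEX_API_KEY variable name and the analyzer
# listing below are constructed; nothing here was captured from a live server.
import json
import os
import urllib.request

CORTEX_URL = 'https://cortex.kifarunix-demo.com:9001'   # hypothetical Cortex address

# Constructed stand-in for the JSON that GET /api/analyzer returns to an
# authenticated user (only the fields this example reads are included).
SAMPLE_ANALYZER_LISTING = json.dumps([
    {'name': 'AbuseIPDB_1_0', 'version': '1.0', 'dataTypeList': ['ip']},
    {'name': 'VirusTotal_GetReport_3_1', 'version': '3.1',
     'dataTypeList': ['file', 'hash', 'domain', 'ip', 'url']},
    {'name': 'Abuse_Finder_3_0', 'version': '3.0',
     'dataTypeList': ['ip', 'domain', 'url', 'mail']},
    {'name': 'MaxMind_GeoIP_4_0', 'version': '4.0', 'dataTypeList': ['ip']},
])

# The tutorial's own cortex block, with a placeholder instead of a real key.
TUTORIAL_CONF = '''
cortex {
  servers: [
    {
      name = "Kifarunix-demo Cortex"
      url = "http://cortex.kifarunix-demo.com:9001"
      auth {
        type = "bearer"
        key = "REPLACE_WITH_THE_REVEALED_KEY"
      }
      wsConfig {}
    }
  ]
}
'''


def build_request(base_url, api_key, path, body=None):
    '''Shape of the requests TheHive's connector sends: the API key travels in an
    Authorization: Bearer header, never in the URL, so it stays out of proxy and
    access logs. A JSON body turns the request into a POST.'''
    data = None if body is None else json.dumps(body).encode()
    headers = {'Authorization': 'Bearer ' + api_key, 'Accept': 'application/json'}
    if data is not None:
        headers['Content-Type'] = 'application/json'
    return urllib.request.Request(base_url.rstrip('/') + path, data=data, headers=headers)


def fetch_analyzers(base_url, api_key, timeout=10):
    '''GET /api/analyzer as the API user. A 401 here means the key or the user's
    organization is wrong; fix that before touching application.conf.'''
    req = build_request(base_url, api_key, '/api/analyzer')
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def analyzers_for(listing_json, data_type):
    '''Names of enabled analyzers that accept data_type: the set TheHive offers
    when you preview an observable of that type (ip, domain, hash, mail, ...).'''
    return sorted(a['name'] for a in json.loads(listing_json)
                  if data_type in a.get('dataTypeList', []))


def run_request(base_url, api_key, analyzer_id, data, data_type, tlp=2):
    '''Job submission, POST /api/analyzer/<id>/run with a JSON body; TLP 2 is
    AMBER. Endpoint and fields assumed from the Cortex REST API.'''
    path = '/api/analyzer/' + analyzer_id + '/run'
    return build_request(base_url, api_key, path,
                         {'data': data, 'dataType': data_type, 'tlp': tlp})


def _hocon_value(line, name):
    '''Value of a simple `name = "value"` or `name: "value"` HOCON line, else None.'''
    line = line.strip()
    if not line.startswith(name):
        return None
    rest = line[len(name):].lstrip()
    if not rest or rest[0] not in '=:':
        return None
    return rest[1:].strip().strip('"')


def lint_cortex_config(conf_text):
    '''Findings for the cortex { servers: [...] } block: a plain http:// url sends
    the bearer key in clear on every request, and an empty key fails at restart.'''
    lines = conf_text.splitlines()
    urls = [v for v in (_hocon_value(ln, 'url') for ln in lines) if v is not None]
    keys = [v for v in (_hocon_value(ln, 'key') for ln in lines) if v is not None]
    findings = []
    if not urls:
        findings.append('no Cortex url configured')
    findings += [u + ': plaintext HTTP, the API key would cross the network unencrypted'
                 for u in urls if u.lower().startswith('http://')]
    if not keys:
        findings.append('no API key configured')
    findings += ['empty API key' for k in keys if not k]
    return findings


def conf_is_private(mode):
    '''application.conf now holds a bearer secret: no permission bits for
    "other" (group access for the thehive service group is acceptable).'''
    return (mode & 0o007) == 0


if __name__ == '__main__':
    print('IP analyzers in the sample listing:', analyzers_for(SAMPLE_ANALYZER_LISTING, 'ip'))
    for finding in lint_cortex_config(TUTORIAL_CONF):
        print('config finding:', finding)
    conf = '/etc/thehive/application.conf'
    if os.path.exists(conf):
        print('application.conf private:', conf_is_private(os.stat(conf).st_mode))
    key = os.environ.get('CORTEX_API_KEY')          # hypothetical variable name
    if key:                                          # only then touch the network
        print('live IP analyzers:', analyzers_for(fetch_analyzers(CORTEX_URL, key), 'ip'))
```

Without CORTEX_API_KEY set, the script only exercises the constructed listing and the tutorial's own block (which it flags for the http:// url); with a real key exported, the same helpers query the live server and show exactly which analyzers TheHive will be able to offer for ip observables.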
You should now be able to run analyses of case\/alert observables right from the TheHive web interface, without logging into Cortex.<\/p>\n\n\n\n<p>For example, consider the alert in the screenshot below;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1906\" height=\"829\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1.png\" alt=\"Easy way to Integrate TheHive with Cortex\" class=\"wp-image-14841\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1.png 1906w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-768x334.png 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-1536x668.png 1536w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-150x65.png 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-300x130.png 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-696x303.png 696w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-1068x465.png 1068w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-alerts-1-966x420.png 966w\" sizes=\"(max-width: 1906px) 100vw, 1906px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>As you can see, we have quite a number of IP addresses as observables.<\/p>\n\n\n\n<p>To analyze one of these IPs, hover over it and click <strong>Preview<\/strong>.<\/p>\n\n\n\n<p>Depending on the analyzers you enabled on Cortex and the data type of the observable (ip in this case), you should see that a matching analyzer is selected automatically; Cortex advertises which data types each analyzer accepts, and TheHive only offers those that accept the observable's type.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-preview-analyzer.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1734\" height=\"944\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-preview-analyzer.png\" alt=\"\" class=\"wp-image-14842\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-preview-analyzer.png?v=1668199058 1734w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-preview-analyzer-768x418.png?v=1668199058 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-preview-analyzer-1536x836.png?v=1668199058 1536w\" sizes=\"(max-width: 1734px) 100vw, 1734px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Or select the observable and click the <strong>Run Analyzers<\/strong> button.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1903\" height=\"563\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-n-analyzer.png\" alt=\"\" class=\"wp-image-14846\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-n-analyzer.png?v=1668199894 1903w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-n-analyzer-768x227.png?v=1668199894 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-n-analyzer-1536x454.png?v=1668199894 1536w\" sizes=\"(max-width: 1903px) 100vw, 1903px\" \/><\/figure>\n\n\n\n<p>Run the analyzer against the observable;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1741\" height=\"949\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/run-analyzer-against-observable.png\" alt=\"\" class=\"wp-image-14843\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/run-analyzer-against-observable.png?v=1668199098 1741w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/run-analyzer-against-observable-768x419.png?v=1668199098 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/run-analyzer-against-observable-1536x837.png?v=1668199098 1536w\" sizes=\"(max-width: 1741px) 100vw, 1741px\" \/><\/figure>\n\n\n\n<p>If you have multiple analyzers that support IP analysis, select which one to use;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-analyzer.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1420\" height=\"858\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-analyzer.png\" alt=\"\" class=\"wp-image-14844\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-analyzer.png?v=1668199194 1420w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/select-observable-analyzer-768x464.png?v=1668199194 768w\" sizes=\"(max-width: 1420px) 100vw, 1420px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>You should be able to see a report shortly;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1464\" height=\"802\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-analysis-report.png\" alt=\"\" class=\"wp-image-14845\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-analysis-report.png?v=1668199537 1464w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/observable-analysis-report-768x421.png?v=1668199537 768w\" sizes=\"(max-width: 1464px) 100vw, 1464px\" \/><\/figure>\n\n\n\n<p>Show Raw Report data;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/sample-analysis-report.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1307\" height=\"895\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/sample-analysis-report.png\" alt=\"\" class=\"wp-image-14847\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/sample-analysis-report.png?v=1668199931 1307w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/sample-analysis-report-768x526.png?v=1668199931 768w\" sizes=\"(max-width: 1307px) 100vw, 1307px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>From this report, the IP looks clean, at least to this one analyzer. A clean verdict from a single source is not proof that the address is benign, so run the other IP analyzers you enabled before closing the alert.<\/p>\n\n\n\n<p>And that is how easily you can integrate TheHive with Cortex for observable analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-integrate-thehive-with-misp\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Integrate TheHive with MISP<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-integrate-elk-stack-with-thehive\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Integrate ELK Stack with TheHive<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn an easy way to integrate TheHive with Cortex. TheHive, an open source and free Security Incident Response 
Platform,<\/p>\n","protected":false},"author":3,"featured_media":14850,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72],"tags":[6094,6082,6092,6091,6038,6093],"class_list":["post-14756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","tag-analyze-observables-using-cortex-and-thehive","tag-cortex","tag-cortex-and-thehive","tag-how-to-integrate-thehive-with-cortex","tag-thehive","tag-thehive-cortex","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14756"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=14756"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14756\/revisions"}],"predecessor-version":[{"id":20653,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14756\/revisions\/20653"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/14850"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=14756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=14756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=14756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}