Skip to content

TheHive connector: Cortex#

Enable the connector#

The Cortex connector module needs to be enabled to allow TheHive work with Cortex. Enable the module with this line of configuration:

play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule

Configure one connection#

TheHive is able to connect more than one Cortex organisation. Several parameters can be configured for one server :

Parameter Type Description
name string name given to the Cortex instance (eg: Cortex-Internal)
url string url to connect to the Cortex instance
auth dict method used to authenticate on the server (bearer if using API keys)
wsConfig dict network configuration dedicated to Play Framework for SSL and proxy
refreshDelay duration frequency of job updates checks (default: 5 seconds)
maxRetryOnError integer maximum number of successive errors before give up (default: 3)
statusCheckInterval duration check remote Cortex status time interval (default: 1 minute)
includedTheHiveOrganisations list of string list of TheHive organisations which can use this Cortex server (default: all ([*])
excludedTheHiveOrganisations list of string list of TheHive organisations which cannot use this Cortex server (default: None ([]) )

This configuration has to be added to TheHive conf/application.conf file.

## Cortex configuration
play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
  servers = [
    {
      name = local
      url = "http://localhost:9001"
      auth {
        type = "bearer"
        key = "[REDACTED]"
      }
      wsConfig {}
    includedTheHiveOrganisations = ["*"]
    excludedTheHiveOrganisations = []
    }
  ]
  refreshDelay = 5 seconds
  maxRetryOnError = 3
  statusCheckInterval = 1 minute
}

Note

By default, adding a Cortex server in TheHive configuration make it available for all organisations added on the instance.

Example

Configuration with one Cortex connection:

## Cortex configuration
play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
  servers = [
    {
      name = Cortex
      url = "http://cortex1:9001"
      auth {
        type = "bearer"
        key = "tkjjyfsdgrKuPttaaasdDWSEzClKuPt"
      }
      wsConfig {
        proxy {
          host: "10.1.2.10"
          port: 8080
        }
      }
      includedTheHiveOrganisations = ["ORG1", "ORG2"]
      excludedTheHiveOrganisations = []
    }
  ]
  refreshDelay = 5 seconds
  maxRetryOnError = 3
  statusCheckInterval = 1 minute
}

Configuration with 2 Cortex connections:

## Cortex configuration
play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
  servers = [
    {
      name = Cortex1
      url = "http://cortex1:9001"
      auth {
        type = "bearer"
        key = "tkjjyfsdgrKuPttaaasdDWSEzClKuPt"
      }
      wsConfig {}
      includedTheHiveOrganisations = ["ORG1", "ORG2"]
      excludedTheHiveOrganisations = []
    }
    {
      name = Cortex2
      url = "http://cortex2:9001"
      auth {
        type = "bearer"
        key = "lSDkjDGGGHtipueroBHOroNJKLbpi"
      }
      wsConfig {
        proxy {
          host: "10.1.2.10"
          port: 8080
        }
      }
      includedTheHiveOrganisations = ["ORG2", "ORG3"]
      excludedTheHiveOrganisations = ["ORG1"]
    }
  ]
  refreshDelay = 5 seconds
  maxRetryOnError = 3
  statusCheckInterval = 5 minutes
}

Last update: March 2, 2021 11:39:03