Default configuration

You can find the default configuration settings of TheHive below:

# maximum number of similar cases
maxSimilarCases = 100

# ElasticSearch
search {
  # Name of the index
  index = the_hive
  # Name of the ElasticSearch cluster
  cluster = hive
  # Address of the ElasticSearch instance
  host = ["127.0.0.1:9300"]
  # Scroll keepalive
  keepalive = 1m
  # Size of the page for scroll
  pagesize = 50
  # Arbitrary settings
  settings {
    # Maximum number of nested fields
    mapping.nested_fields.limit = 50
  }
}

# Datastore
datastore {
  # Size of stored data chunks
  chunksize = 50k
  hash {
    # Main hash algorithm /!\ Don't change this value
    main = "SHA-256"
    # Additional hash algorithms (used in attachments)
    extra = ["SHA-1", "MD5"]
  }
  attachment.password = "malware"
}

auth {
    # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
    # available auth types are:
    # local : passwords are stored in user entity (in ElasticSearch). No configuration are required.
    # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
    # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
    provider = [local]

    ad {
        # The name of the Microsoft Windows domaine using the DNS format. This parameter is required.
        #domainFQDN = "mydomain.local"

    # Optionally you can specify the host names of the domain controllers. If not set, TheHive uses "domainFQDN".
    #serverNames = [ad1.mydomain.local, ad2.mydomain.local]

        # The Microsoft Windows domain name using the short format. This parameter is required.
        #domainName = "MYDOMAIN"

        # Use SSL to connect to the domain controller(s).
        #useSSL = true
    }

    ldap {
        # LDAP server name or address. Port can be specified (host:port). This parameter is required.
        #serverName = "ldap.mydomain.local:389"

    # If you have multiple ldap servers, use the multi-valued settings.
    #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]

        # Use SSL to connect to directory server
        #useSSL = true

        # Account to use to bind on LDAP server. This parameter is required.
        #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"

        # Password of the binding account. This parameter is required.
        #bindPW = "***secret*password***"

        # Base DN to search users. This parameter is required.
        #baseDN = "ou=users,dc=mydomain,dc=local"

        # Filter to search user {0} is replaced by user name. This parameter is required.
        #filter = "(cn={0})"
    }
}

# Maximum time between two requests without requesting authentication
session {
  warning = 5m
  inactivity = 1h
}

# Streaming
stream.longpolling {
  # Maximum time a stream request waits for new element
  refresh = 1m
  # Lifetime of the stream session without request
  cache = 15m
  nextItemMaxWait = 500ms
  globalMaxWait = 1s
}

# Cortex configuration
########

cortex {
  #"CORTEX-SERVER-ID" {
  #  # URL of MISP server
  #  url = ""
  #  #HTTP client configuration, more details in section 8
  #  ws {
  #    ws.useProxyProperties = true
  #    proxy {
  #      # The hostname of the proxy server.
  #      #host = ""
  #      # The port of the proxy server.
  #      #post = 0
  #      # The protocol of the proxy server.  Use "http" or "https".  Defaults to "http" if not specified.
  #      #protocol = "http"
  #      # The username of the credentials for the proxy server.
  #      #user = ""
  #      # The password for the credentials for the proxy server.
  #      #password = ""
  #      # The password for the credentials for the proxy server.
  #      #ntlmDomain = ""
  #      # The realm's charset.
  #      #encoding = ""
  #      # The list of host on which proxy must not be used.
  #      #nonProxyHosts = ""
  #    }
  #    ssl {
  #      keyManager { # used for client certificate authentication
  #        stores = [{
  #          type: "pkcs12" // JKS or PEM
  #          path: "mycert.p12"
  #          password: "password1"
  #        }]
  #      }
  #      # Add certificate authorities to trust remote certificate  
  #      trustManager {
  #        stores = [{
  #          type: "JKS" // JKS or PEM
  #          path: "keystore.jks"
  #          password: "password1"
  #        }]
  #     }
  #     debug = {
  #       ssl = false
  #       trustmanager = false
  #       keymanager = false
  #       sslctx = false
  #       handshake = false
  #       verbose = false
  #       data = false
  #       certpath = false
  #     }
  #
  #     # default SSL protocol
  #     #protocol = "TLSv1.2"
  #
  #     # list of enabled SSL protocols
  #     #ws.ssl.enabledProtocols = ["TLSv1.2", "TLSv1.1", "TLSv1"]
  #
  #     # SSL Cipher suite
  #     #enabledCipherSuites = [
  #     #  "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
  #     #  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  #     #  "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
  #     #  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  #     #]
  #    }
  #  }
  #}
}

# MISP configuration
########

misp {
  #"MISP-SERVER-ID" {
  #  # URL of MISP server
  #  url = ""
  #  # authentication key
  #  key = ""
  #  #tags to be added to imported artifact
  #  tags = ["misp"]
  #
  #  # filters:
  #  # the maximum number of attributes (max-attributes)
  #  #max-attributes = 1000
  #  # the maximum size of the event json message
  #  #max-size = 1 MiB
  #  # the age of the last publication
  #  #max-age = 7 days
  #  exclusion {
  #  # the organisation is black-listed  
  #  #organisation = ["bad organisation", "other orga"]
  #  # one of the tags is black-listed
  #  #tags = ["tag1", "tag2"]
  #  }
  #
  #  ws {
  #    ws.useProxyProperties = true
  #    proxy {
  #      # The hostname of the proxy server.
  #      #host = ""
  #      # The port of the proxy server.
  #      #post = 0
  #      # The protocol of the proxy server.  Use "http" or "https".  Defaults to "http" if not specified.
  #      #protocol = "http"
  #      # The username of the credentials for the proxy server.
  #      #user = ""
  #      # The password for the credentials for the proxy server.
  #      #password = ""
  #      # The password for the credentials for the proxy server.
  #      #ntlmDomain = ""
  #      # The realm's charset.
  #      #encoding = ""
  #      # The list of host on which proxy must not be used.
  #      #nonProxyHosts = ""
  #    }
  #
  #    ssl {
  #      keyManager { # used for client certificate authentication
  #        stores = [{
  #          type: "pkcs12" // JKS or PEM
  #          path: "mycert.p12"
  #          password: "password1"
  #        }]
  #      }
  #      # Add certificate authorities to trust remote certificate  
  #      trustManager {
  #        stores = [{
  #          type: "JKS" // JKS or PEM
  #          path: "keystore.jks"
  #          password: "password1"
  #        }]
  #     }
  #     debug = {
  #       ssl = false
  #       trustmanager = false
  #       keymanager = false
  #       sslctx = false
  #       handshake = false
  #       verbose = false
  #       data = false
  #       certpath = false
  #     }
  #
  #     # default SSL protocol
  #     #protocol = "TLSv1.2"
  #
  #     # list of enabled SSL protocols
  #     #ws.ssl.enabledProtocols = ["TLSv1.2", "TLSv1.1", "TLSv1"]
  #
  #     # SSL Cipher suite
  #     #enabledCipherSuites = [
  #     #  "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
  #     #  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  #     #  "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
  #     #  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  #     #]
  #    }
  #  }

  #}

  # Interval between two MISP event import
  interval = 1h

}

# Metrics configuration
########

metrics {
  name = default
  enabled = false
  rateUnit = SECONDS
  durationUnit = SECONDS
  jvm = true
  logback = true

  graphite {
    enabled = false
    host = "127.0.0.1"
    port = 2003
    prefix = thehive
    rateUnit = SECONDS
    durationUnit = MILLISECONDS
    period = 10s
  }

  ganglia {
    enabled = false
    host = "127.0.0.1"
    port = 8649
    mode = UNICAST
    ttl = 1
    version = 3.1
    prefix = thehive
    rateUnit = SECONDS
    durationUnit = MILLISECONDS
    tmax = 60
    dmax = 0
    period = 10s
  }

  influx {
    enabled = false
    url = "http://127.0.0.1:8086"
    user = root
    password = root
    database = thehive
    retention = default
    consistency = ALL
    #tags = {
    #   tag1 = value1
    #   tag2 = value2
    #}
    period = 10s
  }
}

Last update: March 2, 2021 12:39:03