TheHive & Cortex installation through Docker
Introduction
In this article I will show how to set up my current favourite open-source SOAR solution. As Rapid7 defines it, SOAR (Security Orchestration, Automation, and Response) refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.
TheHive describes itself as a scalable 4-in-1 open-source Security Incident Response Platform. The four parts are TheHive itself (case management), Cortex (the observable analysis and response engine), TheHive4py (a Python API client for TheHive) and the integration with MISP (Malware Information Sharing Platform), which is a separate project that TheHive synchronises with. This article covers the setup of TheHive and Cortex on Ubuntu 20.04. Future articles will cover the other two components of the TheHive project, i.e., MISP and TheHive4py.
Docker
The reason for using Docker is the convenience of containers: the various dependencies are updated by pulling new images, and logs and errors are easy to inspect with docker logs. At the time of writing I have tried various installation types, databases and configurations, and this is the easiest way to get a working setup, but I encourage you to look at the official Docker templates and try whatever suits your needs: https://github.com/TheHive-Project/Docker-Templates.
Docker installation instructions, with steps and explanations, can be found on the official website: https://docs.docker.com/engine/install/ubuntu/. Working with the images and the compose file requires basic knowledge of Docker and Docker Compose.
Architecture
TheHive supports multiple operating systems, and this Docker-based setup can be used on any other supported operating system. TheHive and Cortex fit many use cases, all dependent on business needs. SOC analysts can configure network appliances, email parsers, EDR solutions and so on to create cases in TheHive and analyse the observables (indicators) with Cortex analyzers. Cortex responders can also be set up to act on specific IOCs, either automatically or on an analyst's request.
For this installation the basic architecture is:
- TheHive uses Cassandra as its database.
- Cortex uses Elasticsearch as its backend for job storage and search.
- Nginx is needed as a reverse proxy in front of both applications to terminate TLS (SSL); this will be covered in a later article.
Configuration
We need to create a folder structure, as this helps with the placement of the specific configuration files. The docker-compose yaml file references this folder structure to bind-mount the configuration files and the data subfolders needed by each component. I have created a GitHub repository which contains the configuration files and the docker-compose yaml file.
A native installation of TheHive is straightforward and arguably easier than using Docker. The issues arise in maintenance and in understanding where the configuration files sit. With Docker this is simplified, and maintenance is a breeze.
To get going you need the docker-compose.yaml file included in the project repository. This file needs to be in the root of the folder structure.
As shown in the yaml file, Cortex depends on Elasticsearch whilst TheHive depends on Cassandra. The command for the thehive service mentions Cortex, and the CORTEX_KEY it requires is read from a separate [.env] file. This [.env] file is important: docker-compose substitutes its variables into the compose file when the containers are created, and it is what allows TheHive to authenticate to Cortex.
When executed, the docker-compose.yaml file pulls the images for TheHive, Cortex, Cassandra and Elasticsearch and creates a container for each.
In the cortex and thehive folders an individual application.conf needs to be created for each service. Each needs its own Play secret, [play.http.secret.key="GenerateYourOwn"], which secures the application's sessions and tokens; generate a long random value and do not reuse the same one for both services. There is no need to include the Cortex API key in the TheHive config file, since it comes from the [.env] file.
Here is what the application.conf file for Cortex would look like:
The application.conf file for TheHive looks as below. It is minimalistic; the key for the connection between TheHive and Cortex is in the [.env] file.
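To make the folder structure and the two Play secrets concrete, here is an added shell example (it is not part of the original article, nor one of the TheHive project's own files) that scaffolds the layout and writes a minimal application.conf for each service with a freshly generated play.http.secret.key. The directory names, the service hostnames cassandra and elasticsearch, and the backend settings are assumptions based on the TheHive 4 and Cortex 3 documentation; compare them against the files in the article's repository before use.

```shell
#!/bin/sh
# Added example, not from the original article or the TheHive project.
# Scaffolds the compose project folder and writes a minimal application.conf
# per service with its own random secret. Paths, hostnames and backend keys
# are assumptions; verify against the repository's own files.

# Generate a 32-byte random secret as 64 lowercase hex characters.
# od and /dev/urandom are available on any Unix, so no openssl dependency.
gen_secret() {
  od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Create the layout under $1: ./thehive and ./cortex hold the mounted
# application.conf files, ./vol/* hold each container's persistent data.
scaffold() {
  root="$1"
  mkdir -p "$root/thehive" "$root/cortex" \
           "$root/vol/cassandra/data" "$root/vol/elasticsearch/data" \
           "$root/vol/thehive/data" "$root/vol/thehive/index" \
           "$root/vol/cortex/jobs"

  hive_secret=$(gen_secret)
  cortex_secret=$(gen_secret)

  cat > "$root/thehive/application.conf" <<EOF
# TheHive 4: secret used to sign sessions. Never reuse Cortex's secret here.
play.http.secret.key="$hive_secret"

# Cassandra backend; "cassandra" is the compose service name (assumption).
db.janusgraph {
  storage {
    backend = cql
    hostname = ["cassandra"]
    cql {
      cluster-name = thp
      keyspace = thehive
    }
  }
}

# Attachments live on the mounted data volume.
storage {
  provider = localfs
  localfs.location = /opt/thp/thehive/files
}
EOF

  cat > "$root/cortex/application.conf" <<EOF
# Cortex 3: its own secret, distinct from TheHive's.
play.http.secret.key="$cortex_secret"

# Elasticsearch backend; "elasticsearch" is the compose service name (assumption).
search {
  index = cortex
  uri = "http://elasticsearch:9200"
}
EOF

  # .env holds CORTEX_KEY for docker-compose variable substitution. It is a
  # placeholder until the Cortex organisation user's API key exists.
  printf 'CORTEX_KEY=\n' > "$root/.env"

  # These files carry credentials: owner-only permissions, and keep them and
  # the data volumes out of version control.
  chmod 600 "$root/.env" "$root/thehive/application.conf" "$root/cortex/application.conf"
  printf '.env\nvol/\n' > "$root/.gitignore"
}

# True if the given conf carries a real 64-hex-char secret, not a placeholder.
secret_ok() {
  grep -Eq '^play\.http\.secret\.key="[0-9a-f]{64}"$' "$1"
}

# Usage: scaffold /opt/thehive-stack && secret_ok /opt/thehive-stack/thehive/application.conf
```

Run scaffold once, then drop the repository's docker-compose.yaml into the root it created. The secret_ok check is worth keeping around: a forgotten "GenerateYourOwn" placeholder means both instances share a known signing key.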
Installation
Open a terminal in the root of the folder structure, which contains the docker-compose.yaml file, and execute docker-compose up or docker-compose up -d, where -d runs the containers detached in the background.
After executing the command the images are pulled and the containers are created. This is the list of docker images:
The list of active docker containers:
Once the containers are running, open a browser at http://localhost:9001 (Cortex) and you will be prompted to configure the database.
After configuring the database you will be prompted to enter the administrator account details. Create this admin account; it is the default superadmin used to create the organizations that will use Cortex and its connectors.
Using the administrator account, create an Organization and within it create a User with at least the [read, analyze] roles.
Using that organization user account, generate an API key and click Reveal. Copy this API key into the [.env] file. This is the key TheHive will use to authenticate to Cortex, so treat it like a password: keep the [.env] file owner-readable only and out of version control.
Before the API key from the Cortex organization user is added, the Cortex icon at the bottom of TheHive's interface is red and the Cortex connection shows an error, as below.
Now the Cortex organization and user are set up, TheHive is running, and the API key from the Cortex user page has been copied into the [.env] file. Restart the containers, passing the environment variables as shown below.
The above command restarts the containers and passes the Cortex key to TheHive, allowing the two containers to communicate. Remember to use -d when executing the docker-compose command so the containers run detached.
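As an added example (not from the original article or the TheHive project), the shell snippet below writes the key into [.env] without putting it on the command line, so it does not end up in shell history, and it replaces an existing CORTEX_KEY line rather than appending a second one, which matters when the key is later rotated in Cortex. The file path is an assumption; docker-compose reads [.env] from the project directory on its own, so nothing has to be exported before restarting.

```shell
#!/bin/sh
# Added example, not from the original article or the TheHive project.
# Writes CORTEX_KEY into the compose project's .env (path is an assumption),
# keeps the key off the command line and out of shell history, and replaces an
# existing entry so re-running after a key rotation never leaves two lines.

# Upsert CORTEX_KEY=<key> in the .env file given as $1; the key is $2.
# Returns 1 and changes nothing if the key is empty or contains characters
# outside what an API key should hold (guards against pasting a whole line).
set_cortex_key() {
  envfile="$1"
  key="$2"
  case "$key" in
    ''|*[!A-Za-z0-9+/=_-]*)
      echo "set_cortex_key: refusing empty key or key with unexpected characters" >&2
      return 1 ;;
  esac
  # Build the new file in a subshell with umask 077 so it is never
  # world-readable, even briefly; keep every other variable, drop any old
  # CORTEX_KEY line (grep -v fails on a missing file, hence || true).
  (
    umask 077
    {
      grep -v '^CORTEX_KEY=' "$envfile" 2>/dev/null || true
      printf 'CORTEX_KEY=%s\n' "$key"
    } > "$envfile.tmp"
  ) || return 1
  mv "$envfile.tmp" "$envfile" && chmod 600 "$envfile"
}

# Read back the value docker-compose will substitute for ${CORTEX_KEY}.
get_cortex_key() {
  sed -n 's/^CORTEX_KEY=//p' "$1" | tail -n 1
}

# Interactive driver: prompt with terminal echo off so the pasted key is not
# shown on screen or kept in scrollback, then write it.
prompt_cortex_key() {
  printf 'Paste the Cortex API key: '
  stty -echo
  read -r key
  stty echo
  printf '\n'
  set_cortex_key "$1" "$key"
}

# Recreate the stack. docker-compose picks up .env from the project directory
# by itself; up -d recreates the services whose configuration changed (here
# the thehive service, whose command references ${CORTEX_KEY}).
restart_stack() {
  docker-compose up -d
}

# Usage, from the folder holding docker-compose.yaml:
#   prompt_cortex_key .env && restart_stack
```

Pasting the key inline as CORTEX_KEY=... docker-compose up -d works too, but that whole line lands in your shell history; the prompt above avoids that, and get_cortex_key lets you confirm what compose will actually read before restarting.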
After restarting the containers, the Cortex connection status in TheHive should turn green, as shown below.
Now the application has been set up successfully. The next steps are:
- Configuring analyzers and responders for Cortex using Docker images.
- Creating a solution that passes data to TheHive, either using Wazuh or a Python solution.
- Looking at a third connector into TheHive, preferably MISP.