Updated Cortex Analyzers + 1

Rejoice! The French chefs of TheHive Project have released an enhanced set of analyzers for Cortex.

All existing analyzers have been updated and bugs have been fixed. In case you missed it, there’s a new PassiveTotal analyzer contributed by Antoine Brodin (Thanks!). This latest addition lets you query 8 PassiveTotal services such as Enrichment, Malware, Osint, Passive DNS, SSL Certificate details and history, Whois details and Unique resolutions.

If you are using TheHive in conjunction with Cortex, please note that there is no short or long report template for the PassiveTotal analyzer hence you’ll see the results in raw format. But don’t let your excitement wind down. Templates will be produced in the upcoming weeks. Word.

To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master branch) in your existing /path/to/cortex-analyzers.

The PassiveTotal analyzer requires the passivetotal Python library, a username and an API key. Use the following command lines to install the required library:

sudo pip install passivetotal

Then edit your Cortex configuration file (/path/to/cortex/application.conf) and add the following lines in the analyzer section:

 PassiveTotal {
     key="..."
     username="..."
 }

Please note that you must restart Cortex to take the changes into account. The current version has no persistence so you’ll lose all your existing jobs.

You can find the full installation requirements for Cortex and Cortex-Analyzers on the Cortex wiki pages.

If you’d like to contribute new analyzers, please check whether somebody is already working on them. If not, get acquainted with some of the existing ones by reading their code and open an issue.

If you have any further questions, please do not hesitate to ask on our user forum or contact support@thehive-project.org.
