Cortex 1.1.1: Two Way MISP Integration Now a Reality

TheHive Project’s Chefs are thrilled to announce the immediate availability of Cortex 1.1.1.

Starting from this version, Cortex can be integrated in two ways with MISP as described below. We would like to thank Alexandre Dulaunoy for inviting us to the Open Source Security Software Hackathon which took place in Luxembourg during two days (May 2-3, 2017). Andras Iklody worked with us during the event in order to make this two way integration a reality. Merci !

Now in addition to TheHive, our Security Incident Response Platform which can connect to multiple MISP instances to receive new or updated events, let analysts preview then import them if they deem them worth investigating, Cortex can query MISP modules or be invoked from MISP to let an instance’s users leverage the power of its 21 analyzers. And in the near future, TheHive will also gain the ability to export observables to MISP.

Invoke MISP modules within Cortex

Besides its regular analyzers, Cortex 1.1.1  can analyze observables using MISP expansion modules.

Obviously, there are some overlap between Cortex native analyzers and MISP expansion modules. For example, you could query the CIRCL’s Passive DNS service using a native Cortex analyzer or a MISP expansion module. When there’s overlap, we highly recommend you rely on the Cortex analyzer. That way, we will be able to better help you in case you encounter issues or need help to make it work.

In order to invoke MISP expansion modules within Cortex, they need to be installed on the same host that Cortex runs on. Please read the MISP Integration guide.

Invoke Cortex Analyzers within MISP

Starting from version 2.4.73, a MISP instance can invoke Cortex analyzers. To do so, connect to the MISP Web UI with sufficient privileges, then go to Administration > Server settings > Plugin settings. Edit the Cortex section as follows:

  • set Plugin.Cortex_services_enable to true
  • set Plugin.Cortex_services_url  to http://ip_address (replace ip_address with the IP address of Cortex)
  • set Plugin.Plugin.Cortex_services_port to port (replace port with the port on which Cortex is listening: 9000 by default)

Once this operation is completed, the Cortex analyzer list should appear in MISP’s Cortex section. The analyzers must be enabled to make them available to the instance users.

Documentation

Please note that we have moved all the documentation of Cortex to a new repository.

Download & Get Down to Work

To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.

Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Correction: May 18, 2017
An earlier version of this post contained a few typos which were corrected.

Buckfast 1 and Cortex All-in-one Package

When you use TheHive, running an analyzer on an observable through Cortex will generate a long report and, in most cases, a short report as well.

Let’s see how this works in practice through an example. Assume we are trying to assess whether the 636a4249104acaaf6d76d7409dc3cb2d MD5 hash is malicious or not:

Screen Shot 2017-03-26 at 22.21.10.png

We start by clicking on it, which will open a new tab:Screen Shot 2017-03-26 at 22.21.22.pngThis TLP:WHITE hash was imported from a MISP event published by our good friends at CIRCL.lu sometimes ago. As you can see from the screenshot above, no analyzer was executed on it.  Let’s check if it is known to VirusTotal (VT). To do so, we just need to click on the fire icon located at the right side of the VirusTotal_GetReport_2_0 row.

Screen Shot 2017-03-26 at 22.21.53

A blink of an eye later, the job has finished successfully as we can tell from the green checkmark. Clicking on the date will let us see the long report, presented according to a report template that we freely provide with most analyzers to the exception of PassiveTotal (but in a few days, PT will also get its own nifty templates).Screen Shot 2017-03-26 at 22.22.11.png

Since we are checking whether VT knows a hash or not, it will give us the results if any corresponding to the last time the associated file was scanned on the service. In our case, this dates back to Dec 2, 2016.

When the analyzer was executed, it also produced a short report which TheHive displays below the observable:Screen Shot 2017-03-26 at 22.21.45.pngShort reports come in 4 colors. Red means danger (what else?). Orange means suspicious. Green means innocuous. And blue is informational. OK but what does this have to do with the title of this post?

A few days ago, while working on a new set of analyzers, Nils Kuhnert reported an issue in Buckfast 1 (2.10.1) pertaining to short reports on observables. When he ran some analyzers that should have produced short reports, he didn’t get any. When he reverted to Buckfast 0 (2.10.0), it worked. We tracked down the problem and found that our build process was the culprit. The all-in-one  binary package which was supposed to contain Buckfast 1 and Cortex was in fact a 2.10.0 TheHive snapshot that had a regression. We have uploaded a fresh all-in-one binary package with Buckfast 1 instead of the development snapshot.

If you have grabbed the binary all-in-one package, please download it again and update your instance. If you are using a docker version or built Buckfast 1 from sources, you are fine. To make sure you are running the right version, click on your username once you are logged in then on About TheHive. You should see the following information:Screen Shot 2017-03-26 at 22.56.09.png

We are going to review our release process from the ground up to ascertain such errors never occur again. We expect it to be ready for Mellifera, our next major release of TheHive. Please note that starting from that release, we will no longer provide all-in-one binary and docker packages. Instead, we’ll have separate packages for TheHive and Cortex. TheHive4py and the upcoming Cortex4py will be made available through PIP.