Cortex documentation has moved and can be found at https://docs.thehive-project.org/cortex/.
Cortex solves two common problems frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response:
- How to analyze observables they have collected, at scale, by querying a single tool instead of several?
- How to actively respond to threats and interact with the constituency and other teams?
Thanks to its many analyzers and to its RESTful API, Cortex makes observable analysis a breeze, particularly if called from TheHive, our highly popular, free and open source Security Incident Response Platform (SIRP). TheHive can also leverage Cortex responders to perform specific actions on alerts, cases, tasks and observables collected in the course of the investigation: send an email to the constituents, block an IP address at the proxy level, notify team members that an alert needs to be taken care of urgently and much more.
Starting from Cortex version 2, you can create and manage multiple organizations (i.e multi-tenancy), manage the associated users and give them different roles. You can also specify per-org analyzer configuration and rate limits to avoid consuming all your quotas at once. We have also added a cache so that an analysis is not re-executed for the same observable if a given analyzer is called on that observable several times within a specific timespan (10 minutes by default, can be adjusted for each analyzer).
Notes:
- This is the Cortex documentation repository. If you are looking for its source code, please visit https://github.com/TheHive-Project/Cortex/.
- Cortex4py, the FOSS Python library we provide to submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms & custom scripts, is compatible with Cortex 2 starting from v 2.0.0.
- Active Response is a new feature that was introduced in TheHive 3.1.0 and Cortex 2.1.0.
- If you are looking for the Cortex 1 documentation, please check the cortex-1 branch.
Hardware Pre-requisites
Cortex uses a Java VM. We recommend using a virtual machine with 8vCPU, 8 GB of RAM and 10 GB of disk. You can also use a physical machine with similar specifications.
What's New
- Quick Start Guide
- API Guide (updated for Cortex 2 and newer)
- Installation Guide
- How to Configure Analyzers
- Training Material
- Changelog
Guides
- Installation Guide
- Cortex Analyzer Requirements Guide
- Quick Start Guide
- Administration Guide
- Updating
- API Guide
- How to Create an Analyzer
- How to Create a Responder
- Migration Guide
Miscellaneous Information
License
Cortex is an open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensure that TheHive will remain a free and open source project on the long-run.
Updates
Information, news and updates are regularly posted on TheHive Project Twitter account and on the blog.
Contributing
We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests using issues.
We do have a Code of conduct. Make sure to check it out before contributing.
Support
Please open an issue on GitHub if you'd like to report a bug or request a feature. We are also available on Gitter to help you out.
If you need to contact the Project's team, send an email to [email protected].
Important Note:
- If you have troubles with a Cortex analyzer or would like to request a new one or an improvement to an existing analyzer, please open an issue on the analyzers' dedicated GitHub repository.
- If you encounter an issue with TheHive or would like to request the addition of a feature in it, please open an issue on its dedicated GitHub repository.
- If you have problems with Cortex4py, please open an issue on its dedicated repository.
Community Discussions
We have set up a Google forum at https://groups.google.com/a/thehive-project.org/d/forum/users. To request access, you need a Google account. You may create one using a Gmail address or without it.