Current ThreatQ Version Filter

Cortex App for the Hive

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.0.1

Compatible with ThreatQ Versions

>= 4.58.1

Compatible with Cortex Version

3.1.7

Compatible with The Hive Version

5.1.3

Support Tier

ThreatQ Supported

Introduction

The Cortex App for the Hive is used for enriching observables in Cortex against a ThreatQ instance. After an observable is enriched in Cortex using the ThreatQ app, the enriched content can be seen in the cases in the Hive using the native Hive integration.

Prerequisites

Review and confirm the following requirements before attempting to install the application:

Cortex and the Hive applications are installed and the integration between the two is configured. See this setup guide for detailed configuration steps of Cortex: https://docs.thehive-project.org/cortex/.
The following steps have been reviewed: https://docs.thehive-project.org/cortex/installation-and-configuration/analyzers-responders/#run-you-own-analyzers-responders.
Python 3 is installed on the Cortex VM.

Installation

If you are upgrading from a previous version, review the Change Log to determine if there are any changes to configuration file such as new or removed fields. If there are changes, you must first delete your existing configuration file before proceeding with the steps below to install the new version. Contact ThreatQ Support if you require assistance.

Download the integration zip file from the ThreatQ Marketplace.
Unzip the file's contents:
unzip /path/to/archive/cortex_app_v<VERSION>.zip
Transfer the files to your Cortex instance:
scp -r /path/to/folder/cortex_app_v<VERSION>/tq_hive_cortex_analyzer_src <USERNAME>@<CORTEX HOST/IP>:/tmp/
Create a new folder in the Custom Analyzers installation path for Cortex:
ssh <USERNAME>@<CORTEX HOST/IP>

sudo mkdir -p /opt/Custom-Analyzers/{analyzers,responders}/ThreatQ
Move the Cortex app to the Custom Analyzers directory and set the correct ownership:
cp /tmp/tq_hive_cortex_analyzer_src/*.* /opt/Custom-Analyzers/analyzers/ThreatQ/

chown -R cortex:cortex /opt/Custom-Analyzers
Add the Custom Analyzers path the application.conf file as described in the following documentation:
https://docs.thehive-project.org/cortex/installation-and-configuration/analyzers-responders/#update-cortex-configuration
Restart the Corext app. If the system is using systemctl, the command will be:
systemctl restart cortex

Configuration

Use the following steps to configure the app in Cortex.

You should generate ThreatQ OAuth credentials prior to starting the configuration. See the OAuth Credentials topic on the ThreatQ Help Center for additional details and steps.

Log in as a user to Cortex UI.
Navigate to Organization and select the Analyzers tab
Search for ThreatQ and click on Enable and then on Edit.

Enter the required parameters and credentials and save the configuration:

Parameter	Description
tq_host	This is the hostname or IP address for the ThreatQ instance prefaced by `https://`.
tq_client_id	ThreatQ OAuth Client ID. See the OAuth Credentials topic on the ThreatQ Help Center.
tq_client_secret	ThreatQ OAuth Client Secret. See the OAuth Credentials topic on the ThreatQ Help Center.
tq_verify	Verify ThreatQ SSL Certificate. The default value is False.

Test the integration by logging in as a user to Cortex UI.
Click on New Analysis, select the Data Type from the dropdown, enter the observable value.
Select ThreatQ_1_0 from the list of Analyzers and click on the Start button.
Once completed it should show the enrichment data from ThreatQ

Once complete with the configuration, the settings in the Cortex instance will look similar to this snapshot:

Usage of the App on The Hive

Login as a user to the Hive UI
Import the analysis HTML template provided with the ZIP file downloaded from the ThreatQ Marketplace.
The HTML file is in /path/to/folder/cortex_app_v<VERSION>/tq_hive_cortex_analyzer_templates
Select a case and click on the Observables tab.
Enter an observable, select the type, and click on Confirm.
To run an enrichment against ThreatQ, hover over an observable, click on the ellipsis on the right-most side and select Run Analyzers.
On the following screen click on the ThreatQ app and then Run Selected Analyzers.
The enrichment data in the Hive will look similar to this snapshot:

Average Feed Run

Object counts and runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and runtime may vary based on system resources and load.

Metric	Result
Run Time	2 minutes

Change Log

Version 1.0.1
- Initial release

PDF Guides

Document	ThreatQ Version
Cortex App for The Hive Guide v1.0.1	4.58.1 or Greater