Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several?
Cortex, an open source and free software, has been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API.
By using Cortex, you won't need to rewrite the wheel every time you'd like to use a service or a tool to analyze an observable and help you investigate the case at hand. Leverage one of the several analyzers it contains and if you are missing a tool or a service, create a suitable program easily and make it available for the whole team (or better, for the whole community) thanks to Cortex.
Along with MISP, Cortex is the perfect companion for TheHive. Starting from Buckfast (TheHive version 2.10), you can analyze tens or hundreds of observables in a few clicks using one or several Cortex instances depending on your OPSEC needs and security requirements. Moreover, TheHive comes with a report template engine that allows you to adjust the output of Cortex analyzers to your taste instead of having to create your own JSON parsers for Cortex output.
Cortex is written in Scala. The front-end uses AngularJS with Bootstrap. Its REST API is stateless which allows it to be horizontally scalable. The provided analyzers are written in Python. Additional analyzers may be written using the same language or any other language supported by Linux.
Cortex 1.0.1 is provided with 13 analyzers.
- Abuse Finder: use CERT-SG's Abuse Finder to find the abuse contact associated with domain names, URLs, IP and email addresses.
- DNSDB*: leverage Farsight's DNSDB for pDNS.
- DomainTools*: look up domain names, IP addresses, WHOIS records, etc. using the popular DomainTools service API.
- File Info: parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files and much more.
- Hippocampe: query threat feeds through Hippocampe, a FOSS tool that centralizes feeds and allows you to associate a confidence level to each one of them (that can be changed over time) and get a score indicating the data quality.
- MaxMind: geolocation.
- Outlook MsgParser: parse Outlook message files automatically and show the key information it contains such as headers, attachments etc.
- OTXQuery*: query AlienVault Open Threat Exchange for IPs, domains, URLs, or file hashes.
- PassiveTotal*: leverage RiskIQ's PassiveTotal service to gain invaluable insight on observables, identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.
- URLCategory: checks the Fortinet categories of URLs.
- Phishing Initiative*: queries Phishing Initiative to assess whether a URL has been flagged a phishing site.
- PhishTank*: queries PhishTank to assess whether a URL has been flagged a phishing site.
- VirusTotal*: look up files, URLs and hashes through VirusTotal.
The star (*) indicates that the analyzer needs an API key to work correctly. We do not provide API keys. You have to use your own.
Cortex is an open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensure that Cortex will remain a free and open source project on the long-run.
Information, news and updates are regularly posted on TheHive Project Twitter account and on the blog.
We welcome your contributions, particularly new analyzers that can take away the load off overworked fellow analysts. Please feel free to fork the code, play with it, make some patches and send us pull requests.
Please open an issue on GitHub if you'd like to report a bug or request a feature.
Important Note: if you encounter an issue with an analyzer or would like to request a new one or an improvement to an existing analyzer, please open an issue on the analyzers' dedicated GitHub repository. If you have problems with TheHive or would like to request a TheHive-related feature, please open an issue on its dedicated GitHub repository.
Alternatively, if you need to contact the project team, send an email to support@thehive-project.org.
We have set up a Google forum at https://groups.google.com/a/thehive-project.org/d/forum/users. To request access, you need a Google account. You may create one using a Gmail address or without one.