This is the Quick Start guide for Cortex 3. It assumes that Cortex has been installed, and that the analyzers have been installed as well. For further details and configuration options, please refer to the Administration Guide.
- Step 1: Setup Cortex
- Step 2: Update the Database
- Step 3: Create the Cortex Super Administrator
- Step 4: Create an Organization
- Step 5: Create a Organization Administrator
- Step 6: Enable and Configure Analyzers
- Step 7 (Optional): Create an Account for TheHive integration
- Migrating from Cortex 1.x?
- Need to Go Further?
The Cortex back-end configuration file is /etc/cortex/application.conf by default. In order to start Cortex and provided Elasticsearch is running on the same machine, the only required parameter to get up and running is the key of the server
(play.http.secret.key). This key is used to authenticate the cookies that
contain data, and not only a session ID. If Cortex runs in cluster mode, all
instances must share the same key.
To generate a key, use the following command line:
(cat << _EOF_
# Secret key
# ~~~~~
# The secret key is used to secure cryptographics functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
_EOF_
search.uri = "http://127.0.0.1:9200"
analyzer.urls = "https://download.thehive-project.org/analyzers.json"
) | sudo tee -a /etc/cortex/application.conf
Please note that this secret key is mandatory to start the Cortex application. After saving the file, restart the application (service cortex restart on Ubuntu or systemctl restart cortex on CentOS).
Important Note: Elasticsearch must be installed in order for Cortex to work. If you need to install it or if you are using an Elasticsearch instance that is not on the same machine as Cortex, please refer to the Administration Guide.
Important Note: Cortex run analyzers using docker service. Docker must be install on the same server. The user cortex must be in the docker group to be able to use it.
Cortex uses ElasticSearch to store users, organizations and analyzers configuration. The first time you connect to the Web UI (http://<CORTEX_IP>:9001 by default), you have to create the database by clicking the Update Database button.
You are then invited to create the first user. This is a Cortex global administration user or superAdmin. This user account will be able to create Cortex organizations and users.
You will then be able to log in using this user account. You will note that the default cortex organization has been created and that it includes your user account, a Cortex global admininistrator.
The default cortex organization cannot be used for any other purpose than managing global administrators (users with the superAdmin role), organizations and their associated users. It cannot be used to enable/disable or configure analyzers. To do so, you need to create your own organization inside Cortex by clicking on the Add organization button.
Create the organization administrator account (user with an orgAdmin role).
Then, specify a password for this user. After doing so, log out and log in with that new user account.
Enable the analyzers you need, configure them using the Organization > Configuration and Organization > Analyzers tabs. All analyzer configuration is done using the Web UI, including adding API keys and configuring rate limits.
The analyzer configuration requirements are detailed in the Analyzer Requirements page.
If you are using TheHive, create a new account inside your organisation with the read, analyze role and generate an API key that you will need to add to TheHive's configuration as described in TheHive's Configuration Guide. Please note that you need at least TheHive 3.0.7 (Cerana 0.7) to use Cortex 2 from TheHive.
If you are migrating from Cortex 1.x, we recommend that you:
- Save the configuration of your analyzers (which ones are enabled and what are their configuration items such as users/passwords or API keys).
- Install Cortex 3.
- Edit
/etc/cortex/application.confto add the secret key as shown in Step 1 and point Cortex to the location of the analyzers. - Follow the remaining steps of this Quick Start Guide to enable the analyzers you need and reinject their configuration.
play.http.secret.key="..."
search.uri = "http://127.0.0.1:9200"
analyzer.urls = "https://download.thehive-project.org/analyzers.json"
For further details and configuration options, please refer to the Administration Guide.