Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics, and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several?
Cortex, an open source, and free software have been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API.
By using Cortex, you won’t need to rewrite the wheel every time you’d like to use a service or a tool to analyze an observable and help you investigate the case at hand. Leverage one of the several analyzers it contains and if you are missing a tool or a service, create a suitable program easily and make it available for the whole team (or better, for the whole community) thanks to Cortex.
Cortex and TheHive
Along with MISP, Cortex is the perfect companion for TheHive. Starting from Buckfast (TheHive version 2.10), you can analyze tens or hundreds of observables in a few clicks using one or several Cortex instances depending on your OPSEC needs and security requirements. Moreover, TheHive comes with a report template engine that allows you to adjust the output of Cortex analyzers to your taste instead of having to create your own JSON parsers for Cortex output.
Cortex and MISP
Starting from Cortex 1.1.1, Cortex can be integrated with MISP in two ways:
- Cortex can invoke MISP modules
- MISP can invoke Cortex analyzers
Architecture
Cortex is written in Scala. The front-end uses AngularJS with Bootstrap. Its REST API is stateless which allows it to be horizontally scalable. The provided analyzers are written in Python. Additional analyzers may be written using the same language or any other language supported by Linux.
Analyzers
Cortex has 30 analyzers listed below. To configure them, read the Cortex Analyzers Requirements Guide.
- Abuse_Finder: use CERT-SG’s Abuse Finder to find the abuse contact associated with domain names, URLs, IP, and email addresses.
- CERTatPassiveDNS*: Check CERT.at Passive DNS Service for a given domain.
- CIRCLPassiveDNS*: Check CIRCL’s Passive DNS for a given domain.
- CIRCLPassiveSSL*: Check CIRCL’s Passive SSL service for a given IP address or certificate hash.
- CuckooSandbox: analyze URLs and files using Cuckoo Sandbox.
- DNSDB*: leverage Farsight Security’s DNSDB for Passive DNS.
- DomainTools*: look up domain names, IP addresses, WHOIS records, etc. using the popular DomainTools service API.
- EmergingThreats*: leverage Proofpoint’s Emerging Threats Intelligence to assess the reputation of various observables and obtain additional and valuable information on malware.
- File_Info: parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files and much more.
- FireHOLBlocklists: check IP addresses against the FireHOL blocklists.
- GoogleSafebrowsing*: check URLs against Google Safebrowsing.
- HybridAnalysis*: fetch Hybrid Analysis reports associated with hashes and filenames.
- Hippocampe: query threat feeds through Hippocampe, a FOSS tool that centralizes feeds and allows you to associate a confidence level to each one of them (that can be changed over time) and get a score indicating the data quality.
- JoeSandbox*: analyze URLs and files using the powerful Joe Sandbox malware analysis solution.
- MaxMind: geolocation.
- MISP*: search for MISP events in one or several MISP instances containing the observable submitted as input.
- Nessus: use Nessus Professional, a popular vulnerability scanner to scan an IP address or an FQDN.
- MsgParser: parse Outlook message files automatically and show the key information it contains such as headers, attachments etc.
- OTXQuery*: query AlienVault Open Threat Exchange for IPs, domains, URLs, or file hashes.
- PassiveTotal*: leverage RiskIQ’s PassiveTotal service to gain invaluable insight on observables, identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.
- Phishing Initiative*: query Phishing Initiative to assess whether a URL has been flagged as a phishing site.
- PhishTank*: query PhishTank to assess whether a URL has been flagged as a phishing site.
- Shodan*: retrieve key Shodan information on domains and IP addresses.
- URLCategory: check the Fortinet categories of URLs.
- VirusShare: check whether a file/hash is available on VirusShare.com.
- VirusTotal*: look up files, URLs, and hashes in VirusTotal.
- VMRay*: analyze files using the VMRay Analyzer Platform.
- WOT*: check a domain against Web of Trust, a website reputation service.
- Yara: check files against YARA rules using yara-python.
- Yeti: retrieve all available information related to a domain, a fully qualified domain name, an IP address, a URL or a hash from a YETI instance.
The star (*) indicates that the analyzer needs an API key, a user account or special access from the service provider to work correctly. We do not provide API keys, user accounts or request access on your behalf. You have to use your own or contact the service provider.
Changelog v2.2.0
Implemented enhancements:
- Show PAP value in the Org > Analyzers screen #124
- Display cache configuration in analyzer admin page #123
Fixed bugs:
- Temporary files are not removed at the end of job #129
- MISP fails to run analyzers #128
- MISP API fails #109
- File_Info issue #53
Merged pull requests:
Copyright (C) 2016-2017 Thomas Franco
Copyright (C) 2016-2017 Saâd Kadhi
Copyright (C) 2016-2017 Jérôme Leonard
