Cortex is a free and open-source observable analysis tool created by TheHive Project. Security professionals and SOC analysts use it to analyze collected events by querying a single tool. It offers a web-based interface that allows you to analyze IP and email addresses, URLs, domain names, files, and hashes. Cortex has over a hundred analyzers for popular services such as VirusTotal, Joe Sandbox, DomainTools, PassiveTotal, Google Safe Browsing, Shodan, and Onyphe.
This tutorial will show you how to install the Cortex engine on Ubuntu 22.04.
- A server running Ubuntu 22.04 with a minimum of 16GB of RAM.
- A root password is configured on the server.
Update the System
First, it is recommended to update and upgrade all your system packages to their latest versions. You can do that by running the following commands.
apt update -y
apt upgrade -y
Once all the packages are updated, you can proceed to the next step.
Before starting, Cortex needs a Java runtime on your server. If OpenJDK 11 is not installed yet, you can install it using the following command.
apt install openjdk-11-jre-headless -y
After the successful installation, you can verify the Java installation using the following command.
You will get the following output.
openjdk 11.0.17 2022-10-18 OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu222.04) OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu222.04, mixed mode, sharing)
Next, set the JAVA_HOME environment variable using the following command.
echo JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64" | tee -a /etc/environment
Next, activate the environment variable using the following command.
Once you are done, you can proceed to install and configure ElasticSearch.
Install and Configure ElasticSearch
Cortex also requires ElasticSearch to be installed on your server. First, install all the required dependencies using the following command.
apt install wget gnupg2 apt-transport-https git ca-certificates curl jq software-properties-common lsb-release python3-pip iproute2 -y
Next, add the ElasticSearch GPG key using the following command.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elasticsearch-keyring.gpg
Then, add the ElasticSearch repo to APT using the following command.
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Next, update the repository and install ElasticSearch using the following command.
apt update -y
apt install elasticsearch -y
After the installation, edit the ElasticSearch configuration file and define your cluster name.
Change the following line:
Save and close the file then create a jvm.options file.
Add the following lines:
-Xms1g
-Xmx1g
-Dlog4j2.formatMsgNoLookups=true
Save and close the file when you are finished. Then, restart the ElasticSearch service to apply the changes.
systemctl restart elasticsearch
You can check the status of ElasticSearch with the following command.
systemctl status elasticsearch
You will get the following output.
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-02-06 15:35:54 UTC; 2s ago
       Docs: https://www.elastic.co
   Main PID: 10788 (java)
      Tasks: 80 (limit: 38396)
     Memory: 1.3G
        CPU: 1min 46.185s
     CGroup: /system.slice/elasticsearch.service
             ├─10788 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.t>
             └─10999 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Feb 06 15:35:21 ubuntu2204 systemd: Starting Elasticsearch...
Feb 06 15:35:54 ubuntu2204 systemd: Started Elasticsearch.
Once you are finished, you can proceed to install the Cortex.
Install Cortex Ubuntu 22.04
The Cortex package is not available in the default Ubuntu repositories, so you will need to add the official TheHive Project repo to APT.
First, download and import the Cortex and thehive GPG key using the following command.
wget -qO- "https://raw.githubusercontent.com/TheHive-Project/Cortex/master/PGP-PUBLIC-KEY" | gpg --dearmor -o /etc/apt/trusted.gpg.d/cortex.gpg
wget -qO- https://raw.githubusercontent.com/TheHive-Project/Cortex/master/PGP-PUBLIC-KEY | gpg --dearmor -o /etc/apt/trusted.gpg.d/thehive.gpg
Next, add the Cortex repo to the APT using the following command.
echo 'deb https://deb.thehive-project.org release main' | tee -a /etc/apt/sources.list.d/thehive-project.list
Next, update the repository and install the Cortex with the following command.
apt update -y
apt install cortex -y
Once the Cortex package is installed, you can proceed to configure the Cortex.
Next, you will need to create a secret and define it in your Cortex configuration file. First, create a secret with the following command.
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1
You should see the following output.
Next, edit the Cortex configuration file and define your secret.
Define your secrets as shown below:
Save and close the file when you are done. Then, start and enable the Cortex service using the following command.
systemctl enable --now cortex
You can check the status of the Cortex using the following command.
systemctl status cortex
You will get the following output.
● cortex.service - cortex
     Loaded: loaded (/etc/systemd/system/cortex.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-02-06 15:40:21 UTC; 12s ago
       Docs: https://thehive-project.org
   Main PID: 12544 (java)
      Tasks: 49 (limit: 38396)
     Memory: 491.9M
        CPU: 32.669s
     CGroup: /system.slice/cortex.service
             ├─12544 java -Duser.dir=/opt/cortex -Dconfig.file=/etc/cortex/application.conf -Dlogger.file=/etc/cortex/logback.xml -Dpidfile.p>
             └─13051 /usr/bin/python3 /usr/bin/pip show cortexutils

Feb 06 15:40:21 ubuntu2204 systemd: Started cortex.
At this point, Cortex is started and listens on port 9001. You can check it with the following command.
ss -antpl | grep 9001
You should see the Cortex listening port in the following output.
LISTEN 0 100 *:9001 *:* users:(("java",pid=12544,fd=293))
Once you are done, you can proceed to the next step.
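Before moving on to the web UI, the following script (added here as an example; it is not part of the tutorial or of Cortex itself) double-checks three things from the steps above: that a generated secret is exactly 64 alphanumeric characters, that a jvm.options file carries one flag per line with the log4j mitigation present, and, from ss output, whether port 9001 is bound to every interface (as the *:9001 line above shows) or only to loopback. File paths are whatever the caller passes in; the ss sample at the bottom is constructed.

```shell
#!/usr/bin/env bash
# Added post-install checks for the Cortex / Elasticsearch steps above.
# Not part of the tutorial or of Cortex itself. File paths are whatever the
# caller passes in; the ss sample at the bottom is constructed.

# The secret produced by the tr/fold/head pipeline must be 64 alphanumerics.
valid_secret() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{64}$'
}

# jvm.options takes one JVM flag per line. Fail if any non-comment line holds
# whitespace (several flags crammed together) or the log4j mitigation is missing.
valid_jvm_options() {
  local file="$1"
  if grep -Ev '^[[:space:]]*(#|$)' "$file" | grep -q '[[:space:]]'; then
    return 1
  fi
  grep -Eqx -e '-Dlog4j2\.formatMsgNoLookups=true' "$file"
}

# Read `ss -antpl` output on stdin and report how port 9001 is bound:
# "all" for every interface (*, 0.0.0.0, [::]), "local" for loopback only,
# "none" if nothing is listening on 9001.
cortex_bind_scope() {
  awk '$1 == "LISTEN" && $4 ~ /:9001$/ {
         if ($4 ~ /^(\*|0\.0\.0\.0|\[::\]):/) { print "all";   found = 1; exit }
         if ($4 ~ /^(127\.0\.0\.1|\[::1\]):/) { print "local"; found = 1; exit }
       }
       END { if (!found) print "none" }'
}

# Constructed ss line mirroring the output shown above.
SS_SAMPLE='LISTEN 0 100 *:9001 *:* users:(("java",pid=12544,fd=293))'
demo_bind_scope() {
  printf '%s\n' "$SS_SAMPLE" | cortex_bind_scope
}

scope=$(demo_bind_scope)
echo "cortex 9001 bind scope: $scope"
if [ "$scope" = "all" ]; then
  echo "note: the plain-HTTP web UI is reachable from every interface on this host"
fi
```

A result of "all" means the HTTP interface on 9001 is exposed on every network the host sits on; restricting that with a firewall rule or a reverse proxy is worth doing before the admin account is created in the next step.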
Access Cortex Web UI
Cortex is now installed and configured. Next, open your web browser and access the Cortex web interface using the URL http://your-server-ip:9001. Click on the Update Database button to update the database.
Define your login name, name, password and click on the Create button.
Provide your username, password and click on the Sign In button.
Next, you will need to add your Organization to the Cortex. Click on the Add organization button.
Define your organization name and click on the Save button.
Click on your newly created organization.
Define your username, role and click on the Save user button to create a user.
Congratulations! You have successfully installed and configured the Cortex engine on an Ubuntu 22.04 server. You can now use Cortex as your organization’s observable analysis and active response engine. Feel free to ask me if you have any questions.