TheHive Project maintains a training virtual machine (OVA) containing TheHive, Cortex and Cortex analyzers with all dependencies and ElasticSearch installed on top of Ubuntu 16.04 with Oracle JRE 8.
As of this writing, the training VM includes Cerana 0.7 RC1 (TheHive 3.0.7-RC1), Cortex 1.1.4, TheHive4py 1.4.3, Cortex4py 1.0.0 and the latest Cortex analyzers as of Mar 11, 2018.
Warning: The training VM is solely intended to be used for testing or training purposes. We strongly encourage you to refrain from using it in production.
You can download the VM from the following location:
https://drive.google.com/file/d/0B3G-Due88gfQMmhvdzE0S3R4YTQ/view?usp=sharing
To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:
8264526a2e330f9023ab0e460e7b7e55a039714f42505c07800b9c0c70464408
The system’s login is thehive
and the associated password is thehive1234
.
Note: On starting the newly imported VM from OVA file in VMware Fusion, you may encounter a message asking to upgrade the virtual machine. By clicking on the Upgrade
button you would be able to use the VM as expected.
Start the VM and make sure the /var/log/thehive
and /var/log/cortex
directories exist. If they don't, please use the following commands to create them:
$ sudo mkdir /var/log/thehive && sudo chown thehive:thehive /var/log/thehive && sudo service thehive restart
$ sudo mkdir /var/log/cortex && sudo chown cortex:cortex /var/log/cortex && sudo service cortex restart
To access TheHive, point your browser to the following URL:
To access Cortex, point your browser to the following URL:
The first time you access TheHive, you’ll need to create the associated database by clicking on the Update Database
button as shown below:
TheHive’s configuration file is located in /etc/thehive/application.conf
. For additional configuration, read the documentation.
TheHive is already configured to use the local Cortex service.
To fully benefit from the analyzers, you should install the associated report templates:
- download the report template package
- log in TheHive using an administrator account
- go to Admin > Report templates menu
- click on Import templates button and select the downloaded package
The test VM does not contain a MISP instance and none is configured in TheHive’s configuration file. To play with MISP, you may want to use the VM our good friends at CIRCL provide. Once you’ve downloaded it or if you have an existing instance, edit /etc/thehive/application.conf
and follow the configuration guide.
After each modification of /etc/thehive/application.conf
do not forget to restart the service:
$ sudo service thehive restart
TheHive service logs are located in /var/log/thehive/application.log
.
All available analyzers are installed with their dependencies, but none is configured. To configure analyzers, edit /etc/cortex/application.conf
and follow the configuration guide.
After each modification of /etc/cortex/application.conf
do not forget to restart the service:
$ sudo service cortex restart
Cortex service logs are located in /var/log/cortex/application.log
.
Something does not work as expected? No worries, we got you covered. Please join our user forum, contact us on Gitter, or send us an email at [email protected]. We are here to help.