Cortex solves a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several? Thanks to its many analyzers and to its RESTful API, Cortex makes observable analysis a breeze, particularly if called from TheHive, our highly popular, free and open source Security Incident Response Platform.
Starting from Cortex version 2, you can create and manage multiple organizations (i.e multi-tenancy), manage the associated users and give them different roles. You can also specify per-org analyzer configuration and rate limits to avoid consuming all your quotas at once. We have also added a cache so that an analysis is not re-executed for the same observable if a given analyzer is called on that observable several times within a specific timespan (10 minutes by default).
Note: This is the Cortex documentation repository. If you are looking for its source code, please visit https://github.com/CERT-BDF/Cortex/.
Note: Cortex4py, the Python lib to submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms & custom scripts, does not support Cortex 2 yet. It will be updated soon.
Note: If you are looking for the Cortex 1 documentation, please check the cortex-1 branch.
Cortex uses a Java VM. We recommend using a virtual machine with 8vCPU, 8 GB of RAM and 10 GB of disk. You can also use a physical machine with similar specifications.
Cortex can be installed using:
Cortex can also be built from sources.
Once you have installed Cortex, you need to install the analyzers and configure them.
- API Documentation (OUTDATED, will be updated soon)
- How to Create an Analyzer (OUTDATED, will be updated soon)
Cortex is an open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensure that TheHive will remain a free and open source project on the long-run.
Information, news and updates are regularly posted on TheHive Project Twitter account and on the blog.
We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests using issues.
We do have a Code of conduct. Make sure to check it out before contributing.
Please open an issue on GitHub if you'd like to report a bug or request a feature. We are also available on Gitter to help you out.
If you need to contact the Project's team, send an email to [email protected].
Important Note:
- If you have troubles with a Cortex analyzer or would like to request a new one or an improvement to an existing analyzer, please open an issue on the analyzers' dedicated GitHub repository.
- If you encounter an issue with TheHive or would like to request the addition of a feature in it, please open an issue on its dedicated GitHub repository.
- If you have problems with Cortex4py, please open an issue on its dedicated repository.
We have set up a Google forum at https://groups.google.com/a/thehive-project.org/d/forum/users. To request access, you need a Google account. You may create one using a Gmail address or without it.