Top Related Projects
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Open Cyber Threat Intelligence Platform
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
AIL framework - Analysis Information Leak framework. Project moved to https://github.com/ail-project
Fast Incident Response
Quick Overview
Cortex is an open-source security orchestration, automation, and response (SOAR) platform designed to analyze observables and automate response actions. It works in conjunction with TheHive, a scalable security incident response platform, to enhance threat intelligence and incident response capabilities for security teams.
Pros
- Seamless integration with TheHive for efficient incident response workflows
- Supports a wide range of analyzers and responders for various security tasks
- Highly customizable and extensible through a plugin system
- Provides a user-friendly web interface for managing and executing analyses
Cons
- Steep learning curve for newcomers to SOAR platforms
- Limited standalone functionality without TheHive integration
- Requires significant setup and configuration for optimal performance
- Documentation can be sparse or outdated for some features
Getting Started
To get started with Cortex, follow these steps:
- Install Cortex:
  docker pull thehiveproject/cortex:latest
- Run Cortex:
  docker run -d --name cortex \
    -p 9001:9001 \
    thehiveproject/cortex:latest
- Access the Cortex web interface at http://localhost:9001 and create an admin account.
- Configure analyzers and responders in the Cortex web interface.
- Integrate Cortex with TheHive for enhanced incident response capabilities.
For more detailed instructions and configuration options, refer to the official Cortex documentation.
Competitor Comparisons
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Pros of MISP
- More comprehensive threat intelligence platform with built-in sharing capabilities
- Larger and more active community, resulting in frequent updates and extensive documentation
- Supports a wider range of data types and formats for threat intelligence
Cons of MISP
- Steeper learning curve due to its extensive features and complexity
- Can be resource-intensive, especially for smaller organizations
- May require more configuration and customization to fit specific use cases
Code Comparison
MISP (Python):
  import uuid

  # Enclosing class name is not shown in the original snippet; MISPObject is a placeholder
  class MISPObject:
      @staticmethod
      def get_uuid():
          # Every MISP object carries a random UUID4 as its identifier
          return str(uuid.uuid4())

      def __init__(self):
          self.uuid = self.get_uuid()
Cortex (Scala):
  def createJob(analyzerId: String, artifact: Artifact): Future[Job] = {
    val job = Job(analyzerId = analyzerId, artifact = artifact)
    jobSrv.create(job)
  }
While both projects serve different purposes in the cybersecurity ecosystem, this comparison highlights some key differences. MISP focuses on threat intelligence sharing and collaboration, while Cortex specializes in observable analysis and automated response. The code snippets demonstrate their different implementation languages and approaches to handling data and jobs.
Open Cyber Threat Intelligence Platform
Pros of OpenCTI
- More comprehensive threat intelligence platform with a wider range of features
- Better visualization capabilities for complex threat landscapes
- Stronger focus on knowledge management and collaborative analysis
Cons of OpenCTI
- Steeper learning curve due to its complexity
- Requires more resources to set up and maintain
- May be overkill for smaller organizations or simpler use cases
Code Comparison
OpenCTI (Python):
  from pycti import OpenCTIApiClient

  api_client = OpenCTIApiClient("https://demo.opencti.io", "API_KEY")
  malware = api_client.malware.create(
      name="Malware Example",
      description="A malware for demonstration"
  )
Cortex (Scala):
  import scala.concurrent.Future
  import org.thp.cortex.services.UserSrv

  class AnalyzerSrv(userSrv: UserSrv) {
    def analyze(analyzerId: String, artifact: Artifact): Future[Report] = {
      // Analyzer logic here (left unimplemented in the snippet)
      ???
    }
  }
OpenCTI offers a more extensive API for threat intelligence management, while Cortex focuses on specific analyzer functions. OpenCTI's code demonstrates creating a malware entity, showcasing its broader scope in threat data modeling. Cortex's code snippet highlights its analyzer-centric approach, which is more suitable for specific security operations tasks.
TheHive: a Scalable, Open Source and Free Security Incident Response Platform
Pros of TheHive
- Comprehensive incident response platform with case management capabilities
- Integrates seamlessly with Cortex for automated analysis and response
- Supports collaboration among team members with real-time updates
Cons of TheHive
- Steeper learning curve due to more complex features
- Requires more resources to set up and maintain
- May be overkill for smaller organizations with simpler security needs
Code Comparison
TheHive (Python, thehive4py):
  from thehive4py.api import TheHiveApi
  from thehive4py.models import Case

  api = TheHiveApi('http://localhost:9000', 'api_key')
  case = Case(title='Suspicious Activity', description='Investigate unusual network traffic')
  response = api.create_case(case)
Cortex (Python, cortex4py 2.x):
  from cortex4py.api import Api

  api = Api('http://localhost:9001', 'api_key')
  # Submit one observable to the FileInfo analyzer; the returned Job can be polled for its report
  job = api.analyzers.run_by_name('FileInfo_5_2', {
      'data': 'suspicious_file.exe',
      'dataType': 'file',
      'tlp': 1
  })
TheHive is a full-featured incident response platform, while Cortex focuses on automated analysis and enrichment. TheHive offers more comprehensive case management and collaboration tools, but may be more complex to set up. Cortex is more specialized for automated analysis tasks and can be used independently or integrated with TheHive for enhanced functionality.
AIL framework - Analysis Information Leak framework. Project moved to https://github.com/ail-project
Pros of AIL-framework
- More comprehensive analysis capabilities for various data types (text, images, etc.)
- Better suited for large-scale data processing and analysis
- Modular architecture allows for easy extension and customization
Cons of AIL-framework
- Steeper learning curve due to its complexity
- Requires more resources to set up and maintain
- Less focus on integration with other security tools compared to Cortex
Code Comparison
AIL-framework (Python):
  from packages import Item
  from pubsublogger import publisher

  class AILFeeder:
      def __init__(self):
          self.subscriber_name = "feeder"
          self.publisher = publisher

      def process_item(self, item):
          # Process and publish item (body omitted in the original snippet)
          pass
Cortex (Scala):
  import scala.concurrent.Future
  import org.thp.cortex.models.Analyzer

  class CustomAnalyzer extends Analyzer {
    override def analyze(artifact: String): Future[Report] = {
      // Perform analysis and return report (left unimplemented in the snippet)
      ???
    }
  }
The code snippets showcase the different approaches: AIL-framework focuses on data processing and publishing, while Cortex emphasizes analyzer implementation for specific artifacts.
Fast Incident Response
Pros of FIR
- Lightweight and easy to set up, making it suitable for smaller organizations
- Focuses specifically on incident response, providing a streamlined workflow
- Includes built-in reporting features for generating incident reports
Cons of FIR
- Less extensive integration capabilities compared to Cortex
- Limited automation features for threat intelligence enrichment
- Smaller community and fewer regular updates
Code Comparison
FIR (Python, Django model):
  from django.db import models
  from django.utils import timezone

  class Incident(models.Model):
      date = models.DateTimeField(default=timezone.now, blank=True)
      is_starred = models.BooleanField(default=False)
      subject = models.CharField(max_length=256)
      description = models.TextField()
Cortex (Scala):
  case class Job(
      id: String,
      organization: String,
      status: JobStatus,
      dataType: String,
      data: String,
      analyzerId: String,
      analyzerName: String
  )
FIR focuses on incident management with a simple model structure, while Cortex emphasizes job processing for threat intelligence analysis.
README
Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several?
Cortex, an open source and free software, has been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API.
By using Cortex, you won't need to reinvent the wheel every time you'd like to use a service or a tool to analyze an observable and help you investigate the case at hand. Leverage one of the several analyzers it contains and, if you are missing a tool or a service, create a suitable program easily and make it available for the whole team (or better, for the whole community) thanks to Cortex.
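The REST API automation mentioned above, as an added example that is not part of the Cortex project or its documentation: a minimal client that submits one observable to an analyzer and waits for the report. The endpoint paths follow the Cortex 2 REST API (POST /api/analyzer/<id>/run, GET /api/job/<id>/waitreport, bearer-token authentication); the analyzer id, job id and report contents in the fake transport are constructed for the offline demo, and the transport callable is an injection point so the logic can be exercised without a running Cortex.

```python
"""Minimal Cortex 2 REST client (added example, not project code)."""
import json
import urllib.request
from typing import Callable, Optional

# transport(method, url, json_body_or_None, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], dict], dict]


def http_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Real transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


class CortexClient:
    def __init__(self, base_url: str, api_key: str, transport: Transport = http_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        # Cortex 2 authenticates API calls with a bearer token issued per user/org
        self.headers = {"Authorization": f"Bearer {api_key}",
                        "Content-Type": "application/json"}

    def run_analyzer(self, analyzer_id: str, data: str, data_type: str, tlp: int = 2) -> str:
        """Submit one observable; returns the job id (report is produced asynchronously)."""
        url = f"{self.base_url}/api/analyzer/{analyzer_id}/run"
        job = self.transport("POST", url,
                             {"data": data, "dataType": data_type, "tlp": tlp}, self.headers)
        return job["id"]

    def wait_report(self, job_id: str, at_most: str = "30seconds") -> dict:
        """Block server-side until the job finishes (or at_most elapses) and return the job."""
        url = f"{self.base_url}/api/job/{job_id}/waitreport?atMost={at_most}"
        return self.transport("GET", url, None, self.headers)


def taxonomies(job: dict) -> list:
    """Flatten a finished job's summary taxonomies into 'ns:pred=value (level)' strings.
    Anything but a successful job yields an empty list so callers never read a partial report."""
    if job.get("status") != "Success":
        return []
    taxes = job.get("report", {}).get("summary", {}).get("taxonomies", [])
    return [f"{t['namespace']}:{t['predicate']}={t['value']} ({t['level']})" for t in taxes]


def analyze_observable(client: CortexClient, analyzer_id: str, data: str, data_type: str) -> list:
    job_id = client.run_analyzer(analyzer_id, data, data_type)
    return taxonomies(client.wait_report(job_id))


def make_fake_transport(log: list) -> Transport:
    """Constructed stand-in for a Cortex server: records requests, returns canned answers."""
    def fake(method, url, body, headers):
        log.append((method, url, body))
        if method == "POST":
            return {"id": "JOB-CONSTRUCTED-1", "status": "Waiting"}  # constructed job id
        return {"status": "Success", "report": {"summary": {"taxonomies": [
            {"level": "malicious", "namespace": "Demo", "predicate": "Lookup", "value": "match"}]}}}
    return fake


if __name__ == "__main__":
    calls = []
    client = CortexClient("http://localhost:9001", "API_KEY_PLACEHOLDER",
                          transport=make_fake_transport(calls))
    print(analyze_observable(client, "Example_Analyzer_1_0", "a" * 64, "hash"))
    for c in calls:
        print(c)
```

With the real transport, `CortexClient("http://localhost:9001", key)` talks to the container started in the Getting Started steps; the `tlp` sent with each job matters because analyzers can be configured to refuse observables above a given TLP.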
Cortex and TheHive
Along with MISP, Cortex is the perfect companion for TheHive. TheHive lets you analyze tens or hundreds of observables in a few clicks by leveraging one or several Cortex instances depending on your OPSEC needs and performance requirements. Moreover, TheHive comes with a report template engine that allows you to adjust the output of Cortex analyzers to your taste instead of having to create your own JSON parsers for Cortex output.
Cortex and MISP
Cortex can be integrated with MISP in two ways:
- Cortex can invoke MISP modules
- MISP can invoke Cortex analyzers
Try it
To try Cortex, you can use the training VM or install it by reading the Installation Guide.
Details
Architecture
Cortex is written in Scala. The front-end uses AngularJS with Bootstrap. Its REST API is stateless which allows it to be horizontally scalable. The provided analyzers are written in Python. Additional analyzers may be written using the same language or any other language supported by Linux.
Analyzers
Thanks to Cortex, you can analyze different types of observables using tens of analyzers. As of April 14, 2018, there are 39 publicly available analyzers. Most analyzers come in different flavors. For example, using the VirusTotal analyzer, you can submit a file to VT or simply check the latest available report associated with a file or a hash. The full analyzer list, including flavors and requirements, is maintained in the Cortex Analyzers Requirements Guide.
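What "written in Python or any other language" and "flavors" mean in practice, as an added example that is neither a Cortex analyzer from the project nor code from its documentation: Cortex launches the analyzer program with a JSON job on stdin (data, dataType, tlp, config) and reads a JSON report from stdout carrying `success`, and on success `summary.taxonomies`, `full` and `artifacts`. The same program serves several flavors by branching on `config.service`, and it should refuse observables whose TLP exceeds the configured `max_tlp` rather than leak them to an external service. This version uses no cortexutils dependency, the analyzer name and the known-bad hash set are constructed, and the data-type and hash-length checks are the author's assumptions about sensible input validation.

```python
"""Cortex analyzer contract, stdin JSON in / stdout JSON out (added example)."""
import json
import re
import sys

# Constructed sample data for the demo: not real indicators
KNOWN_BAD_HASHES = {"deadbeef" * 8}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def taxonomy(level: str, namespace: str, predicate: str, value: str) -> dict:
    """One summary entry; TheHive renders these as colored tags (info/safe/suspicious/malicious)."""
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": value}


def error(message: str) -> dict:
    return {"success": False, "errorMessage": message}


def analyze(job: dict) -> dict:
    """Produce the report dict for one Cortex job; the flavor comes from config.service."""
    config = job.get("config", {})
    service = config.get("service", "lookup")
    data = job.get("data", "")
    data_type = job.get("dataType")

    # Refuse to process anything above the TLP the operator allowed for this analyzer
    if job.get("tlp", 2) > config.get("max_tlp", 2):
        return error("TLP is higher than allowed (max_tlp)")
    if data_type != "hash":
        return error(f"unsupported dataType {data_type!r}")
    if not HEX_RE.match(data) or len(data) not in ALGO_BY_LENGTH:
        return error("data is not an MD5/SHA-1/SHA-256 hex digest")
    digest = data.lower()

    if service == "lookup":          # flavor 1: check the hash against a local list
        hit = digest in KNOWN_BAD_HASHES
        full = {"hash": digest, "known_bad": hit, "service": service}
        tax = taxonomy("malicious" if hit else "safe", "HashDemo", service,
                       "match" if hit else "no match")
    elif service == "format":        # flavor 2: only report which algorithm produced it
        algo = ALGO_BY_LENGTH[len(digest)]
        full = {"hash": digest, "algorithm": algo, "service": service}
        tax = taxonomy("info", "HashDemo", service, algo)
    else:
        return error(f"unknown flavor {service!r}")

    # artifacts would list observables extracted during analysis (e.g. related IPs); none here
    return {"success": True, "summary": {"taxonomies": [tax]}, "full": full, "artifacts": []}


def main() -> None:
    """Entry point used when Cortex runs this file: job on stdin, report on stdout."""
    json.dump(analyze(json.load(sys.stdin)), sys.stdout)


if __name__ == "__main__":
    main()
```

Registering the two flavors means two analyzer definition files pointing at the same command with different `service` values in their base configuration; the program itself stays one file.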
Documentation
We have made several guides available in the Documentation repository.
License
Cortex is an open source and free software released under the AGPL (Affero General Public License). We, TheHive Project, are committed to ensuring that Cortex will remain a free and open source project in the long run.
Updates
Information, news and updates are regularly posted on TheHive Project's Twitter account and on the blog.
Contributing
We welcome your contributions, particularly new analyzers that can take the load off overworked fellow analysts. Please feel free to fork the code, play with it, make some patches and send us pull requests, referencing the related issues.
We do have a Code of conduct. Make sure to check it out before contributing.
Support
Please open an issue on GitHub if you'd like to report a bug or request a feature.
Important Note: if you encounter an issue with an analyzer or would like to request a new one or an improvement to an existing analyzer, please open an issue on the analyzers' dedicated GitHub repository. If you have problems with TheHive or would like to request a TheHive-related feature, please open an issue on its dedicated GitHub repository.
Alternatively, if you need to contact the project team, send an email to support@thehive-project.org.
Community Discussions
We have set up a Google forum at https://groups.google.com/a/thehive-project.org/d/forum/users. To request access, you need a Google account. You may create one using a Gmail address or without one.
Website