diff --git a/conf/application.sample b/conf/application.sample index df72d66e1..816646ba0 100644 --- a/conf/application.sample +++ b/conf/application.sample 
@@ -6,31 +6,84 @@ # # IMPORTANT: If you deploy your application to several instances, make # sure to use the same key. -#play.crypto.secret="***CHANGEME***" +#play.http.secret.key="***CHANGEME***" + +## ElasticSearch +search { + # Name of the index + index = cortex + # Name of the ElasticSearch cluster + cluster = hive + # Address of the ElasticSearch instance + host = ["127.0.0.1:9300"] +} -## ANALYZERS -# -# This section holds the configuration of the analyzers. -# -# Please note that MISP expansion modules have their separate section -# (see MISP EXPANSION MODULES below). -# -# NOTE: you are highly advised to remove the configuration parts related -# to unneeded/unused analyzers. +## Cache # -# NOTE: if you don't need an analyzer, please remove the corresponding -# directory. For example, if you don't use 'MaxMind', remove: -# /path/to/Cortex-Analyzers/analyzers/MaxMind -# -# WARNING: there is overlap between Cortex native analyzers and MISP -# expansion modules. We highly advise you to use native analyzers -# whenever possible. +# If an analyzer is executed against the same observable, the previous report can be returned without re-executing the +# analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes). +cache.job = 10 minutes + +## Authentication +auth { + # "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful + # for migration. + # The available auth types are: + # - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No + # configuration are required. + # - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in + # the "ad" section below. + # - ldap : use LDAP to authenticate users. The associated configuration shall be done in the + # "ldap" section below. + provider = [local] + + ad { + # The Windows domain name in DNS format. 
This parameter is required if you do not use + # 'serverNames' below. + #domainFQDN = "mydomain.local" + + # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN + # above. If this parameter is not set, TheHive uses 'domainFQDN'. + #serverNames = [ad1.mydomain.local, ad2.mydomain.local] + + # The Windows domain name using short format. This parameter is required. + #domainName = "MYDOMAIN" + + # If 'true', use SSL to connect to the domain controller. + #useSSL = true + } + + ldap { + # The LDAP server name or address. The port can be specified using the 'host:port' + # syntax. This parameter is required if you don't use 'serverNames' below. + #serverName = "ldap.mydomain.local:389" + + # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead. + #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local] + + # Account to use to bind to the LDAP server. This parameter is required. + #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local" + + # Password of the binding account. This parameter is required. + #bindPW = "***secret*password***" + + # Base DN to search users. This parameter is required. + #baseDN = "ou=users,dc=mydomain,dc=local" + + # Filter to search user in the directory server. Please note that {0} is replaced + # by the actual user name. This parameter is required. + #filter = "(cn={0})" + + # If 'true', use SSL to connect to the LDAP directory server. + #useSSL = true + } +} + +## ANALYZERS # -# WARNING: DO NOT CONFIGURE A CORTEX ANALYZER AND A MISP MODULE FOR THE -# SAME SERVICE. analyzer { # Absolute path where you have pulled the Cortex-Analyzers repository. - path = "path/to/Cortex-Analyzers/analyzers" + path = ["path/to/Cortex-Analyzers/analyzers"] # Sane defaults. Do not change unless you know what you are doing. fork-join-executor { 
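Review bot: In the new `auth` block the comment lists the first provider as `services.LocalAuthSrv` while the value set is `provider = [local]` and the other two are named by their short keys (`ad`, `ldap`), so a reader cannot tell which spelling the setting accepts; the comment should name `local`, `ad` and `ldap` exactly as the value does. The `ad` sub-block's comment refers to TheHive in what is otherwise a Cortex sample and leaves the quote around `'domainFQDN` unclosed — this looks copied from another project's sample, so I would change it to `# above. If this parameter is not set, Cortex uses 'domainFQDN'.` and verify the product name. Above `#bindPW` the sample should say that the value is read in clear text from this file and how to keep it out of it, e.g. `# Clear-text credential: restrict this file's permissions, or set it from the environment with bindPW = ${?BIND_PW_VAR}` (HOCON `${?VAR}` falls back to the environment variable; `BIND_PW_VAR` is a placeholder name). `useSSL` is commented out in both `ad` and `ldap` without stating which value applies when the key is absent; the comment should name the default so operators know whether the directory bind leaves the host unencrypted.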
@@ -44,393 +97,6 @@ analyzer { # Max number of threads available for analysis. parallelism-max = 4 } - - # Analyzer configuration - config { - #global { - # proxy { - # http="http://PROXYIP:PORT", - # https="http://PROXYIP:PORT" - # } - #} - - # C1fApp : an API key is required. It can be obtained on - # https://www.c1fapp.com/ - C1fApp { - #service="query" - #key="..." - #url="https://www.c1fapp.com/cifapp/api/" - } - - # Censys: an API ID and secret key are required. This can be - # retrieved on https://censys.io/ - Censys { - #uid="MYUID" - #key="MYKEY" - } - - # CIRCLPassiveDNS: this analyzer requires credentials that may be - # obtained from https://www.circl.lu/contact/. - CIRCLPassiveDNS { - #user= "..." - #password= "..." - } - - # CIRCLPassiveSSL: this analyzer requires credentials that may be - # obtained from https://www.circl.lu/contact/. - CIRCLPassiveSSL { - #user= "..." - #password= "..." - } - - # DNSDB: an API key is required. This is a commercial service. - DNSDB { - #server="https://api.dnsdb.info" - #key = "..." - } - - # DomainTools: a username and an API key are required. This is a - # commercial service. - DomainTools { - #username="..." - #key="..." - } - - # EmergingThreats: this analyzer needs a Proofpoint Emerging Threats - # Intelligence API key. This is a commercial service. - # See https://www.proofpoint.com/us/products/et-intelligence - EmergingThreats { - #key = "..." - } - - # FireHOLBlocklists: this analyzer needs you to download the FireHOL - # block lists first to a directory. Use 'git' for that purpose. We - # advise you to keep the lists fresh by adding a cron entry to - # regularly download them for example. Then you need to specify the - # directory where the lists have been downloaded and an optional - # parameter to ignore all lists that have not been updated in the - # last N days. - FireHOLBlocklists { - #blocklistpath = "" - #ignoreolderthandays="" - } - - # GoogleSafebrowsing: this analyzer requires an API key. 
It can be - # obtained from https://developers.google.com/safe-browsing/. - GoogleSafebrowsing { - #key = "..." - } - - # Hippocampe: this analyzer queries TheHive Project's Hippocampe - # product. You need to install it and provide the corresponding URL. - Hippocampe { - #url="..." - } - - # HybridAnalysis: this analyzer needs the API key associated with a - # Hybrid Analysis account. You can open one for free. - # See https://www.hybrid-analysis.com/ - - HybridAnalysis { - #secret = "..." - #key = "..." - } - # JoeSandbox: this analyzer can be used for Joe Sandbox cloud or for - # the on-premises version, not both. You need to supply the URL of - # the sandbox and the corresponding API key. This is a commercial - # service. - JoeSandbox { - #url = "..." - #key = "..." - } - - # MISP: this analyzer requires the URL of a MISP instance and the - # corresponding API key. - MISP { - #url=["https://mymispserver_1", "https://mymispserver_2"] - #key=["mykey_1", "mykey_2" ] - #certpath=["", ""] - #name=["misp_server_name_1", "misp_server_name_2"] - } - - # MISP WarningLists: this analyzer need to clone the MISP - # WarningLists to a local directory. Use 'git' for that purpose. - # We advise you to keep the lists fresh by adding a cron entry - # to regularly download them for example. Then you need to specify - # the directory where the lists have been downloaded require the - # path or MISP WarningLists local repository. - MISPWarningLists { - #path = "/path/to/misp-warninglists/repository" - } - - # Nessus: this analyzer requires the URL of the Tenable Nessus - # Professional scanner, a login and a password, the scan policy to - # use, a CA bundle to validate the web app's X509 cert against. You - # are also highly advised to configure the networks that the scanner - # is allowed to scan. Otherwise, you might end up scanning assets - # that you are not authorized to and be held liable for any - # resulting damage. Nessus is a commercial product. - Nessus { - #url ="..." 
- #login="..." - #password="..." - #policy="..." - #ca_bundle="..." - #allowed_networks=[ 'x.y.z.t/8', 'a.b.c.d/24', ... ] - } - - # Onyphe: this analyzer requires an API key. You can get it from - # https://www.onyphe.io/. - Onyphe { - #key = "..." - } - # OTXQuery: this service requires an API key. If you are an - # AlienVault USM/OSSIM user, you already have one. Depending on your - # usage, you can use a free API key or a paid one. - # See https://otx.alienvault.com/api/ - OTXQuery { - #key="..." - } - - # PassiveTotal: this analyzer requires a username and an API key. - # Depending on your usage, you can use a free API key or a paid one. - # See https://passivetotal.org/ - PassiveTotal { - #username="..." - #key="..." - } - - # PayloadSecurity: this analyzer requires several information from - # your on premise PayloadSecurity sandbox service. This is a - # commercial service. - PayloadSecurity { - #url = "..." - #key="..." - #secret="..." - #environmentid="..." - #verifyssl=True - } - - # PhishingInitiative: this analyzer requires an API key. - # See https://phishing-initiative.fr/contrib/ - PhishingInitiative { - #key="..." - } - - # PhishTank: this analyzer requires an API key. - # See https://www.phishtank.com/api_info.php - PhishTank { - #key="..." - } - - # SinkDB: this analyzer requires an API key. It can be retrieved on - # https://sinkdb.abuse.ch/login/. Access to the SinkDB service is - # allowed to trusted partners only. - SinkDB { - #key="..." - } - - # Shodan: this analyzer requires an API key. - # For best results, use a Membership level account otherwise a free - # one would work with limited results. - # See https://www.shodan.io/ - Shodan { - # key = "..." - } - - # Tor Blumagie: local configuration is needed for this analyzer. It - # uses a caching mechanism in order to save some time when doing - # multiple queries, so the configuration includes parameter - # regarding the cache directory and the duration of caching. 
- TorBlutmagie { - #cache { - #duration=3600 - #root=/tmp/cortex/tor_project - #} - } - - # Tor Project: local configuration is needed for this analyzer. It - # uses a caching mechanism in order to save some time when doing - # multiple queries, so the configuration includes parameter - # regarding the cache directory, the duration of caching and the - # threshold in seconds for exit nodes before they get discarded. - TorProject { - #cache { - #duration=3600 - #root=/tmp/cortex/tor_project - #ttl=86400 - #} - } - - # Virusshare: this analyzer needs a local copy of Virusshare's hash - # lists. The 'path' parameter lets you configure the directory where - # you've downloaded those lists. To download them, please use the - # 'download_hashes.py' script that is located in the same directory - # as the analyzer. You may want to regularly download the lists - # using a cron entry or a similar system. - Virusshare { - #path = "..." - } - - # VirusTotal: this analyzer requires an API key. Depending on your - # usage, you can use a free API key or paid one. - # See https://www.virustotal.com - VirusTotal { - #key="..." - } - - # Web Of Trust: this analyzer requires an API key. Depending on your - # usage, you can use a free API key or paid one. - # See https://www.mywot.com/wiki/API#Registration - WOT { - #key="..." - } - - # VMRay: this analyzer requires the URL of a VMRay Analyzer - # Platform, the associated API key and a cert path to validate the - # X.509 certificate against when applicable. This is a commercial - # offering. - # See https://www.vmray.com/products/ - VMRay { - #url = "..." - #key = "..." - #certpath = "..." - - # WOT: this analyzer requires an API key. You can obtain one for - # free by signing up for an account at: - # https://www.mywot.com/en/signup?destination=profile/api - WOT { - #key="..." - } - - # Yara: this analyzer needs files and directories where your YARA - # rules are located. 
If you supply a directory, the analyzer expects - # to find an 'index.yar' or 'index.yas' file. The index file can - # include other rule files. An example can be found in the Yara- - # rules repository: - # https://github.com/Yara-Rules/rules/blob/master/index.yar - Yara { - #rules=["/path/a", "/path/b", "/path/my/rules.yar"] - } - - # Yeti: this analyzer needs the URL of a YETI instance. - Yeti { - #url ="..." - } - } - -} - -## MISP EXPANSION MODULES -# -# This section holds the configuration of the MISP expansion modules -# which Cortex can use as analyzers. They are disabled by default. If -# you need to enable them, change the value of the 'enabled' parameter -# to 'true'. -# -# WARNING: there is overlap between Cortex native analyzers and MISP -# expansion modules. We highly advise you to use native analyzers -# whenever possible. -# -# WARNING: DO NOT CONFIGURE A CORTEX ANALYZER AND A MISP MODULE FOR THE -# SAME SERVICE. -misp.modules { - enabled = false - - # Refer to https://github.com/MISP/misp-modules#expansion-modules for - # the configuration of the MISP expansion modules. 
- config { - - shodan { - #apikey = "" - } - - eupi { - #apikey = "" - #url = "" - } - - passivetotal { - #username = "" - #api_key = "" - } - - dns { - #nameserver = "" - } - - whois { - #server = "" - #port = "" - } - - sourcecache { - #archivepath = "" - } - - geoip_country { - } - - circl_passivessl { - #username = "" - #password = "" - } - - iprep { - #apikey = "" - } - - countrycode { - } - - cve { - } - - virustotal { - #apikey = "" - #event_limit = "" - } - - ipasn { - #host = "" - #port = "" - #db = "" - } - - circl_passivedns { - #username = "" - #password = "" - } - - vmray_submit { - #apikey = "" - #url = "" - #shareable = "" - #do_not_reanalyze = "" - #do_not_include_vmrayjobids = "" - } - - wiki { - } - - domaintools { - #username = "" - #api_key = "" - } - - reversedns { - #nameserver = "" - } - - threatminer { - } - - asn_history { - #host = "" - #port = "" - #db = "" - } - } } # It's the end my friend. Happy hunting!