Cortex Setup and TheHive Integration
Create Cortex admin
- Open http://localhost:9002
- Create an admin account on first visit
- Log in
Create an organisation
- Admin → Organizations → Add organization
- Name: CTI-Lab (match your TheHive org name)
- Create an analyst user within the org
Install analyzers
- Switch to your organisation context
- Go to Organization → Analyzers → Refresh analyzers
- Cortex pulls the analyzer catalog from the URLs listed under analyzer.urls in its application.conf (by default the published Cortex-Analyzers catalog), so the Cortex container needs outbound HTTPS for this step
Recommended analyzers to enable for a CTI lab:
| Analyzer | What it does |
|---|---|
| AbuseIPDB | Check IP reputation |
| Shodan_Host | Shodan data for an IP |
| VirusTotal_GetReport | VT hash/URL/IP lookup |
| MISP_2_1 | Search MISP for IOC matches |
| DomainTools_Iris | Domain WHOIS + DNS history |
| Urlscan_io_Search | urlscan.io scan results |
| IPInfo_1_0 | IP geolocation + ASN |
| MaxMind_GeoIP_2_0 | GeoIP (no API key required) |
For analyzers requiring API keys, click the analyzer → Configuration and enter the key. While you are there, review the analyzer's Max TLP and Max PAP settings: Cortex refuses to run an analyzer on an observable marked above those levels, which is how you stop TLP:RED indicators from being submitted to third-party services such as VirusTotal or urlscan.io.
Generate Cortex API key
- Organization → Users → your user → Create API key
- Copy the key and store it somewhere safe: it is a bearer secret that grants that user's full Cortex permissions, so treat it like a password
Wire Cortex into TheHive
Step 1: Add the key to .env
```bash
echo "CORTEX_API_KEY=<your-cortex-api-key>" >> .env
chmod 600 .env
```
Keep .env out of version control; it now holds a credential.
Step 2: Enable the Cortex connector in TheHive config
Edit config/thehive/application.conf. Uncomment the Cortex block (the URL uses the Compose service name and Cortex's internal port 9001, not the host-mapped 9002):
```hocon
play.modules.enabled += org.thp.thehive.connector.cortex.CortexConnector

cortex {
  servers: [
    {
      name: "cortex"
      url: "http://cortex:9001"
      auth {
        type: bearer
        key: ${?CORTEX_API_KEY}
      }
    }
  ]
}
```
Step 3: Restart TheHive with the new env var
```bash
docker compose up -d thehive
```
The ${?CORTEX_API_KEY} substitution only resolves if the variable is present in the TheHive container's environment; Compose reads .env for interpolation of the compose file but does not pass it into containers on its own, so the thehive service needs an env_file entry or an explicit environment mapping for CORTEX_API_KEY. If the variable is missing, the substitution silently yields no key and the connector fails authentication.
Step 4: Verify the connection in TheHive
Organisation → Cortex servers — the cortex server should show as Connected.
Running an analyzer from TheHive
- Open a case → Observables tab
- Select an observable (IP, domain, hash)
- Click Actions → Analyze
- Select an analyzer and click Run
- Results appear in the observable's Analysis tab once the Cortex job completes: seconds for most reputation lookups, longer for analyzers that wait on a remote scan or hit an API rate limit
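The wiring steps and the analyzer run above both depend on the same things being right: a real key in .env, a file that only you can read, and a Cortex that accepts that key. The script below is an added example, not part of the lab's own tooling or of TheHive/Cortex. It checks those preconditions offline, then talks to Cortex directly over its REST API to confirm the key, list the analyzers TheHive will be offered, and run one analyzer the way the GUI's Actions → Analyze does. It assumes .env sits in the current directory, Cortex is published on the host at CORTEX_URL (default http://localhost:9002), curl is installed, and the Cortex endpoints /api/user/current, /api/analyzer, /api/analyzer/<id>/run and /api/job/<id>/waitreport. Passing the analyzer's name (not its internal id) to the run endpoint is an assumption taken from cortex4py's behaviour; if your Cortex version rejects it, use the id shown by the analyzer listing.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Cortex <-> TheHive wiring, plus a
# direct Cortex API analyzer run. Assumes .env in the current directory and
# Cortex reachable at CORTEX_URL (constructed defaults, adjust as needed).
set -eu

ENV_FILE="${ENV_FILE:-.env}"
CORTEX_URL="${CORTEX_URL:-http://localhost:9002}"

# Pull CORTEX_API_KEY out of a dotenv file without sourcing it (sourcing would
# execute anything else the file contains). Last definition wins, quotes dropped.
read_env_key() {
  grep -E '^CORTEX_API_KEY=' "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'"'"
}

# Reject an empty key or the placeholder copied verbatim from the docs.
validate_key() {
  case "$1" in
    ""|"<your-cortex-api-key>") return 1 ;;
  esac
  [ "${#1}" -ge 20 ]
}

# .env now holds a bearer secret: only the owner should be able to read it.
check_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Who does Cortex think this key belongs to? A 401 here means TheHive will
# show the server as disconnected no matter what application.conf says.
cortex_whoami() {
  curl -fsS -H "Authorization: Bearer $1" "$CORTEX_URL/api/user/current"
}

# Analyzers enabled for the key's organisation: what TheHive will offer.
cortex_analyzers() {
  curl -fsS -H "Authorization: Bearer $1" "$CORTEX_URL/api/analyzer"
}

# Submit one observable to an analyzer and block until the report is ready.
# $1 key, $2 analyzer name or id, $3 dataType (ip|domain|hash|url), $4 value.
# tlp=2 (amber) mirrors what TheHive sends for an amber observable; Cortex
# refuses the job if this exceeds the analyzer's Max TLP.
run_analyzer() {
  job=$(curl -fsS -X POST -H "Authorization: Bearer $1" \
        -H 'Content-Type: application/json' \
        -d "{\"data\":\"$4\",\"dataType\":\"$3\",\"tlp\":2}" \
        "$CORTEX_URL/api/analyzer/$2/run")
  job_id=$(printf '%s' "$job" | grep -o '"id":"[^"]*"' | head -n 1 | cut -d'"' -f4)
  [ -n "$job_id" ] || { echo "no job id in response: $job" >&2; return 1; }
  curl -fsS -H "Authorization: Bearer $1" \
       "$CORTEX_URL/api/job/$job_id/waitreport?atMost=60second"
}

# Usage: sh cortex_check.sh run [ANALYZER DATATYPE VALUE]
if [ "${1:-}" = "run" ]; then
  key=$(read_env_key "$ENV_FILE")
  validate_key "$key" || { echo "CORTEX_API_KEY missing or still the placeholder in $ENV_FILE" >&2; exit 1; }
  check_perms "$ENV_FILE" || echo "warning: $ENV_FILE is readable by others; run chmod 600 $ENV_FILE" >&2
  cortex_whoami "$key"; echo
  cortex_analyzers "$key" | grep -o '"name":"[^"]*"' | sort -u
  if [ $# -ge 4 ]; then
    run_analyzer "$key" "$2" "$3" "$4"
  fi
fi
```

Run it as `sh cortex_check.sh run` after Step 1 and before restarting TheHive: if the whoami call returns 401, fix the key before touching application.conf. Add an analyzer, type and value (for example `run MaxMind_GeoIP_2_0 ip 8.8.8.8`) to exercise the same job flow TheHive uses; the JSON it prints is the report TheHive renders in the Analysis tab.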