After installing Cortex, the first connection to the Web UI triggers a database update. After that operation, you'll be prompted to create a super administrator account (superAdmin). If this prompt is not completed, there is no way to set the admin password. Hence it will be impossible to connect to Cortex. To reset the operation, you need to delete the corresponding index from Elasticsearch. First, find out what is the current index of Cortex by running the following command on a host where the Elasticsearch DB used by Cortex is located:
$ curl http://127.0.0.1:9200/_cat/indices?vThe indexes that Cortex uses always start withcortex_ following by a number. Let's assume that the output of the command is:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open cortex_1 PC_pLFGBS5G2TNQYr4ajgw 5 1 609 6 2.1mb 2.1mb
yellow open the_hive_13 ft7GGTfhTr-4lSzZw5r1DQ 5 1 180131 3 51.3mb 51.3mbIn this example, the index used by Cortex is cortex_1. To delete it, run the following command (Warning: this will delete everything):
$ curl -X DELETE http://127.0.0.1:9200/cortex_1Then reload the page or restart Cortex.
The MaxMind analyzer includes the GeoLite2 free City and Country databases.
Cortex does not refresh those databases. It is up to you to create a cron job to refresh them at the frequency you want. The files to update are:
analyzers/MaxMind/GeoLite2-City.mmdbanalyzers/MaxMind/GeoLite2-Country.mmdb
You can fetch up-to-date versions from https://dev.maxmind.com/geoip/geoip2/geolite2/.
No configuration is required. If it looks like the analyzer is not working, please clear the cache of your browser and retry. If it still doesn't work, please join TheHive User Discussion Forum or open an issue on GitHub.
The current version of Cortex does not offer that possibility. If you'd like to have it, please request it.
Add the following lines to /etc/cortex/application.conf:
https.port: 9443
play.server.https.keyStore {
path: "/path/to/keystore.jks"
type: "JKS"
password: "password_of_keystore"
}
HTTP can disabled by adding line http.port=disabled.
- To import your certificate in the keystore, depending on your situation, you can follow Digital Ocean's tutorial.
- Make sure the keystore file is owned/can be accessed by the user running Cortex.
Additional information: This is a setting of the Play framework that is documented on its website. Please refer to https://www.playframework.com/documentation/2.5.x/ConfiguringHttps.