DomainTools Iris Integration for TheHive and Cortex
Installing the DomainTools Iris App
Prerequisites
- Cortexutils – https://github.com/TheHive-Project/cortexutils
- domaintools_api – https://github.com/DomainTools/python_api
- python_version < '3.5'
- DomainTools API key
- Deployment script (optional) – TBD
- Analyzer and Responders (for manual deployments) – TBD
Deploy App
Follow these steps to install the integration components in your local environment:
- SSH into the Cortex instance.
- The deployment script (listed in Prerequisites) automates cloning and deploying the components. Run it from the home directory:
./hc_setup.sh
- If the script ran successfully, skip the rest of this section. Otherwise, install the components manually as follows:
- Change directory to the Cortex analyzer home:
cd /opt/Cortex-Analyzers/analyzers
- Create a folder for DomainTools:
mkdir DomainToolsIris
- Import the analyzer: copy the downloaded analyzer files into that folder under the analyzer home:
/opt/Cortex-Analyzers/analyzers/<foldername>
- Import the report templates: copy them into the Cortex template home directory:
cp -af ~/cortex/thehive-templates/DomainToolsIris* /opt/Cortex-Analyzers/thehive-templates
- Import the responders (optional): copy them into the responder home directory:
cp -af ~/cortex/responders/DomainToolsIris* /opt/Cortex-Analyzers/responders
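The manual steps above, collected into one helper with the checks a deployment should make before handing the tree to Cortex. This is an added example, not the project's hc_setup.sh; the checkout layout it expects ($SRC/analyzers/DomainToolsIris, $SRC/thehive-templates, $SRC/responders), the responder name and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's hc_setup.sh: the manual deployment steps
# with sanity checks. The checkout layout and sample file names are assumed.
set -eu

# Copy the DomainToolsIris analyzer, report templates and (optional)
# responders from a checkout at $1 into the Cortex-Analyzers tree at $2.
deploy_domaintools_iris() {
    src="$1"; dest="$2"

    # Analyzer: one directory under analyzers/. Cortex discovers the analyzer
    # flavours from the *.json definitions inside it, so a directory without
    # them deploys "successfully" and then shows nothing in the UI.
    mkdir -p "$dest/analyzers/DomainToolsIris"
    cp -af "$src/analyzers/DomainToolsIris/." "$dest/analyzers/DomainToolsIris/"
    ls "$dest/analyzers/DomainToolsIris"/*.json >/dev/null 2>&1 || {
        echo "deploy: no analyzer definition (*.json) in $dest/analyzers/DomainToolsIris" >&2
        return 1
    }

    # Report templates (long.html/short.html per flavour) rendered by TheHive.
    mkdir -p "$dest/thehive-templates"
    cp -af "$src"/thehive-templates/DomainToolsIris* "$dest/thehive-templates/"

    # Responders are optional: copy them only if the checkout ships any.
    if ls "$src"/responders/DomainToolsIris* >/dev/null 2>&1; then
        mkdir -p "$dest/responders"
        cp -af "$src"/responders/DomainToolsIris* "$dest/responders/"
    fi

    # Cortex executes the analyzer script as its own service user; a script
    # that lost its execute bit in transit fails every job, so refuse it here.
    if find "$dest/analyzers/DomainToolsIris" -name '*.py' ! -perm -u+x | grep -q .; then
        echo "deploy: some *.py files in the analyzer are not executable (chmod +x them)" >&2
        return 1
    fi
    return 0
}

# Constructed sample checkout (placeholder content, not the real DomainTools
# files) so the helper can be exercised without the download.
make_sample_checkout() {
    root="$1"
    mkdir -p "$root/analyzers/DomainToolsIris" \
             "$root/thehive-templates/DomainToolsIris_Investigate_1_0" \
             "$root/responders/DomainToolsIris_Responder"
    printf '{"name": "DomainToolsIris_Investigate", "version": "1.0", "command": "DomainToolsIris/domaintools_iris.py"}\n' \
        > "$root/analyzers/DomainToolsIris/DomainToolsIris_Investigate.json"
    printf '#!/usr/bin/env python\n' > "$root/analyzers/DomainToolsIris/domaintools_iris.py"
    chmod +x "$root/analyzers/DomainToolsIris/domaintools_iris.py"
    printf '<div>long report</div>\n' > "$root/thehive-templates/DomainToolsIris_Investigate_1_0/long.html"
    printf '<div>short report</div>\n' > "$root/thehive-templates/DomainToolsIris_Investigate_1_0/short.html"
    printf '{"name": "DomainToolsIris_Responder", "version": "1.0"}\n' \
        > "$root/responders/DomainToolsIris_Responder/DomainToolsIris_Responder.json"
}

# Usage: deploy.sh <checkout> <cortex-analyzers-root>
#   e.g. ./deploy.sh ~/cortex /opt/Cortex-Analyzers
if [ "$#" -ge 2 ]; then
    deploy_domaintools_iris "$1" "$2"
fi
```

After a real deployment, restart Cortex (or refresh the analyzer list in the UI) so it rescans the analyzer directories before you look for DomainToolsIris under Analyzers Config.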
Configure App
- Log in to the Cortex instance.
- Select the appropriate Organization (optional) -> Click 'Analyzers Config'.
- Search for 'DomainToolsIris' -> Click Edit.
- Update the Analyzer Config with the following:
- username: DomainTools Iris API username
- key: DomainTools Iris API key
- pivot_count_threshold: pivot count threshold (default: 500)
- Click ‘Responders Config’ to update the Responder config.
- Update the following values:
- Risk Score Threshold
- Tags
- Enable both DomainToolsIris analyzers.
- Overriding the cache setting (optional):
The 'Use Global' setting applies whatever cache duration is configured in Cortex for the organization. You can override it with a custom value. A low value effectively bypasses the cache, so every run retrieves fresh intelligence data from DomainTools; note that each such run also spends DomainTools API queries.
Test Setup
There are two ways to verify the setup; use whichever you prefer:
- Click Analyzers in the top menu -> Filter on DomainToolsIris -> Identify 'DomainToolsIris_Investigate_1_0' -> Click Run.
- Alternatively, use New Analysis from the top left corner of the menu.
In the form that opens, complete the fields marked mandatory and click 'Start'. Verify the result by clicking 'Job History' and filtering for the observable you supplied in the step above.
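The same verification can be scripted against the Cortex REST API, which is handy for checking a deployment from a pipeline without opening the UI. This is an added example, not from the page or the DomainTools project. It assumes a Cortex 2+ instance reachable at $CORTEX_URL, an organization API key in $CORTEX_API_KEY, and that the run endpoint accepts the analyzer name (DomainToolsIris_Investigate_1_0) as its identifier, as shown in Cortex's own API guide; the sample job document used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the page or the project: exercise the analyzer via
# the Cortex REST API. $CORTEX_URL, $CORTEX_API_KEY and the use of the
# analyzer name as endpoint id are assumptions.
set -eu

# Pull one top-level string field ("id", "status") out of a JSON document on
# stdin. Uses jq when present; the grep fallback takes the first occurrence
# and is only adequate for the flat fields used here.
json_field() {
    if command -v jq >/dev/null 2>&1; then
        jq -r ".$1"
    else
        grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
    fi
}

# JSON body for a run request: $1 dataType, $2 data, $3 tlp (0-3).
# The value is not escaped, so keep to plain observables such as domains.
run_payload() {
    printf '{"dataType":"%s","data":"%s","tlp":%s}' "$1" "$2" "$3"
}

# Submit an observable to an analyzer: $1 analyzer, $2 dataType, $3 data.
# Prints the job id Cortex assigns.
cortex_run() {
    curl -fsS -X POST "$CORTEX_URL/api/analyzer/$1/run" \
        -H "Authorization: Bearer $CORTEX_API_KEY" \
        -H 'Content-Type: application/json' \
        -d "$(run_payload "$2" "$3" 2)" | json_field id
}

# Block until the job finishes (up to one minute) and print the job document.
cortex_wait_report() {
    curl -fsS -H "Authorization: Bearer $CORTEX_API_KEY" \
        "$CORTEX_URL/api/job/$1/waitreport?atMost=1minute"
}

# Run the Investigate analyzer on a domain; succeed only if Cortex reports
# Success. A "Failure" here usually means bad API credentials in the
# analyzer config or a missing Python dependency on the Cortex host.
verify_domaintools_iris() {
    job=$(cortex_run DomainToolsIris_Investigate_1_0 domain "$1")
    status=$(cortex_wait_report "$job" | json_field status)
    echo "job $job: $status"
    [ "$status" = "Success" ]
}

# Constructed job document shaped like a trimmed waitreport reply, used to
# check the field extraction offline.
SAMPLE_JOB='{"id":"AXjob0001","analyzerId":"abc123","analyzerName":"DomainToolsIris_Investigate_1_0","status":"Success","report":{"success":true,"summary":{"taxonomies":[{"level":"info","namespace":"DT","predicate":"Iris","value":"ok"}]}}}'

# Usage: CORTEX_URL=http://cortex:9001 CORTEX_API_KEY=... ./verify.sh example.com
if [ "$#" -ge 1 ]; then
    verify_domaintools_iris "$1"
fi
```

Use a domain you are entitled to look up; each successful run counts against your DomainTools API quota, and with a short cache override (see Configure App) repeated checks are not served from Cortex's cache.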