How to Install Cortex Observable Analysis Tool on Ubuntu 22.04

Cortex is a free and open-source observable analysis tool created by TheHive Project. Security professionals and SOC analysts use it to analyze collected events by querying a single tool. It offers a web-based interface that allows you to analyze IP and email addresses, URLs, domain names, files, and hashes. Cortex has over a hundred analyzers for popular services such as VirusTotal, Joe Sandbox, DomainTools, PassiveTotal, Google Safe Browsing, Shodan, and Onyphe.

This tutorial will show you how to install the Cortex engine on Ubuntu 22.04.

Prerequisites

  • A server running Ubuntu 22.04 with a minimum of 16GB of RAM.
  • A root password is configured on the server.

Update the System

First, it is recommended to update and upgrade all your system packages to their latest versions. You can do that by running the following commands.

apt update -y
apt upgrade -y

Once all the packages are updated, you can proceed to the next step.

Install Java

Before starting, Java must be installed on your server. If it is not, install OpenJDK 11 using the following command.

apt install openjdk-11-jre-headless -y

After the successful installation, you can verify the Java installation using the following command.

java --version

You will get the following output.

openjdk 11.0.17 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu222.04)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu222.04, mixed mode, sharing)

Next, set the Java environment variable using the following command.

echo JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64" | tee -a /etc/environment

Next, activate the environment variable using the following command.

source /etc/environment

Once you are done, you can proceed to install and configure ElasticSearch.

Install and Configure ElasticSearch

Cortex also requires ElasticSearch to be installed on your server. First, install all the required dependencies using the following command.

apt install wget gnupg2 apt-transport-https git ca-certificates curl jq software-properties-common lsb-release python3-pip iproute2 -y

Next, add the ElasticSearch GPG key using the following command.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elasticsearch-keyring.gpg

Then, add the ElasticSearch repo to APT using the following command.

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

Next, update the repository and install ElasticSearch using the following command.

apt update -y
apt install elasticsearch -y

After the installation, edit the ElasticSearch configuration file and define your cluster name.

nano /etc/elasticsearch/elasticsearch.yml

Change the following line:

cluster.name: my-application

Save and close the file, then create a jvm.options file.

nano /etc/elasticsearch/jvm.options.d/jvm.options

Add the following lines:

-Xms1g
-Xmx1g
-Dlog4j2.formatMsgNoLookups=true

Save and close the file when you are finished. Then, restart the ElasticSearch service to apply the changes.

systemctl restart elasticsearch

You can check the status of ElasticSearch with the following command.

systemctl status elasticsearch

You will get the following output.

● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-02-06 15:35:54 UTC; 2s ago
       Docs: https://www.elastic.co
   Main PID: 10788 (java)
      Tasks: 80 (limit: 38396)
     Memory: 1.3G
        CPU: 1min 46.185s
     CGroup: /system.slice/elasticsearch.service
             ├─10788 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.t>
             └─10999 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Feb 06 15:35:21 ubuntu2204 systemd[1]: Starting Elasticsearch...
Feb 06 15:35:54 ubuntu2204 systemd[1]: Started Elasticsearch.

Once you are finished, you can proceed to install Cortex.

Install Cortex on Ubuntu 22.04

By default, the Cortex package is not available in the Ubuntu default repository. So you will need to add the Cortex official repo to APT.

First, download and import the Cortex and TheHive GPG keys using the following commands.

wget -qO- "https://raw.githubusercontent.com/TheHive-Project/Cortex/master/PGP-PUBLIC-KEY" | gpg --dearmor -o /etc/apt/trusted.gpg.d/cortex.gpg
wget -qO- https://raw.githubusercontent.com/TheHive-Project/Cortex/master/PGP-PUBLIC-KEY | gpg --dearmor -o /etc/apt/trusted.gpg.d/thehive.gpg

Next, add the Cortex repo to APT using the following command.

echo 'deb https://deb.thehive-project.org release main' | tee -a /etc/apt/sources.list.d/thehive-project.list

Next, update the repository and install Cortex with the following commands.

apt update -y
apt install cortex -y

Once the Cortex package is installed, you can proceed to configure Cortex.

Configure Cortex

Next, you will need to create a secret and define it in your Cortex configuration file. First, create a secret with the following command.

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1

You should see the following output.

LkSc1rXTf4mx8TWEdmQJytdrJYunwiLwHSaDS7gUR6g4P8B07JKuLWgMNIxI9bcm

Next, edit the Cortex configuration file and define your secret.

nano /etc/cortex/application.conf

Define your secret as shown below:

play.http.secret.key="LkSc1rXTf4mx8TWEdmQJytdrJYunwiLwHSaDS7gUR6g4P8B07JKuLWgMNIxI9bcm"
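The secret step above, done as an idempotent script rather than by hand. This is an added example, not part of the original tutorial or the Cortex project: it generates a 64-character alphanumeric secret the same way as the tr/fold pipeline, writes it into application.conf (replacing an existing play.http.secret.key line or appending one), and checks that the configured value is not a placeholder before you start the service. The "***CHANGEME***" placeholder used in the comments is an assumption about the packaged default, not a value taken from this page.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): manage play.http.secret.key
# in a Cortex application.conf. Secrets are alphanumeric only, so they are
# safe to splice into the sed replacement below.

# Generate N random alphanumeric characters (default 64) from /dev/urandom.
gen_secret() {
    n="${1:-64}"
    tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c "$n"
}

# Set play.http.secret.key="$2" in config file $1: replace an existing line
# (for example a packaged placeholder such as ***CHANGEME***, assumed here)
# or append the line if the key is not present yet.
set_cortex_secret() {
    conf="$1"; secret="$2"
    if grep -q '^play\.http\.secret\.key=' "$conf"; then
        sed -i "s|^play\.http\.secret\.key=.*|play.http.secret.key=\"$secret\"|" "$conf"
    else
        printf 'play.http.secret.key="%s"\n' "$secret" >> "$conf"
    fi
}

# Print the secret currently configured in $1 (empty output if unset).
get_cortex_secret() {
    sed -n 's/^play\.http\.secret\.key="\(.*\)"$/\1/p' "$1" | head -n 1
}

# Return 0 only if the secret in $1 is set, is not a placeholder and is at
# least 32 characters long; return 1 otherwise (do not start Cortex then).
check_cortex_secret() {
    s="$(get_cortex_secret "$1")"
    [ -n "$s" ] || return 1
    case "$s" in *CHANGEME*|*changeme*) return 1 ;; esac
    [ "${#s}" -ge 32 ]
}

# Usage on a real host (run as root):
#   set_cortex_secret /etc/cortex/application.conf "$(gen_secret 64)"
#   check_cortex_secret /etc/cortex/application.conf && systemctl restart cortex
```

The check function is the part worth keeping in a deployment script: a Play application started with a known default secret lets anyone forge its signed session cookies, so refuse to start Cortex until the check passes.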

Save and close the file when you are done. Then, start and enable the Cortex service using the following command.

systemctl enable --now cortex

You can check the status of Cortex using the following command.

systemctl status cortex

You will get the following output.

● cortex.service - cortex
     Loaded: loaded (/etc/systemd/system/cortex.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-02-06 15:40:21 UTC; 12s ago
       Docs: https://thehive-project.org
   Main PID: 12544 (java)
      Tasks: 49 (limit: 38396)
     Memory: 491.9M
        CPU: 32.669s
     CGroup: /system.slice/cortex.service
             ├─12544 java -Duser.dir=/opt/cortex -Dconfig.file=/etc/cortex/application.conf -Dlogger.file=/etc/cortex/logback.xml -Dpidfile.p>
             └─13051 /usr/bin/python3 /usr/bin/pip show cortexutils

Feb 06 15:40:21 ubuntu2204 systemd[1]: Started cortex.

At this point, Cortex is started and listens on port 9001. You can check it with the following command.

ss -antpl | grep 9001

You should see the Cortex listening port in the following output.

LISTEN 0      100                     *:9001            *:*    users:(("java",pid=12544,fd=293)) 

Once you are done, you can proceed to the next step.

Access Cortex Web UI

Cortex is now installed and configured. Next, open your web browser and access the Cortex web interface using the URL http://your-server-ip:9001. You should see the database update screen.

Click on the Update Database button to update the database. You should see the account creation screen.

Define your login name, name, password and click on the Create button. You will be redirected to the Cortex login page:

Provide your username, password and click on the Sign In button. You should see the Cortex dashboard on the following screen.

Next, you will need to add your Organization to the Cortex. Click on the Add organization button. You should see the organization creation screen.

Define your organization name and click on the Save button. You should see your newly created organization on the following screen.

Click on your newly created organization. You should see the following screen.

Click on the Add User button. You should see the user creation screen.

Define your username, role and click on the Save user button to create a user. You should see the following screen.

Conclusion

Congratulations! You have successfully installed and configured the Cortex engine on an Ubuntu 22.04 server. You can now use Cortex as your organization's observable analysis and active response engine. Feel free to ask me if you have any questions.
