merge with dev and fix conflicts

salt/thehive/etc/application.conf

@@ -0,0 +1,218 @@
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
+
+# Secret Key
+# The secret key is used to secure cryptographic functions.
+# WARNING: If you deploy your application on several servers, make sure to use the same key.
+play.http.secret.key="letsdewdis"
+play.http.context=/thehive/
+search.uri = "http://{{ MASTERIP }}:9400"
+# Elasticsearch
+search {
+ # Name of the index
+ index = the_hive
+ # Name of the Elasticsearch cluster
+ cluster = thehive
+ # Address of the Elasticsearch instance
+ host = ["{{ MASTERIP }}:9500"]
+ #search.uri = "http://{{ MASTERIP }}:9500"
+ # Scroll keepalive
+ keepalive = 1m
+ # Size of the page for scroll
+ pagesize = 50
+ # Number of shards
+ nbshards = 5
+ # Number of replicas
+ nbreplicas = 0
+ # Arbitrary settings
+ settings {
+   # Maximum number of nested fields
+   mapping.nested_fields.limit = 100
+ }
+
+ ### XPack SSL configuration
+ # Username for XPack authentication
+ #username
+ # Password for XPack authentication
+ #password
+ # Enable SSL to connect to ElasticSearch
+ ssl.enabled = false
+ # Path to certificate authority file
+ #ssl.ca
+ # Path to certificate file
+ #ssl.certificate
+ # Path to key file
+ #ssl.key
+
+ ### SearchGuard configuration
+ # Path to JKS file containing client certificate
+ #guard.keyStore.path
+ # Password of the keystore
+ #guard.keyStore.password
+ # Path to JKS file containing certificate authorities
+ #guard.trustStore.path
+ ## Password of the truststore
+ #guard.trustStore.password
+ # Enforce hostname verification
+ #guard.hostVerification
+ # If hostname verification is enabled specify if hostname should be resolved
+ #guard.hostVerificationResolveHostname
+}
+
+# Authentication
+auth {
+	# "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
+	# available auth types are:
+	# services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
+	# ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
+	# ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
+	provider = [local]
+
+  # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
+  #method.basic = true
+
+
+	ad {
+		# The Windows domain name in DNS format. This parameter is required if you do not use
+		# 'serverNames' below.
+		#domainFQDN = "mydomain.local"
+
+		# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
+		# above. If this parameter is not set, TheHive uses 'domainFQDN'.
+        #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
+
+		# The Windows domain name using short format. This parameter is required.
+		#domainName = "MYDOMAIN"
+
+		# If 'true', use SSL to connect to the domain controller.
+		#useSSL = true
+	}
+
+	ldap {
+		# The LDAP server name or address. The port can be specified using the 'host:port'
+		# syntax. This parameter is required if you don't use 'serverNames' below.
+		#serverName = "ldap.mydomain.local:389"
+
+		# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
+        #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
+
+		# Account to use to bind to the LDAP server. This parameter is required.
+		#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
+
+		# Password of the binding account. This parameter is required.
+		#bindPW = "***secret*password***"
+
+		# Base DN to search users. This parameter is required.
+		#baseDN = "ou=users,dc=mydomain,dc=local"
+
+		# Filter to search user in the directory server. Please note that {0} is replaced
+		# by the actual user name. This parameter is required.
+		#filter = "(cn={0})"
+
+		# If 'true', use SSL to connect to the LDAP directory server.
+		#useSSL = true
+	}
+}
+
+# Maximum time between two requests without requesting authentication
+session {
+  warning = 5m
+  inactivity = 1h
+}
+
+# Max textual content length
+play.http.parser.maxMemoryBuffer= 1M
+# Max file size
+play.http.parser.maxDiskBuffer = 1G
+
+# Cortex
+# TheHive can connect to one or multiple Cortex instances. Give each
+# Cortex instance a name and specify the associated URL.
+#
+# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line
+
+play.modules.enabled += connectors.cortex.CortexConnector
+
+cortex {
+  "CORTEX-SERVER-ID" {
+    url = "http://{{ MASTERIP }}:9001/cortex/"
+    key = "{{ CORTEXKEY }}"
+  #  # HTTP client configuration (SSL and proxy)
+  #  ws {}
+  }
+}
+
+# MISP
+# TheHive can connect to one or multiple MISP instances. Give each MISP
+# instance a name and specify the associated Authkey that must  be used
+# to poll events, the case template that should be used by default when
+# importing events as well as the tags that must be added to cases upon
+# import.
+
+# Prior to configuring the integration with a MISP instance, you must
+# enable the MISP connector. This will allow you to import events to
+# and/or export cases to the MISP instance(s).
+
+#play.modules.enabled += connectors.misp.MispConnector
+
+misp {
+  # Interval between consecutive MISP event imports in hours (h) or
+  # minutes (m).
+  interval = 1h
+
+  #"MISP-SERVER-ID" {
+  #  # MISP connection configuration requires at least an url and a key. The key must
+  #  # be linked with a sync account on MISP.
+  #  url = ""
+  #  key = ""
+  #
+  #  # Name of the case template in TheHive that shall be used to import
+  #  # MISP events as cases by default.
+  #  caseTemplate = "<Template_Name_goes_here>"
+  #
+  #  # Optional tags to add to each observable  imported  from  an  event
+  #  # available on this instance.
+  #  tags = ["misp-server-id"]
+  #
+  #  ## MISP event filters
+  #  # MISP filters is used to exclude events from the import.
+  #  # Filter criteria are:
+  #  # The number of attribute
+  #  max-attributes = 1000
+  #  # The size of its JSON representation
+  #  max-size = 1 MiB
+  #  # The age of the last publish date
+  #  max-age = 7 days
+  #  # Organization and tags
+  #  exclusion {
+  #    organisation = ["bad organisation", "other organisations"]
+  #    tags = ["tag1", "tag2"]
+  #  }
+  #
+  #  ## HTTP client configuration (SSL and proxy)
+  #  # Truststore to use to validate the X.509 certificate of the MISP
+  #  # instance if the default truststore is not sufficient.
+  #  # Proxy can also be used
+  #  ws {
+  #    ssl.trustManager.stores = [ {
+  #      path = /path/to/truststore.jks
+  #    } ]
+  #    proxy {
+  #      host = proxy.mydomain.org
+  #      port = 3128
+  #    }
+  #  }
+  #
+  #  # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
+  #  # Default is ImportAndExport
+  #  purpose = ImportAndExport
+  #} ## <-- Uncomment to complete the configuration
+}
+webhooks {
+  NodeRedWebHook {
+    url = "http://{{ MASTERIP }}:1880/thehive"
+  }
+  #SOCtopusWebHook {
+  #  url = "http://{{ MASTERIP }}:7000/enrich"
+  #}
+}

salt/thehive/etc/cortex-application.conf

@@ -0,0 +1,130 @@
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+
+# Secret Key
+# The secret key is used to secure cryptographic functions.
+# WARNING: If you deploy your application on several servers, make sure to use the same key.
+play.http.secret.key="letsdewdis"
+play.http.context=/cortex/
+search.uri = "http://{{ MASTERIP }}:9400"
+
+# Elasticsearch
+search {
+ # Name of the index
+ index = cortex
+ # Name of the Elasticsearch cluster
+ cluster = thehive
+ # Address of the Elasticsearch instance
+ host = ["{{ MASTERIP }}:9500"]
+ # Scroll keepalive
+ keepalive = 1m
+ # Size of the page for scroll
+ pagesize = 50
+ # Number of shards
+ nbshards = 5
+ # Number of replicas
+ nbreplicas = 0
+ # Arbitrary settings
+ settings {
+   # Maximum number of nested fields
+   mapping.nested_fields.limit = 100
+ }
+
+  ## Authentication configuration
+  #search.username = ""
+  #search.password = ""
+
+  ## SSL configuration
+  #search.keyStore {
+  #  path = "/path/to/keystore"
+  #  type = "JKS" # or PKCS12
+  #  password = "keystore-password"
+  #}
+  #search.trustStore {
+  #  path = "/path/to/trustStore"
+  #  type = "JKS" # or PKCS12
+  #  password = "trustStore-password"
+  #}
+}
+
+## Cache
+#
+# If an analyzer is executed against the same observable, the previous report can be returned without re-executing the
+# analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes).
+cache.job = 10 minutes
+
+## Authentication
+auth {
+	# "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful
+	# for migration.
+	# The available auth types are:
+	# - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No
+	#   configuration are required.
+	# - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in
+	#   the "ad" section below.
+	# - ldap : use LDAP to authenticate users. The associated configuration shall be done in the
+	#   "ldap" section below.
+	provider = [local]
+
+	ad {
+		# The Windows domain name in DNS format. This parameter is required if you do not use
+		# 'serverNames' below.
+		#domainFQDN = "mydomain.local"
+
+		# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
+		# above. If this parameter is not set, TheHive uses 'domainFQDN'.
+		#serverNames = [ad1.mydomain.local, ad2.mydomain.local]
+
+		# The Windows domain name using short format. This parameter is required.
+		#domainName = "MYDOMAIN"
+
+		# If 'true', use SSL to connect to the domain controller.
+		#useSSL = true
+	}
+
+	ldap {
+		# The LDAP server name or address. The port can be specified using the 'host:port'
+		# syntax. This parameter is required if you don't use 'serverNames' below.
+		#serverName = "ldap.mydomain.local:389"
+
+		# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
+		#serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
+
+		# Account to use to bind to the LDAP server. This parameter is required.
+		#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
+
+		# Password of the binding account. This parameter is required.
+		#bindPW = "***secret*password***"
+
+		# Base DN to search users. This parameter is required.
+		#baseDN = "ou=users,dc=mydomain,dc=local"
+
+		# Filter to search user in the directory server. Please note that {0} is replaced
+		# by the actual user name. This parameter is required.
+		#filter = "(cn={0})"
+
+		# If 'true', use SSL to connect to the LDAP directory server.
+		#useSSL = true
+	}
+}
+
+## ANALYZERS
+#
+analyzer {
+  # Absolute path where you have pulled the Cortex-Analyzers repository.
+  path = ["/Cortex-Analyzers/analyzers"]
+
+  # Sane defaults. Do not change unless you know what you are doing.
+  fork-join-executor {
+
+    # Min number of threads available for analysis.
+    parallelism-min = 2
+
+    # Parallelism (threads) ... ceil(available processors * factor).
+    parallelism-factor = 2.0
+
+    # Max number of threads available for analysis.
+    parallelism-max = 4
+  }
+}
+
+# It's the end my friend. Happy hunting!

salt/thehive/etc/es/elasticsearch.yml

@@ -0,0 +1,16 @@
+cluster.name: "thehive"
+network.host: 0.0.0.0
+discovery.zen.minimum_master_nodes: 1
+# This is a test -- if this is here, then the volume is mounted correctly.
+path.logs: /var/log/elasticsearch
+action.destructive_requires_name: true
+transport.bind_host: 0.0.0.0
+transport.publish_host: 0.0.0.0
+transport.publish_port: 9500
+http.host: 0.0.0.0
+http.port: 9400
+transport.tcp.port: 9500
+transport.host: 0.0.0.0
+thread_pool.index.queue_size: 100000
+thread_pool.search.queue_size: 100000
+thread_pool.bulk.queue_size: 100000

salt/thehive/etc/es/log4j2.properties

@@ -0,0 +1,20 @@
+status = error
+#appender.console.type = Console
+#appender.console.name = console
+#appender.console.layout.type = PatternLayout
+#appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
+#rootLogger.level = info
+#rootLogger.appenderRef.console.ref = console
+# This is a test -- if this here, then the volume is mounted correctly.
+appender.rolling.type = RollingFile
+appender.rolling.name = rolling
+appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
+appender.rolling.layout.type = PatternLayout
+appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %.10000m%n
+appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log
+appender.rolling.policies.type = Policies
+appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling.policies.time.interval = 1
+appender.rolling.policies.time.modulate = true
+rootLogger.level = info
+rootLogger.appenderRef.rolling.ref = rolling

salt/thehive/init.sls

@@ -0,0 +1,120 @@
+{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set MASTER = salt['grains.get']('master') %}
+thehiveconfdir:
+  file.directory:
+    - name: /opt/so/conf/thehive/etc
+    - makedirs: True
+    - user: 939
+    - group: 939
+
+thehivelogdir:
+  file.directory:
+    - name: /opt/so/log/thehive
+    - makedirs: True
+    - user: 939
+    - group: 939
+
+thehiveconf:
+  file.recurse:
+    - name: /opt/so/conf/thehive/etc
+    - source: salt://thehive/etc
+    - user: 939
+    - group: 939
+    - template: jinja
+
+cortexconfdir:
+  file.directory:
+    - name: /opt/so/conf/cortex
+    - makedirs: True
+    - user: 939
+    - group: 939
+
+cortexlogdir:
+  file.directory:
+    - name: /opt/so/log/cortex
+    - makedirs: True
+    - user: 939
+    - group: 939
+
+cortexconf:
+  file.recurse:
+    - name: /opt/so/conf/cortex
+    - source: salt://thehive/etc
+    - user: 939
+    - group: 939
+    - template: jinja
+
+# Install Elasticsearch
+
+# Made directory for ES data to live in
+thehiveesdata:
+  file.directory:
+    - name: /nsm/thehive/esdata
+    - makedirs: True
+    - user: 939
+    - group: 939
+
+so-thehive-es:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }}
+    - hostname: so-thehive-es
+    - name: so-thehive-es
+    - user: 939
+    - interactive: True
+    - tty: True
+    - binds:
+      - /nsm/thehive/esdata:/usr/share/elasticsearch/data:rw
+      - /opt/so/conf/thehive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
+      - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
+      - /opt/so/log/thehive:/var/log/elasticsearch:rw
+    - environment:
+      - http.host=0.0.0.0
+      - http.port=9400
+      - transport.tcp.port=9500
+      - transport.host=0.0.0.0
+      - cluster.name=thehive
+      - thread_pool.index.queue_size=100000
+      - thread_pool.search.queue_size=100000
+      - thread_pool.bulk.queue_size=100000
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+    - port_bindings:
+      - 0.0.0.0:9400:9400
+      - 0.0.0.0:9500:9500
+
+# Install Cortex
+so-cortex:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }}
+    - hostname: so-cortex
+    - name: so-cortex
+    - user: 939
+    - binds:
+      - /opt/so/conf/thehive/etc/cortex-application.conf:/opt/cortex/conf/application.conf:ro
+    - port_bindings:
+      - 0.0.0.0:9001:9001
+
+cortexscript:
+  cmd.script:
+    - source: salt://thehive/scripts/cortex_init
+    - cwd: /opt/so
+    - template: jinja
+
+so-thehive:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:{{ VERSION }}
+    - environment:
+      - ELASTICSEARCH_HOST={{ MASTERIP }}
+    - hostname: so-thehive
+    - name: so-thehive
+    - user: 939
+    - binds:
+      - /opt/so/conf/thehive/etc/application.conf:/opt/thehive/conf/application.conf:ro
+    - port_bindings:
+      - 0.0.0.0:9000:9000
+
+thehivescript:
+  cmd.script:
+    - source: salt://thehive/scripts/hive_init
+    - cwd: /opt/so
+    - template: jinja

salt/thehive/scripts/cortex_init

@@ -0,0 +1,66 @@
+#!/bin/bash
+{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %}
+{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %}
+{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
+{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
+{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
+{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
+
+default_salt_dir=/opt/so/saltstack/default
+
+cortex_init(){
+    sleep 60
+    CORTEX_IP="{{MASTERIP}}"
+    CORTEX_USER="{{CORTEXUSER}}"
+    CORTEX_PASSWORD="{{CORTEXPASSWORD}}"
+    CORTEX_KEY="{{CORTEXKEY}}"    
+    CORTEX_ORG_NAME="{{CORTEXORGNAME}}"
+    CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup"
+    CORTEX_ORG_USER="{{CORTEXORGUSER}}"
+    CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
+    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"
+
+
+    # Migrate DB
+    curl -v -k -XPOST "https://$CORTEX_IP:/cortex/api/maintenance/migrate"
+
+    # Create intial Cortex superadmin
+    curl -v -k "https://$CORTEX_IP/cortex/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"
+
+    # Create user-supplied org
+    curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization" -d "{  \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}"
+    
+    # Create user-supplied org user
+    curl -k -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }"
+
+    # Enable URLScan.io Analyzer
+    curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'
+
+    # Enable Cert PassiveDNS Analyzer
+    curl -v -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}'
+	
+    # Revoke $CORTEX_USER key
+    curl -k -XDELETE -H "Authorization: Bearer $CORTEX_KEY" "https:///$CORTEX_IP/api/user/$CORTEX_USER/key" 
+
+    # Update SOCtopus config with apikey value
+    #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG
+
+    touch /opt/so/state/cortex.txt
+
+}
+
+if [ -f /opt/so/state/cortex.txt ]; then
+    exit 0
+else
+    rm -f garbage_file
+    while ! wget -O garbage_file {{MASTERIP}}:9500 2>/dev/null
+    do
+      echo "Waiting for Elasticsearch..."
+      rm -f garbage_file
+      sleep 1
+    done
+    rm -f garbage_file
+    sleep 5
+    cortex_init
+fi

salt/thehive/scripts/hive_init

@@ -0,0 +1,64 @@
+#!/bin/bash
+{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
+{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
+{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+
+thehive_init(){
+    sleep 120
+    THEHIVE_IP="{{MASTERIP}}"
+    THEHIVE_USER="{{THEHIVEUSER}}"
+    THEHIVE_PASSWORD="{{THEHIVEPASSWORD}}"
+    THEHIVE_KEY="{{THEHIVEKEY}}"
+    SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+
+    echo -n "Waiting for TheHive..."
+    COUNT=0
+    THEHIVE_CONNECTED="no"
+    while [[ "$COUNT" -le 240 ]]; do
+        curl --output /dev/null --silent --head --fail -k "https://$THEHIVE_IP/thehive"
+            if [ $? -eq 0 ]; then
+                THEHIVE_CONNECTED="yes"
+                echo "connected!"
+                break
+            else
+                ((COUNT+=1))
+                sleep 1
+                echo -n "."
+            fi
+    done
+    
+    if [ "$THEHIVE_CONNECTED" == "yes" ]; then
+    
+        # Migrate DB
+        curl -v -k -XPOST "https://$THEHIVE_IP:/thehive/api/maintenance/migrate"
+
+        # Create intial TheHive user
+        curl -v -k "https://$THEHIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}"
+   
+        # Pre-load custom fields
+        #
+        # reputation
+        curl -v -k "https://$THEHIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
+
+   
+        touch /opt/so/state/thehive.txt
+    else
+        echo "We experienced an issue connecting to TheHive!"
+    fi
+}
+
+if [ -f /opt/so/state/thehive.txt ]; then
+    exit 0
+else
+    rm -f garbage_file
+    while ! wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null
+    do
+      echo "Waiting for Elasticsearch..."
+      rm -f garbage_file
+      sleep 1
+    done
+    rm -f garbage_file
+    sleep 5
+    thehive_init
+fi