{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {%- set CORTEXPLAYSECRET = salt['pillar.get']('global:cortexplaysecret', '') %} # Secret Key # The secret key is used to secure cryptographic functions. # WARNING: If you deploy your application on several servers, make sure to use the same key. play.http.secret.key="{{ CORTEXPLAYSECRET }}" play.http.context=/cortex/ pidfile.path = "/dev/null" search.uri = "http://{{ MANAGERIP }}:9400" # Elasticsearch search { # Name of the index index = cortex # Name of the Elasticsearch cluster cluster = thehive # Address of the Elasticsearch instance host = ["{{ MANAGERIP }}:9500"] # Scroll keepalive keepalive = 1m # Size of the page for scroll pagesize = 50 # Number of shards nbshards = 5 # Number of replicas nbreplicas = 0 # Arbitrary settings settings { # Maximum number of nested fields mapping.nested_fields.limit = 100 } ## Authentication configuration #search.username = "" #search.password = "" ## SSL configuration #search.keyStore { # path = "/path/to/keystore" # type = "JKS" # or PKCS12 # password = "keystore-password" #} #search.trustStore { # path = "/path/to/trustStore" # type = "JKS" # or PKCS12 # password = "trustStore-password" #} } ## Cache # # If an analyzer is executed against the same observable, the previous report can be returned without re-executing the # analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes). cache.job = 10 minutes ## Authentication auth { # "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful # for migration. # The available auth types are: # - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No # configuration are required. # - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in # the "ad" section below. # - ldap : use LDAP to authenticate users. The associated configuration shall be done in the # "ldap" section below. provider = [local] ad { # The Windows domain name in DNS format. This parameter is required if you do not use # 'serverNames' below. #domainFQDN = "mydomain.local" # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN # above. If this parameter is not set, TheHive uses 'domainFQDN'. #serverNames = [ad1.mydomain.local, ad2.mydomain.local] # The Windows domain name using short format. This parameter is required. #domainName = "MYDOMAIN" # If 'true', use SSL to connect to the domain controller. #useSSL = true } ldap { # The LDAP server name or address. The port can be specified using the 'host:port' # syntax. This parameter is required if you don't use 'serverNames' below. #serverName = "ldap.mydomain.local:389" # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead. #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local] # Account to use to bind to the LDAP server. This parameter is required. #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local" # Password of the binding account. This parameter is required. #bindPW = "***secret*password***" # Base DN to search users. This parameter is required. #baseDN = "ou=users,dc=mydomain,dc=local" # Filter to search user in the directory server. Please note that {0} is replaced # by the actual user name. This parameter is required. #filter = "(cn={0})" # If 'true', use SSL to connect to the LDAP directory server. #useSSL = true } } ## ANALYZERS # analyzer { # Absolute path where you have pulled the Cortex-Analyzers repository. path = ["/Cortex-Analyzers/analyzers"] # Sane defaults. Do not change unless you know what you are doing. fork-join-executor { # Min number of threads available for analysis. parallelism-min = 2 # Parallelism (threads) ... ceil(available processors * factor). parallelism-factor = 2.0 # Max number of threads available for analysis. parallelism-max = 4 } } ## RESPONDERS ## responder { # Directory that holds responders urls = ["/Cortex-Analyzers/responders", "/custom-responders"] fork-join-executor { # Min number of threads available for analyze parallelism-min = 2 # Parallelism (threads) ... ceil(available processors * factor) parallelism-factor = 2.0 # Max number of threads available for analyze parallelism-max = 4 } } # It's the end my friend. Happy hunting!