{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} # Secret Key # The secret key is used to secure cryptographic functions. # WARNING: If you deploy your application on several servers, make sure to use the same key. play.http.secret.key="letsdewdis" play.http.context=/thehive/ # Elasticsearch search { ## Basic configuration # Index name. index = the_hive # ElasticSearch cluster name. cluster = hive # ElasticSearch instance address. host = ["{{ MASTERIP }}:9500"] ## Advanced configuration # Scroll keepalive. #keepalive = 1m # Scroll page size. #pagesize = 50 # Number of shards #nbshards = 5 # Number of replicas #nbreplicas = 1 # Arbitrary settings #settings { # # Maximum number of nested fields # mapping.nested_fields.limit = 100 #} ### XPack SSL configuration # Username for XPack authentication #search.username = "" # Password for XPack authentication #search.password = "" # Enable SSL to connect to ElasticSearch search.ssl.enabled = false # Path to certificate authority file #search.ssl.ca = "" # Path to certificate file #search.ssl.certificate = "" # Path to key file #search.ssl.key = "" ### SearchGuard configuration # Path to JKS file containing client certificate #search.guard.keyStore.path = "" # Password of the keystore #search.guard.keyStore.password = "" # Path to JKS file containing certificate authorities #search.guard.trustStore.path = "" ## Password of the truststore #search.guard.trustStore.password = "" # Enforce hostname verification #search.guard.hostVerification = false # If hostname verification is enabled specify if hostname should be resolved #search.guard.hostVerificationResolveHostname = false } # Authentication auth { # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration) # available auth types are: # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required. # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key provider = [local] # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true. #method.basic = true ad { # The Windows domain name in DNS format. This parameter is required if you do not use # 'serverNames' below. #domainFQDN = "mydomain.local" # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN # above. If this parameter is not set, TheHive uses 'domainFQDN'. #serverNames = [ad1.mydomain.local, ad2.mydomain.local] # The Windows domain name using short format. This parameter is required. #domainName = "MYDOMAIN" # If 'true', use SSL to connect to the domain controller. #useSSL = true } ldap { # The LDAP server name or address. The port can be specified using the 'host:port' # syntax. This parameter is required if you don't use 'serverNames' below. #serverName = "ldap.mydomain.local:389" # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead. #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local] # Account to use to bind to the LDAP server. This parameter is required. #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local" # Password of the binding account. This parameter is required. #bindPW = "***secret*password***" # Base DN to search users. This parameter is required. #baseDN = "ou=users,dc=mydomain,dc=local" # Filter to search user in the directory server. Please note that {0} is replaced # by the actual user name. This parameter is required. #filter = "(cn={0})" # If 'true', use SSL to connect to the LDAP directory server. #useSSL = true } } # Maximum time between two requests without requesting authentication session { warning = 5m inactivity = 1h } # Max textual content length play.http.parser.maxMemoryBuffer= 1M # Max file size play.http.parser.maxDiskBuffer = 1G # Cortex # TheHive can connect to one or multiple Cortex instances. Give each # Cortex instance a name and specify the associated URL. # # In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line #play.modules.enabled += connectors.cortex.CortexConnector cortex { #"CORTEX-SERVER-ID" { # url = "" # key = "" # # HTTP client configuration (SSL and proxy) # ws {} #} } # MISP # TheHive can connect to one or multiple MISP instances. Give each MISP # instance a name and specify the associated Authkey that must be used # to poll events, the case template that should be used by default when # importing events as well as the tags that must be added to cases upon # import. # Prior to configuring the integration with a MISP instance, you must # enable the MISP connector. This will allow you to import events to # and/or export cases to the MISP instance(s). #play.modules.enabled += connectors.misp.MispConnector misp { # Interval between consecutive MISP event imports in hours (h) or # minutes (m). interval = 1h #"MISP-SERVER-ID" { # # MISP connection configuration requires at least an url and a key. The key must # # be linked with a sync account on MISP. # url = "" # key = "" # # # Name of the case template in TheHive that shall be used to import # # MISP events as cases by default. # caseTemplate = "" # # # Optional tags to add to each observable imported from an event # # available on this instance. # tags = ["misp-server-id"] # # ## MISP event filters # # MISP filters is used to exclude events from the import. # # Filter criteria are: # # The number of attribute # max-attributes = 1000 # # The size of its JSON representation # max-size = 1 MiB # # The age of the last publish date # max-age = 7 days # # Organization and tags # exclusion { # organisation = ["bad organisation", "other organisations"] # tags = ["tag1", "tag2"] # } # # ## HTTP client configuration (SSL and proxy) # # Truststore to use to validate the X.509 certificate of the MISP # # instance if the default truststore is not sufficient. # # Proxy can also be used # ws { # ssl.trustManager.stores = [ { # path = /path/to/truststore.jks # } ] # proxy { # host = proxy.mydomain.org # port = 3128 # } # } # # # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport) # # Default is ImportAndExport # purpose = ImportAndExport #} ## <-- Uncomment to complete the configuration }