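{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
{%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
{#- PLACEHOLDER: 'static:PLACEHOLDER_thehive_secret_key' stands for whichever pillar key this
    deployment stores TheHive's Play secret under. The fallback is the previous literal, so the
    rendered file is unchanged until that pillar value is provided. -#}
{%- set HIVESECRET = salt['pillar.get']('static:PLACEHOLDER_thehive_secret_key', 'letsdewdis') %}

# TheHive configuration (HOCON), rendered by Salt through Jinja.
# MASTERIP, CORTEXKEY and HIVESECRET are pulled from pillar by the set statements above;
# everything else is static. Lines starting with '#' are HOCON comments.

# Secret Key
# The secret key is used to secure cryptographic functions.
# WARNING: If you deploy your application on several servers, make sure to use the same key.
# Sourced from pillar rather than a literal shared by every install: a secret that is identical
# on all deployments is effectively public. The pillar value must not contain double quotes or
# backslashes, because it is dropped into a HOCON quoted string.
play.http.secret.key = "{{ HIVESECRET }}"

play.http.context = /thehive/

# Elasticsearch base URI. The scheme is plain http, consistent with ssl.enabled = false below.
search.uri = "http://{{ MASTERIP }}:9400"

# Elasticsearch
search {
  # Name of the index
  index = the_hive
  # Name of the Elasticsearch cluster
  cluster = hive
  # Address of the Elasticsearch instance
  host = ["{{ MASTERIP }}:9500"]
  #search.uri = "http://{{ MASTERIP }}:9500"
  # Scroll keepalive
  keepalive = 1m
  # Size of the page for scroll
  pagesize = 50
  # Number of shards
  nbshards = 5
  # Number of replicas
  nbreplicas = 1
  # Arbitrary settings
  settings {
    # Maximum number of nested fields
    mapping.nested_fields.limit = 100
  }

  ### XPack SSL configuration
  # Username for XPack authentication
  #username
  # Password for XPack authentication
  #password
  # Enable SSL to connect to ElasticSearch
  # Left disabled here, so TheHive talks to Elasticsearch in cleartext. Turn it on and set
  # ssl.ca / ssl.certificate / ssl.key if the Elasticsearch endpoint is reachable from other hosts.
  ssl.enabled = false
  # Path to certificate authority file
  #ssl.ca
  # Path to certificate file
  #ssl.certificate
  # Path to key file
  #ssl.key

  ### SearchGuard configuration
  # Path to JKS file containing client certificate
  #guard.keyStore.path
  # Password of the keystore
  #guard.keyStore.password
  # Path to JKS file containing certificate authorities
  #guard.trustStore.path
  ## Password of the truststore
  #guard.trustStore.password
  # Enforce hostname verification
  #guard.hostVerification
  # If hostname verification is enabled specify if hostname should be resolved
  #guard.hostVerificationResolveHostname
}

# Authentication
auth {
  # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
  # available auth types are:
  # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
  # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
  provider = [local]

  # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
  #method.basic = true

  ad {
    # The Windows domain name in DNS format. This parameter is required if you do not use
    # 'serverNames' below.
    #domainFQDN = "mydomain.local"

    # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
    # above. If this parameter is not set, TheHive uses 'domainFQDN'.
    #serverNames = [ad1.mydomain.local, ad2.mydomain.local]

    # The Windows domain name using short format. This parameter is required.
    #domainName = "MYDOMAIN"

    # If 'true', use SSL to connect to the domain controller.
    #useSSL = true
  }

  ldap {
    # The LDAP server name or address. The port can be specified using the 'host:port'
    # syntax. This parameter is required if you don't use 'serverNames' below.
    #serverName = "ldap.mydomain.local:389"

    # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
    #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]

    # Account to use to bind to the LDAP server. This parameter is required.
    #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"

    # Password of the binding account. This parameter is required.
    # If this section is enabled, take the value from pillar (as CORTEXKEY and HIVESECRET are)
    # rather than writing it into this template.
    #bindPW = "***secret*password***"

    # Base DN to search users. This parameter is required.
    #baseDN = "ou=users,dc=mydomain,dc=local"

    # Filter to search user in the directory server. Please note that {0} is replaced
    # by the actual user name. This parameter is required.
    #filter = "(cn={0})"

    # If 'true', use SSL to connect to the LDAP directory server.
    #useSSL = true
  }
}

# Maximum time between two requests without requesting authentication
session {
  warning = 5m
  inactivity = 1h
}

# Max textual content length
play.http.parser.maxMemoryBuffer = 1M
# Max file size
play.http.parser.maxDiskBuffer = 1G

# Cortex
# TheHive can connect to one or multiple Cortex instances. Give each
# Cortex instance a name and specify the associated URL.
#
# In order to use Cortex, the Cortex module must be enabled; the next line already does so.
play.modules.enabled += connectors.cortex.CortexConnector

cortex {
  "CORTEX-SERVER-ID" {
    url = "http://{{ MASTERIP }}:9001/cortex/"
    # API key comes from pillar (CORTEXKEY above), not from a literal in this template.
    key = "{{ CORTEXKEY }}"
    # # HTTP client configuration (SSL and proxy)
    # ws {}
  }
}

# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.
# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).
#play.modules.enabled += connectors.misp.MispConnector

misp {
  # Interval between consecutive MISP event imports in hours (h) or
  # minutes (m).
  interval = 1h

  #"MISP-SERVER-ID" {
  #  # MISP connection configuration requires at least an url and a key. The key must
  #  # be linked with a sync account on MISP.
  #  url = ""
  #  key = ""
  #
  #  # Name of the case template in TheHive that shall be used to import
  #  # MISP events as cases by default.
  #  caseTemplate = ""
  #
  #  # Optional tags to add to each observable imported from an event
  #  # available on this instance.
  #  tags = ["misp-server-id"]
  #
  #  ## MISP event filters
  #  # MISP filters is used to exclude events from the import.
  #  # Filter criteria are:
  #  # The number of attribute
  #  max-attributes = 1000
  #  # The size of its JSON representation
  #  max-size = 1 MiB
  #  # The age of the last publish date
  #  max-age = 7 days
  #  # Organization and tags
  #  exclusion {
  #    organisation = ["bad organisation", "other organisations"]
  #    tags = ["tag1", "tag2"]
  #  }
  #
  #  ## HTTP client configuration (SSL and proxy)
  #  # Truststore to use to validate the X.509 certificate of the MISP
  #  # instance if the default truststore is not sufficient.
  #  # Proxy can also be used
  #  ws {
  #    ssl.trustManager.stores = [ {
  #      path = /path/to/truststore.jks
  #    } ]
  #    proxy {
  #      host = proxy.mydomain.org
  #      port = 3128
  #    }
  #  }
  #
  #  # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
  #  # Default is ImportAndExport
  #  purpose = ImportAndExport
  #} ## <-- Uncomment to complete the configuration
}

# Outbound webhooks: TheHive posts events to these URLs (plain http to MASTERIP).
webhooks {
  NodeRedWebHook {
    url = "http://{{ MASTERIP }}:1880/thehive"
  }
  #SOCtopusWebHook {
  #  url = "http://{{ MASTERIP }}:7000/enrich"
  #}
}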