
How to enable Cortex analyzers - Virtual Lab Building Series: Ep12 

LS111 Cyber Security Education

Welcome to my channel! In Episode 12 I will show you how to enable analyzers in Cortex that will be used to run analysis on observables such as IP and email addresses, domain names, files and hashes.
We will revisit the docker-compose file where I briefly explain the setup, then I will show you how to activate the MalwareBazaar and VirusTotal analyzers, and how to use them to scan for common ransomware hashes to see the result.
If you have been enjoying this series so far, please don't forget to like and subscribe!
Links used in video:
github.com/ls1...
NOTE: I am not sponsored by or affiliated with any of the products or services mentioned in this video; all opinions are my own, based on personal experience.
DISCLAIMER: All information, techniques and tools showcased in these videos are for educational and ethical penetration testing purposes ONLY. NEVER attempt to use this information to gain unauthorized access to systems without the EXPLICIT consent of its owners. This is a punishable offense by law in most countries.
#cortex #docker #analyzer

Published: 3 Oct 2024

Comments: 31
@zyx3950, 1 year ago
This series of videos is really good. When will the next episode be updated? EP13 EP13!!!

@aviwemusa6109, 1 year ago
Keep them coming, at least once a week please.

@calderonemusic, 1 year ago
Are you still planning to make that Wazuh integration mentioned in earlier videos? :)

@aviwemusa6109, 1 year ago
Hi, when are you planning to finish up this home lab?

@leonardolvm, 9 days ago
How do you enable Analyzers and Responders to appear in Cortex? This step-by-step guide is not shown in the videos; they are already enabled on your screen. In my configuration they do not appear.

@azizihack6593, 1 year ago
Waiting for EP 13, please..

@adnaneafifi1450, 8 months ago
Why do I have 0 available analyzers?
@offdigestertm1937, 8 months ago
I don't understand what I should add so I have the analyzer enabled?

@targetbroadcast7708, 1 year ago
The mapped volume for application.conf is actually creating a folder instead of a file. Would you be able to share the application.conf for Cortex you have used on your GitHub?

@ls111cyberEd, 1 year ago
Thanks for watching. In this video I did not supply my own application.conf file; however, the issue you describe is a known Docker issue: if the file on the host does not exist, it will create a directory, so you will need to make sure you manually create the application.conf file in that location before you run docker-compose. Hopefully this helps.

@ican6401, 1 year ago
@ls111cyberEd Yes, I also realised this; nevertheless, creating the application.conf file manually fixes this.

@ican6401, 1 year ago
I am having issues with the MISP endpoint after updating the compose file. For example VPS-IP:80 or 443. Not working. Is it because of the misp.local variable? Or do you have any similar issues? All other services work perfectly anyway.

@ls111cyberEd, 1 year ago
Using the Docker CLI on the server running your Docker containers, type: sudo docker ps. This will list all running containers; confirm that the MISP container is running correctly and that the ports are listening and map to 443/80. If all seems in order here, another thing that comes to mind is the hostname environment variable in the docker-compose.yml config; check that it's using your IP address and not the 10.200.200.253 I use in my setup: - "HOSTNAME=10.200.200.253". The misp.local name we give to the MISP service won't make a difference here; it is only used within the underlying Docker container network for communication between the containers themselves, which have their own DNS-type service running in the background that resolves those hostnames.

@ican6401, 1 year ago
@ls111cyberEd Thank you for your prompt reply, I really appreciate it. I did this to troubleshoot the issues and I saw this: #docker logs 0ea9cf341f51 ... chown -R www-data.www-data /var/www/MISP ... chown: cannot dereference '/var/www/MISP/INSTALL/old/INSTALL.ubuntu1604.txt': No such file or directory
@bmr9779, 26 days ago
Man, Cortex analyzer giving me a rough time.

@PartieSecure, 1 year ago
I have been troubleshooting an issue with the analyzers failing, "workers can't be run" error. Have you come across this issue? Is this an issue with the Docker networking?

@ls111cyberEd, 1 year ago
Hi, thanks for watching! Yes, I had similar issues when creating the lab and found that it was due to the way I had my volumes set up. In my case, the Docker container that runs the analyzer was unable to access the job data created by Cortex, so I had to map everything to /tmp/cortex-jobs on the host and set up the environment variables to point both job_directory and docker_job_directory to the same /tmp/cortex-jobs to make this work. I used this documentation to point me in the correct direction: github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md Hopefully it helps.

@PartieSecure, 1 year ago
@ls111cyberEd Oh great, thank you for the info, I will give it a try.

@PartieSecure, 1 year ago
@ls111cyberEd Got it working, thank you!

@TatikSemlohay, 1 year ago
Hello, I have a problem with the Cortex analyzer. It says "errorMessage": "Worker cannot be run". How do I fix it? Thank you.

@ls111cyberEd, 1 year ago
Hi, thanks for watching. Please check out this documentation: github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md I had similar issues when creating the lab and found that it was due to how I set my volumes up. In my case, the Docker container that runs the analyzer was unable to access the job data created by Cortex, so I had to map everything to /tmp/cortex-jobs on the host and set up the environment variables to point both job_directory and docker_job_directory to the same /tmp/cortex-jobs to make this work. Perhaps it's the same issue in your case; hopefully this helps.
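A pre-flight script, added here as an example (it is not from the video or the author's GitHub repo), that checks for the two bind-mount problems raised in this thread: the application.conf host path turning into a directory, and the shared job directory that Cortex and the analyzer containers must both see. The relative path cortex/application.conf and the function names are assumptions.

```shell
# Pre-flight check for the TheHive/Cortex/MISP compose lab, covering the two bind-mount
# problems raised in this thread. Added example, not from the video or the author's repo;
# the relative path cortex/application.conf and the function names are assumptions.

# ensure_bind_file PATH: Docker turns a bind mount whose host path is missing into an
# empty DIRECTORY, which is why application.conf "became a folder". Make PATH a regular
# file, undoing that exact case, and print one of: ok, created, repaired, conflict.
ensure_bind_file() {
    path=$1
    if [ -f "$path" ]; then
        echo ok
    elif [ -d "$path" ]; then
        if [ -z "$(ls -A "$path")" ]; then
            # Empty directory: the auto-created one. Replace it with an empty file.
            rmdir "$path" && : > "$path" && echo repaired
        else
            # A real directory with contents: do not touch it, let the operator decide.
            echo conflict
            return 1
        fi
    else
        mkdir -p "$(dirname "$path")" && : > "$path" && echo created
    fi
}

# ensure_job_dir PATH: the shared job directory must exist on the host before
# docker-compose starts, so Cortex and the analyzer containers see the same files.
ensure_job_dir() {
    if [ -d "$1" ]; then echo ok; else mkdir -p "$1" && echo created; fi
}

# check_job_mapping SPEC: SPEC is a compose volume entry "host:container[:mode]" for the
# Cortex job directory. Cortex launches analyzer containers through the host's Docker
# socket, so the job path it passes on is resolved by the HOST daemon; that is why the
# thread maps /tmp/cortex-jobs to /tmp/cortex-jobs. Returns 0 when both sides match.
check_job_mapping() {
    host=${1%%:*}
    rest=${1#*:}
    container=${rest%%:*}
    [ "$host" = "$container" ]
}

# preflight LAB_DIR: run all checks against a lab checkout; non-zero exit means stop
# and fix before running docker-compose up.
preflight() {
    ensure_bind_file "${1:-.}/cortex/application.conf" >/dev/null || return 1
    ensure_job_dir /tmp/cortex-jobs >/dev/null
    check_job_mapping "/tmp/cortex-jobs:/tmp/cortex-jobs"
}
```

Run `preflight /path/to/lab` from the directory you start docker-compose in; a "conflict" result means a populated directory sits where the file should be and needs a manual look.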
@aviwemusa6109, 1 year ago
Can you deploy Kali Purple for defense in this lab?

@ls111cyberEd, 1 year ago
Thanks for watching! Yes, you can; this will work with any OS running Docker.

@pennyWise_01, 1 year ago
After I integrate VirusTotal, can TheHive/Cortex block any malicious IP if a user is trying to access the malicious IP?

@ls111cyberEd, 1 year ago
Initially no, TheHive/Cortex won't block anything; it's being used to analyze the detected IOCs and compare them against known intelligence found on VirusTotal etc. If you need a blocking response you will need to set up a responder, e.g. if you use Wazuh you can use their free responder to block IP observables; there are also other options available.

@st-lv9zg, 1 year ago
What is the username / password for TheHive, Cortex, MISP?

@ls111cyberEd, 1 year ago
This information has been documented in GitHub: github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update

@st-lv9zg, 1 year ago
@ls111cyberEd I was not able to log in with the username/password given on the GitHub. I am using the docker compose file.

@st-lv9zg, 1 year ago
It is working now... I must have done something wrong.