ClawHub

Soc Deploy Thehive

Deploy TheHive 5 + Cortex 3 incident response platform on any Docker-ready Linux host. Automates account creation, API key generation, Cortex CSRF handling,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 64 · 0 current installs · 0 all-time installs
bySolomon Neas@solomonneas
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included artifacts: SKILL.md, docker-compose.yml, and setup.sh all perform TheHive+Cortex deployment and API key setup. Minor mismatch: the registry metadata lists no required binaries, but the instructions and script expect common system tools (ssh/scp, docker, docker compose, curl, sed, openssl). This is expected for the stated purpose but the manifest omits declaring those prerequisites.
Instruction Scope
SKILL.md and setup.sh stay within deployment scope: they create/write docker-compose.yml (after user SCP), start containers, perform HTTP calls to local services to create users/keys, and wire integration. They explicitly save generated credentials to ~/thehive-cortex/api-keys.txt and print them to stdout — this is necessary for the task but is sensitive and should be handled carefully. The instructions do not read unrelated host files or call external endpoints.
Install Mechanism
No install spec; this is an instruction-only skill with an included setup.sh and static docker-compose. Nothing is downloaded from arbitrary URLs or installed on the agent's machine. Risk from installation is low.
Credentials
The skill does not request credentials or environment variables in its manifest, which is consistent. However, the script relies on host binaries (docker, docker compose, curl, openssl, sed, ssh/scp for SCP/SSH steps) that are not declared; ensure these exist on the target. The script writes plaintext credentials and API keys to a file in the target user's home and prints them — appropriate for deployment but a sensitive side-effect.
Persistence & Privilege
The skill does not request privileged platform features (always:true is false). It creates Docker containers with restart: unless-stopped and writes files under the target user's home; that persistence is expected for a service deployment and is within scope.
Assessment
This skill appears to do what it says: deploy TheHive + Cortex to a Docker-ready Linux host and generate API keys. Before using it: (1) only run it on a host you control and trust — it will create containers and save plaintext credentials to ~/thehive-cortex/api-keys.txt and print them to stdout; delete or move that file to secure storage when done. (2) Ensure the target has prerequisites installed (docker, docker compose v2, curl, openssl, sed) and that you have SSH/SCP access as instructed. (3) Review the included setup.sh and docker-compose.yml yourself (they are provided) to confirm network/port exposure and volumes meet your security policy. (4) Consider using a stronger generated secret and rotating keys after initial setup. If you want tighter security, run the deployment in an isolated lab or VM, and then harden the instance (firewall, remove plaintext key files, enable TLS) before exposing it to production.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk979d9y5qbb4y2g01ba2zq4zmn83b1fp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

SOC Deploy: TheHive 5.4 + Cortex 3.1.8

Deploy TheHive + Cortex incident response platform on any Docker-ready Linux host.

This skill does NOT create VMs. It expects an SSH target with Docker installed. Use hyperv-create-vm or proxmox-create-vm first if you need infrastructure.

When to Use

  • "deploy thehive"
  • "set up thehive"
  • "install thehive and cortex"
  • "thehive lab"
  • "incident response platform"

User Inputs

ParameterDefaultRequired
SSH target-Yes (user@host)
Admin passwordChangeMe123!No
Org name (Cortex)SOCNo
TheHive secret(generated 40-char)No

Prerequisites Check

# SSH works
ssh <target> "echo OK"

# Docker + Compose v2
ssh <target> "docker --version && docker compose version"

# RAM check (need 4GB+ free)
ssh <target> "free -h | grep Mem"

Execution

Single command deployment

scp scripts/setup.sh <target>:~/
scp references/docker-compose.yml <target>:~/thehive-cortex/docker-compose.yml
ssh <target> "bash ~/setup.sh '<password>' '<org-name>'"

What setup.sh does (from thehive-cortex-setup-guide.md)

  1. Create directory + write docker-compose.yml
  2. docker compose up -d (Cassandra + ES + TheHive + Cortex)
  3. Poll health endpoints until all services respond:
    • GET :9200/_cluster/health (Elasticsearch)
    • GET :9000/api/status (TheHive)
    • GET :9001/api/status (Cortex)
  4. TheHive admin setup:
    • POST /api/v1/login with admin@thehive.local / secret
    • POST /api/v1/user/admin@thehive.local/password/change (NOT PATCH)
    • POST /api/v1/user/admin@thehive.local/key/renew -> API key
  5. Cortex setup (CSRF dance):
    • POST /api/maintenance/migrate
    • POST /api/user (create superadmin, first-user endpoint)
    • POST /api/login -> session cookie
    • GET /api/user/admin -> capture CORTEX-XSRF-TOKEN cookie
    • POST /api/organization (with CSRF cookie + header)
    • POST /api/user (org admin, with CSRF)
    • POST /api/user/<org-admin>/key/renew (with CSRF) -> org key
    • POST /api/user/admin/key/renew (with CSRF) -> super key
  6. Wire integration:
    • Update docker-compose.yml: add --cortex-hostnames cortex --cortex-keys <org-admin-key>
    • docker compose up -d thehive (restart only TheHive)
    • Wait 30s for TheHive startup
  7. Verify both APIs respond with Bearer keys
  8. Write credentials to ~/thehive-cortex/api-keys.txt

Output to User

TheHive + Cortex deployed!

TheHive: http://<target>:9000
Cortex:  http://<target>:9001

Credentials:
  TheHive admin:     admin@thehive.local / <password>
  Cortex superadmin: admin / <password>
  Cortex org admin:  <org>-admin (API key only)

API Keys:
  TheHive:           <key>
  Cortex superadmin: <key>
  Cortex org admin:  <key>

MCP Connection:
  THEHIVE_URL=http://<target>:9000
  THEHIVE_API_KEY=<key>
  CORTEX_URL=http://<target>:9001
  CORTEX_API_KEY=<key>

Keys saved to: ~/thehive-cortex/api-keys.txt

Critical Gotchas

See references/gotchas.md for full details:

  1. Cortex CSRF (biggest automation blocker): Cookie CORTEX-XSRF-TOKEN + header X-CORTEX-XSRF-TOKEN on ALL mutating requests. Standard Play Framework bypass headers do NOT work. After first API key, use Authorization: Bearer to skip CSRF
  2. TheHive password endpoint: POST /password/change with currentPassword+password. The PATCH endpoint returns 204 but silently ignores the password field
  3. Bash ! in passwords: Use printf '...' | curl -d @-, not direct -d with exclamation marks
  4. First-user one-shot: Cortex POST /api/user without auth only works when zero users exist
  5. TheHive startup delay: 15-30s after compose up (waits for Cassandra)
  6. Secret length: TheHive Play Framework JWT needs 32+ char secret
  7. Use org admin key (not superadmin) for TheHive-Cortex integration (least privilege)

API Quick Reference

See references/api-reference.md for the full endpoint list.

Timeout Strategy

Setup takes ~5-7 min (mostly waiting for services). If docker images are not cached, add ~5 min for pull. Split into:

  • Turn 1: docker compose up -d + pull images (~5 min)
  • Turn 2: Account setup + API keys (~3 min)

Pairs With

  • hyperv-create-vm - create a Hyper-V VM, then deploy TheHive on it
  • proxmox-create-vm - create a Proxmox LXC/VM, then deploy TheHive on it
  • soc-deploy-misp - deploy MISP alongside for threat intelligence

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…