This responder sends a thehive:case to a listener, which then creates a YARA rule based on it.
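As an added illustration (not the project's own responder code), the block below sketches the responder side of that flow in plain Python: validate the job Cortex hands over on stdin, reduce the case to a small payload, and hand it to the listener. The `listener_url` config option, the case fields and the listener's behaviour are assumptions; the real responder would wrap this in the cortexutils Responder class.

```python
import json

# Constructed sample of the job JSON that Cortex pipes to a responder on stdin.
# The top-level keys (dataType, data, config) follow the Cortex responder input
# contract; the case fields and the listener_url value are invented.
SAMPLE_JOB = json.dumps({
    "dataType": "thehive:case",
    "data": {"id": "~4096", "caseId": 12, "title": "Suspicious macro document",
             "tags": ["maldoc", "phishing"], "tlp": 2},
    "config": {"listener_url": "http://listener.example.invalid/yara"},
})


def parse_job(raw):
    """Validate the responder input before anything leaves the host."""
    job = json.loads(raw)
    # Only thehive:case jobs make sense for this responder; refuse anything else.
    if job.get("dataType") != "thehive:case":
        raise ValueError("unsupported dataType: %r" % job.get("dataType"))
    if not isinstance(job.get("data"), dict) or "caseId" not in job["data"]:
        raise ValueError("job data is not a TheHive case object")
    if not job.get("config", {}).get("listener_url"):
        raise ValueError("listener_url is not set in the responder config")
    return job


def build_payload(job):
    """Reduce the case to the fields the listener needs to draft a rule."""
    case = job["data"]
    return {"source": "YaraDesigner", "case_id": case["caseId"],
            "title": case["title"], "tags": list(case.get("tags", [])),
            "tlp": case.get("tlp")}


def run(raw, send):
    """Return a report in the {success, full | errorMessage} shape that
    cortexutils writes to stdout; `send(url, payload)` does the HTTP POST
    and returns the status code (injected so the example runs offline)."""
    try:
        job = parse_job(raw)
    except ValueError as exc:
        return {"success": False, "errorMessage": str(exc)}
    payload = build_payload(job)
    status = send(job["config"]["listener_url"], payload)
    if status != 200:
        return {"success": False, "errorMessage": "listener returned HTTP %d" % status}
    return {"success": True,
            "full": {"message": "case %d sent to listener" % payload["case_id"]}}
```

Feeding `SAMPLE_JOB` to `run` with a real HTTP sender reproduces what Cortex does when the responder is triggered on a case; a job of any other dataType is rejected before it is forwarded.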
- Cortex needs to have cortexutils installed at operating system level:
  $ sudo pip3 install cortexutils
- Upload the contents of responder/ to CORTEX_RESPONDERS/YaraDesigner/ on the Cortex host.
- Restart TheHive and Cortex:
  $ sudo systemctl restart cortex thehive
- Enable the Cortex Responder:
  - Log into Cortex with your TheHive user.
  - Click "Organization" in the top bar.
  - Click the "Responders" tab.
  - Click the "+ Enable" link at the far right on the entry "YARA Designer".
  - Configure options and click "Save".
  - Click "Responders" in the top bar and verify that it is listed on the Responders page.

Tip: Responder script runtime stdout/stdin can be found in /var/log/cortex/application.log, should you need to diagnose any problems.
Further documentation: https://github.com/TheHive-Project/CortexDocs/blob/master/api/how-to-create-a-responder.md