# Secret Key # The secret key is used to secure cryptographic functions. # WARNING: If you deploy your application on several servers, make sure to use the same key. #play.http.secret.key="***changeme***" # Elasticsearch search { ## Basic configuration # Index name. index = the_hive # ElasticSearch instance address. uri = "http://127.0.0.1:9200/" ## Advanced configuration # Scroll keepalive. #keepalive = 1m # Scroll page size. #pagesize = 50 # Number of shards #nbshards = 5 # Number of replicas #nbreplicas = 1 # Arbitrary settings #settings { # # Maximum number of nested fields # mapping.nested_fields.limit = 100 #} ## Authentication configuration #username = "" #password = "" ## SSL configuration #keyStore { # path = "/path/to/keystore" # type = "JKS" # or PKCS12 # password = "keystore-password" #} #trustStore { # path = "/path/to/trustStore" # type = "JKS" # or PKCS12 # password = "trustStore-password" #} } # Authentication auth { # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration) # available auth types are: # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required. # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key # oauth2 : use OAuth/OIDC to authenticate users. Configuration is under "auth.oauth2" and "auth.sso" keys provider = [local] # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true. #method.basic = true ad { # The Windows domain name in DNS format. This parameter is required if you do not use # 'serverNames' below. #domainFQDN = "mydomain.local" # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN # above. If this parameter is not set, TheHive uses 'domainFQDN'. #serverNames = [ad1.mydomain.local, ad2.mydomain.local] # The Windows domain name using short format. This parameter is required. #domainName = "MYDOMAIN" # If 'true', use SSL to connect to the domain controller. #useSSL = true } ldap { # The LDAP server name or address. The port can be specified using the 'host:port' # syntax. This parameter is required if you don't use 'serverNames' below. #serverName = "ldap.mydomain.local:389" # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead. #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local] # Account to use to bind to the LDAP server. This parameter is required. #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local" # Password of the binding account. This parameter is required. #bindPW = "***secret*password***" # Base DN to search users. This parameter is required. #baseDN = "ou=users,dc=mydomain,dc=local" # Filter to search user in the directory server. Please note that {0} is replaced # by the actual user name. This parameter is required. #filter = "(cn={0})" # If 'true', use SSL to connect to the LDAP directory server. #useSSL = true } oauth2 { # URL of the authorization server #clientId = "client-id" #clientSecret = "client-secret" #redirectUri = "https://my-thehive-instance.example/index.html#!/login" #responseType = "code" #grantType = "authorization_code" # URL from where to get the access token #authorizationUrl = "https://auth-site.com/OAuth/Authorize" #tokenUrl = "https://auth-site.com/OAuth/Token" # The endpoint from which to obtain user details using the OAuth token, after successful login #userUrl = "https://auth-site.com/api/User" #scope = "openid profile" } # Single-Sign On sso { # Autocreate user in database? #autocreate = false # Autoupdate its profile and roles? #autoupdate = false # Autologin user using SSO? #autologin = false # Attributes mappings #attributes { # login = "sub" # name = "name" # groups = "groups" # #roles = "roles" #} # Name of mapping class from user resource to backend user ('simple' or 'group') #mapper = group # Default roles for users with no groups mapped ("read", "write", "admin") #defaultRoles = [] #groups { # # URL to retreive groups (leave empty if you are using OIDC) # #url = "https://auth-site.com/api/Groups" # # Group mappings, you can have multiple roles for each group: they are merged # mappings { # admin-profile-name = ["admin"] # editor-profile-name = ["write"] # reader-profile-name = ["read"] # } #} } } # Maximum time between two requests without requesting authentication session { warning = 5m inactivity = 1h } # Max textual content length play.http.parser.maxMemoryBuffer= 1M # Max file size play.http.parser.maxDiskBuffer = 1G # Cortex # TheHive can connect to one or multiple Cortex instances. Give each # Cortex instance a name and specify the associated URL. # # In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line #play.modules.enabled += connectors.cortex.CortexConnector cortex { #"CORTEX-SERVER-ID" { # url = "" # key = "" # # HTTP client configuration (SSL and proxy) # ws {} #} } # MISP # TheHive can connect to one or multiple MISP instances. Give each MISP # instance a name and specify the associated Authkey that must be used # to poll events, the case template that should be used by default when # importing events as well as the tags that must be added to cases upon # import. # Prior to configuring the integration with a MISP instance, you must # enable the MISP connector. This will allow you to import events to # and/or export cases to the MISP instance(s). #play.modules.enabled += connectors.misp.MispConnector misp { # Interval between consecutive MISP event imports in hours (h) or # minutes (m). interval = 1h #"MISP-SERVER-ID" { # # MISP connection configuration requires at least an url and a key. The key must # # be linked with a sync account on MISP. # url = "" # key = "" # # # Name of the case template in TheHive that shall be used to import # # MISP events as cases by default. # caseTemplate = "" # # # Optional tags to add to each observable imported from an event # # available on this instance. # tags = ["misp-server-id"] # # ## MISP event filters # # MISP filters is used to exclude events from the import. # # Filter criteria are: # # The number of attribute # max-attributes = 1000 # # The size of its JSON representation # max-size = 1 MiB # # The age of the last publish date # max-age = 7 days # # Organization and tags # exclusion { # organisation = ["bad organisation", "other organisations"] # tags = ["tag1", "tag2"] # } # # ## HTTP client configuration (SSL and proxy) # # Truststore to use to validate the X.509 certificate of the MISP # # instance if the default truststore is not sufficient. # # Proxy can also be used # ws { # ssl.trustManager.stores = [ { # path = /path/to/truststore.jks # } ] # proxy { # host = proxy.mydomain.org # port = 3128 # } # } # # # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport) # # Default is ImportAndExport # purpose = ImportAndExport #} ## <-- Uncomment to complete the configuration } misp-thread-pool { fork-join-executor { # Min number of threads available for MISP synchronization parallelism-min = 2 # Parallelism (threads) ... ceil(available processors * factor) parallelism-factor = 2.0 # Max number of threads available for MISP synchronization parallelism-max = 4 } }