Installing the Phish Report responder for TheHive and Cortex

TheHive is a Security Incident Response Platform that integrates with Cortex to automate the actions SOC analysts need to carry out during incident response.

Phish Report hosts a Cortex-compatible server which you can quickly add to any instance of TheHive, without needing to install any custom responders! Simply add our Cortex server to your TheHive configuration file and you'll be taking phishing sites down in no time.

Screenshot of the Phish Report Responder in TheHive

Installation

To install the Phish Report responder, you need to tell TheHive how to connect and authenticate with the Phish Report Cortex server.

If you're already running your own Cortex server, your TheHive application.conf file will contain a section like this, giving TheHive the connection details for your local Cortex server:

play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
    servers = [
        {
            name = "local"
            url = "http://localhost:9001"
            auth {
                type = "bearer"
                key = "someapikeyhere"
            }
        }
    ]
}

To install the Phish Report integration, you add a second entry to the servers array:

play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
    servers = [
        {
            name = "local"
            url = "http://localhost:9001"
            auth {
                type = "bearer"
                key = "someapikeyhere"
            }
        },
        {
            name = "phish_report"
            url = "https://phish.report/api/cortex"
            auth {
                type = "bearer"
                key = "Get your API key from https://phish.report/user"
            }
        }
    ]
}

You can find your Phish Report API key at the bottom of your user page.
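Because the API key lives in plaintext in application.conf and TheHive sends it as a bearer token on every request, it is worth checking the servers block before restarting TheHive: the key must not still be the placeholder text shown above, and a remote Cortex server must be reached over https so the key is not sent in the clear. The script below is an added example, not code from Phish Report or TheHive. It assumes the simplified HOCON subset used on this page (quoted values only, no comments or substitutions) and uses a constructed configuration fragment as input; the placeholder heuristic is an assumption as well.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed sample of the application.conf fragment from this page.
SAMPLE_CONF = """
play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
cortex {
    servers = [
        {
            name = "local"
            url = "http://localhost:9001"
            auth {
                type = "bearer"
                key = "someapikeyhere"
            }
        },
        {
            name = "phish_report"
            url = "https://phish.report/api/cortex"
            auth {
                type = "bearer"
                key = "Get your API key from https://phish.report/user"
            }
        }
    ]
}
"""

# Only the four quoted keys TheHive needs for a Cortex server entry.
KV = re.compile(r'^\s*(name|url|type|key)\s*=\s*"([^"]*)"\s*$', re.M)

# Heuristic (assumption): strings that look like documentation placeholders.
PLACEHOLDER = re.compile(r"api key|your|here|example|changeme", re.I)


def extract_servers(conf: str) -> list[dict]:
    """Return one dict per entry of cortex.servers (brace-depth scan).

    Limitation: quoted values containing '{' or '}' are not handled.
    """
    start = conf.find("servers")
    if start < 0:
        return []
    lb = conf.find("[", start)
    depth, cur_start, entries = 0, None, []
    for i, ch in enumerate(conf[lb + 1:], lb + 1):
        if ch == "{":
            if depth == 0:
                cur_start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                entries.append(conf[cur_start:i + 1])
        elif ch == "]" and depth == 0:
            break  # end of the servers array
    return [dict(KV.findall(e)) for e in entries]


def check_server(s: dict) -> list[str]:
    """List configuration problems for a single server entry."""
    problems = []
    if not s.get("name"):
        problems.append("missing name")
    url = s.get("url", "")
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        problems.append(f"malformed url {url!r}")
    elif p.scheme == "http" and p.hostname not in ("localhost", "127.0.0.1"):
        problems.append("plaintext http to a remote Cortex server exposes the bearer key")
    if s.get("type") != "bearer":
        problems.append("auth type must be 'bearer'")
    key = s.get("key", "")
    if not key or PLACEHOLDER.search(key):
        problems.append("key looks like a placeholder, not a real API key")
    return problems


def check_conf(conf: str) -> dict[str, list[str]]:
    """Map each server name to its list of problems (empty list = OK)."""
    return {s.get("name", f"server{i}"): check_server(s)
            for i, s in enumerate(extract_servers(conf))}


if __name__ == "__main__":
    for name, problems in check_conf(SAMPLE_CONF).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against your real file with `check_conf(open("/etc/thehive/application.conf").read())`; an empty list for phish_report means the entry is syntactically usable, after which the About modal described below confirms the connection end to end. Keep application.conf readable only by the TheHive service account, since anyone who can read it holds your Phish Report key.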

You'll know the integration is working when your TheHive "About" modal (found by clicking your username in the top right of your TheHive instance and then choosing ℹ️ About) shows a successful connection.

TheHive About modal showing a successful connection to a Cortex server named phish_report

Usage

Start a takedown of a phishing site from TheHive

The Phish Report integration includes a responder which lets you start a Phish Report takedown directly from a TheHive case.

To start a Phish Report takedown from TheHive:

  1. Open the Observables tab for your case: Screenshot of TheHive Observables tab for a case
  2. Click the ⚙️ icon under the Actions heading for a supported observable (url, domain): Screenshot of a single url observable with the Actions button
  3. Choose "Start a Phish Report takedown" from the list: Screenshot of the TheHive responder selection modal

The Phish Report integration will then start a takedown for the specified URL or domain and add a new task to your TheHive case with a link where you can complete additional manual takedown actions.