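# TheHive application configuration (HOCON, loaded by the Play framework).
#
# NOTE(review): this file was found with its line breaks collapsed. In that form
# every setting following a '#' on the same physical line is swallowed by the
# comment, and the MISP description became bare text outside any comment. The
# layout below restores one setting per line; all values are unchanged.
#
# NOTE(review): this file holds credentials (Play secret key, LDAP bind password,
# and keystore passwords once enabled). Keep it readable only by the TheHive
# service account and out of version control, or supply the secrets through HOCON
# environment substitution, e.g.
#   bindPW = ${?LDAP_BIND_PW}      (constructed variable name)

# Secret Key
# The secret key is used to secure cryptographic functions.
# WARNING: If you deploy your application on several servers, make sure to use the same key.
# NOTE(review): the value below looks like a redaction or placeholder. Play signs
# session cookies with this key, so a deployed instance needs a long random value
# that is unique to the deployment and never published.
play.http.secret.key="----------------------------------------------------------------"

# Elasticsearch
search {
  ## Basic configuration
  # Index name.
  index = the_hive
  # ElasticSearch instance address.
  # NOTE(review): plain HTTP with no credentials (the authentication keys below are
  # commented out). That is only reasonable while Elasticsearch listens on loopback
  # alone; confirm its bind address on this host.
  uri = "http://127.0.0.1:9200/"
  # Name of the ElasticSearch cluster
  #cluster = hive

  ## Advanced configuration
  # Scroll keepalive.
  keepalive = 1m
  # Scroll page size.
  pagesize = 50
  # Number of shards
  #nbshards = 5
  # Number of replicas
  #nbreplicas = 1
  # Arbitrary settings
  #settings {
  #  # Maximum number of nested fields
  #  mapping.nested_fields.limit = 100
  #}

  cluster {
    name = hive
  }

  ## Authentication configuration
  # NOTE(review): these keys sit inside the 'search { }' object, so uncommenting
  # them as written yields the path 'search.search.username'. Confirm the intended
  # path against the TheHive documentation before enabling.
  #search.username = ""
  #search.password = ""

  ## SSL configuration
  #search.keyStore {
  #  path = "/path/to/keystore"
  #  type = "JKS" # or PKCS12
  #  password = "keystore-password"
  #}
  #search.trustStore {
  #  path = "/path/to/trustStore"
  #  type = "JKS" # or PKCS12
  #  password = "trustStore-password"
  #}
}

# Authentication
auth {
  # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
  # available auth types are:
  # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
  # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
  # NOTE(review): with both providers listed, locally stored passwords remain a
  # valid login path next to LDAP. Review which local accounts still exist and
  # drop 'local' once it is no longer needed.
  provider = [ldap,local]
  # provider = [local]

  # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
  #method.basic = true

  ad {
    # The Windows domain name in DNS format. This parameter is required if you do not use
    # 'serverNames' below.
    #domainFQDN = "mydomain.local"

    # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN'
    # above. If this parameter is not set, TheHive uses 'domainFQDN'.
    #serverNames = [ad1.mydomain.local, ad2.mydomain.local]

    # The Windows domain name using short format. This parameter is required.
    #domainName = "MYDOMAIN"

    # If 'true', use SSL to connect to the domain controller.
    #useSSL = true
  }

  ldap {
    # The LDAP server name or address. The port can be specified using the 'host:port'
    # syntax. This parameter is required if you don't use 'serverNames' below.
    serverName = "xxx.xxx.xxx:636"

    # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
    #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]

    # Account to use to bind to the LDAP server. This parameter is required.
    # NOTE(review): use a dedicated account with read-only search rights on the
    # base DN; its password is stored in clear text on the next setting.
    bindDN = "CN=xxxxxxx,OU=xxxxx,DC=xx,DC=xx,DC=xxx"

    # Password of the binding account. This parameter is required.
    bindPW = "xxxxxxx"

    # Base DN to search users. This parameter is required.
    baseDN = "ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxxx"

    # Filter to search user in the directory server. Please note that {0} is replaced
    # by the actual user name. This parameter is required.
    filter = "(cn={0})"

    # If 'true', use SSL to connect to the LDAP directory server.
    # Matches the LDAPS port (636) given in 'serverName'.
    # NOTE(review): confirm the JVM truststore contains the CA that issued the
    # directory server's certificate.
    useSSL = true
  }
}

# Maximum time between two requests without requesting authentication
session {
  warning = 5m
  inactivity = 1h
}

# Max textual content length
play.http.parser.maxMemoryBuffer= 1M

# Max file size
play.http.parser.maxDiskBuffer = 1G

# Cortex
# TheHive can connect to one or multiple Cortex instances. Give each
# Cortex instance a name and specify the associated URL.
#
# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line

#play.modules.enabled += connectors.cortex.CortexConnector

cortex {
  #"CORTEX-SERVER-ID" {
  #  url = ""
  #  key = ""
  #  # HTTP client configuration (SSL and proxy)
  #  ws {}
  #}
}

# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.

# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).

#play.modules.enabled += connectors.misp.MispConnector

misp {
  # Interval between consecutive MISP event imports in hours (h) or
  # minutes (m).
  interval = 1h

  #"MISP-SERVER-ID" {
  #  # MISP connection configuration requires at least an url and a key. The key must
  #  # be linked with a sync account on MISP.
  #  url = ""
  #  key = ""
  #
  #  # Name of the case template in TheHive that shall be used to import
  #  # MISP events as cases by default.
  #  caseTemplate = ""
  #
  #  # Optional tags to add to each observable imported from an event
  #  # available on this instance.
  #  tags = ["misp-server-id"]
  #
  #  ## MISP event filters
  #  # MISP filters is used to exclude events from the import.
  #  # Filter criteria are:
  #  # The number of attribute
  #  max-attributes = 1000
  #  # The size of its JSON representation
  #  max-size = 1 MiB
  #  # The age of the last publish date
  #  max-age = 7 days
  #  # Organization and tags
  #  exclusion {
  #    organisation = ["bad organisation", "other organisations"]
  #    tags = ["tag1", "tag2"]
  #  }
  #
  #  ## HTTP client configuration (SSL and proxy)
  #  # Truststore to use to validate the X.509 certificate of the MISP
  #  # instance if the default truststore is not sufficient.
  #  # Proxy can also be used
  #  ws {
  #    ssl.trustManager.stores = [ {
  #      path = /path/to/truststore.jks
  #    } ]
  #    proxy {
  #      host = proxy.mydomain.org
  #      port = 3128
  #    }
  #  }
  #
  #  # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
  #  # Default is ImportAndExport
  #  purpose = ImportAndExport
  #} ## <-- Uncomment to complete the configuration
}

# HTTPS listener (disabled).
# NOTE(review): with this block commented out, no HTTPS listener is configured
# here, so logins (including LDAP passwords) reach TheHive over plain HTTP unless
# TLS is terminated by a proxy in front of it, which is not visible from this file.
# https.port: 9443
# play.server.https.keyStore {
#
#   path: "/etc/pki/tls/private/xxx.xxxxxx.pfx"
#   type: "PKCS12"
#   password: "xxxxxxxxx"
# }
#http.port=disabled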