Step-by-Step Guide#
This page is a step by step installation and configuration guide to get a Cortex instance up and running. This guide is illustrated with examples for Debian and RPM packages based systems and for installation from ZIP binary packages.
Required packages#
apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb_release
yum install gnupg chkconfig python3-pip git
Java Virtual Machine#
Manual installation required
Starting with Cortex 3.2, the Java Virtual Machine is no longer installed automatically. You must manually install it before running Cortex.
Install Java
For enhanced security and long-term support, use Amazon Corretto, an OpenJDK build provided and maintained by Amazon. Corretto 11 or higher is required to install Cortex.
- Open a terminal window.
-
Execute the following commands:
wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee -a /etc/apt/sources.list.d/corretto.sources.list sudo apt update sudo apt install java-common java-11-amazon-corretto-jdk echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"
-
Verify the installation by running:
java -version
-
You should see output similar to the following:
openjdk version "11.0.12" 2022-07-19 OpenJDK Runtime Environment Corretto-11.0.12.7.1 (build 11.0.12+7-LTS) OpenJDK 64-Bit Server VM Corretto-11.0.12.7.1 (build 11.0.12+7-LTS, mixed mode)
- Open a terminal window.
-
Execute the following commands:
sudo rpm --import https://yum.corretto.aws/corretto.key &> /dev/null wget -qO- https://yum.corretto.aws/corretto.repo | sudo tee -a /etc/yum.repos.d/corretto.repo yum install java-11-amazon-corretto-devel &> /dev/null echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"
-
Verify the installation by running:
java -version
-
You should see output similar to the following:
openjdk version "11.0.12" 2022-07-19 OpenJDK Runtime Environment Corretto-11.0.12.7.1 (build 11.0.12+7-LTS) OpenJDK 64-Bit Server VM Corretto-11.0.12.7.1 (build 11.0.12+7-LTS, mixed mode)
The installation requires Java 11, so refer to your system documentation to install it.
Elasticsearch#
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt install elasticsearch
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
sudo yum install --enablerepo=elasticsearch elasticsearch
Configuration#
http.host: 127.0.0.1
transport.host: 127.0.0.1
cluster.name: hive
thread_pool.search.queue_size: 100000
path.logs: "/var/log/elasticsearch"
path.data: "/var/lib/elasticsearch"
xpack.security.enabled: false
script.allowed_types: "inline,stored"
Adjust this file according to the amount of RAM available on your server:
-Dlog4j2.formatMsgNoLookups=true
-Xms4g
-Xmx4g
Docker#
If using Docker images of analyzers and responders, Docker engine is required on the operating system:
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
apt install docker-ce
sudo yum remove -yq docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
sudo dnf -yq install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
sudo dnf install -yq docker-ce docker-ce-cli containerd.io docker-compose-plugin
Cortex installation and configuration#
This section provides step-by-step instructions to install Cortex and configure it properly.
Installation#
Cortex packages are distributed as RPM and DEB files available for direct download via tools like Wget or cURL, with installation performed manually.
All packages are hosted on an HTTPS-secured website and come with a SHA256 checksum and a GPG signature for verification.
-
Download the package along with its SHA256 checksum and signature files.
Destination path
Replace
/path/to/
with the full local directory path where you want to save the downloaded files.-
Using Wget:
wget -O /path/to/<file_name>.deb https://cortex.download.strangebee.com/<major.minor_version>/deb/<file_name>.deb wget -O /path/to/<file_name>.deb.sha256 https://cortex.download.strangebee.com/<major.minor_version>/sha256/<file_name>.deb.sha256 wget -O /path/to/<file_name>.deb.asc https://cortex.download.strangebee.com/<major.minor_version>/asc/<file_name>.deb.asc
Example:
wget -O /tmp/cortex_3.2.1-2_all.deb https://cortex.download.strangebee.com/3.2/deb/cortex_3.2.1-2_all.deb wget -O /tmp/cortex_3.2.1-2_all.deb.sha256 https://cortex.download.strangebee.com/3.2/sha256/cortex_3.2.1-2_all.deb.sha256 wget -O /tmp/cortex_3.2.1-2_all.deb.asc https://cortex.download.strangebee.com/3.2/asc/cortex_3.2.1-2_all.deb.asc
-
Using cURL:
curl -o /path/to/<file_name>.deb https://cortex.download.strangebee.com/<major.minor_version>/deb/<file_name>.deb curl -o /path/to/<file_name>.deb.sha256 https://cortex.download.strangebee.com/<major.minor_version>/sha256/<file_name>.deb.sha256 curl -o /path/to/<file_name>.deb.asc https://cortex.download.strangebee.com/<major.minor_version>/asc/<file_name>.deb.asc
Example:
curl -o /tmp/cortex_3.2.1-2_all.deb https://cortex.download.strangebee.com/3.2/deb/cortex_3.2.1-2_all.deb curl -o /tmp/cortex_3.2.1-2_all.deb.sha256 https://cortex.download.strangebee.com/3.2/sha256/cortex_3.2.1-2_all.deb.sha256 curl -o /tmp/cortex_3.2.1-2_all.deb.asc https://cortex.download.strangebee.com/3.2/asc/cortex_3.2.1-2_all.deb.asc
-
-
Verify the integrity of the downloaded package.
-
Check the SHA256 checksum by comparing it with the provided value.
a. Generate the SHA256 checksum of your downloaded package.
sha256sum /path/to/<file_name>.deb
b. Compare the output hash with the official SHA256 value listed in the .sha256 file.
c. If both hashes match exactly, the file integrity is verified. If not, the file may be corrupted or tampered with—don't proceed with installation, and contact the StrangeBee Security Team.
-
Verify the GPG signature using the public key.
a. Download the public key at keys.download.strangebee.com using Wget or cURL.
wget -O /path/to/strangebee.gpg https://keys.download.strangebee.com/latest/gpg/strangebee.gpg
curl -o /path/to/strangebee.gpg https://keys.download.strangebee.com/latest/gpg/strangebee.gpg
b. Import the key into your GPG keyring.
gpg --import /path/to/strangebee.gpg
c. Verify the downloaded package signature.
gpg --verify /path/to/<file_name>.deb.asc /path/to/<file_name>.deb
d. You should see a message stating indicating that the signature is valid and the package is authentic. If you see warnings or errors, don't install the package as its integrity or authenticity can't be confirmed. Report the issue to the StrangeBee Security Team.
-
-
Install the package.
-
Using
apt-get
to manage dependencies automatically:sudo apt-get install /path/to/<file_name>.deb
-
Using
dpkg
:sudo dpkg -i /path/to/<file_name>.deb
Missing dependencies
While using
dpkg
, you might encounter warnings about missing dependencies during installation. To resolve this, run the commands described in the Required packages section of the installation guide.
-
-
When switching from the previous repository-based installation, remove the old repository to avoid stale configurations.
Why you should remove the old repository
Keeping the old repository configuration can cause your system to download outdated or conflicting packages during updates, potentially breaking your installation or causing unexpected behavior.
sudo rm /etc/apt/sources.list.d/strangebee.list sudo apt-get update
-
Download the package along with its SHA256 checksum and signature files.
Destination path
Replace
/path/to/
with the full local directory path where you want to save the downloaded files.-
Using Wget:
wget -O /path/to/<file_name>.rpm https://cortex.download.strangebee.com/<major.minor_version>/rpm/<file_name>.rpm wget -O /path/to/<file_name>.rpm.sha256 https://cortex.download.strangebee.com/<major.minor_version>/sha256/<file_name>.rpm.sha256 wget -O /path/to/<file_name>.rpm.asc https://cortex.download.strangebee.com/<major.minor_version>/asc/<file_name>.rpm.asc
Example:
wget -O /tmp/cortex-3.2.1-2.noarch.rpm https://cortex.download.strangebee.com/3.2/rpm/cortex-3.2.1-2.noarch.rpm wget -O /tmp/cortex-3.2.1-2.noarch.rpm.sha256 https://cortex.download.strangebee.com/3.2/sha256/cortex-3.2.1-2.noarch.rpm.sha256 wget -O /tmp/cortex-3.2.1-2.noarch.rpm.asc https://cortex.download.strangebee.com/3.2/asc/cortex-3.2.1-2.noarch.rpm.asc
-
Using cURL:
curl -o /path/to/<file_name>.rpm https://cortex.download.strangebee.com/<major.minor_version>/rpm/<file_name>.rpm curl -o /path/to/<file_name>.rpm.sha256 https://cortex.download.strangebee.com/<major.minor_version>/sha256/<file_name>.rpm.sha256 curl -o /path/to/<file_name>.rpm.asc https://cortex.download.strangebee.com/<major.minor_version>/asc/<file_name>.rpm.asc
Example:
curl -o /tmp/cortex-3.2.1-2.noarch.rpm https://cortex.download.strangebee.com/3.2/rpm/cortex-3.2.1-2.noarch.rpm curl -o /tmp/cortex-3.2.1-2.noarch.rpm.sha256 https://cortex.download.strangebee.com/3.2/sha256/cortex-3.2.1-2.noarch.rpm.sha256 curl -o /tmp/cortex-3.2.1-2.noarch.rpm.asc https://cortex.download.strangebee.com/3.2/asc/cortex-3.2.1-2.noarch.rpm.asc
-
-
Verify the integrity of the downloaded package.
-
Check the SHA256 checksum by comparing it with the provided value.
a. Generate the SHA256 checksum of your downloaded package.
sha256sum /path/to/<file_name>.rpm
b. Compare the output hash with the official SHA256 value listed in the .sha256 file.
c. If both hashes match exactly, the file integrity is verified. If not, the file may be corrupted or tampered with—don't proceed with installation, and contact the StrangeBee Security Team.
-
Verify the GPG signature using the public key.
a. Download the public key at keys.download.strangebee.com using Wget or cURL.
wget -O /path/to/strangebee.gpg https://keys.download.strangebee.com/latest/gpg/strangebee.gpg
curl -o /path/to/strangebee.gpg https://keys.download.strangebee.com/latest/gpg/strangebee.gpg
b. Import the key into your GPG keyring.
gpg --import /path/to/strangebee.gpg
c. Verify the downloaded package signature.
gpg --verify /path/to/<file_name>.rpm.asc /path/to/<file_name>.rpm
d. You should see a message stating indicating that the signature is valid and the package is authentic. If you see warnings or errors, don't install the package as its integrity or authenticity can't be confirmed. Report the issue to the StrangeBee Security Team.
-
-
Install the package.
-
Using
yum
to manage dependencies automatically:sudo yum install /path/to/<file_name>.rpm
-
Using
dnf
to manage dependencies automatically:sudo dnf install /path/to/<file_name>.rpm
-
Using
rpm
:sudo rpm -ivh /path/to/<file_name>.rpm
Missing dependencies
While using
rpm
, you might encounter warnings about missing dependencies during installation. To resolve this, run the commands described in the Required packages section of the installation guide.
-
-
When switching from the previous repository-based installation, deactivate the old repository to avoid stale configurations.
Why you should deactivate the old repository
Keeping the old repository configuration can cause your system to download outdated or conflicting packages during updates, potentially breaking your installation or causing unexpected behavior.
a. Deactivate the repository.
```bash sudo yum-config-manager --disable strangebee ```
b. Optional: Remove the repository file.
```bash sudo rm /etc/yum.repos.d/strangebee.repo sudo yum clean all ```
If you prefer more control over where Cortex is installed, need to use it in environments without package managers, or want to avoid dependency issues, you can install Cortex by downloading a ZIP binary package.
-
Download the binary package along with its SHA256 checksum and signature files. You can install Cortex anywhere on your filesystem.
Destination path
Replace
/path/to/
with the full local directory path where you want to save the downloaded files.-
Using Wget
wget -O /path/to/<file_name>.zip cortex.download.strangebee.com/<major.minor_version>/zip/<file_name>.zip wget -O /path/to/<file_name>.zip.sha256 cortex.download.strangebee.com/<major.minor_version>/sha256/<file_name>.zip.sha256 wget -O /path/to/<file_name>.zip.asc cortex.download.strangebee.com/<major.minor_version>/asc/<file_name>.zip.asc
Example:
wget -O /opt/cortex/cortex-3.2.1-2.zip https://cortex.download.strangebee.com/3.2/zip/cortex-3.2.1-2.zip wget -O /opt/cortex/cortex-3.2.1-2.zip.sha256 https://cortex.download.strangebee.com/3.2/sha256/cortex-3.2.1-2.zip.sha256 wget -O /opt/cortex/cortex-3.2.1-2.zip.asc https://cortex.download.strangebee.com/3.2/asc/cortex-3.2.1-2.zip.asc
-
Using cURL
curl -o /path/to/<file_name>.zip cortex.download.strangebee.com/<major.minor_version>/zip/<file_name>.zip curl -o /path/to/<file_name>.zip.sha256 cortex.download.strangebee.com/<major.minor_version>/sha256/<file_name>.zip.sha256 curl -o /path/to/<file_name>.zip.asc cortex.download.strangebee.com/<major.minor_version>/asc/<file_name>.zip.asc
Example:
curl -o /opt/cortex/cortex-3.2.1-2.zip https://cortex.download.strangebee.com/3.2/zip/cortex-3.2.1-2.zip curl -o /opt/cortex/cortex-3.2.1-2.zip.sha256 https://cortex.download.strangebee.com/3.2/sha256/cortex-3.2.1-2.zip.sha256 curl -o /opt/cortex/cortex-3.2.1-2.zip.asc https://cortex.download.strangebee.com/3.2/asc/cortex-3.2.1-2.zip.asc
-
-
Verify the integrity of the downloaded package.
-
Check the SHA256 checksum by comparing it with the provided value.
a. Generate the SHA256 checksum of your downloaded package.
sha256sum /path/to/<file_name>.zip
b. Compare the output hash with the official SHA256 value listed in the .sha256 file.
c. If both hashes match exactly, the file integrity is verified. If not, the file may be corrupted or tampered with—don't proceed with unzipping or installation, and contact the StrangeBee Security Team.
-
Verify the GPG signature using the public key.
a. Download the public key at keys.download.strangebee.com using Wget or cURL.
wget -O /path/to/strangebee.gpg https://keys.download.strangebee.com/latest/gpg/strangebee.gpg
curl -o /path/to/strangebee.gpg https://keys.download.strangebee.com/latest/gpg/strangebee.gpg
b. Import the key into your GPG keyring.
gpg --import /path/to/strangebee.gpg
c. Verify the downloaded package signature.
gpg --verify /path/to/<file_name>.zip.asc /path/to/<file_name>.zip
d. You should see a message stating indicating that the signature is valid and the package is authentic. If you see warnings or errors, don't unzip or install the package as its integrity or authenticity can't be confirmed. Report the issue to the StrangeBee Security Team.
-
-
Unzip the package.
Unzip paths
- Replace
/path/to/<file_name>.zip
with the full path to the ZIP file you downloaded. - Replace
/path/to/
after-d
with the directory where you want to extract the contents of the archive.
unzip /path/to/<file_name>.zip -d /path/to/ sudo ln -s /path/to/<file_name> /path/to/cortex
- Replace
-
Make the Cortex binary executable.
cd /path/to/ chmod +x cortex
Post-installation configuration#
Running analyzers & responders with Docker#
If you plan to use Cortex with Analyzers & Responders running in Docker, ensure the cortex
service account has appropriate permissions to interact with Docker:
sudo usermod -a -G docker cortex
Verify installation#
After installation, you can check if Cortex is properly installed by running:
cortex --version
This should return the installed version of Cortex.
Configuration#
Following settings are required to start Cortex successfully:
Advanced configuration settings might be added to run the application successfully:
Start Cortex service#
Warning
Before starting the service, ensure to have configured accordingly the application. Start by setting up the secret key.
Save configuration file and run the service:
systemctl start cortex
Please note that the service may take some time to start. Once it is started, you may launch your browser and connect to http://YOUR_SERVER_ADDRESS:9001/
.
First start#
Refer to the First start guide for the next steps.