Skip to content

Usage instructions for the official Azure distribution of TheHive v5#

Official Azure image

The image can be used to set up a shiny-new TheHive v5 install or to launch an instance with existing data and configuration (for update / migration / restore purposes). The same image can also be used to launch Cortex on the same instance or on a separate, dedicated instance.


  • Based on the official Ubuntu 20.04 LTS image from Canonical
  • The image is updated whenever a new TheHive version is released - no need to bother updating TheHive anymore, just launch a new instance as if it were a container!
  • TheHive / Cortex data is stored on two dedicated disks, not in the root filesystem. For that purpose, you must attach two persistent data disks at launch on LUN 0 (for the data) and LUN 1 (for Docker). The recommended minimal volume size are 32 GB per volume. If you install Cortex on a separate instance, simply apply the same configuration on the second instance.
  • The underlying Ubuntu OS is hardened to comply with CSL1 (that's Common Sense Level 1!) minus the network filtering. There are no iptables surprises inside the image to avoid conflicting behaviour with security groups.
  • Migration from TheHive v4 is possible using our migration script baked in the image (to be documented soon).

Run context#

  • TheHive is available on port http 9000 and Cortex, when deployed alongside, is available on port http 9001 (that's http and NOT https). Needless to say we encourage you never to open these ports outside your virtual network and use a public-facing load balancer and / or reverse proxy to handle the TLS sessions with end-users.
  • As an incentive to use https, both TheHive and Cortex are configured to use secure cookies by default. Connecting to their respective UIs in http will fail. An override to this remains possible in the configuration (for TheHive, set = false in /opt/thp_data/nomad/tasks/thehive/application.conf - for Cortex, set = false and = false in /opt/thp_data/nomad/tasks/cortex/application.conf). You must restart the thehive and/or cortex service(s) for the change to be effective.

Launching an instance#

  1. Launch an instance from the image and attach two persistent disks: the data disk on LUN 0 and the docker disk LUN 1
  2. Set the admin username to be azureuser
  3. Provide the following cloud-init bootstrap script to configure the instance (you must update at least the application.baseUrl value for TheHive in this example):
    table_type: gpt
    layout: True
    overwrite: True
    table_type: gpt
    layout: True
    overwrite: True
  - device: /dev/disk/azure/scsi1/lun0
    partition: auto
    filesystem: ext4
  - device: /dev/disk/azure/scsi1/lun1
    partition: auto
    filesystem: ext4
    - path: /opt/strangebee/ops/templates/nomad/tasks/thehive/application.conf.d/service.conf
      content: |
    - path: /opt/strangebee/ops/templates/nomad/tasks/cortex/application.conf.d/service.conf
      content: |
    - [ /opt/strangebee/ops/scripts/, "-t 1", "-c 0", "-p /dev/sdh", "-d /dev/sdi" ]

You can further customize this script as needed. In the example above we:

  • partition and format the data disks attached on LUN 0 and LUN 1
  • launch the initialisation script with the target data disk mapping names as argument (/dev/sdh and /dev/sdi) - the script will automatically mount the LUN 0 disk at /dev/sdh and the LUN 1 disk at /dev/sdi
  • install TheHive only (because of parameters "-t 1", "-c 0" when calling the script)


  1. To install both TheHive and Cortex on the same instance, use "-t 1", "-c 1"
  2. To install Cortex only on another instance, use "-t 0", "-c 1"

That's it! TheHive is now available (for your load balancer or reverse proxy) on port 9000 and Cortex on port 9001, if also installed. The default admin account on both applications is admin with password secret (change them!).

Remember to access the apps through an internet-facing https system such as a reverse proxy or load balancer. In our example, TheHive is available at and Cortex at

Even easier using Terraform#

You can also provision the whole thing using Terraform.

Check our GitHub repository for turnkey deployment code, including a full SecOps vnet with an https Application Gateway.