
Soc Deploy Thehive — Skill Tool

v1.0.0

Deploy TheHive 5 + Cortex 3 incident response platform on any Docker-ready Linux host. Automates account creation, API key generation, Cortex CSRF handling,...

by @solomonneas (Solomon Neas) · MIT-0
License: MIT-0
Last updated: 2026/3/21
Security scan:
  VirusTotal: harmless
  OpenClaw: safe (high confidence)
The skill's files and runtime instructions are coherent with its stated purpose (deploying TheHive + Cortex on a Docker-ready host); it does not request unrelated credentials or perform unexplained network exfiltration, but it assumes and uses several host-side tools and writes sensitive keys to disk in plaintext — review and secure the target host before use.
Assessment advice
This skill appears to do what it says: deploy TheHive + Cortex to a Docker-ready Linux host and generate API keys. Before using it: (1) only run it on a host you control and trust — it will create containers and save plaintext credentials to ~/thehive-cortex/api-keys.txt and print them to stdout; delete or move that file to secure storage when done. (2) Ensure the target has prerequisites installed (docker, docker compose v2, curl, openssl, sed) and that you have SSH/SCP access as instructed. (3...
Detailed analysis
Purpose and capabilities
The name/description match the included artifacts: SKILL.md, docker-compose.yml, and setup.sh all perform TheHive+Cortex deployment and API key setup. Minor mismatch: the registry metadata lists no required binaries, but the instructions and script expect common system tools (ssh/scp, docker, docker compose, curl, sed, openssl). This is expected for the stated purpose but the manifest omits declaring those prerequisites.
Instruction scope
SKILL.md and setup.sh stay within deployment scope: they create/write docker-compose.yml (after user SCP), start containers, perform HTTP calls to local services to create users/keys, and wire integration. They explicitly save generated credentials to ~/thehive-cortex/api-keys.txt and print them to stdout — this is necessary for the task but is sensitive and should be handled carefully. The instructions do not read unrelated host files or call external endpoints.
Installation mechanism
No install spec; this is an instruction-only skill with an included setup.sh and static docker-compose. Nothing is downloaded from arbitrary URLs or installed on the agent's machine. Risk from installation is low.
Credential requirements
The skill does not request credentials or environment variables in its manifest, which is consistent. However, the script relies on host binaries (docker, docker compose, curl, openssl, sed, ssh/scp for SCP/SSH steps) that are not declared; ensure these exist on the target. The script writes plaintext credentials and API keys to a file in the target user's home and prints them — appropriate for deployment but a sensitive side-effect.
Persistence and permissions
The skill does not request privileged platform features (the manifest does not set always: true). It creates Docker containers with restart: unless-stopped and writes files under the target user's home; that persistence is expected for a service deployment and is within scope.
Security is layered: review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.0 (2026/3/21)

Initial release of soc-deploy-thehive: Deploy TheHive 5 + Cortex 3 via Docker on any Linux host.
  • Automates deployment of TheHive 5.4 and Cortex 3.1.8, including all integration wiring.
  • Handles admin account creation, password setting, API key generation, and the Cortex CSRF workflow.
  • Verifies all services are running, writes ready-to-use API keys and URLs to disk.
  • Platform-agnostic: works on any SSH-accessible, Docker-ready Linux host.
  • Includes guidance on required RAM, dependencies, integration gotchas, and output usage.


Install command

Official: npx clawhub@latest install soc-deploy-thehive
Mirror:   npx clawhub@latest install soc-deploy-thehive --registry https://cn.clawhub-mirror.com

Skill documentation

Deploy TheHive + Cortex incident response platform on any Docker-ready Linux host.

This skill does NOT create VMs. It expects an SSH target with Docker installed. Use hyperv-create-vm or proxmox-create-vm first if you need infrastructure.

When to Use

  • "deploy thehive"
  • "set up thehive"
  • "install thehive and cortex"
  • "thehive lab"
  • "incident response platform"

User Inputs

Parameter           Default               Required
SSH target          -                     Yes (user@host)
Admin password      ChangeMe123!          No
Org name (Cortex)   SOC                   No
TheHive secret      (generated 40-char)   No

Prerequisites Check

# SSH works
ssh USER@HOST "echo OK"

# Docker + Compose v2
ssh USER@HOST "docker --version && docker compose version"

# RAM check (need 4GB+ free)
ssh USER@HOST "free -h | grep Mem"

Execution

Single command deployment

ssh USER@HOST "mkdir -p ~/thehive-cortex"   # scp does not create the target directory
scp scripts/setup.sh USER@HOST:~/
scp references/docker-compose.yml USER@HOST:~/thehive-cortex/docker-compose.yml
ssh USER@HOST "bash ~/setup.sh 'ADMIN_PASSWORD' 'ORG_NAME'"

What setup.sh does (from thehive-cortex-setup-guide.md)

  • Create directory + write docker-compose.yml
  • docker compose up -d (Cassandra + ES + TheHive + Cortex)
  • Poll health endpoints until all services respond:
    - GET http://HOST:9200/_cluster/health (Elasticsearch)
    - GET http://HOST:9000/api/status (TheHive)
    - GET http://HOST:9001/api/status (Cortex)
  • TheHive admin setup:
    - POST /api/v1/login with admin@thehive.local / secret (TheHive's default password)
    - POST /api/v1/user/admin@thehive.local/password/change (NOT PATCH)
    - POST /api/v1/user/admin@thehive.local/key/renew -> API key
  • Cortex setup (CSRF dance):
    - POST /api/maintenance/migrate
    - POST /api/user (create superadmin; first-user endpoint, works only while no users exist)
    - POST /api/login -> session cookie
    - GET /api/user/admin -> capture CORTEX-XSRF-TOKEN cookie
    - POST /api/organization (with CSRF cookie + header)
    - POST /api/user (org admin ORG-admin, with CSRF)
    - POST /api/user/ORG-admin/key/renew (with CSRF) -> org key
    - POST /api/user/admin/key/renew (with CSRF) -> super key
  • Wire integration:
    - Update docker-compose.yml: add --cortex-hostnames cortex --cortex-keys ORG_KEY
    - docker compose up -d thehive (restart only TheHive)
    - Wait 30s for TheHive startup
  • Verify both APIs respond with Bearer keys
  • Write credentials to ~/thehive-cortex/api-keys.txt

Output to User

TheHive + Cortex deployed!

TheHive: http://HOST:9000
Cortex:  http://HOST:9001

Credentials:
  TheHive admin:     admin@thehive.local / ADMIN_PASSWORD
  Cortex superadmin: admin / ADMIN_PASSWORD
  Cortex org admin:  ORG-admin (API key only)

API keys:
  TheHive:           THEHIVE_KEY
  Cortex superadmin: CORTEX_SUPER_KEY
  Cortex org admin:  CORTEX_ORG_KEY

MCP connection:
  THEHIVE_URL=http://HOST:9000
  THEHIVE_API_KEY=THEHIVE_KEY
  CORTEX_URL=http://HOST:9001
  CORTEX_API_KEY=CORTEX_KEY

Keys saved to: ~/thehive-cortex/api-keys.txt

Critical Gotchas

See references/gotchas.md for full details:

  • Cortex CSRF (biggest automation blocker): send the CORTEX-XSRF-TOKEN cookie AND the X-CORTEX-XSRF-TOKEN header (same value) on ALL mutating requests. Standard Play Framework bypass headers do NOT work. Once the first API key exists, authenticate with Authorization: Bearer KEY instead, which skips CSRF
  • TheHive password endpoint: POST /password/change with currentPassword+password. The PATCH endpoint returns 204 but silently ignores the password field
  • Bash ! in passwords: Use printf '...' | curl -d @-, not direct -d with exclamation marks
  • First-user one-shot: Cortex POST /api/user without auth only works when zero users exist
  • TheHive startup delay: 15-30s after compose up (waits for Cassandra)
  • Secret length: TheHive Play Framework JWT needs 32+ char secret
  • Use org admin key (not superadmin) for TheHive-Cortex integration (least privilege)
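The Cortex sequence listed under "What setup.sh does" and the CSRF, first-user and Bearer gotchas above, as an added example that is not the skill's setup.sh nor Cortex's own code: a small transport-agnostic Python client performs the dance, and a constructed FakeCortex stands in for the server so the whole exchange can be run offline. The endpoint paths, the CORTEX-XSRF-TOKEN cookie and the X-CORTEX-XSRF-TOKEN header are taken from the page; the JSON field names (login, name, roles, organization, user/password), the plain-text key response and everything the fake enforces are assumptions to check against your Cortex version. Against a real host, replace the fake with a transport that issues the request (urllib, requests, or a curl wrapper) and returns (status, headers, body).

```python
"""Cortex bootstrap ("CSRF dance") from the setup.sh steps and the CSRF gotchas above,
as a transport-agnostic client plus a constructed fake server so the exchange runs offline.
Added example, not the skill's setup.sh. Endpoint paths, cookie and header names come
from the page; JSON field names and the fake's behaviour are assumptions."""
import json
import secrets
from http.cookies import SimpleCookie

XSRF_COOKIE = "CORTEX-XSRF-TOKEN"
XSRF_HEADER = "X-CORTEX-XSRF-TOKEN"
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_cookies(header):
    """'a=1; b=2' (or a Set-Cookie line) -> {'a': '1', 'b': '2'}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


class CortexClient:
    """Replays session cookies and mirrors the XSRF cookie into the header on every mutating call."""

    def __init__(self, transport, bearer=None):
        self.transport = transport  # callable(method, path, headers, body) -> (status, headers, body)
        self.cookies = {}
        self.bearer = bearer        # once an API key exists, Bearer auth skips CSRF entirely

    def request(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.bearer:
            headers["Authorization"] = f"Bearer {self.bearer}"
        else:
            if self.cookies:
                headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
            if method in MUTATING and XSRF_COOKIE in self.cookies:
                headers[XSRF_HEADER] = self.cookies[XSRF_COOKIE]  # cookie AND header, not one or the other
        status, resp_headers, resp_body = self.transport(
            method, path, headers, None if body is None else json.dumps(body))
        for line in resp_headers.get("Set-Cookie", []):
            self.cookies.update(parse_cookies(line))
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {resp_body}")
        return resp_body

    def bootstrap(self, admin_password, org):
        """Run the page's Cortex sequence; returns (org_admin_key, superadmin_key)."""
        self.request("POST", "/api/maintenance/migrate")
        self.request("POST", "/api/user", {"login": "admin", "name": "admin",  # first-user one-shot
                                           "roles": ["superadmin"], "password": admin_password})
        self.request("POST", "/api/login", {"user": "admin", "password": admin_password})
        self.request("GET", "/api/user/admin")  # the GET response sets CORTEX-XSRF-TOKEN
        self.request("POST", "/api/organization", {"name": org, "description": org, "status": "Active"})
        org_admin = f"{org}-admin"
        self.request("POST", "/api/user", {"login": org_admin, "name": org_admin, "organization": org,
                                           "roles": ["read", "analyze", "orgadmin"]})
        org_key = self.request("POST", f"/api/user/{org_admin}/key/renew")
        super_key = self.request("POST", "/api/user/admin/key/renew")
        return org_key, super_key  # wire the org key (least privilege) into TheHive


class FakeCortex:
    """Constructed stand-in for an empty Cortex 3: enforces only the rules the gotchas list."""

    def __init__(self):
        self.users, self.keys, self.session = {}, {}, None

    def __call__(self, method, path, headers, body):
        data = json.loads(body) if body else {}
        cookies = parse_cookies(headers.get("Cookie"))
        bearer = headers.get("Authorization", "")[len("Bearer "):]
        logged_in = bearer in self.keys.values() or (
            self.session is not None and cookies.get("PLAY_SESSION") == self.session)
        first_user = path == "/api/user" and not self.users
        if method in MUTATING and path not in ("/api/maintenance/migrate", "/api/login") and not first_user:
            if not logged_in:
                return 401, {}, "authentication required"
            token = cookies.get(XSRF_COOKIE)
            if not bearer and (token is None or headers.get(XSRF_HEADER) != token):
                return 403, {}, "CSRF token missing or mismatched"  # Play's CSRF filter
        set_cookie = []
        if method == "GET" and logged_in and XSRF_COOKIE not in cookies:
            set_cookie.append(f"{XSRF_COOKIE}={secrets.token_hex(16)}; Path=/")
        if path == "/api/login":
            if self.users.get(data.get("user"), {}).get("password") != data.get("password"):
                return 401, {}, "bad credentials"
            self.session = secrets.token_hex(16)
            return 200, {"Set-Cookie": [f"PLAY_SESSION={self.session}; Path=/; HttpOnly"]}, ""
        if path == "/api/user" and method == "POST":
            self.users[data["login"]] = data
            return 201, {}, json.dumps({"id": data["login"]})
        if path.startswith("/api/user/") and path.endswith("/key/renew"):
            login = path.split("/")[3]
            if login not in self.users:
                return 404, {}, "no such user"
            self.keys[login] = secrets.token_urlsafe(24)
            return 200, {}, self.keys[login]  # Cortex returns the renewed key as plain text
        if path in ("/api/maintenance/migrate", "/api/organization") or path.startswith("/api/user/"):
            return 200, {"Set-Cookie": set_cookie}, json.dumps({"ok": True})
        return 404, {}, "not found"
```

The curl equivalent of CortexClient.request is a cookie jar reused with -b/-c plus the header copied out of it (awk over the jar for the CORTEX-XSRF-TOKEN line); the client above just keeps that bookkeeping in one place. The fake returns 403 for a cookie without the header, 401 for a second unauthenticated POST /api/user, and accepts Bearer-authenticated calls with no cookies at all, which are exactly the three behaviours the gotchas describe.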

API Quick Reference

See references/api-reference.md for the full endpoint list.

Timeout Strategy

Setup takes ~5-7 min (mostly waiting for services). If docker images are not cached, add ~5 min for pull. Split into:

  • Turn 1: docker compose up -d + pull images (~5 min)
  • Turn 2: Account setup + API keys (~3 min)

Pairs With

  • hyperv-create-vm - create a Hyper-V VM, then deploy TheHive on it
  • proxmox-create-vm - create a Proxmox LXC/VM, then deploy TheHive on it
  • soc-deploy-misp - deploy MISP alongside for threat intelligence
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库