Cortex Analyzers Review
A modular enrichment engine that lets TheHive analysts analyze observables in place instead of pivoting across dozens of external CTI tools.
Quick Verdict
SOC and DFIR teams already using TheHive who want inline, multi-source observable enrichment without manual tool-switching.
Pros
- + Brings multi-source IOC enrichment directly into TheHive so analysts stop leaving the case interface for routine lookups
- + Large analyzer catalog covers most common CTI, reputation, passive DNS, sandbox, and malware-analysis sources
Cons
- − Operational overhead grows quickly with the number of enabled analyzers and their individual API keys, quotas, and failures
- − Greatest value depends on TheHive integration; as a standalone enrichment platform it faces strong competition from IntelOwl
Introduction
Running TheHive with Cortex changes everything. It goes from a well-organized case tracker to an actual investigation workspace.
TheHive on Its Own
TheHive excels in case management, collaboration, and observable tracking. However, without inline enrichment, analysts still perform repetitive lookups. Analysts copy an IP and check it in VirusTotal, paste a domain and check it in PassiveTotal, submit hashes to MalwareBazaar, and URLs to URLScan.
The Problem with Repetitive Lookups
This process results in numerous browser tabs, and analysts then struggle to keep the useful findings tied to the case.
Cortex Analyzers
Cortex Analyzers bring enrichment into the case itself. The result is fewer browser tabs, fewer manual lookups, more consistent results, and better case records. The same sources analysts already rely on (VirusTotal, PassiveTotal, MalwareBazaar, URLScan) are queried from within TheHive, so investigations become faster and more complete.
What Cortex Analyzers Are
Cortex Analyzers are modular workers that analyze observables, such as IP addresses, domains, hashes, URLs, and email addresses. Each analyzer is a script that queries an enrichment or threat intelligence source and returns structured results. The analyzers query various sources, including VirusTotal, Shodan, AbuseIPDB, MalwareBazaar, URLScan, GreyNoise, PassiveTotal, and MISP instances.
The design is modular, with each source operating as its own worker. There is no giant enrichment engine trying to do everything.
Cortex pairs well with TheHive. Analysts submit observables for analysis, and Cortex dispatches requests to relevant analyzers. The output goes directly into the case interface.
The catalog is extensive, with over a hundred analyzers covering CTI, malware, sandbox, and passive intelligence services. Most teams find their trusted services are already represented.
Architecture: Cortex Engine and Analyzer Workers
Cortex executes jobs: it dispatches tasks, queues analysis requests, and stores analyzer configurations. Credentials are managed here, and results go back to TheHive or are retrieved via the REST API.
Cortex is the runtime, while analyzers are plugins that do the actual work.
Each analyzer is self-contained, with input and output following a defined model. This approach is more effective than a monolithic system. To add a source, simply deploy one analyzer. If a service is noisy or expensive, you can disable that analyzer, and the rest of the platform will keep running.
Cortex's strength lies in its modularity. Threat intelligence integrations can be prone to issues, such as broken APIs, expired quotas, and deprecated features. However, Cortex isolates problems to one worker, ensuring the system remains stable.
Analyzers enrich data, while responders take action, such as blocking IPs, sending notifications, and closing cases. Both run in Cortex. Analyzers answer the question "what is this?", and responders handle "what's next?".
Most teams get immediate value from analyzers.
Integration With TheHive Incident Response
The best Cortex workflows are the simple ones.
An observable lands in TheHive — IP, domain, hash, URL. The analyst clicks Analyze. Cortex runs the right analyzers and attaches the output.
The change in investigation rhythm is huge. No more pivoting to external sites and manual transcription. Everything happens in one interface. Reputation signals, DNS data, service exposure, malware context, sandbox reports all end up right where the case lives.
Consistency improves along with speed. When enrichment happens inline, analysts run it every time, same sources, complete trail. Manual lookups create bad habits; inline analyzers fix that.
Automation takes it further. Configure TheHive to trigger analyzers automatically. Observables from alerts get queued for enrichment on arrival. Busy SOC teams get enrichment at scale; that's a real step up.
Using Cortex Analyzers Without TheHive
Cortex works with TheHive, but you don't need TheHive.
The platform has a REST API. You can submit data, run analyzers, and pull results. This makes Cortex a generic enrichment backend for custom workflows, SIEM integrations, or internal tools.
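To make the REST workflow concrete, here is an added example client (not code from the Cortex project or this review). It assumes Cortex 3's documented endpoints POST /api/analyzer/<id>/run and GET /api/job/<id>/waitreport with bearer-token auth, and the report shape with summary.taxonomies carrying level/namespace/predicate/value; the analyzer id, base URL and sample reports are constructed placeholders, so verify them against your own instance.

```python
"""Submit an observable to Cortex over REST and fold the analyzers' verdicts.

Assumptions (not from the review): Cortex 3 endpoint paths, bearer auth, and
job JSON of the form {"status": ..., "report": {"success": ..., "summary": ...}}.
"""
import json
import urllib.request

# Cortex taxonomy levels, ordered from least to most severe.
LEVELS = ["info", "safe", "suspicious", "malicious"]


def build_run_request(base_url, api_key, analyzer_id, data, data_type, tlp=2):
    """Build the job-submission request for one observable (no network)."""
    body = json.dumps({"data": data, "dataType": data_type, "tlp": tlp}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/analyzer/{analyzer_id}/run",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})


def run_analyzer(base_url, api_key, analyzer_id, data, data_type,
                 opener=urllib.request.urlopen):
    """Submit a job, then block on its report; returns the job JSON."""
    with opener(build_run_request(base_url, api_key, analyzer_id, data, data_type)) as r:
        job_id = json.load(r)["id"]
    wait = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/job/{job_id}/waitreport?atMost=1minute",
        headers={"Authorization": f"Bearer {api_key}"})
    with opener(wait) as r:
        return json.load(r)


def taxonomies(job):
    """Taxonomy entries of one job; a failed analyzer contributes nothing."""
    report = job.get("report", {})
    if job.get("status") != "Success" or not report.get("success", False):
        return []
    return report.get("summary", {}).get("taxonomies", [])


def aggregate_verdict(jobs):
    """Worst level across several analyzers' jobs, plus the supporting evidence."""
    worst, evidence = "info", []
    for name, job in jobs.items():
        for t in taxonomies(job):
            level = t.get("level", "info")
            evidence.append(f"{name}: {t['namespace']}:{t['predicate']}={t['value']} ({level})")
            if level in LEVELS and LEVELS.index(level) > LEVELS.index(worst):
                worst = level
    return worst, evidence
```

One failing worker (quota exhausted, broken API) simply drops out of the aggregate instead of breaking the lookup, which is the isolation property the modular design gives you.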
Cortex and IntelOwl do similar things. Both unify enrichment across services. IntelOwl is simpler if you want standalone enrichment with no TheHive required. Cortex shines when paired with TheHive's workflow and case model, which is where its key strengths lie.
MISP integration is a plus. Cortex analyzers enrich MISP attributes from within MISP, which is useful for ops teams using MISP for triage.
Cortex's real value comes with TheHive; that's where it fits best.
Deployment and Configuration
Deploying Cortex with Docker
Docker is the way to deploy Cortex, especially if you're already running TheHive. TheHive Project provides stack-friendly deployment patterns; no need to reinvent the wheel.
The real challenge isn't deployment complexity, it's configuration. Each analyzer has its own assumptions, API keys, quotas, and failure modes. Enable thirty analyzers, and you're managing thirty integrations. Secure key storage, rotation, quota monitoring, and understanding operational costs are all your responsibility.
Noise is a problem if you're not selective. You don't need every analyzer; just the ones that fit your threat model, observable types, and workflow. Fewer enabled analyzers mean less noise, saved quotas, and analysts focused on what matters.
Modularity is Cortex's strength; use it intentionally. Select your analyzers wisely; that's how you get value out of Cortex.
Verdict
Cortex Analyzers supercharge TheHive. Without Cortex, TheHive manages cases well. With Cortex, observable analysis happens within TheHive rather than merely being documented there.
Cortex shines for SOC and DFIR teams using TheHive. Multi-source enrichment integrates directly into case workflows. Common services are already cataloged, and the workflow boost is immediate.
IntelOwl is an alternative if you're evaluating enrichment platforms without TheHive. It's often simpler to start with. If TheHive is your incident hub, Cortex is the next step. The tradeoff is that API keys, quotas, and analyzer sprawl need discipline.
Managed well, Cortex automates tedious enrichment tasks. No more browser tab hopping. That's modern incident response relief. It works.
This review reflects testing as of 2026-04-05. OSINT tools change frequently, so check the vendor's current documentation for pricing and feature updates.