We’re excited to announce the release of Cortex-Analyzers 3.5.0, a significant update for our Cortex engine, packed with features & enhancements.
This version introduces a complete set of Microsoft Entra ID integrations, a new customizable YARA analyzer, a ValidateObservable analyzer for observable syntax checking, and significantly reduced Docker image sizes (up to 95% smaller).
Here’s a closer look at what’s new:
Microsoft Entra ID—Identity insights, management & response
This update ships a suite of analyzers and responders that glue TheHive and Microsoft Entra ID tightly together, so identity context and containment actions are available from within an incident. Here is the line-up:
Get User Info
Retrieve details about a user, including profile attributes, group memberships, registered authentication methods and assigned licenses, to build context around a selected identity.
Get Sign-Ins
Inspect a user's recent sign-ins, including the applications used, devices involved, IP addresses, risk details and geographic locations, to spot unusual or unauthorized access patterns.
Get Directory Audit Logs
Review recent directory audit log entries tied to specific users, helping your security team pinpoint suspicious account modifications or permission escalations.
Get Managed Devices
Gather detailed information on devices linked to a given hostname or user, adding device context to an investigation.
Revoke Sign-In Sessions
Immediately invalidate all of a user's sessions, including refresh tokens and browser session cookies, which is critical when credentials or devices are compromised. Note that access tokens already issued typically stay valid until they expire, so pair this with disabling the account or resetting the password when containment has to be immediate.
EnableUser / DisableUser
Disable or re-enable a user account in real time during an incident, strengthening containment and recovery.
ResetPassword / ResetPassword with MFA
Force a password change at next sign-in, optionally requiring an MFA prompt before the reset, to secure affected accounts.
YARA File Analysis—GitHub public & private repositories support
We’ve refreshed the YARA analyzer, which scans files for malware, exploits and suspicious patterns. Rules can now be fetched directly from both public and private GitHub repositories, and it is all configured from within your Cortex instance.
Not sure which rules to start with? Feel free to check the awesome-yara repository from InQuest and get started!
ValidateObservable—Syntax & format checking for observables
The ValidateObservable analyzer verifies that observables have the correct syntax and structure across several data types. It can also add context or flag suspicious indicators, such as punycode domains, malformed URLs, or filenames that use Unicode characters to disguise their real extension.
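To make the kind of checks such an analyzer performs concrete, here is a small validator written for this post. It is example code, not the ValidateObservable analyzer's own source: the supported data types, the finding texts and the mapping onto info/safe/suspicious levels (vocabulary borrowed from Cortex taxonomies) are our own choices, and the sample observables at the bottom are constructed.

```python
"""Observable syntax checks in the spirit of the ValidateObservable analyzer.

Added example, not the analyzer's own code. Data types, finding texts and the
info/safe/suspicious levels are our own choices.
"""
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Hex-digit lengths of the digests analysts usually submit.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Extensions worth flagging when they hide behind a decoy extension.
EXEC_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk"}


def check_domain(value):
    """Return (valid, findings). Punycode labels are valid but flagged,
    because they can encode look-alike (homoglyph) characters."""
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or len(value) > 253:
        return False, ["domain needs at least two labels and at most 253 characters"]
    findings = []
    for label in labels:
        if not LABEL_RE.match(label):
            return False, [f"invalid label {label!r}"]
        if label.lower().startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                return False, [f"label {label!r} is not valid punycode"]
            findings.append(f"punycode label {label!r} decodes to {decoded!r}")
    return True, findings


def check_url(value):
    """Return (valid, findings). The host is validated as an IP or domain;
    userinfo in the authority is flagged since 'trusted.com@evil.example'
    is a classic lure that browsers silently resolve to evil.example."""
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False, ["URL could not be parsed"]
    if parts.scheme not in ("http", "https", "ftp") or not parts.hostname:
        return False, ["URL needs an http/https/ftp scheme and a host"]
    host = parts.hostname
    findings = []
    if "@" in parts.netloc:
        findings.append(f"'@' in authority: the real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        ok, sub = check_domain(host)
        if not ok:
            return False, sub
        findings.extend(sub)
    return True, findings


def check_ip(value):
    """Return (valid, findings); non-routable addresses are flagged because
    they cannot be pivoted on with external threat intelligence."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False, [f"{value!r} is not an IPv4 or IPv6 address"]
    findings = []
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        findings.append("non-routable address (private, loopback or link-local)")
    return True, findings


def check_hash(value):
    """Return (valid, findings): only md5/sha1/sha256-sized hex strings pass."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) not in HASH_LENGTHS:
        return False, ["hash must be 32, 40 or 64 hex characters"]
    return True, []


def check_filename(value):
    """Return (valid, findings). Flags Unicode format/control characters such
    as U+202E RIGHT-TO-LEFT OVERRIDE ('invoice\\u202efdp.exe' renders as
    'invoiceexe.pdf') and decoy double extensions like 'report.pdf.exe'."""
    if not value or "/" in value or "\\" in value or "\x00" in value:
        return False, ["filename is empty or contains a path separator or NUL"]
    findings = []
    for offset, ch in enumerate(value):
        if unicodedata.category(ch) in ("Cf", "Cc"):
            name = unicodedata.name(ch, "U+%04X" % ord(ch))
            findings.append(f"hidden {name} at offset {offset}")
    parts = value.lower().split(".")
    if len(parts) > 2 and parts[-1] in EXEC_EXT:
        findings.append(f"double extension ending in .{parts[-1]}")
    return True, findings


CHECKS = {"domain": check_domain, "url": check_url, "ip": check_ip,
          "hash": check_hash, "filename": check_filename}


def validate(data_type, value):
    """Run the check for data_type and return a small report: 'info' for a
    malformed observable, 'suspicious' if anything was flagged, else 'safe'."""
    check = CHECKS.get(data_type)
    if check is None:
        raise ValueError(f"unsupported data type {data_type!r}")
    valid, findings = check(value.strip())
    level = "info" if not valid else ("suspicious" if findings else "safe")
    return {"valid": valid, "level": level, "findings": findings}


if __name__ == "__main__":
    # Constructed sample observables, one per data type.
    for dtype, obs in [("domain", "xn--pple-43d.com"),
                       ("url", "http://paypal.com@evil.example/login"),
                       ("filename", "invoice\u202efdp.exe"),
                       ("hash", "not-a-hash")]:
        print(dtype, repr(obs), validate(dtype, obs))
```

The checks deliberately separate "malformed" (the observable should not have been created at all) from "valid but worth a second look" (punycode, userinfo in a URL, a hidden RTL override), because the first is a data-quality problem and the second is an investigation lead.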
Going light!—Alpine-based Docker images
We’ve moved most of our analyzers and responders to Alpine-based Docker images, reducing image sizes by up to 95%. This means faster downloads, quicker deployments and lower resource usage.
Along with these highlights, there are various bug fixes, improvements and analyzer template enhancements, but most importantly… notable contributions from our beloved community!
- Cisco Umbrella—Support for API V2 by Noatun
- LDAP Query 3.0—More customizable parameters to fit customer-specific needs around your LDAP environment by kiaora17
- PaloAlto Wildfire URL submission—responder addition by korteke
See the complete changelog on our GitHub repository.
Since TheHive version 5.0.14 and Cortex version 3.1.7, catalogs are automatically fetched. To fully enjoy this release, please: