Analyzers overview

Analyzers are installed in two locations:

  • /opt/cortex/Cortex-Analyzers/ — community analyzers

  • /opt/cortex/Energy-Analyzers/ — Energy SOAR proprietary analyzers

Analyzers are enabled and configured from the Automation web interface at /automation. Each analyzer can be enabled independently with its own configuration (API keys, URLs, credentials).

Access categories

Analyzers fall into three access categories based on their connectivity requirements.

Free — no registration required

These analyzers use publicly accessible services and require no API key or account:

  • Abuse_Finder

  • CIRCLHashlookup

  • Capa

  • Crt_sh

  • CyberCrime-Tracker

  • Cyberprotect_ThreatScore

  • DNS_Lookingglass

  • DShield

  • DomainMailSPFDMARC

  • EmlParser

  • FileInfo

  • GoogleDNS_resolve

  • IP-API

  • LDAP_Query

  • Manalyze

  • MaxMind_GeoIP

  • Robtex_Forward_PDNS_Query

  • Robtex_IP_Query

  • Robtex_Reverse_PDNS_Query

  • SpamhausDBL

  • StopForumSpam

  • TeamCymruMHR

  • TorProject

  • URLHaus

  • UnshortenLink

  • Urlscan.io_Search

Free plan with registration

These analyzers require a free account or API key. A free tier is available that covers typical SOC usage volumes. Register at the respective service and enter the API key in the Automation configuration for each analyzer.

| Analyzer | Supported observables | Free plan limit |
|---|---|---|
| AbuseIPDB | ip | 1 000 checks/day |
| BitcoinAbuse | other (bitcoin address) | |
| CheckPhish | url | 25/day, 250/month |
| Crowdsec | ip | 50 checks/day |
| EchoTrail | hash, filename | |
| EmailRep | mail | 10/day, 250/month |
| GoogleSafebrowsing | url, domain | |
| GreyNoise | ip | |
| HybridAnalysis | hash, file, filename | |
| IBMXForce | domain, ip, hash, url | 5 000/month |
| IntezerCommunity | file | |
| JoeSandbox | url, file | 5/day, 15/month |
| Maltiverse | hash, domain, ip, url | 100/day |
| MalwareBazaar | hash | |
| OTXQuery | url, domain, file, hash, ip | |
| PhishingInitiative | url | |
| Pulsedive | url, domain, ip, hash | 1 000/day |
| SecurityTrails | ip, domain | 50/month |
| SinkDB | ip, domain, fqdn, mail | |
| Triage | ip, url, file | |
| Urlscan.io | ip, domain, hash, fqdn, url | 5 000/day |
| Valhalla | hash | |
| Verifalia | mail | 25/day |
| VirusTotal | file, hash, ip, domain, fqdn, url | 500/day, 4/minute |

Air-gapped / local instances

These analyzers operate without internet access. They connect to local service instances (MISP, ClamAV, CyberChef, Malpedia, Yara) deployed within the network:

  • ClamAV_FileInfo

  • CyberChef_FromBase64

  • CyberChef_FromCharCode

  • CyberChef_FromHex

  • EmlParser

  • FileInfo

  • LDAP_Query

  • Malpedia

  • MISP

  • MISPWarningLists

  • Yara

Requires registration or API key

All other analyzers connect to commercial or registration-required external services. Configure the required API key or credentials for each analyzer in the Automation web interface before enabling it.

For a complete list of all available analyzers and their individual configuration options, see Analyzers.