├── README.md
└── docker-compose.yml
/README.md:
--------------------------------------------------------------------------------
1 | This is an update to my Cyber Security Lab Building Series, episodes 10 and 11, where I showed you how to deploy TheHive, Cortex and MISP using docker containers and how to integrate these services.
2 |
3 | You can check out the links below for more info:
4 |
5 | https://ls111.me/thehive-cortex-misp-installation-using-docker-compose/
6 | https://ls111.me/how-to-integrate-cortex-misp-with-thehive-in-your-soc/
7 |
8 | Since I created this content, there have been some minor changes to the way these services are deployed, so this serves to bring everyone up to speed before we move on with the series.
9 |
10 | I have included the updated docker-compose.yml, which I encourage you to try for yourself. As promised for those who watched to the end of the video, below is a link to the VirtualBox .ova file that you can import into your own VirtualBox environment.
11 |
12 | Link: https://drive.google.com/file/d/1ehXwvVoGQQEQQjPTb-BxQ1MAEMWNGnR-/view?usp=sharing
13 |
14 | Virtual Machine info:
15 |
16 | 10.200.200.253 Ubuntu 22.04 LTS (ssh account details)
17 | u: labuser
18 | p: lab123
19 |
20 | Cortex Admin
21 | labuser
22 | lab123
23 |
24 | MISP Admin
25 | admin@admin.test
26 | admin
27 |
28 | TheHive Default Admin
29 | admin@thehive.local
30 | secret
31 |
32 | If you find value in my content please consider subscribing to my channel for more Cyber Security content.
33 |
34 | YouTube: https://www.youtube.com/channel/UCLiw90VGCzfeRcYqyHAfDPA
35 |
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
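version: "3.7"

services:
  thehive:
    image: strangebee/thehive:5.2
    restart: unless-stopped
    depends_on:
      - cassandra
      - elasticsearch
      - minio
      - cortex.local
    # mem_limit is honoured by the Compose Specification (docker compose v2);
    # the legacy docker-compose v1 ignores it for version 3 files.
    mem_limit: 1500m
    ports:
      - "0.0.0.0:9000:9000"
    environment:
      # Quote the whole KEY=VALUE entry. In list-form `environment` Compose
      # does not strip quotes, so `JVM_OPTS="..."` would hand the JVM a value
      # that still contains the quote characters. Same style as ES_JAVA_OPTS
      # on the elasticsearch service.
      - "JVM_OPTS=-Xms1024M -Xmx1024M"
    # Lab-only defaults: the --secret value and the S3 keys (which must match
    # MINIO_ROOT_USER / MINIO_ROOT_PASSWORD on the minio service) are committed
    # in clear text. Move them to an .env file or Compose secrets before the
    # stack is reachable from anything other than the lab network.
    command:
      - "--secret"
      - "lab123456789"
      - "--cql-hostnames"
      - "cassandra"
      - "--index-backend"
      - "elasticsearch"
      - "--es-hostnames"
      - "elasticsearch"
      - "--s3-endpoint"
      # NOTE(review): the minio service below moves only its web console to
      # :9002 (--console-address); the S3 API stays on MinIO's default :9000
      # inside the container. Confirm 9002 is really the port TheHive should
      # talk to here.
      - "http://minio:9002"
      - "--s3-access-key"
      - "minioadmin"
      - "--s3-secret-key"
      - "minioadmin"
      - "--s3-use-path-access-style"
    # If you are familiar with the previous docker compose file you will note
    # that the Cortex ports and keys have been omitted; the integration is now
    # completed from the TheHive GUI directly.
    volumes:
      - thehivedata:/etc/thehive/application.conf
    networks:
      - SOC_NET

  cassandra:
    image: cassandra:4
    restart: unless-stopped
    # Published on every host interface. TheHive reaches Cassandra over
    # SOC_NET, so this mapping is only needed for debugging from the host;
    # drop it or bind it to 127.0.0.1 when that is not required.
    ports:
      - "0.0.0.0:9042:9042"
    environment:
      - CASSANDRA_CLUSTER_NAME=TheHive
    volumes:
      - cassandradata:/var/lib/cassandra
    networks:
      - SOC_NET

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9
    restart: unless-stopped
    mem_limit: 512m
    # As with Cassandra, only TheHive and Cortex need this port, and they use
    # SOC_NET. With xpack.security.enabled=false below, anything that can
    # reach host port 9200 has unauthenticated read/write access to the index.
    ports:
      - "0.0.0.0:9200:9200"
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - cluster.name=hive
      - http.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
    volumes:
      - elasticsearchdata:/usr/share/elasticsearch/data
    networks:
      - SOC_NET

  minio:
    # Untagged image resolves to :latest; pin a release so rebuilds are
    # reproducible and upgrades are deliberate.
    image: quay.io/minio/minio
    restart: unless-stopped
    # Only the web console is moved to :9002; the S3 API keeps MinIO's
    # default listener (:9000) inside the container.
    command: ["minio", "server", "/data", "--console-address", ":9002"]
    environment:
      # Default MinIO credentials, also embedded in the thehive command above;
      # change both places together.
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
    ports:
      - "0.0.0.0:9002:9002"
    volumes:
      - "miniodata:/data"
    networks:
      - SOC_NET

  # .local is appended to the service name because the TheHive GUI's Cortex
  # integration only accepts a FQDN.
  cortex.local:
    # Unpinned tag: pin a Cortex release so upgrades are deliberate.
    image: thehiveproject/cortex:latest
    restart: unless-stopped
    environment:
      - job_directory=/tmp/cortex-jobs
      - docker_job_directory=/tmp/cortex-jobs
    volumes:
      # For analyzers and responders (called neurons, also docker containers)
      # to work, the host's docker socket is bind-mounted into the cortex
      # container so it can use the host's docker service, and the job
      # directory is shared between the container and the host.
      # An alternative is to run docker (neurons) inside the cortex container
      # (docker-ception); that requires privileged mode and the --start-docker
      # parameter. Running containers privileged is not advised because it
      # grants the container root capabilities over the host.
      # Note that the socket mount below gives the cortex container an
      # equivalent level of host control, so treat Cortex and its 9001 UI as
      # host-privileged and keep them off untrusted networks.
      - /var/run/docker.sock:/var/run/docker.sock
      - /tmp/cortex-jobs:/tmp/cortex-jobs
      - ./cortex/logs:/var/log/cortex
      - ./cortex/application.conf:/cortex/application.conf
    depends_on:
      - elasticsearch
    ports:
      - "0.0.0.0:9001:9001"
    networks:
      - SOC_NET

  # Same reason as cortex.local: the TheHive GUI's MISP integration only
  # accepts a FQDN.
  misp.local:
    # Unpinned tag: pin a release so upgrades are deliberate.
    image: coolacid/misp-docker:core-latest
    restart: unless-stopped
    depends_on:
      - misp_mysql
      # REDIS_FQDN below points at the redis service, so start it first too.
      - redis
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      - "./server-configs/:/var/www/MISP/app/Config/"
      - "./logs/:/var/www/MISP/app/tmp/logs/"
      - "./files/:/var/www/MISP/app/files"
      - "./ssl/:/etc/nginx/certs"
    environment:
      - MYSQL_HOST=misp_mysql
      # Must match the misp_mysql service below.
      - MYSQL_DATABASE=mispdb
      - MYSQL_USER=mispuser
      - MYSQL_PASSWORD=misppass
      # NOTE(review): the README documents the MISP admin as admin@admin.test,
      # not this address; verify which one applies to the shipped VM.
      - MISP_ADMIN_EMAIL=mispadmin@lab.local
      - MISP_ADMIN_PASSPHRASE=mispadminpass
      # NOTE(review): MISP_BASEURL and HOSTNAME name different addresses
      # (localhost vs https://10.0.2.10); confirm they match the address that
      # browsers and TheHive actually use to reach this VM.
      - MISP_BASEURL=localhost
      - TIMEZONE=Europe/London
      - "INIT=true"
      - "CRON_USER_ID=1"
      - "REDIS_FQDN=redis"
      - "HOSTNAME=https://10.0.2.10"
    networks:
      - SOC_NET

  misp_mysql:
    # NOTE(review): MySQL 5.7 is past upstream end of life; plan a move to a
    # supported release.
    image: mysql/mysql-server:5.7
    restart: unless-stopped
    volumes:
      - mispsqldata:/var/lib/mysql
    environment:
      - MYSQL_DATABASE=mispdb
      - MYSQL_USER=mispuser
      - MYSQL_PASSWORD=misppass
      - MYSQL_ROOT_PASSWORD=mispass
    networks:
      - SOC_NET

  redis:
    # Unpinned tag: pin a release so upgrades are deliberate.
    image: redis:latest
    restart: unless-stopped
    networks:
      - SOC_NET

  misp-modules:
    # Unpinned tag: pin a release so upgrades are deliberate.
    image: coolacid/misp-docker:modules-latest
    restart: unless-stopped
    environment:
      - "REDIS_BACKEND=redis"
    depends_on:
      - redis
      - misp_mysql
    networks:
      - SOC_NET

# The cortex named volume was removed as it is no longer required: cortex
# shares /tmp for jobs, and its logs and application files live in the
# ./cortex folder next to this docker-compose.yml for ease of access.
volumes:
  miniodata:
  cassandradata:
  elasticsearchdata:
  thehivedata:
  mispsqldata:

networks:
  SOC_NET:
    driver: bridge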
--------------------------------------------------------------------------------