ls111's Cybersecurity Blog

TheHive, Cortex & MISP Installation Using Docker Compose: Ep10

Posted on June 16, 2022 (last updated September 19, 2023) by wp_writer

In Episode 10 of our cyber security virtual lab building series, we install TheHive, Cortex and MISP as Docker containers, using Docker Compose with a YAML file to define the whole deployment.

To recap, TheHive is a security incident response platform (SIRP) used by cyber security professionals to manage and track incidents on a case-by-case basis. Cortex enriches the observables we see during an incident, such as IP addresses and hostnames, by running analyzers against them, and MISP is a threat intelligence platform for storing and sharing indicators of compromise that both TheHive and Cortex can query.

There are many ways to install these platforms; for a quick and easy lab setup I have chosen to run each service as its own Docker container.

This is part 1 of the installation. In the next video session I will complete the integrations between these platforms and revisit the Wazuh deployment from the previous video, integrating it with these systems. If you have been enjoying this series so far, please don't forget to like and subscribe!

The docker-compose.yml file used in the video. Save it in an empty directory (the misp service bind-mounts ./server-configs, ./logs, ./files and ./ssl relative to it) and start the stack from that directory with docker compose up -d.

version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    restart: unless-stopped
    depends_on:
      - cassandra
      - elasticsearch
      - minio
      - cortex
    mem_limit: 1500m
    ports:
      - "0.0.0.0:9000:9000"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
    command:
      - --secret
      # Lab placeholder. TheHive signs session cookies with this value, so use a long random secret anywhere else.
      - "lab123456789"
      - "--cql-hostnames"
      - "cassandra"
      - "--index-backend"
      - "elasticsearch"
      - "--es-hostnames"
      - "elasticsearch"
      - "--s3-endpoint"
      # MinIO's S3 API listens on 9000 inside the container; 9002 (set by
      # --console-address in the minio service) is only the web console.
      - "http://minio:9000"
      - "--s3-access-key"
      - "minioadmin"
      - "--s3-secret-key"
      - "minioadmin"
      - "--s3-use-path-access-style"
      - "--no-config-cortex"
      #- "--cortex-port"
      #- "9001"
      #- "--cortex-keys"
      #- "k3DZO07qOoIMfNNS5qLloPmMS2PnhMMR"
    volumes:
      - thehivedata:/etc/thehive/application.conf
    networks:
      - SOC_NET

  cassandra:
    image: 'cassandra:4'
    restart: unless-stopped
    mem_limit: 1000m
    ports:
      # Only TheHive talks to Cassandra, and it does so over SOC_NET. Publishing
      # 9042 on every host interface is not needed; bind to 127.0.0.1 or drop it.
      - "0.0.0.0:9042:9042"
    environment:
      - CASSANDRA_CLUSTER_NAME=TheHive
    volumes:
      - cassandradata:/var/lib/cassandra
    networks:
      - SOC_NET

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.4
    restart: unless-stopped
    mem_limit: 512m
    ports:
      # With xpack.security.enabled=false below there is no authentication on
      # 9200, and this binding exposes it on every host interface: lab only.
      - "0.0.0.0:9200:9200"
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - cluster.name=hive
      - http.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
    volumes:
      - elasticsearchdata:/usr/share/elasticsearch/data
    networks:
      - SOC_NET

  minio:
    image: quay.io/minio/minio
    restart: unless-stopped
    command: ["minio", "server", "/data", "--console-address", ":9002"]
    environment:
      # MinIO's well-known default credentials. They must match the
      # --s3-access-key/--s3-secret-key passed to thehive; change both outside a lab.
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
    ports:
      - "0.0.0.0:9002:9002"
    volumes:
      - "miniodata:/data"
    networks:
      - SOC_NET

  cortex:
    image: thehiveproject/cortex:latest
    restart: unless-stopped
    environment:
      - job_directory=/opt/cortex/jobs
    volumes:
      # Bind-mount the host Docker socket (a named volume here is just an empty
      # directory) so Cortex can run analyzers as sibling containers. Lab only:
      # this hands Cortex full control of the host's Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock
      # Same path on the host and in the container: analyzer containers are
      # started with the host-side job directory mounted.
      - /opt/cortex/jobs:/opt/cortex/jobs
      - cortexdata:/var/log/cortex
      - cortexdata:/cortex/application.conf
    depends_on:
      - elasticsearch
    ports:
      - "0.0.0.0:9001:9001"
    networks:
      - SOC_NET

  misp:
    image: coolacid/misp-docker:core-latest
    restart: unless-stopped
    depends_on:
      - misp_mysql
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      - "./server-configs/:/var/www/MISP/app/Config/"
      - "./logs/:/var/www/MISP/app/tmp/logs/"
      - "./files/:/var/www/MISP/app/files"
      - "./ssl/:/etc/nginx/certs"
    environment:
      - MYSQL_HOST=misp_mysql
      - MYSQL_DATABASE=mispdb
      - MYSQL_USER=mispuser
      - MYSQL_PASSWORD=misppass
      - MISP_ADMIN_EMAIL=mispadmin@lab.local
      - MISP_ADMIN_PASSPHRASE=mispadminpass
      - MISP_BASEURL=localhost
      - TIMEZONE=Europe/London
      - "INIT=true"
      - "CRON_USER_ID=1"
      - "REDIS_FQDN=redis"
      - "HOSTNAME=https://10.200.200.253"
    networks:
      - SOC_NET

  misp_mysql:
    image: mysql/mysql-server:5.7
    restart: unless-stopped
    volumes:
      - mispsqldata:/var/lib/mysql
    environment:
      - MYSQL_DATABASE=mispdb
      - MYSQL_USER=mispuser
      - MYSQL_PASSWORD=misppass
      - MYSQL_ROOT_PASSWORD=mispass
    networks:
      - SOC_NET
  redis:
    image: redis:5.0.6
    networks:
      - SOC_NET
  misp-modules:
    image: coolacid/misp-docker:modules-latest
    environment:
      - "REDIS_BACKEND=redis"
    depends_on:
      - redis
      - misp_mysql
    networks:
      - SOC_NET

volumes:
  miniodata:
  cassandradata:
  elasticsearchdata:
  cortexdata:
  thehivedata:
  mispsqldata:

networks:
  SOC_NET:
    driver: bridge
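Every service in the file above publishes its ports on 0.0.0.0, including the datastores that only TheHive, Cortex and MISP need to reach over SOC_NET (Cassandra, an Elasticsearch with security disabled, MinIO with default credentials, and the MISP database if you ever add a mapping for it). Before plugging a lab host into a shared network it is worth checking exactly what is exposed. The following is an added example written for this page, not code from the original post or from the TheHive, Cortex or MISP projects: it scans the compose file's ports: entries in the short syntax, reports every binding reachable on all host interfaces, and can rewrite the backend services' bindings to 127.0.0.1. It uses a minimal indentation-based scanner instead of a YAML library so it runs on the standard library alone, and assumes the layout of the file above (2-space indented service names, 4-space service keys). The default list of "front end" services in public_backends and the trimmed SAMPLE_COMPOSE text are constructed for the example.

```python
"""Port-exposure audit for a docker-compose file (editor's example, not the post's)."""
from dataclasses import dataclass

# Host IPs that mean "every interface". An empty string is a spec with no host
# IP at all ("9000:9000"), which Docker also binds on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", ""}


@dataclass
class PortBinding:
    service: str
    host_ip: str
    host_port: str        # "" when Docker picks a random host port
    container_port: str
    proto: str            # "" or "tcp"/"udp"

    @property
    def public(self) -> bool:
        return self.host_ip in WILDCARD_BINDS


def parse_port_spec(spec: str):
    """Split a short-form spec "[HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTO]" or
    "CONTAINER_PORT" into (host_ip, host_port, container_port, proto).
    Bracketed IPv6 host addresses ("[::]:514:514/udp") are unwrapped."""
    spec = spec.strip().strip("\"'")
    spec, _, proto = spec.partition("/")
    parts = spec.split(":")
    if len(parts) == 1:                   # "9000": random host port, all interfaces
        return "", "", parts[0], proto
    if len(parts) == 2:                   # "9000:9000"
        return "", parts[0], parts[1], proto
    host_ip = ":".join(parts[:-2]).strip("[]")
    return host_ip, parts[-2], parts[-1], proto


def _walk(text: str):
    """Yield (raw_line, current_service, is_ports_entry) for every line,
    tracking which service's "ports:" list a "- ..." item belongs to."""
    in_services, service, in_ports = False, None, False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()      # drop trailing comments
        indent = len(raw) - len(raw.lstrip(" "))
        is_entry = False
        if stripped and indent == 0:                 # top-level key
            in_services, service, in_ports = stripped == "services:", None, False
        elif in_services and indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False  # new service block
        elif in_services and indent == 4 and stripped.endswith(":"):
            in_ports = stripped == "ports:"           # ports:, environment:, command:, ...
        elif in_ports and stripped.startswith("- "):
            is_entry = True
        yield raw, service, is_entry


def audit_compose(text: str):
    """Return a PortBinding for every published port in the compose text."""
    return [PortBinding(service, *parse_port_spec(raw.split("#", 1)[0].strip()[2:]))
            for raw, service, is_entry in _walk(text) if is_entry]


def public_backends(bindings, frontends=("thehive", "cortex", "misp")):
    """Wildcard bindings of services nobody needs to reach from outside the host.
    The default front-end list is an assumption for this lab."""
    return [b for b in bindings if b.public and b.service not in frontends]


def restrict_to_loopback(text: str, services) -> str:
    """Rewrite the host side of every wildcard binding of `services` to 127.0.0.1.
    Other lines are returned unchanged; a trailing comment on a rewritten line is dropped."""
    out = []
    for raw, service, is_entry in _walk(text):
        if is_entry and service in services:
            indent = len(raw) - len(raw.lstrip(" "))
            host_ip, host_port, cport, proto = parse_port_spec(raw.split("#", 1)[0].strip()[2:])
            if host_port and host_ip in WILDCARD_BINDS:
                suffix = f"/{proto}" if proto else ""
                raw = f'{" " * indent}- "127.0.0.1:{host_port}:{cport}{suffix}"'
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: the services and port lines of the file above, trimmed.
SAMPLE_COMPOSE = """\
version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    ports:
      - "0.0.0.0:9000:9000"
    command:
      - --secret
      - "lab123456789"
  cassandra:
    ports:
      - "0.0.0.0:9042:9042"
  elasticsearch:
    ports:
      - "0.0.0.0:9200:9200"
    environment:
      - xpack.security.enabled=false
  minio:
    ports:
      - "0.0.0.0:9002:9002"
  misp:
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
volumes:
  miniodata:
"""

if __name__ == "__main__":
    for b in public_backends(audit_compose(SAMPLE_COMPOSE)):
        print(f"{b.service}: {b.host_ip}:{b.host_port} -> {b.container_port} reachable from every interface")
    print(restrict_to_loopback(SAMPLE_COMPOSE, {"cassandra", "elasticsearch", "minio"}))
```

Running it on the sample reports cassandra, elasticsearch and minio as publicly bound backends and prints a copy of the file with those three rebound to 127.0.0.1, while TheHive, Cortex and MISP stay reachable from your browser. Dropping the host mappings for the backends entirely is the cleaner option once you no longer need cqlsh or curl against them from the host.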

Links used in the lab:

  • https://www.docker.com/resources/what-container/
  • https://docs.docker.com/compose/
  • https://github.com/coolacid/docker-misp
  • https://hub.docker.com/r/strangebee/thehive
  • https://hub.docker.com/_/redis
  • https://hub.docker.com/_/cassandra
  • https://hub.docker.com/_/elasticsearch
  • https://hub.docker.com/r/thehiveproject/cortex
  • https://docs.strangebee.com/thehive/setup/installation/docker/
