In Episode 10 of our cyber security virtual lab building series, we are going to install TheHive, Cortex and MISP as Docker containers, using the Docker Compose tool with a YAML file to define our deployment.
To recap, TheHive is a security incident response platform (SIRP) used by cyber security professionals to manage and track incidents on a case-by-case basis. Cortex and MISP are platforms that provide us with intelligence from the analysis of observables, such as IP addresses and hostnames, that we may see during an incident.
There are many approaches to installing these platforms; for a quick and easy lab setup, however, I have chosen to deploy a Docker container for each service.
This is part 1 of the installation. Stay tuned: in the next video session I will complete the integrations between these platforms and revisit the Wazuh install from the previous video, integrating it with these systems. If you have been enjoying this series so far, please don't forget to like and subscribe!
The docker-compose.yml file used in the video:

```yaml
version: "3"
services:
  thehive:
    image: strangebee/thehive:latest
    restart: unless-stopped
    depends_on:
      - cassandra
      - elasticsearch
      - minio
      - cortex
    mem_limit: 1500m
    ports:
      - "0.0.0.0:9000:9000"
    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"
    command:
      # Play application secret used for the lab
      - "--secret"
      - "lab123456789"
      - "--cql-hostnames"
      - "cassandra"
      - "--index-backend"
      - "elasticsearch"
      - "--es-hostnames"
      - "elasticsearch"
      - "--s3-endpoint"
      # MinIO's S3 API listens on 9000 inside the container; 9002 is its web console (see --console-address below)
      - "http://minio:9000"
      - "--s3-access-key"
      - "minioadmin"
      - "--s3-secret-key"
      - "minioadmin"
      - "--s3-use-path-access-style"
      # Cortex is not wired up in part 1; the commented lines are completed in the next session
      - "--no-config-cortex"
      #- "--cortex-port"
      #- "9001"
      #- "--cortex-keys"
      #- "k3DZO07qOoIMfNNS5qLloPmMS2PnhMMR"
    volumes:
      - thehivedata:/etc/thehive/application.conf
    networks:
      - SOC_NET
  cassandra:
    image: 'cassandra:4'
    restart: unless-stopped
    mem_limit: 1000m
    ports:
      - "0.0.0.0:9042:9042"
    environment:
      - CASSANDRA_CLUSTER_NAME=TheHive
    volumes:
      - cassandradata:/var/lib/cassandra
    networks:
      - SOC_NET
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.4
    restart: unless-stopped
    mem_limit: 512m
    ports:
      - "0.0.0.0:9200:9200"
    environment:
      - discovery.type=single-node
      # authentication is switched off for the lab, so the index is open to anything that can reach port 9200
      - xpack.security.enabled=false
      - cluster.name=hive
      - http.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
    volumes:
      - elasticsearchdata:/usr/share/elasticsearch/data
    networks:
      - SOC_NET
  minio:
    image: quay.io/minio/minio
    restart: unless-stopped
    command: ["minio", "server", "/data", "--console-address", ":9002"]
    environment:
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
    ports:
      - "0.0.0.0:9002:9002"
    volumes:
      - "miniodata:/data"
    networks:
      - SOC_NET
  cortex:
    image: thehiveproject/cortex:latest
    restart: unless-stopped
    environment:
      - job_directory=/opt/cortex/jobs
    volumes:
      # a named volume here, not a bind mount of the host's /var/run/docker.sock, so Docker-based analyzers cannot be launched from this container
      - cortexdata:/var/run/docker.sock
      - cortexdata:/opt/cortex/jobs
      - cortexdata:/var/log/cortex
      - cortexdata:/cortex/application.conf
    depends_on:
      - elasticsearch
    ports:
      - "0.0.0.0:9001:9001"
    networks:
      - SOC_NET
  misp:
    image: coolacid/misp-docker:core-latest
    restart: unless-stopped
    depends_on:
      - misp_mysql
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      - "./server-configs/:/var/www/MISP/app/Config/"
      - "./logs/:/var/www/MISP/app/tmp/logs/"
      - "./files/:/var/www/MISP/app/files"
      - "./ssl/:/etc/nginx/certs"
    environment:
      - MYSQL_HOST=misp_mysql
      - MYSQL_DATABASE=mispdb
      - MYSQL_USER=mispuser
      - MYSQL_PASSWORD=misppass
      - MISP_ADMIN_EMAIL=mispadmin@lab.local
      - MISP_ADMIN_PASSPHRASE=mispadminpass
      - MISP_BASEURL=localhost
      - TIMEZONE=Europe/London
      - "INIT=true"
      - "CRON_USER_ID=1"
      - "REDIS_FQDN=redis"
      - "HOSTNAME=https://10.200.200.253"
    networks:
      - SOC_NET
  misp_mysql:
    image: mysql/mysql-server:5.7
    restart: unless-stopped
    volumes:
      - mispsqldata:/var/lib/mysql
    environment:
      - MYSQL_DATABASE=mispdb
      - MYSQL_USER=mispuser
      - MYSQL_PASSWORD=misppass
      - MYSQL_ROOT_PASSWORD=mispass
    networks:
      - SOC_NET
  redis:
    image: redis:5.0.6
    networks:
      - SOC_NET
  misp-modules:
    image: coolacid/misp-docker:modules-latest
    environment:
      - "REDIS_BACKEND=redis"
    depends_on:
      - redis
      - misp_mysql
    networks:
      - SOC_NET
volumes:
  miniodata:
  cassandradata:
  elasticsearchdata:
  cortexdata:
  thehivedata:
  mispsqldata:
networks:
  SOC_NET:
    driver: bridge
```
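As an added example (not from the video or from any of the projects above), a stdlib-only Python check that scans a compose file of this layout for the lab-only settings the file above ships with: ports published on 0.0.0.0, unpinned `:latest` images, the example credentials, and Elasticsearch with security disabled. It assumes two-space YAML indentation like the file above; the embedded excerpt is constructed, with one binding changed to 127.0.0.1 so a passing line is shown too.

```python
import re
from collections import Counter

# Constructed excerpt of the lab compose file (same settings as the page's docker-compose.yml, one binding changed to 127.0.0.1)
SAMPLE_COMPOSE = """\
services:
  thehive:
    image: strangebee/thehive:latest
    ports:
      - "0.0.0.0:9000:9000"
  elasticsearch:
    environment:
      - xpack.security.enabled=false
  minio:
    environment:
      - MINIO_ROOT_PASSWORD=minioadmin
    ports:
      - "127.0.0.1:9002:9002"
"""

# (finding id, pattern tried against each stripped line, why it matters once the lab is reachable by others)
CHECKS = [
    ("bind-all-interfaces", re.compile(r'^-\s*"?0\.0\.0\.0:\d+:\d+"?$'),
     "port published on every host interface; bind it to 127.0.0.1 or the lab-only address"),
    ("unpinned-image", re.compile(r'^image:\s*\S+:latest$'),
     "':latest' tag makes the deployment non-reproducible; pin a version"),
    ("example-credential", re.compile(r'(minioadmin|misppass|mispadminpass|lab123456789)"?$'),
     "credential copied from the example file; generate a unique secret"),
    ("es-security-disabled", re.compile(r'^-\s*xpack\.security\.enabled=false$'),
     "Elasticsearch authentication is off; anything reaching 9200 can read or alter the index"),
]

def audit_compose(text):
    """Return one finding per matching line, tagged with the service the line sits under."""
    findings, section, service = [], None, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if indent == 0 and line.endswith(":"):      # top-level key: services, volumes, networks
            section, service = line[:-1], None
        elif indent == 2 and line.endswith(":") and section == "services":
            service = line[:-1]                     # service name, e.g. thehive
        for fid, pattern, why in CHECKS:
            if pattern.search(line):
                findings.append({"id": fid, "service": service, "line": lineno, "why": why})
    return findings

def summarize(findings):
    # counts per check id, so a pre-deploy gate can fail on any non-zero count
    return dict(Counter(f["id"] for f in findings))
```

Run it over the real file with `audit_compose(open("docker-compose.yml").read())`; an empty result from `summarize` is the state to aim for before the stack leaves the lab network.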
Links used in the lab:
- https://www.docker.com/resources/what-container/
- https://docs.docker.com/compose/
- https://github.com/coolacid/docker-misp
- https://hub.docker.com/r/strangebee/thehive
- https://hub.docker.com/_/redis
- https://hub.docker.com/_/cassandra
- https://hub.docker.com/_/elasticsearch
- https://hub.docker.com/r/thehiveproject/cortex
- https://docs.strangebee.com/thehive/setup/installation/docker/