|
2 | 2 |
|
3 | 3 | This repository includes all services running on my network monitoring machine
|
4 | 4 |
|
| 5 | +## Environment |
| 6 | + |
| 7 | +Copy the `.env.example` file to a new `.env` file and update the values to suit your needs. |
| 8 | + |
5 | 9 | ## Thehive
|
6 | 10 |
|
7 |
| -Special configuration is required for setting up TheHive |
| 11 | +Special configuration is required for setting up TheHive. |
| 12 | +- Wait until all services starting with "thehive-" are fully started. Check the logs for this. Elasticsearch takes the longest to initialize. |
| 13 | +- Proceed with configuring Cortex, then TheHive. |
| 14 | + |
| 15 | +### Cortex |
| 16 | + |
| 17 | +- Open the Cortex web interface and press "Update database". |
| 18 | +- Create an administrator account. |
| 19 | +- Login with the newly created account. |
| 20 | +- Create a new organisation in Corex named "thehive", description does not matter. |
| 21 | +- Add a user named "thehive" to the newly created organisation, full name does not matter. Make sure the user has the roles "read, analyze, orgadmin". |
| 22 | +- Generate the api key for the user thehive. |
| 23 | +- Set `CORTEX_API_KEY`'s value in `.env` to the api key you just generated. |
| 24 | +- Running `./compose up -d` again recreates the thehive container with the correct api key. |
| 25 | + |
| 26 | +### TheHive |
| 27 | + |
| 28 | +- Open the TheHive web interface and press "Update database". |
| 29 | +- Create an administrator account. |
| 30 | +- Login with the newly created account. |
| 31 | +- Cortex connectivity works if the about page shows "cortex1 - 2.x.x-x (OK)". |
| 32 | +- Go to users, add a new user named "security-onion". |
| 33 | +- Enable read/write for this user and enable alert creation. |
| 34 | +- Generate the api key for the user security-onion. |
| 35 | +- This is the api key used in ElastAlert rules with the hivealerter alert system. |
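Review bot: the new `## Environment` and `### TheHive` steps leave two things undocumented that a reader will need. `Set \`CORTEX_API_KEY\`'s value in \`.env\` to the api key you just generated.` turns `.env` into a credential store, so the `## Environment` section should say that `.env` must never be committed (confirm it is listed in `.gitignore`) and that `.env.example` keeps placeholder values only. Likewise `This is the api key used in ElastAlert rules with the hivealerter alert system.` does not say where that key is set; name the `.env` variable or the ElastAlert rule/config file that receives it, as was done for `CORTEX_API_KEY`. On permissions, `Enable read/write for this user and enable alert creation.` grants the `security-onion` user more than its only stated consumer, the ElastAlert hivealerter, appears to use (it creates alerts); consider granting only alert creation, plus read if the alerter turns out to need it, so a key leaked from an ElastAlert configuration cannot modify cases. Smaller points: "Corex" in `Create a new organisation in Corex named "thehive"` should be "Cortex"; the heading `## Thehive` differs from "TheHive" used in every new line; and "api key" should be "API key" throughout to match `CORTEX_API_KEY`.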