
SOCTools

SOCTools is a set of tools that can be used by a SOC for collecting and analyzing security data, incident handling and threat intelligence.

Installation

Do a minimal installation of CentOS 7.

Log in and install ansible:
yum -y install epel-release
yum -y install ansible git
ansible-galaxy collection install ansible.posix

Clone soctools (temporary solution: upload your ssh key to gitlab.geant.org first):
git clone git@gitlab.geant.org:gn4-3-wp8-t3.1-soc/soctools.git
cd soctools

Install soctools: Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it points to the FQDN of the server.
vi group_vars/all/main.yml
The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.

To configure the server running soctools, run the ansible playbook:
ansible-playbook -i inventories soctools_server.yml

To build the Docker images needed, run the ansible playbook:
ansible-playbook -i inventories buildimages.yml

To build the CA needed for host and user certificates, run the ansible playbook:
ansible-playbook -i inventories buildca.yml

If using the soclab CA certificates provided with this installation, you first need to download and import the root certificate found at roles/ca/files/CA/ca.crt. On Windows, the CA certificate should be installed in the Trusted Root Certification Authorities store.

User certificates can be found in the directory roles/ca/files/CA/private. Import one into your browser for authentication. On Windows, the user certificate should be installed in the Personal store.

To start the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i inventories soctools.yml -t start

To stop the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i inventories soctools.yml -t stop
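Before running any of the playbooks above, it is worth checking that 'soctoolsproxy' in group_vars/all/main.yml really holds an FQDN rather than an IP literal or localhost. The following pre-flight check is an added example, not part of the SOCTools repository; it assumes soctoolsproxy is written as a plain top-level "key: value" line, and the two sample files it creates are constructed stand-ins for main.yml.

```shell
#!/bin/sh
# Added example (not SOCTools code): sanity-check 'soctoolsproxy' in
# group_vars/all/main.yml before running soctools_server.yml.
# Assumption: the key is a plain top-level "soctoolsproxy: value" line.

# yaml_value FILE KEY: print the value of a top-level key, quotes and
# trailing whitespace stripped (first occurrence only).
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed -e 's/[[:space:]]*$//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# is_fqdn VALUE: succeed only for a dotted hostname that is not
# localhost and not a bare IPv4 literal.
is_fqdn() {
  v=$1
  case "$v" in
    ""|localhost|localhost.localdomain) return 1 ;;
    *.*) ;;
    *) return 1 ;;
  esac
  if printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1
  fi
  printf '%s\n' "$v" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# check_proxy FILE: report the verdict; return 0 only for an acceptable value.
check_proxy() {
  v=$(yaml_value "$1" soctoolsproxy)
  if is_fqdn "$v"; then
    echo "soctoolsproxy=$v looks like an FQDN"
    return 0
  fi
  echo "soctoolsproxy='$v' is not an FQDN; fix $1 before running the playbooks" >&2
  return 1
}

# Constructed sample files standing in for group_vars/all/main.yml.
good=$(mktemp); bad=$(mktemp)
printf 'soctoolsproxy: "soctools.example.org"\nsoctools_users:\n  - admin\n' > "$good"
printf 'soctoolsproxy: 10.0.0.5\n' > "$bad"
```

Run it against your real group_vars/all/main.yml with `check_proxy group_vars/all/main.yml`; a non-zero exit means the value should be corrected first.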

Web interfaces are available on the following ports:

  • 9443 - NiFi
  • 5601 - Kibana
  • 6443 - Misp : Default user/password: admin@admin.test/test
  • 9000 - The Hive : Default user/password: admin@thehive.local/secret
  • 9001 - Cortex
  • 12443 - Keycloak : Default user/password: admin/Pass005

License

BSD

Author Information

GEANT WP8