SOCTools
SOCTools is a set of tools that can be used by a SOC for collecting and analyzing security data, incident handling and threat intelligence.
Installation
Edit soctools-inventory and add the desired docker containers to be deployed. The playbook has been tested on CentOS 7. Review all settings in group_vars/all/main.yml. The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.
To build the Docker images needed, run the ansible playbook:
ansible-playbook -i soctools-inventory buildimages.yml
To build the CA needed for host and user certificates, run the ansible playbook:
ansible-playbook -i soctools-inventory buildca.yml
User certificates are exported in roles/ca/files/CA/private.
To start and stop the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i soctools-inventory soctools.yml -t start
to start the cluster.
ansible-playbook -i soctools-inventory soctools.yml -t stop
to stop the cluster.
The NiFi interface should now be available on port 9443 on the server. The OpenDistro for Elasticsearch interface should now be available on port 5601 on the server. The Keycloak IdP interface should now be available on port 12443 on the server.
License
BSD
Author Information
GEANT WP8