
SOCTools

SOCTools is a set of tools that can be used by a SOC for collecting and analyzing security data, incident handling and threat intelligence.

Installation

Edit soctools-inventory and add the Docker containers you want deployed. The playbook has been tested on CentOS 7. Review all settings in group_vars/all/main.yml. The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.

To build the Docker images needed, run the ansible playbook:
ansible-playbook -i soctools-inventory buildimages.yml

To build the CA needed for host and user certificates, run the ansible playbook:
ansible-playbook -i soctools-inventory buildca.yml
User certificates are exported in roles/ca/files/CA/private.

To start and stop the cluster, run the ansible playbook soctools.yml with the start or stop tag:
ansible-playbook -i soctools-inventory soctools.yml -t start
ansible-playbook -i soctools-inventory soctools.yml -t stop

The NiFi interface should now be available on port 9443 on the server. The OpenDistro for Elasticsearch interface should now be available on port 5601 on the server. The Keycloak IdP interface should now be available on port 12443 on the server.
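The whole procedure above as one script, added here as an example and not part of SOCTools: it runs the three playbooks in order, stops on the first failure, and then waits until NiFi, Kibana and Keycloak actually accept connections on the ports listed. The inventory file and playbook names come from the README; the host name (SOCTOOLS_HOST) and the timeouts are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SOCTools code: run the README's three playbooks in order,
# then wait for NiFi, Kibana and Keycloak on the ports the README lists.
# SOC_HOST and the timeouts are assumptions; playbook names are from the README.
set -eu

INVENTORY="${SOCTOOLS_INVENTORY:-soctools-inventory}"
SOC_HOST="${SOCTOOLS_HOST:-localhost}"            # assumed; README says "the server"
SERVICES="NiFi:9443 Kibana:5601 Keycloak:12443"    # interface -> port, from the README

# Print "Name https://host:port" for each interface on the given host.
endpoints_for() {
  host="$1"
  for entry in $SERVICES; do
    printf '%s https://%s:%s\n' "${entry%%:*}" "$host" "${entry#*:}"
  done
}

# Return 0 once host:port accepts a TCP connection, 1 after timeout seconds.
# Uses bash's /dev/tcp, so no curl or nc is needed on the CentOS host.
wait_for_port() {
  host="$1"; port="$2"; timeout="${3:-120}"; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1; elapsed=$((elapsed + 1))
  done
  return 1
}

# Run one playbook; set -e aborts the deployment on the first failing step.
run_step() {
  echo "==> ansible-playbook -i $INVENTORY $*"
  ansible-playbook -i "$INVENTORY" "$@"
}

deploy() {
  run_step buildimages.yml        # build the Docker images
  run_step buildca.yml            # build the CA; user certs go to roles/ca/files/CA/private
  run_step soctools.yml -t start  # start the cluster
  for entry in $SERVICES; do
    name="${entry%%:*}"; port="${entry#*:}"
    if wait_for_port "$SOC_HOST" "$port" 180; then
      echo "$name is up on https://$SOC_HOST:$port"
    else
      echo "$name did not come up on port $port" >&2; return 1
    fi
  done
}
case "${1:-}" in deploy) deploy ;; esac
```

Run it as `./deploy.sh deploy` from the playbook directory; without the argument it only defines the functions, so they can be sourced for a readiness check against an already running cluster.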

License

BSD

Author Information

GEANT WP8