Quick Start

Get the full lab running in under 10 minutes.

1. Clone the repository

git clone https://github.com/anpa1200/CTI_as_a_Code.git
cd CTI_as_a_Code

2. Configure credentials

cp .env.example .env

Open .env and replace every placeholder. At minimum, change all passwords and generate real secrets:

# Generate a 32-byte hex secret
openssl rand -hex 32

# Generate a UUID
cat /proc/sys/kernel/random/uuid

Values to fill in:

ELASTIC_PASSWORD — Elasticsearch elastic superuser password
KIBANA_SYSTEM_PASSWORD — internal Kibana service account password
KIBANA_ENCRYPTION_KEY — 32+ character random string
MINIO_ROOT_USER / MINIO_ROOT_PASSWORD — MinIO admin credentials
RABBITMQ_DEFAULT_USER / RABBITMQ_DEFAULT_PASS
OPENCTI_ADMIN_PASSWORD — your OpenCTI admin login
OPENCTI_APP_SECRET — 64-char hex (use openssl rand -hex 32)
OPENCTI_ADMIN_TOKEN — UUID (used by connectors and the worker)
CONNECTOR_MITRE_ID — UUID (unique ID for the MITRE connector)
THEHIVE_SECRET / CORTEX_SECRET — 64-char hex each

3. Apply kernel tuning

sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf

4. Start core services

docker compose up -d

This starts: Elasticsearch, Kibana, Redis, RabbitMQ, MinIO, OpenCTI, OpenCTI workers (×2), TheHive, Cortex.

Watch startup progress:

docker compose logs -f

Elasticsearch takes 60–90 seconds on first boot. Wait until you see green or yellow cluster status before proceeding.

5. Run first-time setup

./scripts/setup.sh

This script:

Waits for Elasticsearch to be healthy
Sets the kibana_system user password (required for Kibana to connect)
Creates the opencti and thehive MinIO buckets
Creates the Logstash index template

6. Verify all services are up

./scripts/health-check.sh

All services should return HTTP 200 or HTTP 302.

7. (Optional) Start the MITRE ATT&CK connector

docker compose --profile connectors up -d

The connector will populate OpenCTI with the full MITRE ATT&CK Enterprise matrix (tactics, techniques, groups, software). Initial sync takes 5–10 minutes.

8. (Optional) Start Logstash

docker compose --profile logstash up -d

Point Filebeat or Winlogbeat on your endpoints at <lab-host>:5044.

Access the services

Service	URL	Credentials
OpenCTI	http://localhost:8080	`OPENCTI_ADMIN_EMAIL` + `OPENCTI_ADMIN_PASSWORD` from `.env`
Kibana SIEM	http://localhost:5601	`elastic` + `ELASTIC_PASSWORD`
TheHive	http://localhost:9100	Create admin on first visit
Cortex	http://localhost:9002	Create admin on first visit
MinIO Console	http://localhost:9001	`MINIO_ROOT_USER` + `MINIO_ROOT_PASSWORD`
RabbitMQ	http://localhost:15672	`RABBITMQ_DEFAULT_USER` + `RABBITMQ_DEFAULT_PASS`

Next steps

OpenCTI first-run setup — configure organizations and marking definitions
TheHive first-run setup — create an organization and first user
Connect Cortex to TheHive — wire up automated enrichment
Connect OpenCTI to TheHive — push threat intel into cases
IOC triage workflow — put it all together

1. Clone the repository​

2. Configure credentials​

3. Apply kernel tuning​

4. Start core services​

5. Run first-time setup​

6. Verify all services are up​

7. (Optional) Start the MITRE ATT&CK connector​

8. (Optional) Start Logstash​

Access the services​

Next steps​