OpenCTI #1 - Install

Discover OpenCTI in this series. This first post explains OpenCTI installation and core concepts.


This is the first post of a series on OpenCTI. I will go through the Community Edition and review most of the features that are known to me. Hopefully, this will give an introductory course on CTI management using OpenCTI and maybe also a crash course in STIX.

OpenCTI 101

OpenCTI is a Threat Intelligence Platform (or TIP) developed by the French company Filigran. A TIP is used to gather, work on, and disseminate knowledge related to cyber threats.

To fulfill this role, OpenCTI obviously lets you manually create and store data in a model close to STIX 2.1. It relies on ElasticSearch for storage, which allows it to manage high volumes of data.

But OpenCTI can also add data to the knowledge base automatically: by importing new raw data, by enriching data already present in the database, or through API calls.

Lastly, OpenCTI also helps disseminate information, through native streams such as TAXII, through external connectors to solutions such as Splunk, or simply by giving intelligence recipients access to the GUI.

If you want to just try OpenCTI before any install, you can check it out on https://demo.opencti.io/

Installation using Docker

For the purpose of this tutorial, I will show how to install OpenCTI using Docker compose. This is fine for all sorts of uses and is simple enough for a lab environment for your tests.

💡
In this tutorial, we'll only use a single machine for all the containers. This could cause issues in production because Redis and ElasticSearch tend to use all the available RAM. In Docker, it is possible to limit the amount of RAM a container uses by setting the available resources in the deploy section of a service: https://docs.docker.com/compose/compose-file/compose-file-v3/#resources. In production, you should externalize the database services.

Installing OpenCTI is rather straightforward using Docker compose:

Once you have provisioned a machine (for our lab purposes, make sure to have at least 8GB of RAM; requirements are way higher in production) and installed Docker, clone the OpenCTI Docker repository:

git clone https://github.com/OpenCTI-Platform/docker
mv docker opencti
cd opencti

The default docker-compose.yml file will provide basic services for running OpenCTI:

  • redis: manages all sessions and event streams
  • elasticsearch: stores knowledge
  • minio: stores raw files (such as artifacts and PDF reports)
  • rabbitmq: message queue for communication between connectors and OpenCTI workers
  • opencti platform: the actual OpenCTI platform (UI, backend, etc.)
  • opencti worker: workers for data processing
  • Various basic connectors for file import and export (we'll talk a bit about them later)

The platform and the workers are stateless, so multiple instances can be launched as long as they are connected to the same databases (redis, elasticsearch, minio/S3, and rabbitmq). This is what allows horizontal scaling.

The docker-compose.yml file provided by OpenCTI can be configured through environment variables. Those are automatically set if specified in a .env file located in the same folder as the docker-compose.yml file. A sample .env file is provided to kickstart your own. So let's start from that:

cp .env.sample .env
vim .env # Or whatever text editor you're familiar with

Quick explanation for environment variables:

  • OPENCTI_ADMIN_EMAIL, OPENCTI_ADMIN_PASSWORD, and OPENCTI_ADMIN_TOKEN are the credentials the main administrator account will use for UI access (e-mail and password) and API access (token) respectively. The token must be a valid UUIDv4.
  • OPENCTI_BASE_URL is the root URL of the application. It matters, for instance, when sending e-mails, since links are built from it.
  • MINIO_ROOT_USER and MINIO_ROOT_PASSWORD are the credentials OpenCTI uses to connect to MinIO. The same goes for RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASSWORD for RabbitMQ.
  • All the CONNECTOR_*_ID parameters are just random UUIDv4 values. You should generate your own in production, but these IDs are only used to uniquely identify each connector.
  • SMTP_HOSTNAME specifies an SMTP server for e-mail sending (typically for notifications). For a lab it can be removed.
  • ELASTIC_MEMORY_SIZE limits the amount of memory ElasticSearch is allowed to take.

To generate UUIDv4 values, use the uuid -v 4 command or an online generator if the token is not sensitive.
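As an added example (my own script, not part of the OpenCTI project), here is a small POSIX shell check to run on the .env before starting the stack: it verifies that OPENCTI_ADMIN_TOKEN and every CONNECTOR_*_ID are well-formed UUIDv4 values, flags short passwords, and suggests fresh UUIDs from the kernel generator when the uuid command is not installed. It assumes the variable names of the sample .env; the sample file it writes is constructed for the demonstration, and the 12-character password minimum is a lab policy I made up.

```shell
#!/bin/sh
# Added example, not part of the OpenCTI project: sanity-check the docker .env
# before `docker compose up -d`. Assumes the variable names of OpenCTI's
# .env.sample (OPENCTI_ADMIN_TOKEN, CONNECTOR_*_ID, *_PASSWORD).

# 0 when $1 is a well-formed UUIDv4: version nibble 4, variant nibble 8-b.
is_uuid4() {
  printf '%s\n' "$1" |
    grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

# Fresh UUIDv4 without the uuid package: kernel generator, uuidgen as fallback.
new_uuid4() {
  if [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
  else uuidgen | tr 'A-Z' 'a-z'; fi
}

# Walk the KEY=VALUE lines of $1: report problems on stderr, print their count.
check_env_file() {
  problems=0
  while IFS='=' read -r key val; do
    case "$key" in
      ''|'#'*) ;;                      # blank line or comment
      OPENCTI_ADMIN_TOKEN|CONNECTOR_*_ID)
        if ! is_uuid4 "$val"; then
          echo "$key: '$val' is not a UUIDv4, try $(new_uuid4)" >&2
          problems=$((problems + 1))
        fi ;;
      *_PASSWORD)                      # lab policy assumed here: 12+ chars
        if [ "${#val}" -lt 12 ]; then
          echo "$key: shorter than 12 characters" >&2
          problems=$((problems + 1))
        fi ;;
    esac
  done < "$1"
  echo "$problems"
}

# Constructed sample .env for this example (values are made up), written to $1.
write_sample_env() {
  cat > "$1" <<'EOF'
OPENCTI_ADMIN_EMAIL=admin@lab.example
OPENCTI_ADMIN_PASSWORD=ChangeMe
OPENCTI_ADMIN_TOKEN=not-a-uuid
CONNECTOR_EXPORT_FILE_STIX_ID=0a6c5d3e-9f5b-4b7e-8c2d-1e2f3a4b5c6d
CONNECTOR_IMPORT_FILE_STIX_ID=11111111-2222-3333-4444-555555555555
EOF
}

f=$(mktemp); write_sample_env "$f"; check_env_file "$f"; rm -f "$f"
```

On the constructed sample it reports three problems (short password, non-UUID token, and a connector ID whose version nibble is 3 rather than 4); run it against your real .env with `check_env_file .env`.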

💡
There are many more options you can tune. Most of them are documented here: https://docs.opencti.io/5.11.X/deployment/configuration/. Make sure to add them in the environment blocks of the docker-compose.yml file.

You should also get familiar with the docker-compose.yml file for things such as exposed ports (default 8080), additional environment variables, additional connectors and resource management.

Once you're happy with the initial configuration, run docker compose up -d to start the service stack in the background. Use docker compose logs to troubleshoot any issue. The OpenCTI application can then be accessed with a browser on port 8080 of your server:

[Image: Login prompt of OpenCTI, showing the OpenCTI logo above the login and password fields]

You can authenticate using the admin login and password you provided in the configuration.

Upon authenticating, you will be presented with the default dashboard, unfortunately empty for now (hopefully not for long!).

Conclusion

In this post we went through an overview of how to install OpenCTI. In the next one we'll dive into the real stuff.