OpenCTI docker-compose example

The following docker-compose example fires up OpenCTI with all its dependencies and some of its included connectors. It also includes an example setup of opencti-wazuh-connector, with placeholder values that you need to replace:

  • WAZUH_OPENSEARCH_URL

  • WAZUH_OPENSEARCH_USERNAME

  • WAZUH_OPENSEARCH_PASSWORD

Note

See configuration for details.

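  services:
    redis:
      image: redis:7.2.5
      restart: always
      volumes:
        - redisdata:/data

    elasticsearch:
      image: docker.elastic.co/elasticsearch/elasticsearch:8.13.4
      volumes:
        - esdata:/usr/share/elasticsearch/data
      environment:
        # Comment-out the line below for a cluster of multiple nodes
        - discovery.type=single-node
        # Uncomment the line below for a cluster of multiple nodes
        # - cluster.name=docker-cluster
        - xpack.ml.enabled=false
        # Authentication is disabled on Elasticsearch. This is only acceptable
        # because this service publishes no ports: it is reachable solely from
        # the compose network. Do not add a ports: entry here without enabling
        # security first.
        - xpack.security.enabled=false
        - thread_pool.search.queue_size=5000
        - logger.org.elasticsearch.discovery="ERROR"
        - "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
      restart: always
      ulimits:
        memlock:
          soft: -1
          hard: -1
        nofile:
          soft: 65536
          hard: 65536
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    minio:
      image: minio/minio:RELEASE.2024-05-28T17-19-04Z
      volumes:
        - s3data:/data
      ports:
        # Bound to loopback only; keep it that way unless an external S3 client
        # really needs to reach MinIO.
        - "127.0.0.1:9000:9000"
      environment:
        MINIO_ROOT_USER: ${MINIO_ROOT_USER}
        MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
      command: server /data
      restart: always
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    rabbitmq:
      image: rabbitmq:3.13-management
      environment:
        - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
        - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
        - RABBITMQ_NODENAME=rabbit01@localhost
      volumes:
        - amqpdata:/var/lib/rabbitmq
      restart: always
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    opencti:
      image: opencti/platform:6.1.10
      environment:
        - NODE_OPTIONS=--max-old-space-size=8096
        - APP__PORT=8080
        - APP__BASE_URL=${OPENCTI_BASE_URL}
        - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
        - APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
        # Admin API token. The worker and every connector below reuse it; a
        # dedicated connector user with narrower rights is preferable outside
        # of an example setup.
        - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
        - APP__APP_LOGS__LOGS_LEVEL=error
        - REDIS__HOSTNAME=redis
        - REDIS__PORT=6379
        - ELASTICSEARCH__URL=http://elasticsearch:9200
        - MINIO__ENDPOINT=minio
        - MINIO__PORT=9000
        - MINIO__USE_SSL=false
        - MINIO__ACCESS_KEY=${MINIO_ROOT_USER}
        - MINIO__SECRET_KEY=${MINIO_ROOT_PASSWORD}
        - RABBITMQ__HOSTNAME=rabbitmq
        - RABBITMQ__PORT=5672
        - RABBITMQ__PORT_MANAGEMENT=15672
        - RABBITMQ__MANAGEMENT_SSL=false
        - RABBITMQ__USERNAME=${RABBITMQ_DEFAULT_USER}
        - RABBITMQ__PASSWORD=${RABBITMQ_DEFAULT_PASS}
        - SMTP__HOSTNAME=${SMTP_HOSTNAME}
        - SMTP__PORT=25
        - PROVIDERS__LOCAL__STRATEGY=LocalStrategy
      ports:
        # Bound to loopback only; put a TLS-terminating reverse proxy in front
        # of it to expose the platform.
        - "127.0.0.1:8080:8080"
      depends_on:
        - redis
        - elasticsearch
        - minio
        - rabbitmq
      restart: always
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    worker:
      image: opencti/worker:6.1.10
      environment:
        - OPENCTI_URL=http://opencti:8080
        - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
        - WORKER_LOG_LEVEL=info
      depends_on:
        - opencti
      deploy:
        mode: replicated
        replicas: 3
      restart: always
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    connector-export-file-stix:
      image: opencti/connector-export-file-stix:6.1.10
      environment:
        - OPENCTI_URL=http://opencti:8080
        - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
        # Taken from .env, like the import connector below, so every connector
        # ID lives in one place.
        - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_STIX_ID} # Valid UUIDv4
        - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
        - CONNECTOR_NAME=ExportFileStix2
        - CONNECTOR_SCOPE=application/json
        - CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
        - CONNECTOR_LOG_LEVEL=info
      restart: always
      depends_on:
        - opencti
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    connector-import-file-stix:
      image: opencti/connector-import-file-stix:6.1.10
      environment:
        - OPENCTI_URL=http://opencti:8080
        - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
        - CONNECTOR_ID=${CONNECTOR_IMPORT_FILE_STIX_ID} # Valid UUIDv4
        - CONNECTOR_TYPE=INTERNAL_IMPORT_FILE
        - CONNECTOR_NAME=ImportFileStix
        - CONNECTOR_VALIDATE_BEFORE_IMPORT=true # Validate any bundle before import
        - CONNECTOR_SCOPE=application/json,text/xml
        - CONNECTOR_AUTO=true # Enable/disable auto-import of file
        - CONNECTOR_CONFIDENCE_LEVEL=15 # From 0 (Unknown) to 100 (Fully trusted)
        - CONNECTOR_LOG_LEVEL=info
      restart: always
      depends_on:
        - opencti
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

    connector-wazuh:
      image: ghcr.io/misje/opencti-wazuh-connector:0.3.0
      restart: always
      depends_on:
        - opencti
      environment:
        # A timezone is needed for datetime tools to work as expected:
        - TZ=UTC
        - USE_TZ=true
        - OPENCTI_URL=http://opencti:8080
        - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
        - CONNECTOR_ID=81f9d582-2b4e-45f1-98b6-f33492d66b6e # Replace this with a unique ID
        - CONNECTOR_NAME=Wazuh
        - CONNECTOR_SCOPE=Artifact,Directory,Domain-Name,Email-Addr,Hostname,IPv4-Addr,IPv6-Addr,Mac-Addr,Network-Traffic,Process,StixFile,Url,User-Account,User-Agent,Windows-Registry-Key,Windows-Registry-Value-Type,Vulnerability,Indicator
        - CONNECTOR_AUTO=true
        - CONNECTOR_LOG_LEVEL=warning
        - CONNECTOR_EXPOSE_METRICS=true
        - WAZUH_APP_URL=https://mywazuh.example.org
        # Placeholder credentials — replace them. Prefer referencing a variable
        # from .env instead of keeping the secret in this file. If the password
        # contains "$", write it as "$$" so compose does not try to interpolate it.
        - "WAZUH_OPENSEARCH_PASSWORD=SecretPassword"
        - WAZUH_OPENSEARCH_URL=https://mywazuh.example.org:9200
        - WAZUH_OPENSEARCH_USERNAME=cti_connector
        # Keep certificate verification on: the OpenSearch credentials above
        # travel over this connection.
        - WAZUH_OPENSEARCH_VERIFY_TLS=true
        - WAZUH_TLPS=TLP:AMBER+STRICT
      # Set a limit on logs:
      logging:
        options:
          max-size: 50m

  volumes:
    esdata:
    s3data:
    redisdata:
    amqpdata: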

In addition to the docker-compose.yml file above, you need an .env file for the common environment variables needed by OpenCTI:

 1OPENCTI_ADMIN_EMAIL=admin@opencti.io
 2OPENCTI_ADMIN_PASSWORD="SecretPassword"
 3OPENCTI_ADMIN_TOKEN=dafc7e88-f450-4685-8c2b-187f92b64e3d
 4OPENCTI_BASE_URL=http://localhost:8080
 5MINIO_ROOT_USER=opencti
 6MINIO_ROOT_PASSWORD=GahShu6ziaNie9iSheiW
 7RABBITMQ_DEFAULT_USER=opencti
 8RABBITMQ_DEFAULT_PASS=Eik4shah7rojii1raith
 9CONNECTOR_EXPORT_FILE_STIX_ID=dd817c8b-abae-460a-9ebc-97b1551e70e6
10CONNECTOR_EXPORT_FILE_CSV_ID=7ba187fb-fde8-4063-92b5-c3da34060dd7
11CONNECTOR_EXPORT_FILE_TXT_ID=ca715d9c-bd64-4351-91db-33a8d728a58b
12CONNECTOR_IMPORT_FILE_STIX_ID=72327164-0b35-482b-b5d6-a5a3f76b845f
13CONNECTOR_IMPORT_DOCUMENT_ID=c3970f8a-ce4b-4497-a381-20b7256f56f0
14SMTP_HOSTNAME=localhost
15ELASTIC_MEMORY_SIZE="512M"

Note

All passwords in docker and docker-compose files must have their “$” escaped by another “$” (i.e. “$” becomes “$$”), otherwise docker compose treats the “$” as the start of a variable to interpolate.

Note

The default login is as you specified in .env (see above). The defaults in the example above are:

  • Username: admin@opencti.io

  • Password: SecretPassword