Setting up OpenCTI
There are numerous intel feeds available (both free and paid commercial), which creates an information overload for those trying to keep up with contemporary cyber threat intelligence.
I was searching for a simple, easy-to-use platform which I could run and administer myself, without a steep learning curve. OpenCTI was chosen because it ticks those boxes, it's open source, and supports a wide range of integrations.
In my environment I'm using Docker, managed with Portainer. I won't go through the setup steps for these, so this guide will assume that you are reasonably familiar with how Docker works, and you have access to the web interface for Portainer.
This deployment model is also single-node. The containers are run and managed on a single host; nothing is distributed. This keeps setup simple if you're looking at OpenCTI as a proof of concept or deploying it in an environment without strenuous requirements.
GitHub - OpenCTI-Platform/docker: OpenCTI Docker deployment helpers
Note: As OpenCTI depends on Elasticsearch, you have to set vm.max_map_count before running the containers, as mentioned in the Elasticsearch documentation.
$ sudo sysctl -w vm.max_map_count=1048575
To make this parameter persistent, add the following to the end of your /etc/sysctl.conf:
vm.max_map_count=1048575
A docker-compose file is provided here: https://github.com/OpenCTI-Platform/docker/blob/master/docker-compose.yml
You'll see there are several variables contained within docker-compose.yml, such as:
- APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
- APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
- APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
Pull the example environment variable file: https://github.com/OpenCTI-Platform/docker/blob/master/.env.sample
For the above example you'll need v4 UUID values. Generate them here: https://www.uuidgenerator.net/version4
Navigate to your Portainer interface.
- Go to Stacks, then Add Stack (name: opencti)
- Build method: web editor
- Paste the contents of docker-compose.yml into the 'web editor'
There appears to be some conflicting information in various guides about setting the environment variables. Underneath the 'web editor' field you'll see an 'advanced mode' link. Click this. It will expand another field where you can paste and set multiple environment variables for this stack in one go.
Substitute UUIDv4 with the values you generated via the UUID generator.
The password for MinIO needs to be more than 6 characters, otherwise it'll fail to start and you'll be in a world of pain with cascading container failures.
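The values can also be generated locally instead of on a website, and the environment block checked before it is pasted into Portainer's 'advanced mode' field. The Python below is an added example, not part of the original guide or the OpenCTI project; MINIO_ROOT_PASSWORD is an assumed variable name, so use whatever your .env.sample calls the MinIO password.

```python
import secrets
import uuid

# ADMIN_VARS are named in the docker-compose.yml excerpt; MINIO_VAR is an assumed name.
ADMIN_VARS = ("OPENCTI_ADMIN_EMAIL", "OPENCTI_ADMIN_PASSWORD", "OPENCTI_ADMIN_TOKEN")
MINIO_VAR = "MINIO_ROOT_PASSWORD"

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def is_uuid4(value):
    """True only for a canonical, hyphenated version-4 UUID string."""
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.version == 4 and str(parsed) == value.lower()

def check_env(text):
    """Return a list of problems; an empty list means the block is ready to paste."""
    env, problems = parse_env(text), []
    for name in ADMIN_VARS + (MINIO_VAR,):
        if not env.get(name):
            problems.append(f"{name} is missing or empty")
    for name, value in env.items():
        if "UUIDv4" in value:  # placeholder the guide says to substitute
            problems.append(f"{name} still holds the UUIDv4 placeholder")
    token = env.get("OPENCTI_ADMIN_TOKEN", "")
    if token and "UUIDv4" not in token and not is_uuid4(token):
        problems.append("OPENCTI_ADMIN_TOKEN is not a v4 UUID")
    if 0 < len(env.get(MINIO_VAR, "")) <= 6:  # guide: must be more than 6 characters
        problems.append(f"{MINIO_VAR} must be longer than 6 characters")
    return problems

def generate_env(email):
    """Build an env block with a locally generated token and random passwords."""
    return "\n".join([
        f"OPENCTI_ADMIN_EMAIL={email}",
        f"OPENCTI_ADMIN_PASSWORD={secrets.token_urlsafe(24)}",
        f"OPENCTI_ADMIN_TOKEN={uuid.uuid4()}",
        f"{MINIO_VAR}={secrets.token_urlsafe(24)}",
    ])
```

Call `print(generate_env("you@example.org"))` to produce a block, then run `check_env()` on the full text you intend to paste; any remaining variables from .env.sample still need to be filled in by hand.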
Click 'deploy the stack'. Give it some time; depending on your hardware and internet speed it could take ~30 minutes. It took about 10 minutes for me.