Setting up OpenCTI

There are numerous intel feeds (both free and paid commercial) available which presents an information overload for those trying to keep up with contemporary cyber threat intelligence.

I was searching for a simple, easy to use platform which I could run and administer myself, without a steep learning curve. OpenCTI was chosen because it ticks those boxes, it's opensource, and supports a wide range of integrations.

In my environment I'm using Docker, managed with Portainer. I won't go through the setup steps for these, so this guide will assume that you are reasonably familiar with how Docker works, and you have access to the web interface for Portainer.

This deployment model is also on a single node. The containers are run/managed on a single host, nothing is distributed. This makes it easier for setting up a single host if you're looking at OpenCTI as a proof of concept or deploying it in an environment without strenuous requirements.

$ sudo sysctl -w vm.max_map_count=1048575

To make this parameter persistent, add the following to the end of your /etc/sysctl.conf:

$ vm.max_map_count=1048575

You'll see there are several variables contained within docker-compose.yml such as;

- APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
- APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
- APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}

Navigate to your Portainer interface. Go to Stacks Add Stack (name: opencti) Build method: web editor Paste contents of docker-compose.yml into 'web editor' There appears to be some conflicting information being shared on various different guides about setting the environment variables. Underneath the 'web editor' field you'll see an 'advanced mode' link. Click this. It will expand another field and you'll be able to post/set multiple environment variables for this stack in one go.

Click 'deploy the stack'. Give it some time, depending on your hardware and internet speed it could take ~30 minutes. It took about 10 minutes for me.