Quick Start

Get the full lab running in under 10 minutes. See Prerequisites before starting if this is your first run.

1. Clone the repository

git clone https://github.com/anpa1200/CTI_as_a_Code.git
cd CTI_as_a_Code

2. Configure credentials

cp .env.example .env

Open .env and replace every placeholder. At minimum, change all passwords and generate real secrets:

# Generate a 32-byte hex secret
openssl rand -hex 32

# Generate a UUID
cat /proc/sys/kernel/random/uuid

Values to fill in:

  • ELASTIC_PASSWORD — Elasticsearch elastic superuser password
  • KIBANA_SYSTEM_PASSWORD — internal Kibana service account password
  • KIBANA_ENCRYPTION_KEY — 32+ character random string
  • MINIO_ROOT_USER / MINIO_ROOT_PASSWORD — MinIO admin credentials
  • RABBITMQ_DEFAULT_USER / RABBITMQ_DEFAULT_PASS
  • OPENCTI_ADMIN_PASSWORD — your OpenCTI admin login
  • OPENCTI_APP_SECRET — 64-char hex (use openssl rand -hex 32)
  • OPENCTI_ADMIN_TOKEN — UUID (used by connectors and the worker)
  • CONNECTOR_MITRE_ID — UUID (unique ID for the MITRE connector)
  • THEHIVE_SECRET / CORTEX_SECRET — 64-char hex each
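The list above is long enough that a placeholder is easy to miss. The script below is an added example, not a script from the CTI_as_a_Code repository: it generates the hex and UUID values with the same commands shown above, writes them into .env, and then checks that every required variable has a real value. It assumes placeholders in .env.example are empty or read "changeme" (the exact placeholder text is not given on this page, so adjust the pattern in check_env if yours differ).

```shell
#!/bin/sh
# Added example (not a script from the CTI_as_a_Code repository): generate the
# secrets listed in the Quick Start and check that .env holds no placeholders.
# Assumption: placeholders in .env.example are empty or read "changeme".
set -eu

# Variables that must hold a real value before `docker compose up -d`.
REQUIRED_VARS="ELASTIC_PASSWORD KIBANA_SYSTEM_PASSWORD KIBANA_ENCRYPTION_KEY
MINIO_ROOT_USER MINIO_ROOT_PASSWORD RABBITMQ_DEFAULT_USER RABBITMQ_DEFAULT_PASS
OPENCTI_ADMIN_PASSWORD OPENCTI_APP_SECRET OPENCTI_ADMIN_TOKEN CONNECTOR_MITRE_ID
THEHIVE_SECRET CORTEX_SECRET"
# Generated as 64-char hex, and generated as UUIDs (usernames are left to you).
HEX_VARS="ELASTIC_PASSWORD KIBANA_SYSTEM_PASSWORD KIBANA_ENCRYPTION_KEY
MINIO_ROOT_PASSWORD RABBITMQ_DEFAULT_PASS OPENCTI_ADMIN_PASSWORD
OPENCTI_APP_SECRET THEHIVE_SECRET CORTEX_SECRET"
UUID_VARS="OPENCTI_ADMIN_TOKEN CONNECTOR_MITRE_ID"

gen_hex32() { openssl rand -hex 32; }   # 32 random bytes -> 64 hex chars

# UUID from the kernel RNG as in the Quick Start; falls back to uuidgen, then to
# random hex laid out 8-4-4-4-12 (no RFC 4122 version bits, but an opaque token).
gen_uuid() {
  if [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
  elif command -v uuidgen >/dev/null 2>&1; then uuidgen | tr 'A-Z' 'a-z'
  else openssl rand -hex 16 | sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)/\1-\2-\3-\4-/'
  fi
}

# set_env FILE VAR VALUE: replace (or append) the VAR= line in FILE.
set_env() {
  grep -v "^$2=" "$1" > "$1.tmp" || true
  printf '%s=%s\n' "$2" "$3" >> "$1.tmp" && mv "$1.tmp" "$1"
}

# check_env FILE: return 0 if every required variable has a non-placeholder value,
# else 1 (offenders go to stderr). Last assignment wins and surrounding quotes are
# dropped, matching how docker compose reads .env.
check_env() {
  rc=0
  for v in $REQUIRED_VARS; do
    val=$(grep "^$v=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$val" in
      ""|changeme*|*placeholder*|*change_me*) echo "$v: still a placeholder" >&2; rc=1 ;;
    esac
  done
  return $rc
}
# Usage: sh gen-secrets.sh .env  (fills secrets, then reports what is left to set by hand)
if [ $# -eq 1 ]; then
  for v in $HEX_VARS; do set_env "$1" "$v" "$(gen_hex32)"; done
  for v in $UUID_VARS; do set_env "$1" "$v" "$(gen_uuid)"; done
  check_env "$1"
fi
```

After it runs, the only variables it reports should be the usernames and OPENCTI_ADMIN_EMAIL-style settings you fill in yourself; a non-zero exit from check_env means the stack is not ready to start.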

3. Apply kernel tuning

sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf

4. Start core services

docker compose up -d

This starts: Elasticsearch, Kibana, Redis, RabbitMQ, MinIO, OpenCTI, OpenCTI workers (×2), TheHive, Cortex.

Watch startup progress:

docker compose logs -f

Elasticsearch takes 60–90 seconds on first boot. Wait until you see green or yellow cluster status before proceeding.

5. Run first-time setup

./scripts/setup.sh

This script:

  1. Waits for Elasticsearch to be healthy
  2. Sets the kibana_system user password (required for Kibana to connect)
  3. Creates the opencti and thehive MinIO buckets
  4. Creates the Logstash index template

6. Verify all services are up

./scripts/health-check.sh

All services should return HTTP 200 or HTTP 302.

7. (Optional) Start the MITRE ATT&CK connector

docker compose --profile connectors up -d

The connector will populate OpenCTI with the full MITRE ATT&CK Enterprise matrix (tactics, techniques, groups, software). Initial sync takes 5–10 minutes.

8. (Optional) Start Logstash

docker compose --profile logstash up -d

Point Filebeat or Winlogbeat on your endpoints at <lab-host>:5044.

Access the services

Service        URL                      Credentials
OpenCTI        http://localhost:8080    OPENCTI_ADMIN_EMAIL + OPENCTI_ADMIN_PASSWORD from .env
Kibana SIEM    http://localhost:5601    elastic + ELASTIC_PASSWORD
TheHive        http://localhost:9100    Create admin on first visit
Cortex         http://localhost:9002    Create admin on first visit
MinIO Console  http://localhost:9001    MINIO_ROOT_USER + MINIO_ROOT_PASSWORD
RabbitMQ       http://localhost:15672   RABBITMQ_DEFAULT_USER + RABBITMQ_DEFAULT_PASS

Next steps

  1. OpenCTI first-run setup — configure organizations and marking definitions
  2. TheHive first-run setup — create an organization and first user
  3. Connect Cortex to TheHive — wire up automated enrichment
  4. Connect OpenCTI to TheHive — push threat intel into cases
  5. IOC triage workflow — put it all together
  6. Start training — A01 — run your first reactive investigation
  7. Full ecosystem — see how this lab fits with the CTI Portfolio and Field Manual