Dependencies
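# Debian/Ubuntu: tools the steps below rely on (wget/gnupg for repository
# signing keys, curl, git, python3-pip). The apt package is "lsb-release";
# "lsb_release" is the command it provides, and apt cannot locate a package
# by that name. Run with sudo like every other privileged step on this page.
sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release
# RHEL/CentOS equivalents.
# NOTE(review): confirm "pkg-install" is a package available in your yum repositories.
sudo yum install pkg-install gnupg chkconfig python3-pip git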
Java Virtual Machine
Installation
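# Debian/Ubuntu: Amazon Corretto 11 from the vendor's apt repository.
# The signing key is fetched over HTTPS into its own keyring, and the source
# line trusts only that key via [signed-by=...].
wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
# "tee" without -a rewrites the file, so re-running this step does not leave
# a duplicate source line for apt to warn about.
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.sources.list
sudo apt update
sudo apt install java-common java-11-amazon-corretto-jdk
# Record JAVA_HOME in /etc/environment for future sessions (this appends; drop
# any stale JAVA_HOME line if re-running) and export it for the current shell.
echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"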
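# RHEL/CentOS: Amazon Corretto 11 from the vendor's yum repository.
# Keep rpm's output: a failed key import should be visible here rather than
# surfacing later as a package-signature error.
sudo rpm --import https://yum.corretto.aws/corretto.key
# "tee" without -a rewrites the repo file, so re-running does not duplicate it.
wget -qO- https://yum.corretto.aws/corretto.repo | sudo tee /etc/yum.repos.d/corretto.repo
# Run as root like the steps above, and keep yum's output so its confirmation
# prompt and any errors are visible instead of being discarded.
sudo yum install java-1.11.0-amazon-corretto-devel
# Record JAVA_HOME for future sessions (appends) and for the current shell.
echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"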
Cassandra
Installation
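# Debian/Ubuntu: Apache Cassandra from the project's apt repository ("40x" in
# the source line selects the 4.0 release series). The project KEYS file is
# converted into a dedicated keyring that only this source trusts.
wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
# "tee" without -a rewrites the file, so re-running does not duplicate the entry.
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install cassandra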
Edit cassandra.yaml
First we need to edit the configuration file for Cassandra by making the following changes. Note that pointing listen_address and rpc_address at the machine's IP makes Cassandra reachable from other hosts, and these steps do not enable authentication, so restrict access to its ports (for example with a host firewall) to the hosts that need them.
/etc/cassandra/cassandra.yaml
-- cluster_name: 'Test Cluster'
++ cluster_name: 'OSSOC'
-- listen_address: localhost
++ listen_address: (Ubuntu machine's IP address)
-- rpc_address: localhost
++ rpc_address: (Ubuntu machine's IP address)
seed_provider:
parameters:
-- seeds: "127.0.0.1:7000"
++ seeds: "(Ubuntu machine's IP address):7000"
Perform the following steps next:
Stop cassandra.service
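# Stop the service before its data directory is removed below. Managing
# services needs root, so use sudo as in the other steps.
sudo systemctl stop cassandra.service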
Remove the old data files (this deletes everything under /var/lib/cassandra, so only do it on a fresh install)
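# Wipe the data directory so the node comes up with the new cluster_name
# instead of the name it previously stored. This destroys ALL existing
# Cassandra data under /var/lib/cassandra; only do this on a fresh install.
# Needs root, and "--" stops option parsing so the path is never read as a flag.
sudo rm -rf -- /var/lib/cassandra/*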
Start cassandra.service
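# Start the node again with the edited cassandra.yaml (needs root).
sudo systemctl start cassandra.service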
Check cassandra.service status
# Confirm the node came up cleanly after the config change and data wipe.
systemctl status cassandra.service
Elasticsearch
Installation
# Debian/Ubuntu: Elasticsearch 7.x from Elastic's apt repository. The signing
# key goes into its own keyring and the source line trusts only that key.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
# Already installed in the Dependencies step; repeating it is harmless.
sudo apt-get install apt-transport-https
# "tee" without -a rewrites the file, so repeating this step does not duplicate the entry.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch
Edit elasticsearch.yml. Setting network.host to the machine's IP exposes port 9200 to the network, and these steps do not enable Elasticsearch authentication, so restrict access to that port to the hosts that need it (here, the TheHive host).
/etc/elasticsearch/elasticsearch.yml
-- #cluster.name: my-application
++ cluster.name: ossoc
-- #node.name: node-1
++ node.name: node-1
-- #network.host: 192.168.0.1
++ network.host: (Ubuntu machine's IP address)
-- #http.port: 9200
++ http.port: 9200
-- #cluster.initial_master_nodes: ["node-1", "node-2"]
++ cluster.initial_master_nodes: ["node-1"]
Start elasticsearch
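# Start Elasticsearch with the edited elasticsearch.yml (needs root).
sudo systemctl start elasticsearch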
Enable elasticsearch
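# Start Elasticsearch automatically on boot (needs root).
sudo systemctl enable elasticsearch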
Check elasticsearch.service status
# Confirm the service is running before TheHive is pointed at it.
systemctl status elasticsearch.service
File Storage
Create /opt/thp/thehive/files
# Attachment storage for TheHive; -p also creates /opt/thp and /opt/thp/thehive.
sudo mkdir -p /opt/thp/thehive/files
Change ownership of /opt/thp/thehive/files to (User):thehive
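# Give the files directory to the administrative user and the thehive group.
# Replace (User) with the account that will manage these files. Needs root,
# like the mkdir above. NOTE(review): the thehive group is presumably created
# by the thehive package installed in the next section; if this runs before
# that install and the group does not exist yet, chown fails — confirm ordering.
sudo chown -R (User):thehive /opt/thp/thehive/files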
TheHive
Installation
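# Debian/Ubuntu: TheHive 5.2 from StrangeBee's apt repository. The signing key
# goes into its own keyring and the source line trusts only that key.
wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
# "tee" without -a rewrites the file, so re-running does not duplicate the entry.
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee /etc/apt/sources.list.d/strangebee.list
sudo apt-get update
# -y answers the install prompt; drop it if you want to review the package list first.
sudo apt-get install -y thehive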
Change ownership of /opt/thp
to (User):thehive
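# Hand the whole /opt/thp tree to the admin user and the thehive group now
# that the package is installed (check the group exists with
# "getent group thehive"). Replace (User) accordingly; needs root.
sudo chown -R (User):thehive /opt/thp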
Edit application.conf
/etc/thehive/application.conf
db.janusgraph {
storage {
-- hostname = ["127.0.0.1"]
++ hostname = ["(Ubuntu machine's IP address)"]
cql {
-- cluster-name = thp
++ cluster-name = ossoc
}
}
index.search {
-- hostname = ["127.0.0.1"]
++ hostname = ["(Ubuntu machine's IP address)"]
}
}
-- application.baseUrl = "http://localhost:9000"
++ application.baseUrl = "http://(Ubuntu machine's IP address):9000"
Start thehive
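# Start TheHive with the edited application.conf (needs root).
sudo systemctl start thehive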
Enable thehive
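# Start TheHive automatically on boot (needs root).
sudo systemctl enable thehive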
Check thehive status
# Confirm TheHive is running before opening the dashboard.
systemctl status thehive
Dashboard
We can now access TheHive's dashboard at the address below. It is served over plain HTTP in this setup, so reach it only from a trusted network or put a TLS-terminating reverse proxy in front of it:
URI:
http://(Ubuntu machine's IP address):9000
Login credentials