mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
220 lines
6.9 KiB
Plaintext
220 lines
6.9 KiB
Plaintext
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
|
|
{%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %}
|
|
{%- set HIVEPLAYSECRET = salt['pillar.get']('global:hiveplaysecret', '') %}
|
|
|
|
# Secret Key
|
|
# The secret key is used to secure cryptographic functions.
|
|
# WARNING: If you deploy your application on several servers, make sure to use the same key.
|
|
play.http.secret.key="{{ HIVEPLAYSECRET }}"
|
|
play.http.context=/thehive/
|
|
search.uri = "http://{{ MANAGERIP }}:9400"
|
|
# Elasticsearch
|
|
search {
|
|
# Name of the index
|
|
index = the_hive
|
|
# Name of the Elasticsearch cluster
|
|
cluster = thehive
|
|
# Address of the Elasticsearch instance
|
|
host = ["{{ MANAGERIP }}:9500"]
|
|
#search.uri = "http://{{ MANAGERIP }}:9500"
|
|
# Scroll keepalive
|
|
keepalive = 1m
|
|
# Size of the page for scroll
|
|
pagesize = 50
|
|
# Number of shards
|
|
nbshards = 5
|
|
# Number of replicas
|
|
nbreplicas = 0
|
|
# Arbitrary settings
|
|
settings {
|
|
# Maximum number of nested fields
|
|
mapping.nested_fields.limit = 100
|
|
}
|
|
|
|
### XPack SSL configuration
|
|
# Username for XPack authentication
|
|
#username
|
|
# Password for XPack authentication
|
|
#password
|
|
# Enable SSL to connect to ElasticSearch
|
|
ssl.enabled = false
|
|
# Path to certificate authority file
|
|
#ssl.ca
|
|
# Path to certificate file
|
|
#ssl.certificate
|
|
# Path to key file
|
|
#ssl.key
|
|
|
|
### SearchGuard configuration
|
|
# Path to JKS file containing client certificate
|
|
#guard.keyStore.path
|
|
# Password of the keystore
|
|
#guard.keyStore.password
|
|
# Path to JKS file containing certificate authorities
|
|
#guard.trustStore.path
|
|
## Password of the truststore
|
|
#guard.trustStore.password
|
|
# Enforce hostname verification
|
|
#guard.hostVerification
|
|
# If hostname verification is enabled specify if hostname should be resolved
|
|
#guard.hostVerificationResolveHostname
|
|
}
|
|
|
|
# Authentication
|
|
auth {
|
|
# "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
|
|
# available auth types are:
|
|
# services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
|
|
# ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
|
|
# ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
|
|
provider = [local]
|
|
|
|
# By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
|
|
#method.basic = true
|
|
|
|
|
|
ad {
|
|
# The Windows domain name in DNS format. This parameter is required if you do not use
|
|
# 'serverNames' below.
|
|
#domainFQDN = "mydomain.local"
|
|
|
|
# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
|
|
# above. If this parameter is not set, TheHive uses 'domainFQDN'.
|
|
#serverNames = [ad1.mydomain.local, ad2.mydomain.local]
|
|
|
|
# The Windows domain name using short format. This parameter is required.
|
|
#domainName = "MYDOMAIN"
|
|
|
|
# If 'true', use SSL to connect to the domain controller.
|
|
#useSSL = true
|
|
}
|
|
|
|
ldap {
|
|
# The LDAP server name or address. The port can be specified using the 'host:port'
|
|
# syntax. This parameter is required if you don't use 'serverNames' below.
|
|
#serverName = "ldap.mydomain.local:389"
|
|
|
|
# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
|
|
#serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
|
|
|
|
# Account to use to bind to the LDAP server. This parameter is required.
|
|
#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
|
|
|
|
# Password of the binding account. This parameter is required.
|
|
#bindPW = "***secret*password***"
|
|
|
|
# Base DN to search users. This parameter is required.
|
|
#baseDN = "ou=users,dc=mydomain,dc=local"
|
|
|
|
# Filter to search user in the directory server. Please note that {0} is replaced
|
|
# by the actual user name. This parameter is required.
|
|
#filter = "(cn={0})"
|
|
|
|
# If 'true', use SSL to connect to the LDAP directory server.
|
|
#useSSL = true
|
|
}
|
|
}
|
|
|
|
# Maximum time between two requests without requesting authentication
|
|
session {
|
|
warning = 5m
|
|
inactivity = 1h
|
|
}
|
|
|
|
# Max textual content length
|
|
play.http.parser.maxMemoryBuffer= 1M
|
|
# Max file size
|
|
play.http.parser.maxDiskBuffer = 1G
|
|
|
|
# Cortex
|
|
# TheHive can connect to one or multiple Cortex instances. Give each
|
|
# Cortex instance a name and specify the associated URL.
|
|
#
|
|
# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line
|
|
|
|
play.modules.enabled += connectors.cortex.CortexConnector
|
|
|
|
cortex {
|
|
"CORTEX-SERVER-ID" {
|
|
url = "http://{{ MANAGERIP }}:9001/cortex/"
|
|
key = "{{ CORTEXKEY }}"
|
|
# # HTTP client configuration (SSL and proxy)
|
|
# ws {}
|
|
}
|
|
}
|
|
|
|
# MISP
|
|
# TheHive can connect to one or multiple MISP instances. Give each MISP
|
|
# instance a name and specify the associated Authkey that must be used
|
|
# to poll events, the case template that should be used by default when
|
|
# importing events as well as the tags that must be added to cases upon
|
|
# import.
|
|
|
|
# Prior to configuring the integration with a MISP instance, you must
|
|
# enable the MISP connector. This will allow you to import events to
|
|
# and/or export cases to the MISP instance(s).
|
|
|
|
#play.modules.enabled += connectors.misp.MispConnector
|
|
|
|
misp {
|
|
# Interval between consecutive MISP event imports in hours (h) or
|
|
# minutes (m).
|
|
interval = 1h
|
|
|
|
#"MISP-SERVER-ID" {
|
|
# # MISP connection configuration requires at least an url and a key. The key must
|
|
# # be linked with a sync account on MISP.
|
|
# url = ""
|
|
# key = ""
|
|
#
|
|
# # Name of the case template in TheHive that shall be used to import
|
|
# # MISP events as cases by default.
|
|
# caseTemplate = "<Template_Name_goes_here>"
|
|
#
|
|
# # Optional tags to add to each observable imported from an event
|
|
# # available on this instance.
|
|
# tags = ["misp-server-id"]
|
|
#
|
|
# ## MISP event filters
|
|
# # MISP filters is used to exclude events from the import.
|
|
# # Filter criteria are:
|
|
# # The number of attribute
|
|
# max-attributes = 1000
|
|
# # The size of its JSON representation
|
|
# max-size = 1 MiB
|
|
# # The age of the last publish date
|
|
# max-age = 7 days
|
|
# # Organization and tags
|
|
# exclusion {
|
|
# organisation = ["bad organisation", "other organisations"]
|
|
# tags = ["tag1", "tag2"]
|
|
# }
|
|
#
|
|
# ## HTTP client configuration (SSL and proxy)
|
|
# # Truststore to use to validate the X.509 certificate of the MISP
|
|
# # instance if the default truststore is not sufficient.
|
|
# # Proxy can also be used
|
|
# ws {
|
|
# ssl.trustManager.stores = [ {
|
|
# path = /path/to/truststore.jks
|
|
# } ]
|
|
# proxy {
|
|
# host = proxy.mydomain.org
|
|
# port = 3128
|
|
# }
|
|
# }
|
|
#
|
|
# # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
|
|
# # Default is ImportAndExport
|
|
# purpose = ImportAndExport
|
|
#} ## <-- Uncomment to complete the configuration
|
|
}
|
|
webhooks {
|
|
NodeRedWebHook {
|
|
url = "http://{{ MANAGERIP }}:1880/thehive"
|
|
}
|
|
#SOCtopusWebHook {
|
|
# url = "http://{{ MANAGERIP }}:7000/enrich"
|
|
#}
|
|
}
|