Sunday, October 2, 2022

Installing OpenCTI with Portainer on Ubuntu 22.04

Having played around with SecurityOnion, I was starting to look into threat intel feeds, which led me to a few applications, OpenCTI and MISP to name a couple. Today I am going to look at setting up a Docker instance of OpenCTI on an Ubuntu 22.04 VM.

While researching OpenCTI I found documentation on setting up OpenCTI with Portainer. Having never heard of Portainer, I first wanted to see what that was all about.

From the website for Portainer: Container Management made easy. Sold! I have used Docker a few times, but mostly basic stuff like setting up a container, inspecting the container, etc. So I don't really have much experience, but from the looks of Portainer, it has a GUI front end and works with Docker and Kubernetes. I figured I could use it, as I was going to use this system later to install a Docker instance of MISP on the same machine.

The basis of the install procedures came from here.  

I had selected the "Docker" option while installing Ubuntu 22.04 server, so I skipped the first part and started with creating a swarm (on a single computer, mind):

docker swarm init --advertise-addr 192.168.1.100

This sets up a Docker swarm with my machine as the manager node.

Installing Portainer

Below are the commands I ran on my Ubuntu VM for initial setup of Portainer.

mkdir -p /opt/portainer
cd /opt/portainer
curl -L https://downloads.portainer.io/portainer-agent-stack.yml -o portainer-agent-stack.yml

I updated the published ports in portainer-agent-stack.yml (due to a conflict with OpenCTI), so the portainer service now reads:

         ports:
           - "19000:9000"
           - "18000:8000"

The last step is to deploy the stack:

docker stack deploy --compose-file=portainer-agent-stack.yml portainer

Access Portainer from <UbuntuVM_IP>:19000




Installing OpenCTI

OpenCTI will be installed from within Portainer.  A docker-compose file is required for the installation.


This version had connectors set up for OTX, GreyNoise, AbuseIPDB, Shodan, Intezer, and a few others. A few configuration changes are required in the above file: for instance, you will need to update all the UUIDs and add your API keys from the above sites. Lastly, make sure you add your email address and password in the section below:

    - APP__ADMIN__EMAIL=
    - APP__ADMIN__PASSWORD=


Once logged into Portainer, you create a new stack as shown below:


Next you provide a name and paste the compose file into the web editor, as shown below:


Lastly, deploy the stack and wait about 30 minutes for it to fully build. Once complete, you will be able to access the site at https://ip:8080.
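As an added example (not from the original post, nor from the OpenCTI or Portainer projects), here are the two pre-deploy checks I would run against the stack files before clicking deploy: one flags credential or connector-ID values left empty or at a placeholder in the OpenCTI compose file, the other lists host ports that both stack files try to publish, which is the kind of clash that forced the Portainer port change above. The "ChangeMe" placeholder and a minio service on port 9000 are assumptions about the compose template, and the file excerpts are constructed.

```shell
# Added example, not from the original post: pre-deploy checks for the two compose
# files used above; all file contents below are constructed excerpts.
# Flag "- KEY=value" lines where KEY looks like a credential/connector id and the value
# is empty or a placeholder ("ChangeMe" as the template placeholder is an assumption); exit 1 if any.
check_unfilled_secrets() {
  awk -F= '
    /^[ \t]*-[ \t]*[A-Z0-9_]+=/ {
      key = $1; sub(/^[ \t]*-[ \t]*/, "", key)
      val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key ~ /(PASSWORD|TOKEN|KEY|CONNECTOR_ID|ADMIN__EMAIL)$/ &&
          (val == "" || val ~ /^(ChangeMe|<.*>)$/)) {
        print FILENAME ":" NR ": " key " is unset or a placeholder"; bad = 1
      }
    }
    END { exit bad ? 1 : 0 }' "$1"
}
# Host ports a compose file publishes (the left side of "- host:container").
host_ports() {
  sed -nE 's/^[ \t]*-[ \t]*"?([0-9]+):[0-9]+.*/\1/p' "$1"
}
# Exit 1 and print one line per host port that both stacks try to publish.
port_conflicts() {
  overlap=$( { host_ports "$1" | sort -u; host_ports "$2" | sort -u; } | sort | uniq -d )
  [ -z "$overlap" ] || { printf 'host port published by both stacks: %s\n' $overlap; return 1; }
}
demo=$(mktemp -d)
cat >"$demo/portainer-agent-stack.yml" <<'EOF'
  portainer:                    # constructed excerpt, before the port change
    ports:
      - "9000:9000"
      - "8000:8000"
EOF
cat >"$demo/opencti.yml" <<'EOF'
  opencti:                      # constructed excerpt of an OpenCTI stack
    ports:
      - "8080:8080"
    environment:
      - APP__ADMIN__EMAIL=
      - APP__ADMIN__PASSWORD=ChangeMe
      - APP__ADMIN__TOKEN=4b2c9f0e-0000-4000-8000-000000000001
  minio:
    ports:
      - "9000:9000"
  connector-greynoise:
    environment:
      - CONNECTOR_ID=ChangeMe
      - GREYNOISE_KEY=
EOF
check_unfilled_secrets "$demo/opencti.yml" || echo "fill these in before deploying the stack"
port_conflicts "$demo/portainer-agent-stack.yml" "$demo/opencti.yml" || echo "remap Portainer's host ports (e.g. 19000:9000 and 18000:8000) as above"
```

Run it with the real stack files in place of the constructed ones; a clean run prints nothing and exits 0.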
