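# soc-integrator — sample environment file
# Copy to .env and fill in real values before starting the service.
#
# Usage:
#   cp .env.example .env
#   # edit .env with your values
#   docker compose up -d
#
# Conventions:
#   - One KEY=value per line, comments on their own line. Not every .env reader
#     strips a trailing "# comment" from a value line; on those readers the
#     comment text would become part of the value.
#   - Values containing "change-me-..." are placeholders, not defaults to keep.
#   - The filled-in .env holds credentials; keep it out of version control.

# ---------------------------------------------------------------------------
# Core
# ---------------------------------------------------------------------------
# dev | prod
APP_ENV=dev
# DEBUG | INFO | WARNING | ERROR
LOG_LEVEL=INFO
# Shared secret expected in the X-Internal-API-Key header
SOC_INTEGRATOR_INTERNAL_KEY=change-me-internal-key

# ---------------------------------------------------------------------------
# Database (Postgres)
# ---------------------------------------------------------------------------
SOC_INTEGRATOR_DB_HOST=soc-integrator-db
SOC_INTEGRATOR_DB_PORT=5432
SOC_INTEGRATOR_DB_NAME=soc_integrator
SOC_INTEGRATOR_DB_USER=soc_integrator
SOC_INTEGRATOR_DB_PASSWORD=change-me-db-password

# ---------------------------------------------------------------------------
# Wazuh
# ---------------------------------------------------------------------------
WAZUH_BASE_URL=https://wazuh.manager:55000
WAZUH_USERNAME=wazuh-wui
WAZUH_PASSWORD=change-me-wazuh-password
WAZUH_INDEXER_URL=https://wazuh.indexer:9200
# Built-in indexer account; a dedicated account with only the permissions the
# integrator needs is preferable outside dev.
WAZUH_INDEXER_USERNAME=admin
WAZUH_INDEXER_PASSWORD=change-me-indexer-password

# Wazuh auto-sync (pulls alerts → creates IRIS alerts automatically)
WAZUH_AUTO_SYNC_ENABLED=true
# how often to run (seconds)
WAZUH_AUTO_SYNC_INTERVAL_SECONDS=60
# OpenSearch query filter
WAZUH_AUTO_SYNC_QUERY=*
# max alerts per cycle
WAZUH_AUTO_SYNC_LIMIT=50
# lookback window per cycle (minutes)
WAZUH_AUTO_SYNC_MINUTES=120

# ---------------------------------------------------------------------------
# Shuffle
# ---------------------------------------------------------------------------
SHUFFLE_BASE_URL=http://shuffle-backend:5001
# from Shuffle → Profile → API key
SHUFFLE_API_KEY=
SHUFFLE_USERNAME=
SHUFFLE_PASSWORD=

# ---------------------------------------------------------------------------
# PagerDuty
# ---------------------------------------------------------------------------
# Local stub for dev; replace with https://events.pagerduty.com in prod
PAGERDUTY_BASE_URL=http://pagerduty-stub
# PagerDuty integration/routing key
PAGERDUTY_API_KEY=

# ---------------------------------------------------------------------------
# IRIS (case management)
# ---------------------------------------------------------------------------
IRIS_BASE_URL=https://iriswebapp_nginx:8443
# IRIS → My profile → API key
IRIS_API_KEY=
IRIS_DEFAULT_CUSTOMER_ID=1
IRIS_DEFAULT_SOC_ID=

# ---------------------------------------------------------------------------
# Threat Intelligence — VirusTotal & AbuseIPDB
# ---------------------------------------------------------------------------
VIRUSTOTAL_BASE_URL=https://www.virustotal.com/api/v3
# https://www.virustotal.com/gui/my-apikey
VIRUSTOTAL_API_KEY=
ABUSEIPDB_BASE_URL=https://api.abuseipdb.com/api/v2
# https://www.abuseipdb.com/account/api
ABUSEIPDB_API_KEY=

# ---------------------------------------------------------------------------
# IOC CDB List Refresh
# Fetches public feeds (Feodo, URLhaus, ThreatFox, MalwareBazaar) and
# locally confirmed ioc_trace hits, writes Wazuh CDB list files, then
# restarts Wazuh analysisd to recompile.
#
# Requires shared bind-mount:
#   host:                 wazuh-docker/single-node/config/wazuh_cluster/lists/malicious-ioc/
#   wazuh container:      /var/ossec/etc/lists/malicious-ioc
#   integrator container: /ioc-lists (= WAZUH_LISTS_PATH)
# ---------------------------------------------------------------------------
# set true to start background refresh loop
IOC_REFRESH_ENABLED=false
# refresh every 4 hours (min: 300)
IOC_REFRESH_INTERVAL_SECONDS=14400
# min VT/AbuseIPDB confidence to include local hits
IOC_REFRESH_CONFIDENCE_THRESHOLD=0.7
# days back to query ioc_trace for confirmed hits
IOC_REFRESH_LOOKBACK_DAYS=30
# must match bind-mount destination in container
WAZUH_LISTS_PATH=/ioc-lists

# ---------------------------------------------------------------------------
# Log Loss Monitor
# Alerts when no Wazuh events arrive within the window.
# ---------------------------------------------------------------------------
LOG_LOSS_MONITOR_ENABLED=false
LOG_LOSS_MONITOR_INTERVAL_SECONDS=60
LOG_LOSS_MONITOR_WINDOW_MINUTES=5
LOG_LOSS_MONITOR_CREATE_IRIS_TICKET=false
LOG_LOSS_MONITOR_TICKET_COOLDOWN_SECONDS=900

# ---------------------------------------------------------------------------
# GeoIP
# ---------------------------------------------------------------------------
# ipwhois = free, no key required. Note that this is an external lookup
# service, so the IPs being enriched are sent to a third party.
GEOIP_PROVIDER=ipwhois
# cache lookups for 6 hours
GEOIP_CACHE_TTL_SECONDS=21600

# ---------------------------------------------------------------------------
# Correlation / C-Detection
# ---------------------------------------------------------------------------
C_DETECTION_ENABLED=true
C_DETECTION_WINDOW_MINUTES=30
C_DETECTION_CREATE_IRIS_TICKET=true
C_DETECTION_TICKET_COOLDOWN_SECONDS=900

# C1 — Impossible travel
C1_MAX_TRAVEL_SPEED_KMPH=900

# C2 — Off-hours login (UTC hours, inclusive)
C2_OFFHOURS_START_UTC=20
C2_OFFHOURS_END_UTC=6

# C3 — Lateral movement / port scan
C3_HOST_SPREAD_THRESHOLD=5
C3_SCAN_PORT_THRESHOLD=20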