tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125
							# soc-integrator — sample environment file
# Copy to .env and fill in real values before starting the service.
#
# Usage:
#   cp .env.example .env
#   # edit .env with your values
#   docker compose up -d

# ---------------------------------------------------------------------------
# Core
# ---------------------------------------------------------------------------
APP_ENV=dev                          # dev | prod
LOG_LEVEL=INFO                       # DEBUG | INFO | WARNING | ERROR

SOC_INTEGRATOR_INTERNAL_KEY=change-me-internal-key   # X-Internal-API-Key header

# ---------------------------------------------------------------------------
# Database (Postgres)
# ---------------------------------------------------------------------------
SOC_INTEGRATOR_DB_HOST=soc-integrator-db
SOC_INTEGRATOR_DB_PORT=5432
SOC_INTEGRATOR_DB_NAME=soc_integrator
SOC_INTEGRATOR_DB_USER=soc_integrator
SOC_INTEGRATOR_DB_PASSWORD=change-me-db-password

# ---------------------------------------------------------------------------
# Wazuh
# ---------------------------------------------------------------------------
WAZUH_BASE_URL=https://wazuh.manager:55000
WAZUH_USERNAME=wazuh-wui
WAZUH_PASSWORD=change-me-wazuh-password
WAZUH_INDEXER_URL=https://wazuh.indexer:9200
WAZUH_INDEXER_USERNAME=admin
WAZUH_INDEXER_PASSWORD=change-me-indexer-password

# Wazuh auto-sync (pulls alerts → creates IRIS alerts automatically)
WAZUH_AUTO_SYNC_ENABLED=true
WAZUH_AUTO_SYNC_INTERVAL_SECONDS=60   # how often to run (seconds)
WAZUH_AUTO_SYNC_QUERY=*               # OpenSearch query filter
WAZUH_AUTO_SYNC_LIMIT=50              # max alerts per cycle
WAZUH_AUTO_SYNC_MINUTES=120           # lookback window per cycle (minutes)

# ---------------------------------------------------------------------------
# Shuffle
# ---------------------------------------------------------------------------
SHUFFLE_BASE_URL=http://shuffle-backend:5001
SHUFFLE_API_KEY=                      # from Shuffle → Profile → API key
SHUFFLE_USERNAME=
SHUFFLE_PASSWORD=

# ---------------------------------------------------------------------------
# PagerDuty
# ---------------------------------------------------------------------------
PAGERDUTY_BASE_URL=http://pagerduty-stub   # replace with https://events.pagerduty.com in prod
PAGERDUTY_API_KEY=                         # PagerDuty integration/routing key

# ---------------------------------------------------------------------------
# IRIS (case management)
# ---------------------------------------------------------------------------
IRIS_BASE_URL=https://iriswebapp_nginx:8443
IRIS_API_KEY=                         # IRIS → My profile → API key
IRIS_DEFAULT_CUSTOMER_ID=1
IRIS_DEFAULT_SOC_ID=

# ---------------------------------------------------------------------------
# Threat Intelligence — VirusTotal & AbuseIPDB
# ---------------------------------------------------------------------------
VIRUSTOTAL_BASE_URL=https://www.virustotal.com/api/v3
VIRUSTOTAL_API_KEY=                   # https://www.virustotal.com/gui/my-apikey

ABUSEIPDB_BASE_URL=https://api.abuseipdb.com/api/v2
ABUSEIPDB_API_KEY=                    # https://www.abuseipdb.com/account/api

# ---------------------------------------------------------------------------
# IOC CDB List Refresh
# Fetches public feeds (Feodo, URLhaus, ThreatFox, MalwareBazaar) and
# locally confirmed ioc_trace hits, writes Wazuh CDB list files, then
# restarts Wazuh analysisd to recompile.
#
# Requires shared bind-mount:
#   host: wazuh-docker/single-node/config/wazuh_cluster/lists/malicious-ioc/
#   wazuh container:        /var/ossec/etc/lists/malicious-ioc
#   integrator container:   /ioc-lists  (= WAZUH_LISTS_PATH)
# ---------------------------------------------------------------------------
IOC_REFRESH_ENABLED=false             # set true to start background refresh loop
IOC_REFRESH_INTERVAL_SECONDS=14400   # refresh every 4 hours (min: 300)
IOC_REFRESH_CONFIDENCE_THRESHOLD=0.7 # min VT/AbuseIPDB confidence to include local hits
IOC_REFRESH_LOOKBACK_DAYS=30         # days back to query ioc_trace for confirmed hits
WAZUH_LISTS_PATH=/ioc-lists          # must match bind-mount destination in container

# ---------------------------------------------------------------------------
# Log Loss Monitor
# Alerts when no Wazuh events arrive within the window.
# ---------------------------------------------------------------------------
LOG_LOSS_MONITOR_ENABLED=false
LOG_LOSS_MONITOR_INTERVAL_SECONDS=60
LOG_LOSS_MONITOR_WINDOW_MINUTES=5
LOG_LOSS_MONITOR_CREATE_IRIS_TICKET=false
LOG_LOSS_MONITOR_TICKET_COOLDOWN_SECONDS=900

# ---------------------------------------------------------------------------
# GeoIP
# ---------------------------------------------------------------------------
GEOIP_PROVIDER=ipwhois               # ipwhois = free, no key required
GEOIP_CACHE_TTL_SECONDS=21600        # cache lookups for 6 hours

# ---------------------------------------------------------------------------
# Correlation / C-Detection
# ---------------------------------------------------------------------------
C_DETECTION_ENABLED=true
C_DETECTION_WINDOW_MINUTES=30
C_DETECTION_CREATE_IRIS_TICKET=true
C_DETECTION_TICKET_COOLDOWN_SECONDS=900

# C1 — Impossible travel
C1_MAX_TRAVEL_SPEED_KMPH=900

# C2 — Off-hours login (UTC hours, inclusive)
C2_OFFHOURS_START_UTC=20
C2_OFFHOURS_END_UTC=6

# C3 — Lateral movement / port scan
C3_HOST_SPREAD_THRESHOLD=5
C3_SCAN_PORT_THRESHOLD=20