TheHive Project describes itself as a "Scalable, Open Source Security Incident Response Solutions designed for SOCs & CERTs to collaborate, elaborate, analyze and get their job done." I'm not exactly positive about where I first heard about the project; however, I'm pretty sure it was from a Chris Sanders blog post. I'm finally getting around to looking into the project as an alternative to using Jira for tracking security events.
A virtual machine image used to be my default method for testing out projects like this; however, I much prefer docker images these days. If you still prefer VMware or VirtualBox, you can use the image provided by TheHive team. Note: the last time I looked at the VM image, it was several versions out of date.
What's better than a docker image? A docker-compose.yml file, and TheHive team has one ready for you. I made two modifications to the file: pointing to my own application.conf file, and adding a volume for the Elasticsearch data so it survives container restarts.
volumes:
  - /path/to/application.conf:/etc/thehive/application.conf

volumes:
  - /path/to/data:/usr/share/elasticsearch/data
I did, however, run into two issues when I executed the docker-compose up command.
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: Failed to create node environment
This error was due to the permissions on the host directory I mounted as the Elasticsearch data volume: the Elasticsearch user inside the container could not write to it. A simple chown of that directory fixed the error.
: max virtual memory areas vm.max_map_count  is too low, increase to at least 
I fixed this error by following the installation documentation and running the following command:
sysctl -w vm.max_map_count=262144
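Both failures can be caught before running docker-compose up. The following pre-flight script is an added example, not code from TheHive's repository; it assumes Linux with GNU stat, that the Elasticsearch container runs as uid 1000 (override with ES_UID), and that the argument is the host directory mounted at /usr/share/elasticsearch/data.

```shell
#!/bin/sh
# Pre-flight checks for the two docker-compose startup failures described above.
# Added example, not part of TheHive. Assumptions: Linux (/proc, GNU stat) and
# an Elasticsearch container running as uid 1000 unless ES_UID says otherwise.
set -eu

MIN_MAP_COUNT=262144            # minimum enforced by Elasticsearch's bootstrap check
ES_UID="${ES_UID:-1000}"        # assumed uid of the elasticsearch user in the container

# Read vm.max_map_count from the kernel (an alternate file path may be given for testing).
read_max_map_count() {
    cat "${1:-/proc/sys/vm/max_map_count}"
}

# Succeed when the given value satisfies the Elasticsearch minimum.
map_count_ok() {
    [ "$1" -ge "$MIN_MAP_COUNT" ]
}

# Succeed when the directory exists and is owned by the expected uid; otherwise
# Elasticsearch fails with "Failed to create node environment" at startup.
data_dir_owned_by() {
    [ -d "$1" ] && [ "$(stat -c %u "$1")" = "$2" ]
}

# Run both checks against the live system and print the fix for each failure.
# Only reports; it changes nothing on the host.
preflight() {
    dir="$1"
    rc=0
    current="$(read_max_map_count)"
    if ! map_count_ok "$current"; then
        echo "vm.max_map_count is $current, need $MIN_MAP_COUNT: sudo sysctl -w vm.max_map_count=$MIN_MAP_COUNT"
        rc=1
    fi
    if ! data_dir_owned_by "$dir" "$ES_UID"; then
        echo "$dir missing or not owned by uid $ES_UID: sudo chown -R $ES_UID:$ES_UID $dir"
        rc=1
    fi
    return "$rc"
}

# Run the checks only when a data directory is given, e.g. ./preflight.sh /path/to/data
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Note that sysctl -w only changes the running kernel; to keep the setting across reboots, also add vm.max_map_count=262144 to /etc/sysctl.conf or a file under /etc/sysctl.d/.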