mihari 5.4.4 → 5.4.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f1630070f66c1405dede2ff3d57403f219e7b407293ee7e3dc2b01c765ff148
-  data.tar.gz: 040a0d28d0eae3b8f0ec81736c8119f667d85e8b473cf1e5022a5e0486e46bf4
+  metadata.gz: c21e0cc46aa56c0b38742049ff9fb25d8375b8c555d26dc9c5893205f80947b0
+  data.tar.gz: 452122ef77d5e839a105b01c8ac703924c8488945f8a6d26dffb328efe758418
 SHA512:
-  metadata.gz: 7a3bb9a719b30d527170567ccea897ead5f253009a2fe4c028b5ca942bd170d5447d9ef3f403e8a80217f1a84371213a62dfad1dcb2a79738b7fc6c9d7427f08
-  data.tar.gz: 8681c17478418bd04025745d2b0470183b8ebda9b8ef9f561ef1d76ab834091f3d27d0ca04323e597d065b3af95ea3a53b1bc288a79690f8fd93e185e1683c5b
+  metadata.gz: '0488ab7be1fd505ffb6c1bf174bf4eb51a2809b39d014206a9078c2b25b635d1b1cecf71db54870cbe41f363f3016be0116193963a83f8038d8f87fd990075ad'
+  data.tar.gz: 392f31818f021e205a70e315e430dec4864edf7a37245651a2e516be4f41afb2c9572d73a0275574cb4917036398686f2da917d5c5386084a7527f0c2a68abb3

data/README.md

@@ -13,25 +13,9 @@
 
 ---
 
-Mihari is a tool for OSINT based threat hunting.
+A query aggregator for OSINT based threat hunting.
 
-## How it works
-
-![img](https://github.com/ninoseki/mihari/raw/master/images/overview.jpg)
-
-- Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes).
-- Mihari checks whether the database (SQLite3, PostgreSQL or MySQL) contains the artifacts or not.
-  - If it doesn't contain the artifacts:
-    - Mihari saves artifacts in the database.
-    - Mihari creates an alert on TheHive.
-    - Mihari sends a notification to Slack.
-    - Mihari creates an event on MISP.
-
-Also, you can check the alerts on a built-in web app.
-
-![img](https://github.com/ninoseki/mihari/raw/master/images/web_alerts.png)
-
-## Supported services
+Mihari can aggregate multiple searches across multiple services in a single rule & persist findings in a database.
 
 Mihari supports the following services by default.
 
@@ -52,13 +36,7 @@ Mihari supports the following services by default.
 - [VirusTotal](http://virustotal.com) & [VirusTotal Intelligence](https://www.virustotal.com/gui/intelligence-overview)
 - [ZoomEye](https://zoomeye.org)
 
-## Docs
-
-- [Mihari Knowledge Base](https://www.notion.so/Mihari-Knowledge-Base-266994ff61204428ba6cfcebe40b0bd1)
-
-## Presentations
-
-- [Adversary Infrastructure Tracking with Mihari](https://ninoseki.github.io/presentations/Adversary%20Infrastructure%20Tracking%20with%20Mihari.pdf)
+See [documentation](https://ninoseki.github.io/mihari/) for more details.
 
 ## License
 

data/docs/alternatives.md

@@ -0,0 +1,5 @@
+# Alternatives
+
+- [InQuest/ThreatIngestor](https://github.com/InQuest/ThreatIngestor) - Extract and aggregate threat intelligence.
+- [thalesgroup-cert/Watcher](https://github.com/thalesgroup-cert/Watcher) - Watcher - Open Source Cybersecurity Threat Hunting Platform. Developed with Django & React JS.
+- [projectdiscovery/uncover](https://github.com/projectdiscovery/uncover) - Quickly discover exposed hosts on the internet using multiple search engines.

data/docs/analyzers/binaryedge.md

@@ -0,0 +1,21 @@
+---
+tags:
+  - IP address
+---
+
+# BinaryEdge
+
+- [https://www.binaryedge.io/](https://www.binaryedge.io/)
+
+This analyzer uses [BinaryEdge API V2](https://docs.binaryedge.io/api-v2/) and [/v2/query/search](https://docs.binaryedge.io/api-v2/#v2querysearch) API endpoint to search.
+
+```yaml
+analyzer: binaryedge
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                   | Desc.        |
+| ------- | ------ | --------- | ------------------------- | ------------ |
+| query   | String | Yes       |                           | Search query |
+| api_key | String | No        | ENV[”BINARYEDGE_API_KEY"] | API key      |

data/docs/analyzers/censys.md

@@ -0,0 +1,23 @@
+---
+tags:
+  - IP address
+---
+
+# Censys
+
+- [https://censys.io/](https://censys.io/)
+
+The analyzer uses [Censys Search 2.0 REST API](https://search.censys.io/api) to search.
+
+```yaml
+analyzer: censys
+query: ...
+id: ...
+secret: ...
+```
+
+| Name   | Type   | Required? | Default              | Desc.         |
+| ------ | ------ | --------- | -------------------- | ------------- |
+| query  | String | Yes       |                      | Search query  |
+| id     | String | No        | ENV[”CENSYS_ID”]     | Censys ID     |
+| secret | String | No        | ENV[”CENSYS_SECRET”] | Censys secret |

data/docs/analyzers/circl.md

@@ -0,0 +1,29 @@
+---
+tags:
+  - IP address
+  - Passive DNS
+  - Passive SSL
+---
+
+# CIRCL Passive DNS/SSL
+
+- [https://www.circl.lu/services/passive-dns/](https://www.circl.lu/services/passive-dns/)
+- [https://www.circl.lu/services/passive-ssl/](https://www.circl.lu/services/passive-ssl/)
+
+This analyzer uses CIRCL passive DNS API or passive SSL API:
+
+- Use passive DNS API if a query(input) is a domain
+- Use passive SSL API if a query(input) is a SHA1 certificate fingerprint
+
+```yaml
+analyzer: circl
+query: ...
+password: ...
+username: ...
+```
+
+| Name     | Type   | Required? | Default                       | Desc.                                  |
+| -------- | ------ | --------- | ----------------------------- | -------------------------------------- |
+| query    | String | Yes       |                               | Domain or SHA1 certificate fingerprint |
+| username | String | No        | ENV[”CIRCL_PASSIVE_USERNAME”] | Username                               |
+| password | String | Noe       | ENV[”CIRCL_PASSIVE_PASSWORD”] | Password                               |

data/docs/analyzers/crtsh.md

@@ -0,0 +1,25 @@
+---
+tags:
+  - Domain
+---
+
+# crt.sh
+
+- [https://crt.sh/](https://crt.sh/)
+
+This analyzer uses [crt.sh](http://crt.sh)'s (unofficial?) REST API.
+
+```yaml
+analyzer: crtsh
+query: ...
+exclude_expired: ...
+```
+
+| Name            | Type               | Default | Desc.                                     |
+| --------------- | ------------------ | ------- | ----------------------------------------- |
+| query           | String             |         | Search query                              |
+| exclude_expired | Boolean (optional) | True    | Whether to exclude expired domains or not |
+
+!!! tip
+
+    if `exclude_expired` is set as `true`, expired domains are excluded from search results.

data/docs/analyzers/dnstwister.md

@@ -0,0 +1,23 @@
+---
+tags:
+  - Domain
+---
+
+# dnstwister
+
+- [https://dnstwister.report/](https://dnstwister.report/)
+
+This analyzer uses [dnstwister API](https://dnstwister.report/api/) to search.
+
+```yaml
+analyzer: dnstwister
+query: ...
+```
+
+| Name  | Type   | Required? | Default | Desc.  |
+| ----- | ------ | --------- | ------- | ------ |
+| query | String | Yes       |         | Domain |
+
+!!! tip
+
+    There is no need to input a domain in hexadecimal format. This analyzer automatically converts a domain (in string format) into a hexadecimal value.

data/docs/analyzers/feed.md

@@ -0,0 +1,49 @@
+# Feed
+
+This analyzer can ingest a feed (JSON or CSV) by specifying conditions.
+
+Note that you should write a selector to get proper IoCs from a feed. A selector is based on [jr](https://github.com/yuya-takeyama/jr).
+
+```yaml
+analyzer: feed
+query: ...
+http_request_method: ...
+http_request_payload: ...
+http_request_payload_type: ...
+http_request_headers: ...
+selector: ...
+```
+
+| Name                      | Type   | Required? | Default | Desc.                                |
+| ------------------------- | ------ | --------- | ------- | ------------------------------------ |
+| query                     | String | Yes       |         | URL                                  |
+| http_request_method       | String | No        | GET     | HTTP request method (GET or POST)    |
+| http_request_headers      | Hash   | No        |         | HTTP request headers                 |
+| http_request_payload      | Hash   | No        |         | HTTP request payload                 |
+| http_request_payload_type | String | No        |         | Content-type of HTTP request payload |
+| selector                  | String | Yes       |         | `jr` selector                        |
+
+## Examples
+
+**ThreatFox**
+
+```yaml
+analyzer: feed
+query: "https://threatfox-api.abuse.ch/api/v1/"
+http_request_method: "POST"
+http_request_payload:
+  query: "get_iocs"
+  days: 1
+http_request_payload_type: "application/json"
+http_request_headers:
+  "api-key": "YOUR_API_KEY"
+selector: "map(&:data).unwrap.map(&:ioc).map { |v| v.start_with?('http://', 'https://') ? v :  v.split(':').first }"
+```
+
+**URLhaus**
+
+```yaml
+analyzer: feed
+query: "https://urlhaus.abuse.ch/feeds/country/JP/"
+selector: "map { |v| v[1] }"
+```

data/docs/analyzers/greynoise.md

@@ -0,0 +1,21 @@
+---
+tags:
+  - IP address
+---
+
+# GreyNoise
+
+- [https://www.greynoise.io/](https://www.greynoise.io/)
+
+This analyzer uses GreyNoise API and `[https://api.greynoise.io/v2/experimental/gnql](https://api.greynoise.io/v2/experimental/gnql)` API endpoint to search.
+
+```yaml
+analyzer: greynoise
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                  | Desc.        |
+| ------- | ------ | --------- | ------------------------ | ------------ |
+| query   | String | Yes       |                          | Search query |
+| api_key | String | No        | ENV[”GREYNOISE_API_KEY"] | API key      |

data/docs/analyzers/hunterhow.md

@@ -0,0 +1,25 @@
+---
+tags:
+  - IP address
+---
+
+# Hunter How
+
+- [https://hunter.how/](https://hunter.how/)
+
+This analyzer uses `https://api.hunter.how/search` API endpoint to search.
+
+```yaml
+analyzer: hunterhow
+query: ...
+api_key: ...
+start_time: ...
+end_time: ...
+```
+
+| Name       | Type   | Required? | Default                  | Desc.        |
+| ---------- | ------ | --------- | ------------------------ | ------------ |
+| query      | String | Yes       |                          | Search query |
+| start_time | Date   | Yes       |                          |              |
+| end_time   | Date   | Yes       |                          |              |
+| api_key    | String | No        | ENV[”HUNTERHOW_API_KEY"] | API key      |

data/docs/analyzers/index.md

@@ -0,0 +1,79 @@
+# Analyzers
+
+- [BinaryEdge](binaryedge.md)
+- [Censys](censys.md)
+- [Circle Passive DNS/SSL](circl.md)
+- [crt.sh](crtsh.md)
+- [dnstwister](dnstwister.md)
+- [Feed](feed.md)
+- [GreyNoise](greynoise.md)
+- [HunterHow](hunterhow.md)
+- [Onyphe](onyphe.md)
+- [OTX](otx.md)
+- [PassiveTotal](passivetotal.md)
+- [PulseDive](pulsedive.md)
+- [SecurityTrails](securitytrails.md)
+- [Shodan](shodan.md)
+- [urlscan.io](urlscan.md)
+- [VirusTotal](virustotal.md)
+- [VirusTotal Intelligence](virustotal_intelligence.md)
+
+## Options
+
+All the analyzers can have optional `options`.
+
+```yaml
+analyzer: ...
+query: ...
+options:
+  interval: ...
+  pagination_limit: ...
+  retry_times: ...
+  retry_interval: ...
+  ignore_error: ...
+```
+
+### Interval
+
+`interval` is an interval in seconds between pagination. (If an analyzer does pagination). Optional.
+
+### Pagination Limit
+
+`pagination_limit` is an limit for pagination. Defaults to 100.
+
+In the worst case, if something wrong with Mihari or a service, Mihari can drain API quota by doing pagination forever.
+`pagination_limit` is a safety valve for that. A number of pagination is limited as `pagination_limit` times.
+
+### Retry Times
+
+`retry_times` is a number of times of retry when something goes wrong. Defaults to 3.
+
+### Retry Interval
+
+`retry_interval` is an interval in seconds between retries. Defaults to 5.
+
+### Ignore Error
+
+`ignore_error` controls whether to ignore an error or not. Defaults to `false`.
+
+Mihari uses fail-fast approach. For example, if Shodan returns an error, the Censys query next is not triggered because Mihari raises an error before it.
+
+```yaml
+queries:
+  - analyzer: shodan
+    query: ip:1.1.1.1
+  - analyzer: censys
+    query: ip:8.8.8.8
+```
+
+You can set `ignore_error` option to make it fault tolerance.
+
+```yaml
+queries:
+  - analyzer: shodan
+    query: ip:1.1.1.1
+    options:
+      ignore_error: true
+  - analyzer: censys
+    query: ip:8.8.8.8
+```

data/docs/analyzers/onyphe.md

@@ -0,0 +1,21 @@
+---
+tags:
+  - IP address
+---
+
+# ONYPHE
+
+- [https://www.onyphe.io/](https://www.onyphe.io/)
+
+This analyzer uses ONYPHE API v2 (`/api/v2/simple/datascan`) to search.
+
+```yaml
+analyzer: onyphe
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default               | Desc.        |
+| ------- | ------ | --------- | --------------------- | ------------ |
+| query   | String | Yes       |                       | Search query |
+| api_key | String | No        | ENV[”ONYPHE_API_KEY”] | API key      |

data/docs/analyzers/otx.md

@@ -0,0 +1,23 @@
+---
+tags:
+  - IP address
+  - Domain
+  - Passive DNS
+---
+
+# OTX
+
+- [https://otx.alienvault.com/](https://otx.alienvault.com/dashboard/new)
+
+This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API endpoints to search.
+
+```yaml
+analyzer: otx
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default            | Desc.                |
+| ------- | ------ | --------- | ------------------ | -------------------- |
+| query   | String | Yes       |                    | Domain or IP address |
+| api_key | String | No        | ENV[”OTX_API_KEY”] | API key              |

data/docs/analyzers/passivetotal.md

@@ -0,0 +1,36 @@
+---
+tags:
+  - IP address
+  - Domain
+  - Passive DNS
+  - Passive SSL
+  - Reverse Whois
+---
+
+# PassiveTotal
+
+- [https://community.riskiq.com/](https://community.riskiq.com/home)
+
+This analyzer uses [PassvieTotal API](https://api.passivetotal.org/index.html).
+
+An API endpoint to use is changed based on a type of a query.
+
+| Query                                   | API endpoint                  | Artifact   |
+| --------------------------------------- | ----------------------------- | ---------- |
+| IP address                              | `/v2/dns/passive`             | Domain     |
+| Domain                                  | `/v2/dns/passive`             | IP address |
+| Mail                                    | `/v2/whois/search`            | Domain     |
+| Hash (SSL certificate SHA1 fingerprint) | `/v2/ssl-certificate/history` | IP address |
+
+```yaml
+analyzer: passivetotal
+query: ...
+username: ...
+api_key: ...
+```
+
+| Name     | Type   | Required? | Default                      | Desc.                                                            |
+| -------- | ------ | --------- | ---------------------------- | ---------------------------------------------------------------- |
+| query    | String | Yes       |                              | Domain, IP address, mail address or SHA1 certificate fingerprint |
+| username | String | No        | ENV[”PASSIVETOTAL_USERNAME"] | Username                                                         |
+| api_key  | String | No        | ENV[”PASSIVETOTAL_API_KEY"]  | API key                                                          |

data/docs/analyzers/pulsedive.md

@@ -0,0 +1,23 @@
+---
+tags:
+  - IP address
+  - Domain
+  - Passive DNS
+---
+
+# Pulsedive
+
+- [https://pulsedive.com/](https://pulsedive.com/)
+
+This analyzer uses [Pulsedive API](https://pulsedive.com/api/) (`/api/info.php`) to search.
+
+```yaml
+analyzer: pulsedive
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                  | Desc.                |
+| ------- | ------ | --------- | ------------------------ | -------------------- |
+| query   | String | Yes       |                          | Domain or IP address |
+| api_key | String | No        | ENV[”PULSEDIVE_API_KEY"] | API key              |

data/docs/analyzers/securitytrails.md

@@ -0,0 +1,32 @@
+---
+tags:
+  - IP address
+  - Domain
+  - Passive DNS
+  - Reverse Whois
+---
+
+# SecurityTrails
+
+- [https://securitytrails.com/](https://securitytrails.com/)
+
+This analyzer uses [SecurityTrails API](https://docs.securitytrails.com/docs).
+
+An API endpoint to use is changed based on a type of a query.
+
+| Query type | API endpoint       | Artifact   |
+| ---------- | ------------------ | ---------- |
+| IP address | `/v1/domains/list` | Domain     |
+| Domain     | `/v1/history/`     | IP address |
+| Mail       | `/v1/domains/list` | Domain     |
+
+```yaml
+analyzer: securitytrails
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                       | Desc.                              |
+| ------- | ------ | --------- | ----------------------------- | ---------------------------------- |
+| query   | String | Yes       |                               | Domain, IP address or mail address |
+| api_key | String | No        | ENV[”SECURITYTRAILS_API_KEY"] | API key                            |

data/docs/analyzers/shodan.md

@@ -0,0 +1,21 @@
+---
+tags:
+  - IP address
+---
+
+# Shodan
+
+- [https://shodan.io/](https://shodan.io/)
+
+This analyzer uses [Shodan REST AP](https://developer.shodan.io/api) (`/shodan/host/search`) API to search.
+
+```yaml
+analyzer: shodan
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default               | Desc.        |
+| ------- | ------ | --------- | --------------------- | ------------ |
+| query   | String | Yes       |                       | Search query |
+| api_key | String | No        | ENV[”SHODAN_API_KEY"] | API key      |

data/docs/analyzers/urlscan.md

@@ -0,0 +1,23 @@
+---
+tags:
+  - IP address
+  - Domain
+  - URL
+---
+
+# urlscan.io
+
+- [https://urlscan.io/](https://urlscan.io/)
+
+This analyzer uses [urlscan.io](http://urlscan.io) API (`/api/v1/search`) to search.
+
+```yaml
+analyzer: urlscan
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                | Desc.        |
+| ------- | ------ | --------- | ---------------------- | ------------ |
+| query   | String | Yes       |                        | Search query |
+| api_key | String | No        | ENV[”URLSCAN_API_KEY"] | API key      |

data/docs/analyzers/virustotal.md

@@ -0,0 +1,34 @@
+---
+tags:
+  - IP address
+  - Domain
+  - Passive DNS
+---
+
+# VirusTotal
+
+- [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
+
+The analyzer uses VirusTotal API v3.
+
+An API endpoint to use is changed based on a type of a query.
+
+::: top
+
+    Note that this analyzer only checks passive DNS data of a given query (domain or IP address).
+
+| Query      | API endpoint            | Artifact   |
+| ---------- | ----------------------- | ---------- |
+| IP address | `/api/v3/ip_addresses/` | Domain     |
+| Domain     | `/api/v3/domains/`      | IP address |
+
+```yaml
+analyzer: virustotal
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                   | Desc.                |
+| ------- | ------ | --------- | ------------------------- | -------------------- |
+| query   | String | Yes       |                           | Domain or IP address |
+| api_key | String | No        | ENV[”VIRUSTOTAL_API_KEY"] | API key              |

data/docs/analyzers/virustotal_intelligence.md

@@ -0,0 +1,22 @@
+---
+tags:
+  - IP address
+  - Domain
+  - URL
+  - Hash
+---
+
+# VirusTotal Intelligence
+
+- [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
+
+```yaml
+analyzer: virustotal_intelligence
+query: ...
+api_key: ...
+```
+
+| Name    | Type   | Required? | Default                   | Desc.        |
+| ------- | ------ | --------- | ------------------------- | ------------ |
+| query   | String | Yes       |                           | Search query |
+| api_key | String | No        | ENV[”VIRUSTOTAL_API_KEY"] | API key      |

data/docs/analyzers/zoomeye.md

@@ -0,0 +1,25 @@
+# ZoomEye
+
+- [https://zoomeye.org/](https://zoomeye.org/)
+
+The analyzer uses ZoomEye API v3.
+
+An API endpoint to use is changed based on a `type` option.
+
+| Type | API endpoint   | Artifact type |
+| ---- | -------------- | ------------- |
+| web  | `/web/search`  | IP address    |
+| host | `/host/search` | IP address    |
+
+```yaml
+analyzer: zoomeye
+query: ...
+type: ...
+api_key: ...
+```
+
+| Name    | Type                     | Required? | Default                | Desc.        |
+| ------- | ------------------------ | --------- | ---------------------- | ------------ |
+| query   | String                   | Yes       |                        | Search query |
+| type    | String (`web` or `host`) | Yes       |                        | Query type   |
+| api_key | String                   | No        | ENV[”ZOOMEYE_API_KEY"] | API key      |

data/docs/configuration.md

@@ -0,0 +1,35 @@
+# Configuration
+
+Configuration can be done via environment variables.
+
+| Environmental Variable | Description                     | Default              |
+| ---------------------- | ------------------------------- | -------------------- |
+| DATABASE_URL           | Database URL                    | sqlite3:///mihari.db |
+| BINARYEDGE_API_KEY     | BinaryEdge API key              |                      |
+| CENSYS_ID              | Censys API ID                   |                      |
+| CENSYS_SECRET          | Censys secret                   |                      |
+| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password  |                      |
+| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username, |                      |
+| IPINFO_API_KEY         | IPInfo API key (token)          |                      |
+| MISP_URL               | MISP URL                        |                      |
+| MISP_API_KEY           | MISP API key                    |                      |
+| ONYPHE_API_KEY         | Onyphe API key                  |                      |
+| OTX_API_KEY            | OTX API key                     |                      |
+| PASSIVETOTAL_API_KEY   | PassiveTotal API key            |                      |
+| PASSIVETOTAL_USERNAME  | PassiveTotal username           |                      |
+| PULSEDIVE_API_KEY      | Pulsedive API key               |                      |
+| SECURITYTRAILS_API_KEY | SecurityTrails API key          |                      |
+| SHODAN_API_KEY         | Shodan API key                  |                      |
+| SLACK_CHANNEL          | Slack channel name              | #general             |
+| SLACK_WEBHOOK_URL      | Slack Webhook URL               |                      |
+| THEHIVE_URL            | TheHive URL,                    |                      |
+| THEHIVE_API_KEY        | TheHive API key,                |                      |
+| URLSCAN_API_KEY        | urlscan.io API key,             |                      |
+| VIRUSTOTAL_API_KEY     | VirusTotal API key              |                      |
+| ZOOMEYE_API_KEY        | ZoomEye API key                 |                      |
+| SENTRY_DSN             | Sentry DSN                      |                      |
+| RETRY_INTERVAL         | Retry interval                  | 5                    |
+| RETRY_TIMES            | Retry times                     | 3                    |
+| PAGINATION_LIMIT       | Pagination limit                | 100                  |
+
+Or you can set values through `.env` file. Values in `.env` file will be automatically loaded.