topic Re: How to integrate openCTI with Splunk? in Getting Data In

How to integrate openCTI with Splunk?

splk_user — Wed, 01 Apr 2026 16:36:20 GMT

Hi!

I'm currently working on a project where I aim to integrate the OpenCTI platform with Splunk in order to receive intelligence feeds, how can i configure the ingestion of this intelligence feeds ?

Any advice, tips, or resources you can provide will be highly appreciated

Re: How to integrate openCTI with splunk

richgalloway — Fri, 07 Jul 2023 13:12:11 GMT

A bit of Googling and searching the OpenCTI web site turned up this connector: https://github.com/OpenCTI-Platform/connectors/tree/master/stream/splunk

Re: How to integrate openCTI with splunk

splk_user — Sun, 09 Jul 2023 21:40:26 GMT

Thank you for your answers,

So there is no configuration to do in splunk platform for this connection

Re: How to integrate openCTI with splunk

richgalloway — Mon, 10 Jul 2023 00:05:02 GMT

I'm not saying that. You may need to configure a sourcetype in props.conf for the data. With luck, the connector documentation will let you know. If the connector does not come with a Splunk props.conf file then you'll need to craft one yourself.

Re: How to integrate openCTI with splunk

splk_user — Tue, 11 Jul 2023 09:10:14 GMT

Thank you for your response,

i checked the provided link, and i found that openCTI needs this information :

So what value will the variable "SPLUNK_TOKEN=Token1" and "SPLUNK_OWNER=nobody " take ?

And now do i still need to configure a sourcetype in props.conf for the data ?

NB: i checked the props.conf file and i found just the syslog configuration

Re: How to integrate openCTI with splunk

richgalloway — Tue, 11 Jul 2023 11:21:54 GMT

You will need to create a token for the connector to use. Go to Settings->Tokens for that.

I'm not sure what they expect for SPLUNK_OWNER. Try it with "nobody" for now.

The screenshot doesn't say if props are needed or not. The default syslog props may be sufficient, but you'll have to onboard some data to find out.

Re: How to integrate openCTI with splunk

splk_user — Tue, 11 Jul 2023 19:24:14 GMT

thank you ,

Well i tested the OpenCTI connector but the connection didn't work .

Do i need to set up a kv store before or maybe i need to configure HTTP Event Collector in order to integrate opencti to splunk.

i don't know also if this issues has a relation with REST API connection

The objective is to receive intelligence feeds from opencti platform in STIIX format to my splunk instance.

NB: - I don't have the splunk entreprise app that provide the threat intelligence management section

- I'm using the free trial

Re: How to integrate openCTI with splunk

richgalloway — Wed, 12 Jul 2023 00:38:15 GMT

The OpenCTI settings you showed earlier imply a KVStore is used and so must be created. I see no mention of HEC, however.

I think the best place to direct your questions is to the OpenCTI team.

Re: How to integrate openCTI with splunk

splk_user — Wed, 12 Jul 2023 08:51:42 GMT

Thank you

Re: How to integrate openCTI with Splunk?

splunk_newbie1 — Tue, 29 Aug 2023 10:22:31 GMT

i am having a hard time integrating opencti into splunk, not sure if you have done it, can you help me

Re: How to integrate openCTI with splunk

woodcock — Sat, 09 Mar 2024 17:40:31 GMT

You are reading his request backwards. That git project is for SENDING TO OpenCTI. He (and I) need to RECEIVE FROM OpenCTI. I cannot find anything that does this.

Re: How to integrate openCTI with Splunk?

tuts — Wed, 05 Jun 2024 14:05:58 GMT

Please I need the method if it is done with you

Re: How to integrate openCTI with Splunk?

DanielPi — Wed, 05 Jun 2024 14:22:08 GMT

Hi @tuts ,

I’m a Community Moderator in the Splunk Community.

This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you!