Getting Data In

How to integrate openCTI with Splunk?

splk_user
Path Finder

Hi!

I'm currently working on a project where I aim to integrate the OpenCTI platform with Splunk in order to receive intelligence feeds. How can I configure the ingestion of these intelligence feeds?


Any advice, tips, or resources you can provide will be highly appreciated


tuts
Path Finder

Please, I need the method if you have done it.


DanielPi
Moderator

Hi @tuts ,

I’m a Community Moderator in the Splunk Community.

This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 


splunk_newbie1
Observer
I am having a hard time integrating OpenCTI into Splunk. Not sure if you have done it; can you help me?

richgalloway
SplunkTrust

A bit of Googling and searching the OpenCTI web site turned up this connector: https://github.com/OpenCTI-Platform/connectors/tree/master/stream/splunk


---
If this reply helps you, Karma would be appreciated.

woodcock
Esteemed Legend

You are reading his request backwards. That git project is for SENDING TO OpenCTI. He (and I) need to RECEIVE FROM OpenCTI. I cannot find anything that does this.


splk_user
Path Finder

Thank you for your answers.

So there is no configuration to do in the Splunk platform for this connection?


richgalloway
SplunkTrust

I'm not saying that. You may need to configure a sourcetype in props.conf for the data. With luck, the connector documentation will let you know. If the connector does not come with a Splunk props.conf file then you'll need to craft one yourself.

---
If this reply helps you, Karma would be appreciated.

splk_user
Path Finder

Thank you for your response,

I checked the provided link, and I found that OpenCTI needs this information:

(screenshot of the connector's configuration settings)

So what values will the variables "SPLUNK_TOKEN=Token1" and "SPLUNK_OWNER=nobody" take?

And do I still need to configure a sourcetype in props.conf for the data?


NB: I checked the props.conf file and I found just the syslog configuration.


richgalloway
SplunkTrust

You will need to create a token for the connector to use. Go to Settings->Tokens for that.

I'm not sure what they expect for SPLUNK_OWNER. Try it with "nobody" for now.

The screenshot doesn't say if props are needed or not. The default syslog props may be sufficient, but you'll have to onboard some data to find out.

---
If this reply helps you, Karma would be appreciated.

splk_user
Path Finder

Thank you.

Well, I tested the OpenCTI connector but the connection didn't work.

Do I need to set up a KV store first, or maybe I need to configure the HTTP Event Collector in order to integrate OpenCTI with Splunk?

I also don't know if this issue is related to the REST API connection.

The objective is to receive intelligence feeds from the OpenCTI platform in STIX format into my Splunk instance.

NB:
- I don't have the Splunk Enterprise app that provides the threat intelligence management section.
- I'm using the free trial.


richgalloway
SplunkTrust

The OpenCTI settings you showed earlier imply a KVStore is used and so must be created. I see no mention of HEC, however.

I think the best place to direct your questions is to the OpenCTI team.

---
If this reply helps you, Karma would be appreciated.
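The two replies above cover the token (Settings->Tokens) and the KVStore the connector's settings imply. The following is an added example, not code from this thread or from the OpenCTI connector itself; it shows how SPLUNK_TOKEN and SPLUNK_OWNER end up in a Splunk REST request that upserts STIX objects into a KV store collection. It assumes Splunk's standard REST path for KV store data (`servicesNS/<owner>/<app>/storage/collections/data/<collection>/batch_save`), bearer-token authentication, and a constructed STIX indicator as sample input; the app and collection names are placeholders.

```python
import json
import os
import urllib.request

# Constructed STIX 2.1 indicator standing in for one object received from OpenCTI.
SAMPLE_STIX = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.1",
    "created": "2023-07-11T09:00:00.000Z",
    "modified": "2023-07-11T09:00:00.000Z",
    "name": "Constructed example indicator",
    "pattern": "[domain-name:value = 'example.invalid']",
    "pattern_type": "stix",
    "valid_from": "2023-07-11T09:00:00.000Z",
}


def kvstore_batch_request(splunk_url, token, owner, app, collection, stix_objects):
    """Build (url, headers, body) for a KV store batch upsert.

    owner is the namespace in the servicesNS path; "nobody" means the
    collection is app-level and not tied to a specific user.  The STIX id
    becomes the record _key, so a re-delivered object overwrites itself
    instead of creating a duplicate row in the lookup.
    """
    records = [dict(obj, _key=obj["id"]) for obj in stix_objects]
    url = (f"{splunk_url.rstrip('/')}/servicesNS/{owner}/{app}"
           f"/storage/collections/data/{collection}/batch_save")
    headers = {
        "Authorization": f"Bearer {token}",   # token created under Settings->Tokens
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(records).encode()


def send_batch(splunk_url, token, owner, app, collection, stix_objects, timeout=30):
    """POST the batch to Splunk and return the decoded response (network call)."""
    url, headers, body = kvstore_batch_request(
        splunk_url, token, owner, app, collection, stix_objects)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Same variable names the connector's settings use; app/collection are placeholders.
    print(send_batch(os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"],
                     os.environ.get("SPLUNK_OWNER", "nobody"), "search",
                     "opencti_stix", [SAMPLE_STIX]))
```

Run it against the management port (8089 by default) with SPLUNK_URL, SPLUNK_TOKEN and SPLUNK_OWNER exported; a 401 means the token is wrong or expired, a 404 usually means the collection has not been created in that app.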

splk_user
Path Finder

Thank you.
