Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to send OpenCTI data to Splunk

zksvc
Path Finder
‎07-12-2024 02:02 AM

Hi there, i got issue when setting connector Splunk in OpenCTI

When i check logs, it says terminated

zksvc_0-1720774399619.png

i follow guide from this man here https://the-stuke.github.io/posts/opencti/#connectors

already open token, crate API livestream at opencti, also already create collections.conf and add [opencti] at $SPLUNK_HOME/etc/apps/appname/default/. Btw im using search app so i create collections.conf at $SPLUNK_HOME/etc/apps/appname/default/ because i don't know value of field from opencti to send so i don't create any field list in [opencti]

My connections setting like this :

connector-splunk:
image: opencti/connector-splunk:6.2.4
environment:
- OPENCTI_URL=http://opencti:8080
- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # Splunk OpenCTI User Token
- CONNECTOR_ID=MYSECRETUUID4 # Unique UUIDv4
- CONNECTOR_LIVE_STREAM_ID=MYSECRETLIVESTREAMID # ID of the live stream created in the OpenCTI UI
- CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
- CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
- "CONNECTOR_NAME=OpenCTI Splunk Connector"
- CONNECTOR_SCOPE=splunk
- CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
- CONNECTOR_LOG_LEVEL=error
- SPLUNK_URL=http://10.20.30.40:8000
- SPLUNK_TOKEN=MYSECRETTOKEN
- SPLUNK_OWNER=zake # Owner of the KV Store
- SPLUNK_SSL_VERIFY=true # Disable if using self signed cert for Splunk
- SPLUNK_APP=search # App where the KV Store is located
- SPLUNK_KV_STORE_NAME=opencti # Name of created KV Store
- SPLUNK_IGNORE_TYPES="attack-pattern,campaign,course-of-action,data-component,data-source,external-reference,identity,intrusion-set,kill-chain-phase,label,location,malware,marking-definition,relationship,threat-actor,tool,vocabulary,vulnerability"
restart: always
depends_on:
- opencti

 

Hope my information is enough to get solved

Labels (4)
0 Karma
Reply

Tecumseh
Observer
‎10-28-2024 10:32 AM

You ever figure out how to get it working? I'm having similar issue.

0 Karma
Reply

zksvc
Path Finder
‎10-30-2024 07:41 PM

im here still no idea for this issue

0 Karma
Reply

Tecumseh
Observer
‎10-31-2024 03:44 AM

Have you reach out to anyone else, or find an alternate solution? Seems like Splunk support is free lacking in this. 

0 Karma
Reply

zksvc
Path Finder
‎10-31-2024 08:13 PM

Idk where to ask, that's why i'm asking here. And still don't know how to solve this issue. 
I'm just Path Finder splunk and don't have access to open ticket to Splunk principle, maybe it can be solved if you have Splunk Principle. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...