Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to send OpenCTI data to Splunk

zksvc
Path Finder
‎07-12-2024 02:02 AM

Hi there, i got issue when setting connector Splunk in OpenCTI

When i check logs, it says terminated

zksvc_0-1720774399619.png

i follow guide from this man here https://the-stuke.github.io/posts/opencti/#connectors

already open token, crate API livestream at opencti, also already create collections.conf and add [opencti] at $SPLUNK_HOME/etc/apps/appname/default/. Btw im using search app so i create collections.conf at $SPLUNK_HOME/etc/apps/appname/default/ because i don't know value of field from opencti to send so i don't create any field list in [opencti]

My connections setting like this :

connector-splunk:
image: opencti/connector-splunk:6.2.4
environment:
- OPENCTI_URL=http://opencti:8080
- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # Splunk OpenCTI User Token
- CONNECTOR_ID=MYSECRETUUID4 # Unique UUIDv4
- CONNECTOR_LIVE_STREAM_ID=MYSECRETLIVESTREAMID # ID of the live stream created in the OpenCTI UI
- CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
- CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
- "CONNECTOR_NAME=OpenCTI Splunk Connector"
- CONNECTOR_SCOPE=splunk
- CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
- CONNECTOR_LOG_LEVEL=error
- SPLUNK_URL=http://10.20.30.40:8000
- SPLUNK_TOKEN=MYSECRETTOKEN
- SPLUNK_OWNER=zake # Owner of the KV Store
- SPLUNK_SSL_VERIFY=true # Disable if using self signed cert for Splunk
- SPLUNK_APP=search # App where the KV Store is located
- SPLUNK_KV_STORE_NAME=opencti # Name of created KV Store
- SPLUNK_IGNORE_TYPES="attack-pattern,campaign,course-of-action,data-component,data-source,external-reference,identity,intrusion-set,kill-chain-phase,label,location,malware,marking-definition,relationship,threat-actor,tool,vocabulary,vulnerability"
restart: always
depends_on:
- opencti

 

Hope my information is enough to get solved

Labels (4)
0 Karma
Reply

Tecumseh
Observer
4 weeks ago

You ever figure out how to get it working? I'm having similar issue.

0 Karma
Reply

zksvc
Path Finder
3 weeks ago

im here still no idea for this issue

0 Karma
Reply

Tecumseh
Observer
3 weeks ago

Have you reach out to anyone else, or find an alternate solution? Seems like Splunk support is free lacking in this. 

0 Karma
Reply

zksvc
Path Finder
3 weeks ago

Idk where to ask, that's why i'm asking here. And still don't know how to solve this issue. 
I'm just Path Finder splunk and don't have access to open ticket to Splunk principle, maybe it can be solved if you have Splunk Principle. 

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...