Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send OpenCTI data to Splunk

zksvc
Contributor
‎07-12-2024 02:02 AM

Hi there, i got issue when setting connector Splunk in OpenCTI

When i check logs, it says terminated

zksvc_0-1720774399619.png

i follow guide from this man here https://the-stuke.github.io/posts/opencti/#connectors

already open token, crate API livestream at opencti, also already create collections.conf and add [opencti] at $SPLUNK_HOME/etc/apps/appname/default/. Btw im using search app so i create collections.conf at $SPLUNK_HOME/etc/apps/appname/default/ because i don't know value of field from opencti to send so i don't create any field list in [opencti]

My connections setting like this :

connector-splunk:
image: opencti/connector-splunk:6.2.4
environment:
- OPENCTI_URL=http://opencti:8080
- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # Splunk OpenCTI User Token
- CONNECTOR_ID=MYSECRETUUID4 # Unique UUIDv4
- CONNECTOR_LIVE_STREAM_ID=MYSECRETLIVESTREAMID # ID of the live stream created in the OpenCTI UI
- CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
- CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
- "CONNECTOR_NAME=OpenCTI Splunk Connector"
- CONNECTOR_SCOPE=splunk
- CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
- CONNECTOR_LOG_LEVEL=error
- SPLUNK_URL=http://10.20.30.40:8000
- SPLUNK_TOKEN=MYSECRETTOKEN
- SPLUNK_OWNER=zake # Owner of the KV Store
- SPLUNK_SSL_VERIFY=true # Disable if using self signed cert for Splunk
- SPLUNK_APP=search # App where the KV Store is located
- SPLUNK_KV_STORE_NAME=opencti # Name of created KV Store
- SPLUNK_IGNORE_TYPES="attack-pattern,campaign,course-of-action,data-component,data-source,external-reference,identity,intrusion-set,kill-chain-phase,label,location,malware,marking-definition,relationship,threat-actor,tool,vocabulary,vulnerability"
restart: always
depends_on:
- opencti

 

Hope my information is enough to get solved

Labels (4)
0 Karma
Reply

Tecumseh
Observer
‎10-28-2024 10:32 AM

You ever figure out how to get it working? I'm having similar issue.

0 Karma
Reply

zksvc
Contributor
‎10-30-2024 07:41 PM

im here still no idea for this issue

0 Karma
Reply

Tecumseh
Observer
‎10-31-2024 03:44 AM

Have you reach out to anyone else, or find an alternate solution? Seems like Splunk support is free lacking in this. 

0 Karma
Reply

zksvc
Contributor
‎10-31-2024 08:13 PM

Idk where to ask, that's why i'm asking here. And still don't know how to solve this issue. 
I'm just Path Finder splunk and don't have access to open ticket to Splunk principle, maybe it can be solved if you have Splunk Principle. 

0 Karma
Reply
Get Updates on the Splunk Community!

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...