Getting Data In

How to send OpenCTI data to Splunk

zksvc
Communicator

Hi there, i got issue when setting connector Splunk in OpenCTI

When i check logs, it says terminated

zksvc_0-1720774399619.png

i follow guide from this man here https://the-stuke.github.io/posts/opencti/#connectors

already open token, crate API livestream at opencti, also already create collections.conf and add [opencti] at $SPLUNK_HOME/etc/apps/appname/default/. Btw im using search app so i create collections.conf at $SPLUNK_HOME/etc/apps/appname/default/ because i don't know value of field from opencti to send so i don't create any field list in [opencti]

My connections setting like this :

connector-splunk:
image: opencti/connector-splunk:6.2.4
environment:
- OPENCTI_URL=http://opencti:8080
- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # Splunk OpenCTI User Token
- CONNECTOR_ID=MYSECRETUUID4 # Unique UUIDv4
- CONNECTOR_LIVE_STREAM_ID=MYSECRETLIVESTREAMID # ID of the live stream created in the OpenCTI UI
- CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
- CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
- "CONNECTOR_NAME=OpenCTI Splunk Connector"
- CONNECTOR_SCOPE=splunk
- CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
- CONNECTOR_LOG_LEVEL=error
- SPLUNK_URL=http://10.20.30.40:8000
- SPLUNK_TOKEN=MYSECRETTOKEN
- SPLUNK_OWNER=zake # Owner of the KV Store
- SPLUNK_SSL_VERIFY=true # Disable if using self signed cert for Splunk
- SPLUNK_APP=search # App where the KV Store is located
- SPLUNK_KV_STORE_NAME=opencti # Name of created KV Store
- SPLUNK_IGNORE_TYPES="attack-pattern,campaign,course-of-action,data-component,data-source,external-reference,identity,intrusion-set,kill-chain-phase,label,location,malware,marking-definition,relationship,threat-actor,tool,vocabulary,vulnerability"
restart: always
depends_on:
- opencti

 

Hope my information is enough to get solved

Labels (4)
0 Karma

Tecumseh
Observer

You ever figure out how to get it working? I'm having similar issue.

0 Karma

zksvc
Communicator

im here still no idea for this issue

0 Karma

Tecumseh
Observer

Have you reach out to anyone else, or find an alternate solution? Seems like Splunk support is free lacking in this. 

0 Karma

zksvc
Communicator

Idk where to ask, that's why i'm asking here. And still don't know how to solve this issue. 
I'm just Path Finder splunk and don't have access to open ticket to Splunk principle, maybe it can be solved if you have Splunk Principle. 

0 Karma
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...