Hi there, I have an issue when setting up the Splunk connector in OpenCTI. When I check the logs, it says terminated. I followed the guide from this person here https://the-stuke.github.io/posts/opencti/#connectors: I already got the token, created the API live stream in OpenCTI, and also already created collections.conf and added [opencti] at $SPLUNK_HOME/etc/apps/appname/default/. BTW, I'm using the search app, so I created collections.conf at $SPLUNK_HOME/etc/apps/appname/default/. Because I don't know the values of the fields OpenCTI sends, I didn't create any field list in [opencti].

My connector settings look like this:

```yaml
connector-splunk:
  image: opencti/connector-splunk:6.2.4
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # Splunk OpenCTI User Token
    - CONNECTOR_ID=MYSECRETUUID4 # Unique UUIDv4
    - CONNECTOR_LIVE_STREAM_ID=MYSECRETLIVESTREAMID # ID of the live stream created in the OpenCTI UI
    - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
    - CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
    - "CONNECTOR_NAME=OpenCTI Splunk Connector"
    - CONNECTOR_SCOPE=splunk
    - CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
    - CONNECTOR_LOG_LEVEL=error
    - SPLUNK_URL=http://10.20.30.40:8000
    - SPLUNK_TOKEN=MYSECRETTOKEN
    - SPLUNK_OWNER=zake # Owner of the KV Store
    - SPLUNK_SSL_VERIFY=true # Disable if using self signed cert for Splunk
    - SPLUNK_APP=search # App where the KV Store is located
    - SPLUNK_KV_STORE_NAME=opencti # Name of created KV Store
    - SPLUNK_IGNORE_TYPES="attack-pattern,campaign,course-of-action,data-component,data-source,external-reference,identity,intrusion-set,kill-chain-phase,label,location,malware,marking-definition,relationship,threat-actor,tool,vocabulary,vulnerability"
  restart: always
  depends_on:
    - opencti
```

Hope my information is enough to get this solved.
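A small lint of the connector's `environment:` block, as an added example that is not from the post above, the linked guide or the OpenCTI project. It takes only the variable names that appear in the post and checks them for settings that are easy to get wrong before a connector is started: a placeholder where a UUIDv4 is required, the platform admin token reused by a connector, `CONNECTOR_LOG_LEVEL=error` hiding the startup messages that would explain a termination, `SPLUNK_URL` pointing at the Splunk web UI port (8000) rather than the REST management port the KV Store API lives on (8089 by default), `SPLUNK_SSL_VERIFY=true` combined with a plain-http URL, and literal double quotes in a value, which Compose keeps for list-style `- KEY="..."` entries because they are not shell-parsed. The sample environments, the corrected values and the `.env` variable name `OPENCTI_SPLUNK_CONNECTOR_TOKEN` are constructed for the example.

```python
"""Lint an OpenCTI Splunk connector `environment:` block before starting it.

Added example; not code from the original post, the linked guide or the
OpenCTI project. It assumes only the variable names shown in the post, and
two facts about the surrounding tools: Splunk's REST API (where the KV Store
endpoints live) listens on the management port, 8089 by default, not the web
UI port 8000; and Compose does not shell-parse list-style `- KEY="value"`
entries, so the quotes end up inside the value.
"""
import uuid
from urllib.parse import urlparse

SPLUNK_WEB_PORT = 8000
SPLUNK_MGMT_PORT = 8089

# Constructed from the compose snippet in the post (placeholders kept as-is).
SAMPLE_ENV = {
    "OPENCTI_URL": "http://opencti:8080",
    "OPENCTI_TOKEN": "${OPENCTI_ADMIN_TOKEN}",
    "CONNECTOR_ID": "MYSECRETUUID4",
    "CONNECTOR_LIVE_STREAM_ID": "MYSECRETLIVESTREAMID",
    "CONNECTOR_LOG_LEVEL": "error",
    "SPLUNK_URL": "http://10.20.30.40:8000",
    "SPLUNK_TOKEN": "MYSECRETTOKEN",
    "SPLUNK_OWNER": "zake",
    "SPLUNK_SSL_VERIFY": "true",
    "SPLUNK_APP": "search",
    "SPLUNK_KV_STORE_NAME": "opencti",
    # Literal quotes, as a list-style entry SPLUNK_IGNORE_TYPES="..." yields.
    "SPLUNK_IGNORE_TYPES": '"attack-pattern,campaign,course-of-action"',
}

# The same block with each flagged setting corrected (values are illustrative;
# the .env variable name for the connector token is an assumption).
FIXED_ENV = {
    **SAMPLE_ENV,
    "OPENCTI_TOKEN": "${OPENCTI_SPLUNK_CONNECTOR_TOKEN}",
    "CONNECTOR_ID": "2f6d1c0e-5b4a-4c3d-9e8f-0a1b2c3d4e5f",
    "CONNECTOR_LOG_LEVEL": "info",
    "SPLUNK_URL": "https://10.20.30.40:8089",
    "SPLUNK_IGNORE_TYPES": "attack-pattern,campaign,course-of-action",
}


def is_uuid4(value):
    """True only for a well-formed RFC 4122 version-4 UUID string."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def lint_connector_env(env):
    """Return a list of findings (empty when nothing looks wrong)."""
    findings = []

    if not is_uuid4(env.get("CONNECTOR_ID", "")):
        findings.append("CONNECTOR_ID must be a real UUIDv4, e.g. from `uuidgen`")

    if "OPENCTI_ADMIN_TOKEN" in env.get("OPENCTI_TOKEN", ""):
        findings.append("OPENCTI_TOKEN reuses the admin token; create a dedicated "
                        "connector user and use its token (least privilege)")

    if env.get("CONNECTOR_LOG_LEVEL", "").lower() == "error":
        findings.append("CONNECTOR_LOG_LEVEL=error hides startup messages; use "
                        "info or debug while troubleshooting a terminated connector")

    url = urlparse(env.get("SPLUNK_URL", ""))
    if url.port == SPLUNK_WEB_PORT:
        findings.append(f"SPLUNK_URL points at the web UI port {SPLUNK_WEB_PORT}; "
                        f"the KV Store REST API is on the management port "
                        f"({SPLUNK_MGMT_PORT} by default)")
    if url.scheme == "http" and env.get("SPLUNK_SSL_VERIFY", "").lower() == "true":
        findings.append("SPLUNK_URL is plain http: SPLUNK_SSL_VERIFY=true has nothing "
                        "to verify and SPLUNK_TOKEN crosses the network in clear")

    for key, value in env.items():
        if len(value) >= 2 and value[0] == value[-1] == '"':
            findings.append(f"{key} carries literal double quotes; drop them "
                            "(list-style environment entries are not shell-parsed)")

    return findings


if __name__ == "__main__":
    for name, env in (("as posted", SAMPLE_ENV), ("corrected", FIXED_ENV)):
        results = lint_connector_env(env)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it as-is to see the six findings for the posted block and none for the corrected one; to lint your own file, load the `environment:` list with PyYAML, split each item on the first `=`, and pass the resulting dict to `lint_connector_env`. The port check is the one to look at first: the KV Store endpoints are only reachable through the Splunk REST API, so a connector given the web UI port cannot create or write the collection no matter how the token or `collections.conf` is set up.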