Update Modular Input to handle both KV Store and Indices as destination/target. #30


Open: wants to merge 31 commits into base `main`.

Conversation

CTIBurn0ut
Contributor

The current OpenCTI Add-on for Splunk primarily functions within Splunk Cloud environments but lacks native support for modular inputs on Splunk Cloud, which restricts the ability to fetch OpenCTI threat intelligence data directly.

This was rebuilt using the Splunk Add-on Builder:

- Added input_type field to the inputs.conf.spec file
- Added logic to the input module to handle the new input_type field
- Copied alert actions and alert actions conf spec files

Dev Splunk instance (Add-on Builder):
https://splunk.dev.filigran.io:8000/en-US/app/splunk_app_addon-builder/tab_home?view=main

Dev Splunk App Install:
https://splunk.dev.filigran.io:8000/en-US/app/TA-opencti-add-on/inputs

This also includes searches that will populate the KV Stores

Added input_type field to the inputs.conf.spec file
Added logic to the input module to handle the new input_type field
copied alert actions and alert actions conf spec files
CTIBurn0ut and others added 28 commits June 17, 2025 14:44
Added index time to objects to track ingestion

Set the `_time` field to the current time when ingesting data. This ensures that the events reflect the time they were processed rather than the time they were created in OpenCTI.

Update the `props.conf` to set the `TIME_PREFIX` to `^` for the `opencti_stream` sourcetype. This change ensures that the `_time` field is correctly set to the current time when data is ingested, rather than using the time from the OpenCTI data. This is necessary to ensure that the events reflect the time they were processed rather than the time they were created in OpenCTI. This change is necessary to ensure that the events reflect the time they were processed rather than the time they were created in OpenCTI.

Updated savedsearches.conf to ensure that the searches are correctly configured to use the new `_time` field setting. This ensures that the searches return results based on the time the events were processed, rather than the time they were created in OpenCTI. This change is necessary to ensure that the searches return results based on the time the events were processed, rather than the time they were created in OpenCTI.
Added packaged add-on for version 2.0.0
Added opencti_stream as default index in inputs.conf
- Applied structured logging across stream input module using syslog-style KV pairs
- Categorized logs using `type=` field (e.g., state, stream, kvstore, error)
- Included `input_name` in all logs for better input traceability
- Enhanced `state` log entries to include `stream_point` and `recover_until`
- Switched indicator value logging to use parsed STIX value
- Improved consistency and visibility for Splunk dashboarding and monitoring
- added new images for saved searches and search macros
- updated README with new images
- updated config input image to reflect changes in UI
 stanza to inputs.conf

- Added default [opencti_indicators] stanza to support backward compatibility
- Mirrors settings from opencti_stream for smoother transition from v1.1.4
- Complements updates in restmap.conf and inputs.conf.spec for full legacy input support
Added AppInspect bypass
Updated binaries in aob_py3
Rebuilt Python environment to remove unneeded dependencies
Updated Python environment
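The structured-logging commit above describes syslog-style KV log lines carrying a `type=` category, an `input_name`, and `stream_point`/`recover_until` on state entries. As an added example (not code from the add-on or this PR), the following parses such lines and builds a per-input health summary of the kind a Splunk monitoring search would compute; the sample lines are constructed, and any field names beyond those named in the commit (`msg`, `collection`, `rows`, `action`, `indicator`) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines; field names other than type, input_name,
# stream_point and recover_until are assumed for illustration.
SAMPLE_LOGS = """\
2025-06-17T14:44:01Z type=state input_name=opencti_stream stream_point=1718635441000-0 recover_until=2025-06-17T12:00:00Z
2025-06-17T14:44:02Z type=stream input_name=opencti_stream indicator="[ipv4-addr:value = '198.51.100.7']" action=create
2025-06-17T14:44:03Z type=kvstore input_name=opencti_stream collection=opencti_indicators rows=1
2025-06-17T14:44:04Z type=error input_name=opencti_stream msg="HTTP 503 from OpenCTI stream endpoint"
2025-06-17T14:44:05Z type=state input_name=opencti_indicators stream_point=1718635442000-0 recover_until=2025-06-17T12:00:00Z
"""

# key=value where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_line(line):
    """Return (timestamp, fields) for one KV-style log line."""
    ts, _, rest = line.partition(" ")
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(rest)}
    return ts, fields


def summarize(log_text):
    """Per-input summary: counts by type=, latest checkpoint, and error messages."""
    summary = defaultdict(lambda: {"counts": Counter(), "last_stream_point": None,
                                   "recover_until": None, "errors": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, fields = parse_kv_line(raw)
        entry = summary[fields.get("input_name", "unknown")]
        kind = fields.get("type", "unknown")
        entry["counts"][kind] += 1
        if kind == "state":  # state entries carry the resumable checkpoint
            entry["last_stream_point"] = fields.get("stream_point")
            entry["recover_until"] = fields.get("recover_until")
        elif kind == "error":
            entry["errors"].append((ts, fields.get("msg", "")))
    return dict(summary)


def inputs_needing_attention(summary):
    """Inputs that logged an error or never wrote a state checkpoint."""
    return sorted(name for name, e in summary.items()
                  if e["errors"] or e["counts"]["state"] == 0)
```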
Development

Successfully merging this pull request may close these issues.

Enhance OpenCTI Add-on for Splunk to Support Data Ingestion via Heavy Forwarder and Index-Based Threat Intelligence Management.
2 participants