OpenCTI-Platform · CTIBurn0ut · May 19, 2025 · Jun 17, 2025 · Jun 20, 2025 · Jun 30, 2025
diff --git a/.appinspect_api.expect.yaml b/.appinspect_api.expect.yaml
@@ -0,0 +1,18 @@
+check_simplexml_standards_version:
+  comment: expected
+check_app_icon_2x_dimensions:
+  comment: expected
+check_app_icon_2x_is_png:
+  comment: expected
+check_app_icon_dimensions:
+  comment: expected
+check_app_icon_is_png:
+  comment: expected
+check_ignored_parameters_v2_command:
+  comment: expected
+check_basic_readme:
+  comment: expected
+check_for_binary_files_without_source_code:
+  comment: expected
+check_for_compiled_python:
+  comment: expected
diff --git a/.github/img/config_input.png b/.github/img/config_input.png
diff --git a/.github/img/saved_searches.png b/.github/img/saved_searches.png
diff --git a/.github/img/search_macro.png b/.github/img/search_macro.png
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,56 @@
+name: build-test-release
+
+on: push
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Create subfolder
+        run: mkdir my-package
+
+      - name: Install UCC
+        run: |
+          pip install splunk-add-on-ucc-framework
+          pip install splunk-packaging-toolkit
+
+      - name: Build an app using UCC
+        run: ucc-gen build --source TA-opencti-add-on
+
+      - name: Create tmp folder
+        run: mkdir app-dir
+
+      - name: Create package
+        run: ucc-gen package --path output/TA-opencti-add-on -o app-dir/
+
+      - name: Upload package
+        uses: actions/upload-artifact@v4
+        with:
+          name: my-package
+          path: app-dir/
+
+  run-appinspect-api:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/download-artifact@v4
+        with:
+          name: my-package
+          path: app-dir/
+      - name: appinspect-api
+        uses: splunk/[email protected]
+        with:
+          username: ${{ secrets.SPL_COM_USER }}
+          password: ${{ secrets.SPL_COM_PASSWORD }}
+          app_path: app-dir/
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: appinspect-api-html-report
+          path: AppInspect_response.html
diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,6 @@ __pycache__/
 local.meta
 
 # Splunk local folder
-local
+local
+.DS_Store
+.gitignore
diff --git a/README.md b/README.md
diff --git a/TA-opencti-add-on-2.0.0.tar.gz b/TA-opencti-add-on-2.0.0.tar.gz
diff --git a/TA-opencti-add-on/README.txt b/TA-opencti-add-on/README.txt
@@ -4,4 +4,6 @@ This is an add-on powered by the Splunk Add-on Builder.
 
 bin/ta_opencti_add_on/aob_py3/yaml/_yaml.cpython-37m-x86_64-linux-gnu.so: This binary file is provided along with Splunk's Add-on Builder module.
 bin/ta_opencti_add_on/aob_py3/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so: this file does not require any source code
-bin/ta_opencti_add_on/aob_py3/simplejson/_speedups.cp37-win_amd64.pyd: this file does not require any source code
+bin/ta_opencti_add_on/aob_py3/simplejson/_speedups.cpython-312-x86_64-linux-gnu.so: this file does not require any source code
+bin/ta_opencti_add_on/aob_py3/charset_normalizer/md__mypyc.cpython-312-x86_64-linux-gnu.so: this file does not require any source code
+bin/ta_opencti_add_on/aob_py3/charset_normalizer/md.cpython-312-x86_64-linux-gnu.so: this file does not require any source code
diff --git a/TA-opencti-add-on/README/alert_actions.conf.spec b/TA-opencti-add-on/README/alert_actions.conf.spec
@@ -1,24 +1,23 @@
 
-
 [opencti_create_incident]
 python.version = python3
-param.name = <string> Name. It's a required parameter. It's default value is $name$.
-param.description = <string> Description.  It's default value is $description$.
+param.name = <string> Name.
+param.description = <string> Description.
 param.type = <string> Type.
-param.severity = <list> Severity. It's default value is medium.
+param.severity = <string> Severity.
 param.labels = <string> Labels.
-param.tlp = <list> TLP.  It's default value is tlp_amber.
-param.observables_extraction = <list> Observables extraction. It's default value is disable.
+param.tlp = <string> TLP.  It's default value is tlp_amber.
+param.observables_extraction = <list> Observable Extraction.  It's default value is disable.
 
 [opencti_create_incident_response]
 python.version = python3
-param.name = <string> Name. It's a required parameter. It's default value is $name$.
-param.description = <string> Description.  It's default value is $description$.
-param.severity = <list> Severity.  It's default value is medium.
-param.priority = <list> Priority.  It's default value is p2.
+param.name = <string> Name.
+param.description = <string> Description.
+param.severity = <string> Severity.
+param.priority = <string> Priority.
 param.type = <string> Type.
 param.case_template = <string> Case Template.
 param.labels = <string> Labels.
-param.tlp = <list> TLP.  It's default value is tlp_amber.
-param.observables_extraction = <list> Observables extraction. It's default value is disable.
+param.tlp = <string> TLP.  It's default value is tlp_amber.
+param.observables_extraction = <list> Observable Extraction.  It's default value is disable.
 
diff --git a/TA-opencti-add-on/README/inputs.conf.spec b/TA-opencti-add-on/README/inputs.conf.spec
@@ -1,3 +1,10 @@
 [opencti_indicators://<name>]
-stream_id =
-import_from =
+import_from = <integer>
+interval = <integer>
+stream_id = <uuid>
+disabled = <boolean>
+
+[opencti_stream://<name>]
+stream_id = OpenCTI Stream Id to consume
+import_from = The number of days to go back for the initial data collection. The start date is calculated on the basis of the current UTC time.
+input_type = Choose where to store the data.	•	KV Store keeps structured data for lookups.	•	Index saves events for searching and alerting.
diff --git a/TA-opencti-add-on/README/ta_opencti_add_on_settings.conf.spec b/TA-opencti-add-on/README/ta_opencti_add_on_settings.conf.spec
@@ -12,4 +12,4 @@ loglevel =
 
 [additional_parameters]
 opencti_url = 
-opencti_api_key =
+opencti_api_key = 
diff --git a/TA-opencti-add-on/TA-opencti-add-on.aob_meta b/TA-opencti-add-on/TA-opencti-add-on.aob_meta
diff --git a/TA-opencti-add-on/app.manifest b/TA-opencti-add-on/app.manifest
@@ -1,11 +1,11 @@
 {
   "schemaVersion": "2.0.0",
   "info": {
-    "title": "OpenCTI Add-on for Splunk",
+    "title": "OpenCTI Add-on",
     "id": {
       "group": null,
       "name": "TA-opencti-add-on",
-      "version": "1.1.5"
+      "version": "2.0.0"
     },
     "author": [
       {
@@ -15,7 +15,7 @@
       }
     ],
     "releaseDate": null,
-    "description": "Add-on for OpenCTI",
+    "description": "Splunk Add-on for OpenCTI",
     "classification": {
       "intendedAudience": null,
       "categories": [],
@@ -34,18 +34,27 @@
     },
     "releaseNotes": {
       "name": null,
-      "text": "./README.txt",
+      "text": null,
       "uri": null
     }
   },
-  "dependencies": null,
-  "tasks": null,
-  "inputGroups": null,
-  "incompatibleApps": null,
-  "platformRequirements": null,
+  "dependencies": {
+  },
+  "tasks": [],
+  "inputGroups": {
+  },
+  "incompatibleApps": {
+  },
+  "platformRequirements": {
+    "splunk": {
+      "Enterprise": "*"
+    }
+  },
   "supportedDeployments": [
-    "_standalone",
-    "_distributed"
+    "*"
   ],
-  "targetWorkloads": null
-}
+  "targetWorkloads": [
+    "_search_heads",
+    "_forwarders"
+  ]
+}
diff --git a/TA-opencti-add-on/appserver/static/alert_icon.png b/TA-opencti-add-on/appserver/static/alert_icon.png
diff --git a/TA-opencti-add-on/appserver/static/alert_opencti_create_incident.png b/TA-opencti-add-on/appserver/static/alert_opencti_create_incident.png
diff --git a/TA-opencti-add-on/appserver/static/alert_opencti_create_incident_response.png b/TA-opencti-add-on/appserver/static/alert_opencti_create_incident_response.png
diff --git a/TA-opencti-add-on/appserver/static/alerticon.png b/TA-opencti-add-on/appserver/static/alerticon.png