
Enhance OpenCTI Add-on for Splunk to Support Data Ingestion via Heavy Forwarder and Index-Based Threat Intelligence Management. #19

@CTIBurn0ut

Description:

The current OpenCTI Add-on for Splunk primarily functions within Splunk Cloud environments but lacks native support for modular inputs on Splunk Cloud, which restricts the ability to fetch OpenCTI threat intelligence data directly.

To overcome these limitations, we propose enhancing the OpenCTI Add-on to support a Heavy Forwarder (HF)-based ingestion pipeline, allowing users to:

  1. Fetch OpenCTI Threat Intelligence via a Heavy Forwarder.
  2. Send CTI Data to a Splunk Index instead of relying solely on KV Store.
  3. Manage KV Store Entries Efficiently through scheduled searches or scripted workflows.

Problem Statement:

Current Limitations in Splunk Cloud Deployment:

  • Splunk Cloud restricts Python modular inputs, preventing direct OpenCTI API ingestion.
  • KV Store is the only storage option, but data cannot be easily managed at scale without additional search-based maintenance.
  • Users cannot use a Heavy Forwarder (HF) to pull threat intelligence data, which prevents on-premise or hybrid environments from benefiting from OpenCTI.

Impact:

  • Users cannot efficiently pull OpenCTI indicators into Splunk Cloud unless they have an approved, vetted app or API workaround.
  • Lack of index-based storage limits Splunk ES's ability to leverage OpenCTI threat intelligence efficiently in correlation searches.
  • Data lifecycle management within KV Store requires manual intervention, making it harder to update, expire, and clean up stale threat intelligence indicators.

Proposed Solution:

1. Enable Heavy Forwarder Support for OpenCTI Data Ingestion

  • Modify the OpenCTI Add-on to allow deployment on a Heavy Forwarder.
  • Allow the HF to fetch threat indicators, observables, and reports via OpenCTI API.
  • Convert the retrieved data into structured events and forward them to Splunk Cloud.

2. Support Index-Based Threat Intelligence Storage

  • Provide an option to store OpenCTI indicators in a Splunk index (e.g., threat_intelligence or opencti_index).
  • Use the CIM (Common Information Model) to map OpenCTI fields to Splunk Threat Intelligence Framework (TIF).

3. Automate KV Store Management via Scheduled Searches

  • Develop scheduled searches or scripts to:
    • Expire old indicators based on valid_until timestamps.
    • Remove stale records from the KV Store.
    • Sync KV Store with index data when new indicators are fetched.

Technical Implementation:

A. Heavy Forwarder Data Ingestion Pipeline

  1. Deploy the OpenCTI Add-on on a Splunk Heavy Forwarder.
  2. Use a modular input (or scripted input) to fetch OpenCTI indicators.
  3. Parse the threat intelligence data and:
    • Send it to a Splunk Cloud index.
    • Optionally, update the KV Store if required.

B. Index-Based Threat Intelligence Storage

  • Modify the OpenCTI Add-on to allow writing threat intelligence directly to a Splunk index.
  • Provide a Splunk knowledge object (macro or lookup) to facilitate threat intelligence correlation.

C. KV Store Management via Scheduled Searches

  • Create scheduled searches to:
    | inputlookup opencti_lookup
    ```keep rows that are still valid and write them back; assumes valid_until is an ISO-8601 UTC string as OpenCTI emits it```
    | where strptime(valid_until, "%Y-%m-%dT%H:%M:%S.%3NZ") > now()
    | outputlookup opencti_lookup
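
The pipeline sketched in the issue, as an added example that is not code from the OpenCTI Add-on or from the issue author: it turns OpenCTI indicator objects into the JSON events a Heavy Forwarder scripted input would emit to an index, and applies the same `valid_until` expiry the scheduled search applies to the KV Store. The indicator shape follows OpenCTI's STIX-based Indicator (`pattern`, `created`, `valid_until`, `revoked`, `x_opencti_score`); the sample indicators are constructed; the `ip_intel` / `file_intel` / `http_intel` / `email_intel` collection and field names are assumed from Splunk ES threatlist conventions, and `threat_collection`, `threat_key="opencti"` and the default weight of 50 are this example's own choices.

```python
"""Added example (not the OpenCTI Add-on's code): OpenCTI indicators -> Splunk
events, plus the valid_until expiry a KV Store cleanup search would apply."""
import json
import re
from datetime import datetime, timezone

# Single-comparison STIX patterns only; compound AND/OR patterns are skipped.
_PATTERN = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$"
)

# Assumed mapping (ES threatlist conventions): (STIX type, property) -> (collection, field).
_TIF_MAP = {
    ("ipv4-addr", "value"): ("ip_intel", "ip"),
    ("ipv6-addr", "value"): ("ip_intel", "ip"),
    ("domain-name", "value"): ("ip_intel", "domain"),
    ("url", "value"): ("http_intel", "url"),
    ("file", "hashes.MD5"): ("file_intel", "file_hash"),
    ("file", "hashes.'SHA-256'"): ("file_intel", "file_hash"),
    ("email-addr", "value"): ("email_intel", "src_user"),
}

# Constructed sample shaped like OpenCTI indicator objects; not real intelligence.
SAMPLE_INDICATORS = [
    {"id": "indicator--1", "name": "C2 server", "revoked": False, "x_opencti_score": 80,
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "created": "2025-01-10T12:00:00.000Z", "valid_until": "2025-12-31T00:00:00.000Z"},
    {"id": "indicator--2", "name": "phishing domain", "revoked": False, "x_opencti_score": 60,
     "pattern": "[domain-name:value = 'login-example.test']",
     "created": "2025-01-05T08:30:00.000Z", "valid_until": "2025-02-01T00:00:00.000Z"},
    {"id": "indicator--3", "name": "dropper", "revoked": True, "x_opencti_score": 90,
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
     "created": "2025-01-06T09:00:00.000Z", "valid_until": "2026-01-01T00:00:00.000Z"},
    {"id": "indicator--4", "name": "compound, unsupported here", "revoked": False,
     "pattern": "[domain-name:value = 'evil.test' AND domain-name:resolves_to_refs.value = '203.0.113.9']",
     "created": "2025-01-07T09:00:00.000Z", "valid_until": "2026-01-01T00:00:00.000Z"},
]


def parse_pattern(pattern):
    """Return (collection, field, value) for a simple STIX pattern, else None."""
    m = _PATTERN.match(pattern.strip())
    if not m or (m["type"], m["prop"]) not in _TIF_MAP:
        return None
    collection, field = _TIF_MAP[(m["type"], m["prop"])]
    return collection, field, m["value"]


def parse_ts(ts):
    """OpenCTI emits ISO-8601 UTC with milliseconds, e.g. 2025-01-10T12:00:00.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def to_splunk_event(indicator, threat_key="opencti"):
    """Flatten one indicator into an event dict; None for unsupported patterns."""
    parsed = parse_pattern(indicator["pattern"])
    if parsed is None:
        return None
    collection, field, value = parsed
    return {
        "time": parse_ts(indicator["created"]).timestamp(),
        "threat_key": threat_key,           # intel source name (assumed convention)
        "threat_collection": collection,    # lets a search route rows to a lookup (assumed field)
        field: value,
        "description": indicator.get("name", ""),
        "weight": indicator.get("x_opencti_score", 50),  # assumed default weight
        "valid_until": indicator["valid_until"],
        "opencti_id": indicator["id"],
        "revoked": indicator.get("revoked", False),
    }


def to_json_lines(indicators):
    """What a scripted input writes to stdout: one JSON event per line, stale or not."""
    events = (to_splunk_event(i) for i in indicators)
    return "\n".join(json.dumps(e, sort_keys=True) for e in events if e is not None)


def expire(rows, now_iso=None):
    """KV Store cleanup step: keep rows that are not revoked and still valid at now_iso."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return [r for r in rows if not r.get("revoked") and parse_ts(r["valid_until"]) > now]


if __name__ == "__main__":
    print(to_json_lines(SAMPLE_INDICATORS))
```

Routing by `threat_collection` is what lets a single index feed several lookups: a scheduled search over the index can `| where threat_collection="ip_intel" | outputlookup append=true ip_intel` per collection, while `expire()` is the Python equivalent of the `where ... > now()` filter in the search above; a compound pattern is dropped rather than mis-indexed, which is the failure mode to watch for when only the first comparison of a pattern gets ingested.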
    

Labels: feature