
Add Sighting Object Support to OpenCTI Splunk Add-on #33

@CTIBurn0ut

Summary

Add the ability for the OpenCTI Splunk Add-on to generate and return Sighting objects linked to Indicators and Security Platforms. This will improve alert triage, reduce repetitive Splunk searches, and align with OpenCTI’s Sighting-first operational workflow.
Problem Statement / Current Limitation

Our organization currently relies on the Incidents alert feature in the Splunk App. While event artifacts can be passed to OpenCTI, the workflow has several limitations:

  1. Context Requires Manual Search

    • Analysts must return to Splunk to identify the original event context for each alert.
    • High volumes of indicators (e.g., email addresses) lead to repetitive triage steps.
  2. High False Positive Rate

    • Many indicators generate alerts with minimal actionable value.
    • Analysts must manually verify and cross-reference in Splunk.
  3. Sensitive or Voluminous Data

    • Full event content often contains sensitive information.
    • Pushing all raw logs to OpenCTI incidents is not ideal.
  4. Training and STIX Methodology Gap

    • OpenCTI emphasizes Sightings as the preferred method to condense reporting:
      • Link Indicator → Security Platform → Original Event/Observation
      • Provide first/last observed timestamps and allow Sighting aggregation

Currently, the Splunk Add-on does not generate Sighting objects, leaving this workflow underutilized.
Proposed Enhancement

Add functionality for the Splunk Add-on for OpenCTI to:

  1. Generate Sighting Objects for any detected Indicator.
  2. Include Core Sighting Fields:
    • Indicator ID / Pattern
    • Security Platform (e.g., “Bluecoat Proxy Logs”)
    • First and last observed timestamps
    • Search URL link to the original Splunk event(s)
  3. Support Aggregation and Triage:
    • Aggregate multiple Sightings for the same Indicator
    • Filter for high-quality/repeated sightings to prioritize analyst attention
  4. Optional Response Integration:
    • Escalate to Response Cases if thresholds (e.g., # sightings) are met

Benefits

  • Reduce Analyst Workload: Less context-switching to Splunk searches
  • Improve Triage: Identify high-frequency or repeat sightings quickly
  • Align with OpenCTI Best Practices: Fully leverage STIX-compliant Sightings
  • Scalable & Secure: Keep sensitive raw event data in Splunk, share condensed intelligence with OpenCTI

Example Workflow

  1. Indicator 1.2.3.4 is detected in Splunk Proxy logs
  2. Add-on creates a Sighting object in OpenCTI with:
    • First/last observed timestamps
    • Security Platform = “Bluecoat Proxy Logs”
    • Search URL for drill-down
  3. Analyst triages the Sighting in OpenCTI without returning to Splunk
  4. Optional: If 10+ sightings occur within 24 hours → auto-create a Response Case

This feature will bridge current operational gaps and enhance the Splunk Add-on as a complete integration for detection-to-response workflows in OpenCTI.
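The workflow sketched above (one Sighting per Indicator and Security Platform, first/last seen, a count, a Splunk drill-down URL, and an escalation check of 10+ sightings within 24 hours), as an added example that is not part of this issue or of the OpenCTI Splunk Add-on. It assumes that the Security Platform is carried as the STIX Identity in `where_sighted_refs`; the Splunk base URL and search-URL layout, the indicator and identity ids, the sourcetype-to-platform mapping and the hit rows are all constructed sample data, and the deterministic uuid5 sighting id is this example's choice for aggregation, not the add-on's id scheme.

```python
"""Condense Splunk indicator hits into STIX 2.1 Sighting objects for OpenCTI.

Added example, not code from the OpenCTI Splunk Add-on. Field names follow the
STIX 2.1 Sighting relationship object; the Splunk base URL, search URL layout,
STIX ids, sourcetype mapping and hit rows are constructed sample data.
"""
import json
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SPLUNK_BASE_URL = "https://splunk.example.internal:8000"  # assumed, not real
STIX_TS = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed ids. The Security Platform is modelled here as the STIX Identity
# referenced from where_sighted_refs (an assumption about the mapping).
IND_IP = "indicator--5b0a4d9e-0c8e-4b2d-9e0f-1a2b3c4d5e6f"
IND_MAIL = "indicator--9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a"
PLATFORM_BY_SOURCETYPE = {
    "bluecoat:proxysg:access": "identity--c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f",  # Bluecoat Proxy Logs
    "ms:o365:management": "identity--0a1b2c3d-4e5f-4a6b-8c7d-9e8f7a6b5c4d",      # mail gateway
}


def _hit(indicator_id, value, when, sourcetype):
    # One row per matched Splunk event. Only what the Sighting needs leaves
    # Splunk; the raw event body (URLs, users, mail content) stays behind.
    return {"indicator_id": indicator_id, "value": value, "_time": when, "sourcetype": sourcetype}


# Constructed hits: 10 proxy hits on 1.2.3.4 in one morning, 2 mail hits days apart.
HITS = [_hit(IND_IP, "1.2.3.4", f"2024-05-01T{h:02d}:17:00Z", "bluecoat:proxysg:access") for h in range(10)]
HITS += [_hit(IND_MAIL, "phish@example.net", "2024-04-29T10:00:00Z", "ms:o365:management"),
         _hit(IND_MAIL, "phish@example.net", "2024-05-02T10:00:00Z", "ms:o365:management")]


def parse_splunk_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stix_time(dt):
    return dt.strftime(STIX_TS)[:-4] + "Z"  # millisecond precision, trailing Z


def splunk_drilldown_url(value, sourcetype, first, last):
    """Deep link to the events behind the Sighting (assumed Splunk Web layout).

    The indicator value is attacker-supplied data, so quotes and backslashes are
    escaped before it is embedded in SPL, and the whole query is URL-encoded
    rather than concatenated. The time window is pinned to the sighting so the
    analyst lands on exactly the events that produced it.
    """
    safe = value.replace("\\", "\\\\").replace('"', '\\"')
    spl = f'search sourcetype="{sourcetype}" "{safe}"'
    params = urlencode({"q": spl, "earliest": int(first.timestamp()), "latest": int(last.timestamp()) + 1})
    return f"{SPLUNK_BASE_URL}/en-US/app/search/search?{params}"


def sighting_id(indicator_id, platform_ref):
    # Deterministic id (example choice): re-running the search updates the same
    # Sighting's count/last_seen instead of creating duplicates.
    return "sighting--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{indicator_id}|{platform_ref}"))


def build_sightings(hits, now=None):
    """Aggregate hits per (Indicator, Security Platform) into STIX 2.1 Sightings."""
    now = now or datetime.now(timezone.utc)
    groups = defaultdict(list)
    for hit in hits:
        groups[(hit["indicator_id"], PLATFORM_BY_SOURCETYPE[hit["sourcetype"]])].append(hit)
    sightings = []
    for (indicator_id, platform), rows in groups.items():
        times = sorted(parse_splunk_time(r["_time"]) for r in rows)
        first, last = times[0], times[-1]
        sightings.append({
            "type": "sighting", "spec_version": "2.1",
            "id": sighting_id(indicator_id, platform),
            "created": stix_time(now), "modified": stix_time(now),
            "sighting_of_ref": indicator_id,
            "where_sighted_refs": [platform],
            "first_seen": stix_time(first), "last_seen": stix_time(last),
            "count": len(rows),
            "external_references": [{
                "source_name": "Splunk",
                "description": f"{len(rows)} event(s) in {rows[0]['sourcetype']}",
                "url": splunk_drilldown_url(rows[0]["value"], rows[0]["sourcetype"], first, last),
            }],
        })
    return sightings


def should_escalate(sighting, threshold=10, window=timedelta(hours=24)):
    """Issue's optional rule: threshold+ sightings inside the window -> open a Response Case."""
    first = datetime.strptime(sighting["first_seen"], STIX_TS).replace(tzinfo=timezone.utc)
    last = datetime.strptime(sighting["last_seen"], STIX_TS).replace(tzinfo=timezone.utc)
    return sighting["count"] >= threshold and last - first <= window


def to_bundle(sightings):
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": sightings}, indent=2)


if __name__ == "__main__":
    for s in build_sightings(HITS):
        print(s["sighting_of_ref"], s["count"], s["first_seen"], s["last_seen"],
              "ESCALATE" if should_escalate(s) else "")
    print(to_bundle(build_sightings(HITS)))
```

The object that reaches OpenCTI carries only the indicator reference, the platform reference, the window, the count and a link back; the analyst follows `external_references[0].url` to the events when the Sighting warrants it, and the proxy log lines themselves never leave Splunk.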

Metadata

Labels: enhancement (New feature or request), needs triage (use to identify issue needing triage from Filigran Product team)

Assignees: No one assigned

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests
