@CTIBurn0ut

Summary

This PR adds inbound webhook support to the OpenCTI Splunk SOAR App, enabling event-driven ingestion of OpenCTI lifecycle events into Splunk SOAR using the SOAR App Webhook Service (port 3500).

With this change, OpenCTI can act as the source-of-truth and control plane, while Splunk SOAR handles orchestration and response based on OpenCTI intelligence state.


What’s Included

App-Level Webhook Endpoint
• Declares a new webhook endpoint in opencti.json
• Exposes:

/webhook/opencti/<asset_name>/event

Webhook Routing
• Implements handle_request() in opencti_connector.py
• Dispatches inbound webhook requests to the appropriate handler based on endpoint

Webhook Handler
• Adds opencti_event_handler() in webhooks.py
• Accepts JSON payloads from OpenCTI
• Creates a SOAR container with the raw payload preserved
• Enables downstream playbook execution via container labeling

Example Workflow

OpenCTI (Webhook Event)
   ↓
Splunk SOAR App Webhook (port 3500)
   ↓
Container Creation
   ↓
Playbook Execution

Example triggering events:
• Indicator created / updated
• Incident created or validated
• Case lifecycle changes
• Sighting thresholds crossed


Example Payload

{
  "event_type": "entity.created",
  "entity_type": "indicator",
  "entity_id": "indicator--uuid",
  "entity_name": "Suspicious IP",
  "confidence": 85,
  "score": 70,
  "labels": ["high-confidence"]
}

Implementation Details

Webhook Declaration (opencti.json)

"webhooks": [
  {
    "name": "opencti_event",
    "description": "Receive events from OpenCTI",
    "method": "post",
    "endpoint": "event",
    "payload_type": "json"
  }
]

Webhook Routing (opencti_connector.py)

def handle_request(self, request, path_parts):
    # path_parts holds the URL segments after /webhook/opencti/<asset_name>/;
    # the last segment selects the handler.
    endpoint = path_parts[-1] if path_parts else ""

    if endpoint == "event":
        return opencti_event_handler(self, request, path_parts)

    # Anything other than the declared "event" endpoint is rejected.
    return {"success": False, "message": "Unknown endpoint"}, 404

Backward Compatibility
• ✅ No changes to existing actions
• ✅ No impact on outbound OpenCTI API calls
• ✅ Existing assets and playbooks continue to function unchanged


Deployment Notes
• Webhooks are supported on on-prem Splunk SOAR deployments
• Requires the SOAR Webhook Service (port 3500) to be enabled
• Users must reinstall / upgrade the app after deploying this change


Non-Goals
• Authentication (HMAC / token headers) — can be added in a follow-up
• Support for Splunk SOAR Cloud (webhooks are on-prem only)
• Changes to OpenCTI core webhook behavior


Testing Performed
• Manual POST to webhook endpoint using curl
• Verified container creation in SOAR
• Verified payload preservation and routing


Related
• GitHub Issue: Add inbound webhook support to OpenCTI Splunk SOAR App
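The routing and handler flow described in this PR, as an added stand-alone example (not the app's own code): the request is modelled as a dict with a raw "body", the container label "opencti_event" and the required-field list are assumptions, and the example adds rejection of malformed or incomplete payloads so that only well-formed OpenCTI events reach container creation.

```python
import json

# Assumed: fields every OpenCTI lifecycle event must carry before a container is created.
REQUIRED_FIELDS = ("event_type", "entity_type", "entity_id")
# Assumed: the container label that downstream playbooks are configured to trigger on.
TRIGGER_LABEL = "opencti_event"


def build_container(payload: dict) -> dict:
    """Map an OpenCTI event payload to a SOAR container dict, keeping the raw payload."""
    return {
        "name": f"OpenCTI {payload['event_type']}: "
                f"{payload.get('entity_name', payload['entity_id'])}",
        "label": TRIGGER_LABEL,
        "source_data_identifier": payload["entity_id"],
        "tags": list(payload.get("labels", [])),
        "data": payload,  # raw payload preserved for playbook access
    }


def opencti_event_handler(request: dict) -> tuple[dict, int]:
    """Accept a JSON webhook payload; reject bad JSON or missing fields with 400."""
    try:
        payload = json.loads(request.get("body") or b"{}")
    except json.JSONDecodeError:
        return {"success": False, "message": "Malformed JSON"}, 400
    if not isinstance(payload, dict):
        return {"success": False, "message": "Payload must be a JSON object"}, 400
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return {"success": False, "message": f"Missing fields: {missing}"}, 400
    return {"success": True, "container": build_container(payload)}, 200


def handle_request(request: dict, path_parts: list) -> tuple[dict, int]:
    """Dispatch on the last path segment, mirroring the connector's routing."""
    endpoint = path_parts[-1] if path_parts else ""
    if endpoint == "event":
        return opencti_event_handler(request)
    return {"success": False, "message": "Unknown endpoint"}, 404


# Constructed sample event, matching the example payload above.
SAMPLE_BODY = json.dumps({
    "event_type": "entity.created", "entity_type": "indicator",
    "entity_id": "indicator--uuid", "entity_name": "Suspicious IP",
    "confidence": 85, "score": 70, "labels": ["high-confidence"],
}).encode()
```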

