Description
Summary
The OpenCTI Splunk SOAR App currently supports outbound actions (querying and creating entities in OpenCTI), but does not provide a supported inbound webhook mechanism to receive OpenCTI events into Splunk SOAR.
This feature request proposes adding App-level webhook support using Splunk SOAR’s App Webhook Service (port 3500), enabling event-driven automation workflows where OpenCTI acts as the source-of-truth and SOAR performs orchestration and response.
Motivation / Use Case
Enable workflows such as:
OpenCTI (Webhook Event)
↓
Splunk SOAR App Webhook Endpoint
↓
Container Creation
↓
Playbook Execution
Examples of OpenCTI events that could trigger automation:
• Indicator created or updated (especially high-confidence)
• Incident created or validated
• Case lifecycle changes
• Sighting thresholds crossed
• Intelligence promotion events
This aligns Splunk SOAR with OpenCTI’s intelligence lifecycle model, allowing automation to be driven by intelligence state rather than polling or indirect ingestion paths.
Current Limitation
• The OpenCTI SOAR App does not expose any inbound webhook endpoints.
• There is no documented or supported way for OpenCTI to POST events directly into SOAR via the OpenCTI app.
• Even in on-prem SOAR deployments, users must rely on indirect patterns (e.g., Splunk HEC → saved search → SOAR).
Proposed Solution
Add native App Webhook support to the OpenCTI Splunk SOAR App.
- Declare Webhook Endpoint in App Metadata
Add a webhooks section to opencti.json:
    "webhooks": [
        {
            "name": "opencti_event",
            "description": "Receive events from OpenCTI",
            "method": "post",
            "endpoint": "event",
            "payload_type": "json"
        }
    ],
This exposes an endpoint at:
/webhook/opencti/<asset_name>/event
- Implement Webhook Handler
Add a webhook handler that:
• Accepts JSON payloads from OpenCTI
• Performs basic validation
• Creates a SOAR container
• Preserves the raw payload for downstream processing
Example handler:
import json

def opencti_event_handler(connector, request, path_parts):
    # Body is the JSON document OpenCTI POSTs to the webhook endpoint
    payload = request.json
    container = {
        "name": f"OpenCTI: {payload.get('entity_type')} - {payload.get('entity_name')}",
        "label": "opencti",
        "severity": "medium",
        # Raw event kept verbatim so playbooks can parse it downstream
        "description": json.dumps(payload, indent=2),
    }
    # save_container returns (status, message, container_id)
    status, message, container_id = connector.save_container(container)
    if not status:
        return {"success": False, "message": message}, 500
    return {"success": True, "container_id": container_id}, 200
- Route Webhook Requests in the Connector
Implement handle_request() in opencti_connector.py to dispatch webhook requests:
def handle_request(self, request, path_parts):
    # path_parts holds the URL segments after /webhook/opencti/<asset_name>/
    endpoint = path_parts[-1] if path_parts else ""
    if endpoint == "event":
        return opencti_event_handler(self, request, path_parts)
    return {"success": False, "message": "Unknown endpoint"}, 404
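As an added example (not code from the OpenCTI Splunk SOAR App or from this proposal), the three steps above combined into one module that runs offline. Stand-in classes replace the SOAR SDK: FakeConnector plays the BaseConnector subclass and FakeRequest the webhook request object. Because an endpoint that creates containers without authentication lets anyone who can reach port 3500 trigger playbooks, the example includes the HMAC check that the Non-Goals section defers: the signature is computed over the raw request bytes, which is why the handler reads request.get_data() rather than request.json. The header name X-OpenCTI-Signature, the confidence-to-severity thresholds and the payload field names (entity_type, entity_name, confidence) are this example's assumptions, not a documented OpenCTI schema.

```python
"""Added example of the proposed OpenCTI -> Splunk SOAR inbound webhook path.
Not the app's code; SDK stand-ins make it runnable offline (assumptions noted)."""
import hashlib
import hmac
import json

# Assumed header carrying the hex HMAC-SHA256 of the raw body. OpenCTI's
# webhook notifier lets the operator set custom headers; the name is ours.
SIGNATURE_HEADER = "X-OpenCTI-Signature"
# Field names follow the proposal's sketch, not a documented OpenCTI schema.
REQUIRED_FIELDS = ("entity_type", "entity_name")


def verify_signature(raw_body: bytes, secret: str, header_value) -> bool:
    """Constant-time check of the HMAC over the exact bytes received."""
    if not header_value:
        return False
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value.strip().lower())


def severity_from_confidence(confidence) -> str:
    """Map OpenCTI's 0-100 confidence to a SOAR severity (thresholds assumed)."""
    try:
        value = int(confidence)
    except (TypeError, ValueError):
        return "medium"
    if value >= 80:
        return "high"
    if value >= 50:
        return "medium"
    return "low"


def build_container(payload: dict) -> dict:
    """Shape a SOAR container; the raw event is kept under 'data' for playbooks."""
    return {
        "name": f"OpenCTI: {payload['entity_type']} - {payload['entity_name']}",
        "label": "opencti",
        "severity": severity_from_confidence(payload.get("confidence")),
        "description": f"OpenCTI {payload.get('event_type', 'event')} received via webhook",
        "data": payload,
    }


def opencti_event_handler(connector, request, path_parts):
    """Authenticate, validate and turn one OpenCTI event into a container."""
    raw = request.get_data()  # raw bytes: the HMAC must cover exactly these
    if not verify_signature(raw, connector.webhook_secret, request.headers.get(SIGNATURE_HEADER)):
        return {"success": False, "message": "Invalid or missing signature"}, 401
    try:
        payload = json.loads(raw)
    except ValueError:
        return {"success": False, "message": "Body is not valid JSON"}, 400
    if not isinstance(payload, dict) or any(f not in payload for f in REQUIRED_FIELDS):
        return {"success": False, "message": f"Missing one of {REQUIRED_FIELDS}"}, 400
    # BaseConnector.save_container returns (status, message, container_id)
    ok, message, container_id = connector.save_container(build_container(payload))
    if not ok:
        return {"success": False, "message": message}, 500
    return {"success": True, "container_id": container_id}, 200


class FakeConnector:
    """Stand-in for the app's BaseConnector subclass; keeps containers in memory."""

    def __init__(self, webhook_secret: str):
        self.webhook_secret = webhook_secret  # would come from asset configuration
        self.containers = []

    def save_container(self, container):
        self.containers.append(container)
        return True, "Container created", len(self.containers)

    def handle_request(self, request, path_parts):
        # Dispatch on the last URL segment, as in the proposal's handle_request()
        endpoint = path_parts[-1] if path_parts else ""
        if endpoint == "event":
            return opencti_event_handler(self, request, path_parts)
        return {"success": False, "message": "Unknown endpoint"}, 404


class FakeRequest:
    """Minimal stand-in for the webhook request object (headers + raw body)."""

    def __init__(self, body: bytes, headers=None):
        self.headers = headers or {}
        self._body = body

    def get_data(self) -> bytes:
        return self._body


def signed_request(secret: str, payload: dict) -> FakeRequest:
    """Build a request the way a correctly configured OpenCTI notifier would."""
    body = json.dumps(payload).encode()
    sig = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return FakeRequest(body, {SIGNATURE_HEADER: sig})


# Constructed sample event, modelled on the proposal's field names.
SAMPLE_EVENT = {
    "event_type": "create",
    "entity_type": "Indicator",
    "entity_name": "[domain-name:value = 'evil.example']",
    "confidence": 90,
}

if __name__ == "__main__":
    connector = FakeConnector("shared-secret")
    print(connector.handle_request(signed_request("shared-secret", SAMPLE_EVENT), ["event"]))
```

A tampered body or a missing header is rejected with 401 before any JSON parsing happens, malformed or incomplete payloads get 400, and an unknown path segment still falls through to the 404 from the proposal's dispatcher. In the real app, webhook_secret would be an asset configuration parameter and the FakeConnector body would live in the connector class.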
Benefits
- Enables event-driven automation instead of polling
- Allows OpenCTI to act as the control plane for response workflows
- Works cleanly with on-prem Splunk SOAR deployments
- Backward-compatible with existing actions
- Establishes a reusable pattern for future OpenCTI → SOAR integrations
Scope / Non-Goals
- No changes required to OpenCTI core
- Authentication mechanisms (e.g., HMAC, token headers) can be added incrementally
- No impact on Splunk SOAR Cloud (webhooks are on-prem only)