Overview
Overview
Enterprise edition
Activity unified interface and logging are available under the "Filigran entreprise edition" license.
OpenCTI activity capability is the way to unified whats really happen in the platform. With this feature you will be able to answer "who did what, where, and when?" within your data with the maximum level of transparency. Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.
Categories
The activity group 3 different concepts that need to be explains.
Basic knowledge
The basic knowledge refers to all stix data knowledge inside OpenCTI. Every create/update/delete actions on that knowledge is accessible through the history. That basic activity is handled by the history manager and can be also found directly on each entity.
Extended knowledge
The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific user/group/organization explicitly configured.
Audit knowledge
Audit is focusing on user administration or security actions. Audit will produces console/logs files along with user interface elements.
{
"auth": "<User information>",
"category": "AUDIT",
"level": "<info | error>",
"message": "<human readable explanation>",
"resource": {
"type": "<authentication | mutation>",
"event_scope": "<depends on type>",
"event_access": "<administration>",
"data": "<contextual data linked to the event type>",
"version": "<version of audit log format>"
},
"timestamp": "<event date>",
"version": "<platform version>"
}
Architecture
OpenCTI use different mechanisms to be able to publish actions (audit) or data modification (history)
Audit knowledge
Administration or security actions
With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them
Supported
Not supported for now
Not applicable
Ingestion
Create | Delete | Edit | |
---|---|---|---|
Remote OCTI Streams |
Data sharing
Create | Delete | Edit | |
---|---|---|---|
CSV Feeds | |||
TAXII Feeds | |||
Stream Feeds |
Connectors
Create | Delete | Edit | |
---|---|---|---|
Connectors | State reset | ||
Works |
Parameters
Create | Delete | Edit | |
---|---|---|---|
Platform parameters |
Security
Create | Delete | Edit | |
---|---|---|---|
Roles | |||
Groups | |||
Users | |||
Sessions | |||
Policies |
Customization
Create | Delete | Edit | |
---|---|---|---|
Entity types | |||
Rules engine | |||
Retention policies |
Taxonomies
Create | Delete | Edit | |
---|---|---|---|
Status templates | |||
Case templates + tasks |
Accesses
Listen | |||
---|---|---|---|
Login (success or fail) | |||
Logout | |||
Unauthorized access |
Extended knowledge
Extended knowledge
Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations
Data management
Some history actions are already included in the "basic knowledge". (basic marker)
Read | Create | Delete | Edit | |
---|---|---|---|---|
Platform knowledge | basic | basic | basic | |
Background tasks Knowledge | ||||
Knowledge files | basic | basic | ||
Global data import files | ||||
Analyst workbenches files | ||||
Triggers | ||||
Workspaces | ||||
Investigations | ||||
User profile |
User actions
Supported | ||||
---|---|---|---|---|
Ask for file import | ||||
Ask for data enrichment | ||||
Ask for export generation | ||||
Execute global search |