Overview
Introduction
The following chapter aims at giving the reader a step-by-step description of what is available on the platform and the meaning of the different tabs and entries.
When the user connects to the platform, the home page is the Dashboard
. This Dashboard
contains several visuals summarizing the types and quantity of data recently imported into the platform.
Dashboard
To get more information about the components of the default dashboard, you can consult the Getting started.
The left side panel allows the user to navigate through different windows and access different views and categories of knowledge.
Structure
The "hot knowledge"
The first part of the platform in the left menu is dedicated to what we call the "hot knowledge", which means this is the entities and relationships which are added on a daily basis in the platform and which generally require work / analysis from the users.
Analyses
: all containers which convey relevant knowledge such as reports, groupings and malware analyses.Cases
: all types of case like incident responses, requests for information, for takedown, etc.Events
: all incidents & alerts coming from operational systems as well as sightings.Observations
: all technical data in the platform such as observables, artifacts and indicators.
The "cold knowledge"
The second part of the platform in the left menu is dedicated to the "cold knowledge", which means this is the entities and relationships used in the hot knowledge. You can see this as the "encyclopedia" of all pieces of knowledge you need to get context: threats, countries, sectors, etc.
Threats
: all threats entities from campaigns to threat actors, including intrusion sets.Arsenal
: all tools and pieces of malware used and/or targeted by threats, including vulnerabilities.Techniques
: all objects related to tactics and techniques used by threats (TTPs, etc.).Entities
: all non-geographical contextual information such as sectors, events, organizations, etc.Locations
: all geographical contextual information, from cities to regions, including precise positions.
Hide categories
You can customize the experience in the platform by hiding some categories in the left menu, whether globally or for a specific role.
Hide categories globally
In the Settings > Parameters
, it is possible for the platform administrator to hide categories in the platform for all users.
Hide categories in roles
In OpenCTI, the different roles are highly customizable. It is possible to defined default dashboards, triggers, etc. but also be able to hide categories in the roles:
Presentation of a typical page in OpenCTI
Although there are many different entities in OpenCTI and many different tabs, most of them are quite similar and only have minor differences from the other, mostly due to some of their characteristics, which requires specific fields or do not require some fields which are necessary for the other.
In this part will only be detailed a general outline of a "typical" OpenCTI page. The specifies of the different entities will be detailed in the corresponding pages below (Activities and Knowledge).
Overview
In the Overview
tab on the entity, you will find all properties of the entity as well as the recent activities.
First, you will find the Details
section, where are displayed all properties specific to the type of entity you are looking at, an example below with a piece of malware:
Thus, in the Basic information
section, are displayed all common properties to all objects in OpenCTI, such as the marking definition, the author, the labels (i.e. tags), etc.
Below these two sections, you will find latest modifications in the Knowledge base related to the Entity:
Latest created relationships
: display the latest relationships that have been created from or to this Entity. For example, latest Indicators of Compromise and associated Threat Actor of a Malware.latest containers about the object
: display all the Cases and Analyses that contains this Entity. For example, the latest Reports about a Malware.External references
: display all the external sources associated with the Entity. You will often find here links to external reports or webpages from where Entity's information came from.History
: display the latest chronological modifications of the Entity and its relationships that occurred in the platform, in order to traceback any alteration.
Last, all Notes written by users of the platform about this Entity are displayed in order to access unstructured analysis comments.
Knowledge
In the Knowledge
tab, which is the central part of the entity, you will find all the Knowledge related to the current entity. The Knowledge
tab is different for Analyses (Report
, Groupings
) and Cases (Incident response
, Request for Information
, Request for Takedown
) entities than for all the other entity types.
- The
Knowledge
tab of those entities (who represents Analyses or Cases that can contains a collection of Objects) is the place to integrate and link together entities. For more information on how to integrate information in OpenCTI using the knowledge tab of a report, please refer to the part Manual creation. - The
Knowledge
tabs of any other entity (that does not aim to contain a collection of Objects) gather all the entities which have been at some point linked to the entity the user is looking at. For instance, as shown in the following capture, theKnowledge
tab of Intrusion set APT29, gives access to the list of all entities APT29 is attributed to, all victims the intrusion set has targeted, all its campaigns, TTPs, malware etc. For entities to appear in these tabs underKnowledge
, they need to have been linked to the entity directly or have been computed with the inference engine.
Focus on Indicators and Observables
The Indicators
and Observables
section offers 3 display modes:
- The entities view
, which displays the indicators/observables linked to the entity.
- The relationship view
, which displays the various relationships between the indicators/observables linked to the entity and the entity itself.
- The contextual view
, which displays the indicators/observables contained in the cases and analyses that contain the entity.
Content
The Content
tab allows for uploading and creating outcomes documents related to the content of the current entity (in PDF, text, HTML or markdown files). This specific tab enable to previzualize, manage and write deliverable associated with the entity. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc.
The Content
tab is available for a subset of entities: Report
, Incident
, Incident response
, Request for Information
, and Request for Takedown
.
Analyses
The Analyses
tab contains the list of all Analyses (Report
, Groupings
) and Cases (Incident response
, Request for Information
, Request for Takedown
) in which the entity has been identified.
By default, this tab display the list, but you can also display the content of all the listed Analyses on a graph, allowing you to explore all their Knowledge and have a glance of the context around the Entity.
Data
The Data
tab contains documents that are associated to the object and were either:
- Uploaded to the platform : for instance the PDF document containing the text of the report
- Generated from the platform to be downloaded : a JSON or CSV file containing information on the object and generated by the user.
- associated to an external reference
Analyst Workbench can also be created from here. They will contain the entity by default.
In addition, the Data
tab of Threat actors (group)
, Threat actors (individual)
, Intrusions sets
, Organizations
, Individuals
have an extra panel:
- Pictures Management: allows to manage the profile pictures attached to the entity.
History
The History
tab display the history of change of the Entity, update of attributes, creation of relations, ...
Because of the volumes of information the history is written in a specific index that consume the redis stream to rebuild the history for the UI.
Less frequent tabs
- The
Observables
tab (for Reports and Observed data): A table containing all SCO (Stix Cyber Observable) contained in the Report or the Observed data, with search and filters available. It also displays if the SCO has been added directly or through inferences with the reasoning engine - the
Entities
tab (for Reports and Observed data): A table containing all SDO (Stix Domain Objects) contained in the Report or the Observed data, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine - Observables:
- the
Sightings
tab (for Indicators and Observables): A table containing allSightings
relationships corresponding to events in whichIndicators
(IP, domain name, url, etc.) are detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or EDR.