The OpenCTI activity capability is the way to get a unified view of what really happens in the platform.
With this feature you will be able to answer "who did what, where, and when?" within your data with the maximum level of transparency.
Enabling activity helps your security, auditing, and compliance teams monitor the platform for possible vulnerabilities or external data misuse.
Categories
The activity feature groups 3 different concepts that need to be explained.
Basic knowledge
The basic knowledge refers to all STIX data knowledge inside OpenCTI. Every create/update/delete action on that knowledge is accessible through the history.
That basic activity is handled by the history manager and can also be found directly on each entity.
Extended knowledge
The extended knowledge refers to extra information recorded to track specific user activity.
As this kind of tracking is expensive, it is only done for the specific users/groups/organizations that have been explicitly configured.
Audit knowledge
Audit focuses on user administration or security actions.
Audit produces console/log output along with user interface elements. Each audit record is a JSON object with the following layout:
{
  "auth": "<User information>",
  "category": "AUDIT",
  "level": "<info | error>",
  "message": "<human readable explanation>",
  "resource": {
    "type": "<authentication | mutation>",
    "event_scope": "<depends on type>",
    "event_access": "<administration>",
    "data": "<contextual data linked to the event type>",
    "version": "<version of audit log format>"
  },
  "timestamp": "<event date>",
  "version": "<platform version>"
}
User interface
OpenCTI provides a unified user interface to access and filter all categories.
This dedicated UI provides the easiest experience to consult, analyze and filter all available information.
Architecture
OpenCTI uses different mechanisms to publish actions (audit) and data modifications (history).
Audit knowledge
Administration or security actions
With the Enterprise edition activated, administration and security actions are always written; you can't configure, exclude, or disable them.
Legend: Supported / Not supported for now / Not applicable

Ingestion (columns: Create / Delete / Edit)
- Remote OCTI Streams

Data sharing (columns: Create / Delete / Edit)
- CSV Feeds
- TAXII Feeds
- Stream Feeds

Connectors (columns: Create / Delete / Edit)
- Connectors

Connectors (column: State reset)
- Works

Parameters (columns: Create / Delete / Edit)
- Platform parameters

Security (columns: Create / Delete / Edit)
- Roles
- Groups
- Users
- Sessions
- Policies

Customization (columns: Create / Delete / Edit)
- Entity types
- Rules engine
- Retention policies

Taxonomies (columns: Create / Delete / Edit)
- Status templates
- Case templates + tasks

Accesses (column: Listen)
- Login (success or fail)
- Logout
- Unauthorized access
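The audit records described above (JSON objects with a category, a level and a resource of type authentication or mutation) are what a SOC would feed into detection. The following is an added example, not code from OpenCTI or its documentation: it parses a constructed sample of audit lines, discards anything that is not a well-formed AUDIT record, counts failed logins per user, and lists administration mutations. The sample user names, event_scope values ("login", "unauthorized", "update") and data payloads are assumptions made for the illustration; only the field names come from the record layout on this page.

```python
import json
from collections import Counter

# Constructed sample audit stream. Field names follow the audit record layout
# documented above; the values (users, scopes, messages, "x.y.z" version) are
# illustrative and not real OpenCTI output. The last two lines exercise the
# failure modes: a non-audit record and a line that is not JSON at all.
SAMPLE_AUDIT_LOG = """\
{"auth":{"user_id":"u-1","user_email":"alice@example.org"},"category":"AUDIT","level":"info","message":"login","resource":{"type":"authentication","event_scope":"login","event_access":"administration","data":{"provider":"local"},"version":"1"},"timestamp":"2024-05-01T08:00:00.000Z","version":"x.y.z"}
{"auth":{"user_id":"u-2","user_email":"bob@example.org"},"category":"AUDIT","level":"error","message":"login failed","resource":{"type":"authentication","event_scope":"login","event_access":"administration","data":{"provider":"local"},"version":"1"},"timestamp":"2024-05-01T08:01:00.000Z","version":"x.y.z"}
{"auth":{"user_id":"u-2","user_email":"bob@example.org"},"category":"AUDIT","level":"error","message":"login failed","resource":{"type":"authentication","event_scope":"login","event_access":"administration","data":{"provider":"local"},"version":"1"},"timestamp":"2024-05-01T08:01:30.000Z","version":"x.y.z"}
{"auth":{"user_id":"u-2","user_email":"bob@example.org"},"category":"AUDIT","level":"error","message":"unauthorized access","resource":{"type":"authentication","event_scope":"unauthorized","event_access":"administration","data":{"path":"/settings"},"version":"1"},"timestamp":"2024-05-01T08:02:00.000Z","version":"x.y.z"}
{"auth":{"user_id":"u-1","user_email":"alice@example.org"},"category":"AUDIT","level":"info","message":"user edited","resource":{"type":"mutation","event_scope":"update","event_access":"administration","data":{"entity_type":"User","id":"u-3"},"version":"1"},"timestamp":"2024-05-01T08:05:00.000Z","version":"x.y.z"}
{"category":"APP","level":"info","message":"not an audit record","timestamp":"2024-05-01T08:06:00.000Z","version":"x.y.z"}
this line is not JSON and must be skipped
"""


def parse_audit_records(text):
    """Return the well-formed records whose category is AUDIT, in stream order.

    Non-JSON lines and records of other categories are skipped rather than
    raising, because console output mixes audit records with other log lines.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(record, dict) or record.get("category") != "AUDIT":
            continue
        records.append(record)
    return records


def _user_label(record):
    """Best-effort identity from the 'auth' block (shape assumed for the sample)."""
    auth = record.get("auth") or {}
    if isinstance(auth, dict):
        return auth.get("user_email") or auth.get("user_id") or "unknown"
    return str(auth)


def _resource(record):
    resource = record.get("resource")
    return resource if isinstance(resource, dict) else {}


def failed_logins_by_user(records):
    """Count authentication records with level 'error' and scope 'login' per user."""
    counts = Counter()
    for record in records:
        res = _resource(record)
        if (res.get("type") == "authentication"
                and res.get("event_scope") == "login"
                and record.get("level") == "error"):
            counts[_user_label(record)] += 1
    return dict(counts)


def users_over_threshold(records, threshold=2):
    """Users whose failed-login count reaches the threshold (sorted for stable output)."""
    return sorted(user for user, n in failed_logins_by_user(records).items() if n >= threshold)


def unauthorized_accesses(records):
    """(timestamp, user) for authentication records flagged as unauthorized."""
    return [(r.get("timestamp"), _user_label(r)) for r in records
            if _resource(r).get("type") == "authentication"
            and _resource(r).get("event_scope") == "unauthorized"]


def administration_mutations(records):
    """(timestamp, user, scope) for mutations carrying event_access 'administration'."""
    return [(r.get("timestamp"), _user_label(r), _resource(r).get("event_scope"))
            for r in records
            if _resource(r).get("type") == "mutation"
            and _resource(r).get("event_access") == "administration"]


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_AUDIT_LOG)
    print("audit records:", len(recs))
    print("failed logins:", failed_logins_by_user(recs))
    print("users at threshold:", users_over_threshold(recs))
    print("unauthorized:", unauthorized_accesses(recs))
    print("admin mutations:", administration_mutations(recs))
```

Keying the filters on `category`, `level`, `resource.type` and `resource.event_access` keeps the logic tied to the fields the audit format guarantees; the `event_scope` strings are the part to confirm against the records your own platform emits before wiring the thresholds into alerting.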
Extended knowledge
Extended knowledge activity is written only if you activate the feature for a subset of users, groups or organizations.
Data management
Some history actions are already included in the "basic knowledge" (basic marker).