Activity monitoring
Overview
Enterprise edition
Activity unified interface and logging are available under the "Filigran entreprise edition" license.
OpenCTI activity capability is the way to unified whats really happen in the platform. With this feature you will be able to answer "who did what, where, and when?" within your data with the maximum level of transparency. Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.
Categories
The activity group 3 different concepts that need to be explains.
Basic knowledge
The basic knowledge refers to all stix data knowledge inside OpenCTI. Every create/update/delete actions on that knowledge is accessible through the history. That basic activity is handled by the history manager and can be also found directly on each entity.
Extended knowledge
The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific user/group/organization explicitly configured.
Audit knowledge
Audit is focusing on user administration or security actions. Audit will produces console/logs files along with user interface elements.
{
"auth": "<User information>",
"category": "AUDIT",
"level": "<info | error>",
"message": "<human readable explanation>",
"resource": {
"type": "<authentication | mutation>",
"event_scope": "<depends on type>",
"event_access": "<administration>",
"data": "<contextual data linked to the event type>",
"version": "<version of audit log format>"
},
"timestamp": "<event date>",
"version": "<platform version>"
}
User interface
OpenCTI is providing a unified user interface to access and filter all categories. This dedicated UI provides the easiest experience to consult / analyze / filters all available information.
Architecture
OpenCTI use different mechanisms to be able to publish actions (audit) or data modification (history)
Audit knowledge
Administration or security actions
With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them
Supported
Not supported for now
Not applicable
Ingestion
| Create | Delete | Edit | |
|---|---|---|---|
| Remote OCTI Streams | |
|
|
Data sharing
| Create | Delete | Edit | |
|---|---|---|---|
| CSV Feeds | |
|
|
| TAXII Feeds | |
|
|
| Stream Feeds | |
|
|
Connectors
| Create | Delete | Edit | |
|---|---|---|---|
| Connectors | |
|
State reset |
| Works | |
|
|
Parameters
| Create | Delete | Edit | |
|---|---|---|---|
| Platform parameters | |
|
|
Security
| Create | Delete | Edit | |
|---|---|---|---|
| Roles | |
|
|
| Groups | |
|
|
| Users | |
|
|
| Sessions | |
|
|
| Policies | |
|
|
Customization
| Create | Delete | Edit | |
|---|---|---|---|
| Entity types | |
|
|
| Rules engine | |
|
|
| Retention policies | |
|
|
Taxonomies
| Create | Delete | Edit | |
|---|---|---|---|
| Status templates | |
|
|
| Case templates + tasks | |
|
|
Accesses
| Listen | |||
|---|---|---|---|
| Login (success or fail) | |
||
| Logout | |
||
| Unauthorized access | |
Extended knowledge
Extended knowledge
Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations
Data management
Some history actions are already included in the "basic knowledge". (basic marker)
| Read | Create | Delete | Edit | |
|---|---|---|---|---|
| Platform knowledge | |
basic | basic | basic |
| Background tasks Knowledge | |
|
|
|
| Knowledge files | |
basic | basic | |
| Global data import files | |
|
|
|
| Analyst workbenches files | |
|
|
|
| Triggers | |
|
|
|
| Workspaces | |
|
|
|
| Investigations | |
|
|
|
| User profile | |
|
|
|
User actions
| Supported | ||||
|---|---|---|---|---|
| Ask for file import | |
|||
| Ask for data enrichment | |
|||
| Ask for export generation | |
|||
| Execute global search | |