Skip to content

Activity monitoring


Enterprise edition

Activity unified interface and logging are available under the "Filigran entreprise edition" license.

Please read the dedicated page to have all information

OpenCTI activity capability is the way to unified whats really happen in the platform. With this feature you will be able to answer "who did what, where, and when?" within your data with the maximum level of transparency. Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.


The activity group 3 different concepts that need to be explains.

Basic knowledge

The basic knowledge refers to all stix data knowledge inside OpenCTI. Every create/update/delete actions on that knowledge is accessible through the history. That basic activity is handled by the history manager and can be also found directly on each entity.

Extended knowledge

The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific user/group/organization explicitly configured.

Audit knowledge

Audit is focusing on user administration or security actions. Audit will produces console/logs files along with user interface elements.

  "auth": "<User information>",
  "category": "AUDIT",
  "level": "<info | error>",
  "message": "<human readable explanation>",
  "resource": {
    "type": "<authentication | mutation>",
    "event_scope": "<depends on type>",
    "event_access": "<administration>",
    "data": "<contextual data linked to the event type>",
    "version": "<version of audit log format>"
  "timestamp": "<event date>",
  "version": "<platform version>"

User interface

OpenCTI is providing a unified user interface to access and filter all categories. This dedicated UI provides the easiest experience to consult / analyze / filters all available information.

Audit interface


OpenCTI use different mechanisms to be able to publish actions (audit) or data modification (history)

Audit knowledge

Administration or security actions

With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them

✅ Supported

❌ Not supported for now

🚫 Not applicable


Create Delete Edit
Remote OCTI Streams ✅ ✅ ✅

Data sharing

Create Delete Edit
CSV Feeds ✅ ✅ ✅
TAXII Feeds ✅ ✅ ✅
Stream Feeds ✅ ✅ ✅


Create Delete Edit
Connectors ✅ ✅ ✅ State reset
Works 🚫 ✅ 🚫


Create Delete Edit
Platform parameters 🚫 🚫 ✅


Create Delete Edit
Roles ✅ ✅ ✅
Groups ✅ ✅ ✅
Users ✅ ✅ ✅
Sessions 🚫 ✅ 🚫
Policies 🚫 🚫 ✅


Create Delete Edit
Entity types 🚫 🚫 ✅
Rules engine 🚫 🚫 ✅
Retention policies ✅ ✅ ✅


Create Delete Edit
Status templates ✅ ✅ ✅
Case templates + tasks ✅ ✅ ✅


Login (success or fail) ✅
Logout ✅
Unauthorized access ✅

Extended knowledge

Extended knowledge

Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations

Data management

Some history actions are already included in the "basic knowledge". (basic marker)

Read Create Delete Edit
Platform knowledge ✅ basic basic basic
Background tasks Knowledge 🚫 ✅ ✅ 🚫
Knowledge files ✅ basic basic 🚫
Global data import files ✅ ✅ ✅ 🚫
Analyst workbenches files 🚫 ✅ ✅ 🚫
Triggers 🚫 ✅ ✅ ❌
Workspaces ✅ ✅ ✅ ❌
Investigations ✅ ✅ ✅ ❌
User profile 🚫 🚫 🚫 ✅

User actions

Ask for file import ✅
Ask for data enrichment ✅
Ask for export generation ✅
Execute global search ✅