Getting started
This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threat management use cases, from the technical level up to the strategic one. OpenCTI has been designed as a knowledge graph, taking inputs (threat intelligence feeds, sightings and alerts, vulnerabilities, assets, artifacts, etc.) and generating outputs based on built-in capabilities and/or connectors.
Here are some examples of use cases:
- Cyber Threat Intelligence knowledge base
- Detection as code feeds for XDR, EDR, SIEMs, firewalls, proxies, etc.
- Incident response artifacts & cases management
- Vulnerabilities management
- Reporting, alerting and dashboarding on a subset of data
Welcome dashboard
The welcome dashboard gives any user of the OpenCTI platform an overview of the platform's current activity. It can be replaced by a custom dashboard created by a user (or by the default dashboard assigned to a role, a group or an organization).
Indicators in the dashboard
Numbers
| Component | Description | 
|---|---|
| Total entities | Number of entities (threat actor, intrusion set, indicator, etc.). |
| Total relationships | Number of relationships (targets, uses, indicates, etc.). |
| Total reports | Number of reports. |
| Total observables | Number of observables (IPv4-Addr, File, etc.). |
Charts & lists
| Component | Description | 
|---|---|
| Top labels | Top labels given to entities during the last 3 months. | 
| Ingested entities | Number of entities ingested by month. | 
| Top 10 active entities | List of the entities with the greatest number of relations over the last 3 months. | 
| Targeted countries | Intensity of the targeting of each country, based on the number of `targets` relationships pointing to that country. |
| Observable distribution | Distribution of the number of observables by type. | 
| Last ingested reports | Last reports ingested in the platform. | 

