This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threat management use cases, from a technical to a more strategic level. OpenCTI has been designed as a knowledge graph, taking inputs (threat intelligence feeds, sightings & alerts, vulnerabilities, assets, artifacts, etc.) and generating outputs based on built-in capabilities and/or connectors.
Here are some examples of use cases:
- Cyber Threat Intelligence knowledge base
- Detection as code feeds for XDR, EDR, SIEMs, firewalls, proxies, etc.
- Incident response artifacts & cases management
- Vulnerabilities management
- Reporting, alerting and dashboarding on a subset of data
The welcome page gives any visitor on the OpenCTI platform an overview of the platform's live activity. It can be replaced by a custom dashboard, created by a user (or the default dashboard set for a role, a group or an organization).
Indicators in the dashboard:
- Number of entities (
- Number of relationships (
- Number of reports.
- Number of observables (
Charts & lists:
- Top labels given to entities during the last 3 months.
- Number of entities ingested by month.
- Top 10 active entities: list of the entities with the greatest number of relations over the last 3 months.
- Intensity of the targeting, based on the number of "targets" relations for a given country.
- Distribution of the number of observables by type.
- Last ingested reports: the last reports ingested in the platform.
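To make the widget definitions above concrete, here is an added example (not OpenCTI's own code, which derives these figures from its database through the GraphQL API): a small constructed in-memory knowledge graph with the same aggregations written out in Python. Every entity, relationship, label, date and observable value below is invented for the illustration, and the 24-hour / 3-month windows are taken from the widget descriptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Fixed "now" so the example is reproducible (constructed, not real data).
NOW = datetime(2024, 6, 15)

# Constructed entities (Stix Domain Objects) with ingestion time and labels.
ENTITIES = [
    {"id": "intrusion-set--1", "type": "Intrusion-Set", "name": "Set A",
     "created_at": NOW - timedelta(days=2), "labels": ["apt", "espionage"]},
    {"id": "malware--1", "type": "Malware", "name": "Loader X",
     "created_at": NOW - timedelta(hours=5), "labels": ["loader"]},
    {"id": "tool--1", "type": "Tool", "name": "Tool Y",
     "created_at": NOW - timedelta(days=3), "labels": ["tool"]},
    {"id": "country--fr", "type": "Country", "name": "France",
     "created_at": NOW - timedelta(days=200), "labels": []},
    {"id": "country--de", "type": "Country", "name": "Germany",
     "created_at": NOW - timedelta(days=40), "labels": ["eu"]},
    {"id": "report--1", "type": "Report", "name": "Campaign report",
     "created_at": NOW - timedelta(days=1), "labels": ["apt"]},
]

# Constructed relationships between the entities above.
RELATIONSHIPS = [
    {"from": "intrusion-set--1", "type": "uses", "to": "malware--1", "created_at": NOW - timedelta(days=2)},
    {"from": "intrusion-set--1", "type": "uses", "to": "tool--1", "created_at": NOW - timedelta(days=3)},
    {"from": "intrusion-set--1", "type": "targets", "to": "country--fr", "created_at": NOW - timedelta(days=2)},
    {"from": "malware--1", "type": "targets", "to": "country--fr", "created_at": NOW - timedelta(days=1)},
    {"from": "intrusion-set--1", "type": "targets", "to": "country--de", "created_at": NOW - timedelta(days=120)},
]

# Constructed observables; values come from documentation-reserved ranges.
OBSERVABLES = [
    {"type": "IPv4-Addr", "value": "203.0.113.7"},
    {"type": "Domain-Name", "value": "example.test"},
    {"type": "IPv4-Addr", "value": "198.51.100.9"},
]

THREE_MONTHS = timedelta(days=90)


def count_recent(items, within=timedelta(hours=24)):
    """Indicator widget: total count plus how many were ingested in the last `within`."""
    total = len(items)
    recent = sum(1 for item in items if NOW - item["created_at"] <= within)
    return total, recent


def entities_by_month(entities):
    """Chart: number of entities ingested per calendar month (YYYY-MM)."""
    return dict(Counter(e["created_at"].strftime("%Y-%m") for e in entities))


def top_labels(entities, window=THREE_MONTHS):
    """Chart: labels given to entities ingested during the window, most frequent first."""
    counts = Counter()
    for e in entities:
        if NOW - e["created_at"] <= window:
            counts.update(e["labels"])
    return counts.most_common()


def top_active_entities(entities, relationships, n=10, window=THREE_MONTHS):
    """List: entities with the greatest number of relations (either end) in the window."""
    counts = Counter()
    for r in relationships:
        if NOW - r["created_at"] <= window:
            counts[r["from"]] += 1
            counts[r["to"]] += 1
    names = {e["id"]: e["name"] for e in entities}
    return [(names[entity_id], k) for entity_id, k in counts.most_common(n)]


def targeted_countries(entities, relationships):
    """Map widget: targeting intensity as the number of 'targets' relations per country."""
    countries = {e["id"]: e["name"] for e in entities if e["type"] == "Country"}
    counts = Counter(countries[r["to"]] for r in relationships
                     if r["type"] == "targets" and r["to"] in countries)
    return dict(counts)


def observables_by_type(observables):
    """Chart: distribution of observables by type."""
    return dict(Counter(o["type"] for o in observables))


def last_reports(entities, n=5):
    """List: most recently ingested reports, newest first."""
    reports = sorted((e for e in entities if e["type"] == "Report"),
                     key=lambda e: e["created_at"], reverse=True)
    return [r["name"] for r in reports[:n]]


if __name__ == "__main__":
    print("entities (total, last 24h):", count_recent(ENTITIES))
    print("relationships (total, last 24h):", count_recent(RELATIONSHIPS))
    print("top labels:", top_labels(ENTITIES))
    print("top active entities:", top_active_entities(ENTITIES, RELATIONSHIPS))
    print("targeted countries:", targeted_countries(ENTITIES, RELATIONSHIPS))
```

The point worth noticing is that every widget is an aggregation over relationships and timestamps in the graph, so the "top active entities" and "targeted countries" figures shift as connectors ingest new relations; a custom dashboard replacing the welcome page simply swaps in different filters and windows over the same underlying graph.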