Overview
Overview
Enterprise edition
Activity unified interface and logging are available under the "OpenCTI Enterprise Edition" license.
OpenCTI activity capability is the way to unify what's really happening in the platform. With this feature you will be able to answer "who did what, where, and when?" within your data with the maximum level of transparency.
Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.
Categories
The activity groups 3 different concepts that need to be explained.
Basic knowledge
The basic knowledge refers to all STIX data knowledge inside OpenCTI. Every create/update/delete action on that knowledge is accessible through the history. That basic activity is handled by the history manager and can also be found directly on each entity.
Extended knowledge
The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific users/groups/organizations explicitly configured in the configuration window.
Audit knowledge
Audit is focusing on user administration or security actions. Audit will produce console/logs files along with user interface elements.
{
"auth": "<User information>",
"category": "AUDIT",
"level": "<info | error>",
"message": "<human readable explanation>",
"resource": {
"type": "<authentication | mutation>",
"event_scope": "<depends on type>",
"event_access": "<administration>",
"data": "<contextual data linked to the event type>",
"version": "<version of audit log format>"
},
"timestamp": "<event date>",
"version": "<platform version>"
}
Architecture
OpenCTI uses different mechanisms to be able to publish actions (audit) or data modification (history)
Audit knowledge
Administration or security actions
With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them
Supported
Not supported for now
Not applicable
Ingestion
| Create | Delete | Edit | |
|---|---|---|---|
| Remote OCTI Streams | |
|
|
Data sharing
| Create | Delete | Edit | |
|---|---|---|---|
| CSV Feeds | |
|
|
| TAXII Feeds | |
|
|
| Stream Feeds | |
|
|
Connectors
| Create | Delete | Edit | |
|---|---|---|---|
| Connectors | |
|
State reset |
| Works | |
|
|
Parameters
| Create | Delete | Edit | |
|---|---|---|---|
| Platform parameters | |
|
|
Security
| Create | Delete | Edit | |
|---|---|---|---|
| Roles | |
|
|
| Groups | |
|
|
| Users | |
|
|
| Sessions | |
|
|
| Policies | |
|
|
Customization
| Create | Delete | Edit | |
|---|---|---|---|
| Entity types | |
|
|
| Rules engine | |
|
|
| Retention policies | |
|
|
Taxonomies
| Create | Delete | Edit | |
|---|---|---|---|
| Status templates | |
|
|
| Case templates + tasks | |
|
|
Accesses
| Listen | |||
|---|---|---|---|
| Login (success or fail) | |
||
| Logout | |
||
| Unauthorized access | |
Extended knowledge
Extended knowledge
Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations
Data management
Some history actions are already included in the "basic knowledge". (basic marker)
| Read | Create | Delete | Edit | |
|---|---|---|---|---|
| Platform knowledge | |
basic | basic | basic |
| Background tasks knowledge | |
|
|
|
| Knowledge files | |
basic | basic | |
| Global data import files | |
|
|
|
| Analyst workbenches files | |
|
|
|
| Triggers | |
|
|
|
| Workspaces | |
|
|
|
| Investigations | |
|
|
|
| User profile | |
|
|
|
User actions
| Supported | ||||
|---|---|---|---|---|
| Ask for file import | |
|||
| Ask for data enrichment | |
|||
| Ask for export generation | |
|||
| Execute global search | |