Skip to content

Location

OpenCTI's Locations objects provides a comprehensive framework for representing various geographic entities within your threat intelligence data. With five distinct Location object types, you can precisely define regions, countries, areas, cities, and specific positions. This robust classification empowers you to contextualize threats geographically, enhancing the depth and accuracy of your analysis.

When you click on "Locations" in the left-side bar, you access all the "Locations" tabs, visible on the top bar on the left. By default, the user directly access the "Regions" tab, but can navigate to the other tabs as well.

From the Locations section, users can access the following tabs:

  • Regions: very large geographical territories, such as a continent.
  • Countries: the world's countries.
  • Areas: more or less extensive geographical areas and often not having a very defined limit
  • Cities: the world's cities.
  • Positions: very precise positions on the globe.

Regions

General presentation

Regions encapsulate broader geographical territories, often representing continents or significant parts of continents. Examples include EMEA (Europe, Middle East, and Africa), Asia, Western Europe, and North America. Utilize regions to categorize large geopolitical areas and gain macro-level insights into threat patterns.

When clicking on the Regions tab at the top left, you see the list of all the Regions you have access to, in respect with your allowed marking definitions.

Regions list

Visualizing Knowledge associated with a Region

When clicking on a Region in the list, you land on its Overview tab. For a Region, the following tabs are accessible:

  • Overview: as described here, with the particularity of not having a Details section but a map locating the Region.
  • Knowledge: a complex tab that regroups all the structured Knowledge linked to the Region. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Region. As described here.
  • Content: This specific tab allows to previzualize, manage and write deliverable associated with the Location. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.
  • Analyses: as described here.
  • Sightings: a table containing all Sightings relationships corresponding to events in which an Indicator (IP, domain name, url, etc.) is sighted in a Region.
  • Data: as described here.
  • History: as described here.

Region Overview

Countries

General presentation

Countries represent individual nations across the world. With this object type, you can specify detailed information about a particular country, enabling precise localization of threat intelligence data. Countries are fundamental entities in geopolitical analysis, offering a focused view of activities within national borders.

When clicking on the Countries tab at the top left, you see the list of all the Countries you have access to, in respect with your allowed marking definitions.

Countries list

Visualizing Knowledge associated with a Country

When clicking on a Country in the list, you land on its Overview tab. For a Country, the following tabs are accessible:

  • Overview: as described here, with the particularity of not having a Details section but a map locating the Country.
  • Knowledge: a complex tab that regroups all the structured Knowledge linked to the Country. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Country. As described here.
  • Content: This specific tab allows to previzualize, manage and write deliverable associated with the Country. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.
  • Analyses: as described here.
  • Sightings: a table containing all Sightings relationships corresponding to events in which an Indicator (IP, domain name, url, etc.) is sighted in a Country.
  • Data: as described here.
  • History: as described here.

Areas

General presentation

Areas define specific geographical regions of interest, such as the Persian Gulf, the Balkans, or the Caucasus. Use areas to identify unique zones with distinct geopolitical, cultural, or strategic significance. This object type facilitates nuanced analysis of threats within defined geographic contexts.

When clicking on the Areas tab at the top left, you see the list of all the Areas you have access to, in respect with your allowed marking definitions.

Areas list

Visualizing Knowledge associated with an Area

When clicking on an Area in the list, you land on its Overview tab. For an Area, the following tabs are accessible:

  • Overview: as described here, with the particularity of not having a Details section but a map locating the Area.
  • Knowledge: a complex tab that regroups all the structured Knowledge linked to the Area. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Area. As described here.
  • Content: This specific tab allows to previzualize, manage and write deliverable associated with the Area. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.
  • Analyses: as described here.
  • Sightings: a table containing all Sightings relationships corresponding to events in which an Indicator (IP, domain name, url, etc.) is sighted in an Area.
  • Data: as described here.
  • History: as described here.

Cities

General presentation

Cities provide granular information about urban centers worldwide. From major metropolises to smaller towns, cities are crucial in understanding localized threat activities. With this object type, you can pinpoint threats at the urban level, aiding in tactical threat assessments and response planning.

When clicking on the Cities tab at the top left, you see the list of all the Cities you have access to, in respect with your allowed marking definitions.

Cities list

Visualizing Knowledge associated with a City

When clicking on a City in the list, you land on its Overview tab. For a City, the following tabs are accessible:

  • Overview: as described here, with the particularity of not having a Details section but a map locating the City.
  • Knowledge: a complex tab that regroups all the structured Knowledge linked to the City. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the City. As described here.
  • Content: This specific tab allows to previzualize, manage and write deliverable associated with the City. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.
  • Analyses: as described here.
  • Sightings: a table containing all Sightings relationships corresponding to events in which an Indicator (IP, domain name, url, etc.) is sighted in a City.
  • Data: as described here.
  • History: as described here.

Positions

General presentation

Positions represent highly precise geographical points, such as monuments, buildings, or specific event locations. This object type allows you to define exact coordinates, enabling accurate mapping of events or incidents. Positions enhance the granularity of your threat intelligence data, facilitating precise geospatial analysis.

When clicking on the Positions tab at the top left, you see the list of all the Positions you have access to, in respect with your allowed marking definitions.

Positions list

Visualizing Knowledge associated with a Position

When clicking on a Position in the list, you land on its Overview tab. For a Position, the following tabs are accessible:

  • Overview: as described here, with the particularity to display a map locating the Position.
  • Knowledge: a complex tab that regroups all the structured Knowledge linked to the Position. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Position. As described here.
  • Content: This specific tab allows to previzualize, manage and write deliverable associated with the Position. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.
  • Analyses: as described here.
  • Sightings: a table containing all Sightings relationships corresponding to events in which an Indicator (IP, domain name, url, etc.) is sighted at a Position.
  • Data: as described here.
  • History: as described here.