The following chapter aims at giving the reader a step-by-step description of what is available on the platform and the meaning of the different tabs and entries.
When the user connects to the platform, the home page is the
Dashboard contains several visuals summarizing the types and quantity of data recently imported into the platform.
To get more information about the components of the default dashboard, you can consult the Getting started.
The left side panel allows the user to navigate through different windows and access different views and categories of knowledge.
The "hot knowledge"
The first part of the platform in the left menu is dedicated to what we call the "hot knowledge", which means this is the entities and relationships which are added on a daily basis in the platform and which generally require work / analysis from the users.
Analyses: all containers which convey relevant knowledge such as reports, groupings and malware analyses.
Cases: all types of case like incident responses, requests for information, for takedown, etc.
Events: all incidents & alerts coming from operational systems as well as sightings.
Observations: all technical data in the platform such as observables, artifacts and indicators.
The "cold knowledge"
The second part of the platform in the left menu is dedicated to the "cold knowledge", which means this is the entities and relationships used in the hot knowledge. You can see this as the "encyclopedia" of all pieces of knowledge you need to get context: threats, countries, sectors, etc.
Threats: all threats entities from campaigns to threat actors, including intrusion sets.
Arsenal: all tools and pieces of malware used and/or targeted by threats, including vulnerabilities.
Techniques: all objects related to tactics and techniques used by threats (TTPs, etc.).
Entities: all non-geographical contextual information such as sectors, events, organizations, etc.
Locations: all geographical contextual information, from cities to regions, including precise positions.
You can customize the experience in the platform by hiding some categories in the left menu, whether globally or for a specific role.
Hide categories globally
Settings > Parameters, it is possible for the platform administrator to hide categories in the platform for all users.
Hide categories in roles
In OpenCTI, the different roles are highly customizable. It is possible to defined default dashboards, triggers, etc. but also be able to hide categories in the roles:
Presentation of a typical page in OpenCTI
While OpenCTI features numerous entities and tabs, many of them share similarities, with only minor differences arising from specific characteristics. These differences may involve the inclusion or exclusion of certain fields, depending on the nature of the entity.
In this part will only be detailed a general outline of a "typical" OpenCTI page. The specifies of the different entities will be detailed in the corresponding pages below (Activities and Knowledge).
Overview tab on the entity, you will find all properties of the entity as well as the recent activities.
First, you will find the
Details section, where are displayed all properties specific to the type of entity you are looking at, an example below with a piece of malware:
Thus, in the
Basic information section, are displayed all common properties to all objects in OpenCTI, such as the marking definition, the author, the labels (i.e. tags), etc.
Below these two sections, you will find latest modifications in the Knowledge base related to the Entity:
Latest created relationships: display the latest relationships that have been created from or to this Entity. For example, latest Indicators of Compromise and associated Threat Actor of a Malware.
latest containers about the object: display all the Cases and Analyses that contains this Entity. For example, the latest Reports about a Malware.
External references: display all the external sources associated with the Entity. You will often find here links to external reports or webpages from where Entity's information came from.
History: display the latest chronological modifications of the Entity and its relationships that occurred in the platform, in order to traceback any alteration.
Last, all Notes written by users of the platform about this Entity are displayed in order to access unstructured analysis comments.
Knowledge tab, which is the central part of the entity, you will find all the Knowledge related to the current entity. The
Knowledge tab is different for Analyses (
Groupings) and Cases (
Request for Information,
Request for Takedown) entities than for all the other entity types.
Knowledgetab of those entities (who represents Analyses or Cases that can contains a collection of Objects) is the place to integrate and link together entities. For more information on how to integrate information in OpenCTI using the knowledge tab of a report, please refer to the part Manual creation.
Knowledgetabs of any other entity (that does not aim to contain a collection of Objects) gather all the entities which have been at some point linked to the entity the user is looking at. For instance, as shown in the following capture, the
Knowledgetab of Intrusion set APT29, gives access to the list of all entities APT29 is attributed to, all victims the intrusion set has targeted, all its campaigns, TTPs, malware etc. For entities to appear in these tabs under
Knowledge, they need to have been linked to the entity directly or have been computed with the inference engine.
Focus on Indicators and Observables
Observables section offers 3 display modes:
entities view, which displays the indicators/observables linked to the entity.
relationship view, which displays the various relationships between the indicators/observables linked to the entity and the entity itself.
contextual view, which displays the indicators/observables contained in the cases and analyses that contain the entity.
Content tab allows for uploading and creating outcomes documents related to the content of the current entity (in PDF, text, HTML or markdown files). This specific tab enable to previzualize, manage and write deliverable associated with the entity. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc.
Content tab is available for a subset of entities:
Request for Information, and
Request for Takedown.
Analyses tab contains the list of all Analyses (
Groupings) and Cases (
Request for Information,
Request for Takedown) in which the entity has been identified.
By default, this tab display the list, but you can also display the content of all the listed Analyses on a graph, allowing you to explore all their Knowledge and have a glance of the context around the Entity.
Data tab contains documents that are associated to the object and were either:
- Uploaded to the platform : for instance the PDF document containing the text of the report
- Generated from the platform to be downloaded : a JSON or CSV file containing information on the object and generated by the user.
- associated to an external reference
Analyst Workbench can also be created from here. They will contain the entity by default.
In addition, the
Data tab of
Threat actors (group),
Threat actors (individual),
Individuals have an extra panel:
- Pictures Management: allows to manage the profile pictures attached to the entity.
History tab displays the history of change of the Entity, update of attributes, creation of relations, ...
Less frequent tabs
Observablestab (for Reports and Observed data): A table containing all SCO (Stix Cyber Observable) contained in the Report or the Observed data, with search and filters available. It also displays if the SCO has been added directly or through inferences with the reasoning engine
Entitiestab (for Reports and Observed data): A table containing all SDO (Stix Domain Objects) contained in the Report or the Observed data, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine
Sightingstab (for Indicators and Observables): A table containing all
Sightingsrelationships corresponding to events in which
Indicators(IP, domain name, URL, etc.) are detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or EDR.