From d67997aef5ad140080c993ee663ca30ae47112f9 Mon Sep 17 00:00:00 2001
From: Samuel Hassine <samuel.hassine@filigran.io>
Date: Fri, 8 Mar 2024 09:06:28 +0100
Subject: [PATCH] Deployed e6ae5b2 to 6.0.X with MkDocs 1.5.3 and mike
 2.1.0.dev0

---
 6.0.X/404.html                                |   2 +-
 .../audit/configuration/index.html            |   2 +-
 6.0.X/administration/audit/events/index.html  |   2 +-
 .../administration/audit/overview/index.html  |   2 +-
 .../administration/audit/triggers/index.html  |   2 +-
 6.0.X/administration/csv-mappers/index.html   |   2 +-
 6.0.X/administration/decay-rules/index.html   |   2 +-
 6.0.X/administration/enterprise/index.html    |   2 +-
 6.0.X/administration/entities/index.html      |   2 +-
 6.0.X/administration/file-indexing/index.html |   2 +-
 6.0.X/administration/introduction/index.html  |   2 +-
 6.0.X/administration/merging/index.html       |   2 +-
 .../notifier-samples/index.html               |   2 +-
 6.0.X/administration/notifiers/index.html     |   2 +-
 6.0.X/administration/ontologies/index.html    |   2 +-
 6.0.X/administration/parameters/index.html    |   2 +-
 6.0.X/administration/policies/index.html      |   2 +-
 6.0.X/administration/reasoning/index.html     |   2 +-
 6.0.X/administration/retentions/index.html    |   2 +-
 6.0.X/administration/segregation/index.html   |   2 +-
 6.0.X/administration/users/index.html         |   2 +-
 6.0.X/deployment/authentication/index.html    |   2 +-
 6.0.X/deployment/clustering/index.html        |   2 +-
 6.0.X/deployment/configuration/index.html     |  20 +-
 6.0.X/deployment/connectors/index.html        |   2 +-
 6.0.X/deployment/installation/index.html      |   2 +-
 6.0.X/deployment/integrations/index.html      |   2 +-
 6.0.X/deployment/managers/index.html          |   2 +-
 6.0.X/deployment/overview/index.html          |   2 +-
 6.0.X/deployment/resources/index.html         |   2 +-
 6.0.X/deployment/rollover/index.html          |   2 +-
 6.0.X/deployment/troubleshooting/index.html   |   2 +-
 6.0.X/deployment/upgrade/index.html           |   2 +-
 6.0.X/development/api-usage/index.html        |   2 +-
 6.0.X/development/connectors/index.html       |   2 +-
 .../development/environment_ubuntu/index.html |   2 +-
 .../environment_windows/index.html            |   2 +-
 6.0.X/development/platform/index.html         |   2 +-
 6.0.X/development/python/index.html           |   2 +-
 6.0.X/index.html                              |   2 +-
 6.0.X/reference/api/index.html                |   2 +-
 6.0.X/reference/data-intelligence/index.html  |   2 +-
 6.0.X/reference/data-model/index.html         |   2 +-
 6.0.X/reference/filters-migration/index.html  |   2 +-
 6.0.X/reference/filters/index.html            |   2 +-
 6.0.X/reference/fips/index.html               |   2 +-
 6.0.X/reference/streaming/index.html          |   2 +-
 6.0.X/reference/taxonomy/index.html           |   2 +-
 6.0.X/search/search_index.json                |   2 +-
 6.0.X/sitemap.xml                             | 170 ++++++------
 6.0.X/sitemap.xml.gz                          | Bin 881 -> 876 bytes
 6.0.X/usage/{AskAI => ask-ai}/index.html      | 260 ++++++++++++++++--
 6.0.X/usage/automation/index.html             |   2 +-
 6.0.X/usage/background-tasks/index.html       |   2 +-
 6.0.X/usage/case-management/index.html        |   6 +-
 6.0.X/usage/containers/index.html             |   2 +-
 6.0.X/usage/dashboards/index.html             |   2 +-
 6.0.X/usage/data-model/index.html             |   2 +-
 6.0.X/usage/deduplication/index.html          |   2 +-
 6.0.X/usage/enrichment/index.html             |   2 +-
 6.0.X/usage/exploring-analysis/index.html     |   2 +-
 6.0.X/usage/exploring-arsenal/index.html      |   2 +-
 6.0.X/usage/exploring-cases/index.html        |   2 +-
 6.0.X/usage/exploring-entities/index.html     |   2 +-
 6.0.X/usage/exploring-events/index.html       |   2 +-
 6.0.X/usage/exploring-locations/index.html    |   2 +-
 6.0.X/usage/exploring-observations/index.html |   2 +-
 6.0.X/usage/exploring-techniques/index.html   |   2 +-
 6.0.X/usage/exploring-threats/index.html      |   2 +-
 6.0.X/usage/export/index.html                 |   2 +-
 6.0.X/usage/feeds/index.html                  |   2 +-
 6.0.X/usage/getting-started/index.html        |   2 +-
 6.0.X/usage/import-automated/index.html       |   2 +-
 6.0.X/usage/import-files/index.html           |   2 +-
 6.0.X/usage/indicators-lifecycle/index.html   |   2 +-
 6.0.X/usage/inferences/index.html             |   2 +-
 6.0.X/usage/manual-creation/index.html        |   2 +-
 6.0.X/usage/merging/index.html                |   6 +-
 6.0.X/usage/nested/index.html                 |   2 +-
 6.0.X/usage/notifications/index.html          |   2 +-
 6.0.X/usage/overview/index.html               |   2 +-
 6.0.X/usage/pivoting/index.html               |   2 +-
 6.0.X/usage/reliability-confidence/index.html |   2 +-
 6.0.X/usage/search/index.html                 |   2 +-
 6.0.X/usage/tips-widget-creation/index.html   |   2 +-
 6.0.X/usage/widgets/index.html                |   2 +-
 6.0.X/usage/workbench/index.html              |   2 +-
 6.0.X/usage/workflows/index.html              |   2 +-
 88 files changed, 430 insertions(+), 196 deletions(-)
 rename 6.0.X/usage/{AskAI => ask-ai}/index.html (92%)

diff --git a/6.0.X/404.html b/6.0.X/404.html
index 5fe38395..e1a51c3d 100755
--- a/6.0.X/404.html
+++ b/6.0.X/404.html
@@ -2001,7 +2001,7 @@
   
   
     <li class="md-nav__item">
-      <a href="/latest/usage/AskAI/" class="md-nav__link">
+      <a href="/latest/usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/audit/configuration/index.html b/6.0.X/administration/audit/configuration/index.html
index cc2a0d11..0a16e1bf 100755
--- a/6.0.X/administration/audit/configuration/index.html
+++ b/6.0.X/administration/audit/configuration/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../../usage/AskAI/" class="md-nav__link">
+      <a href="../../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/audit/events/index.html b/6.0.X/administration/audit/events/index.html
index ffe03220..11095864 100755
--- a/6.0.X/administration/audit/events/index.html
+++ b/6.0.X/administration/audit/events/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../../usage/AskAI/" class="md-nav__link">
+      <a href="../../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/audit/overview/index.html b/6.0.X/administration/audit/overview/index.html
index 9011d531..c2f10748 100755
--- a/6.0.X/administration/audit/overview/index.html
+++ b/6.0.X/administration/audit/overview/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../../usage/AskAI/" class="md-nav__link">
+      <a href="../../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/audit/triggers/index.html b/6.0.X/administration/audit/triggers/index.html
index a8223b08..5aef1ca4 100755
--- a/6.0.X/administration/audit/triggers/index.html
+++ b/6.0.X/administration/audit/triggers/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../../usage/AskAI/" class="md-nav__link">
+      <a href="../../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/csv-mappers/index.html b/6.0.X/administration/csv-mappers/index.html
index 621e4929..5a114759 100755
--- a/6.0.X/administration/csv-mappers/index.html
+++ b/6.0.X/administration/csv-mappers/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/decay-rules/index.html b/6.0.X/administration/decay-rules/index.html
index f88c1a83..3aa25b26 100755
--- a/6.0.X/administration/decay-rules/index.html
+++ b/6.0.X/administration/decay-rules/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/enterprise/index.html b/6.0.X/administration/enterprise/index.html
index 85c247cc..8b28b663 100755
--- a/6.0.X/administration/enterprise/index.html
+++ b/6.0.X/administration/enterprise/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/entities/index.html b/6.0.X/administration/entities/index.html
index 62937da7..b2b4640a 100755
--- a/6.0.X/administration/entities/index.html
+++ b/6.0.X/administration/entities/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/file-indexing/index.html b/6.0.X/administration/file-indexing/index.html
index e22d0860..57227ca7 100755
--- a/6.0.X/administration/file-indexing/index.html
+++ b/6.0.X/administration/file-indexing/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/introduction/index.html b/6.0.X/administration/introduction/index.html
index 445da5a5..54efba96 100755
--- a/6.0.X/administration/introduction/index.html
+++ b/6.0.X/administration/introduction/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/merging/index.html b/6.0.X/administration/merging/index.html
index fa67f06a..21022286 100755
--- a/6.0.X/administration/merging/index.html
+++ b/6.0.X/administration/merging/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/notifier-samples/index.html b/6.0.X/administration/notifier-samples/index.html
index 2936f19a..ed5ba6c9 100755
--- a/6.0.X/administration/notifier-samples/index.html
+++ b/6.0.X/administration/notifier-samples/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/notifiers/index.html b/6.0.X/administration/notifiers/index.html
index 0f586ed6..5c17d63d 100755
--- a/6.0.X/administration/notifiers/index.html
+++ b/6.0.X/administration/notifiers/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/ontologies/index.html b/6.0.X/administration/ontologies/index.html
index 5a96d871..0d21770f 100755
--- a/6.0.X/administration/ontologies/index.html
+++ b/6.0.X/administration/ontologies/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/parameters/index.html b/6.0.X/administration/parameters/index.html
index 9270f315..ffa1b0bc 100755
--- a/6.0.X/administration/parameters/index.html
+++ b/6.0.X/administration/parameters/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/policies/index.html b/6.0.X/administration/policies/index.html
index cc10d95c..a2df2f41 100755
--- a/6.0.X/administration/policies/index.html
+++ b/6.0.X/administration/policies/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/reasoning/index.html b/6.0.X/administration/reasoning/index.html
index 5a8a41fb..148635a7 100755
--- a/6.0.X/administration/reasoning/index.html
+++ b/6.0.X/administration/reasoning/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/retentions/index.html b/6.0.X/administration/retentions/index.html
index f41c92cf..721a2526 100755
--- a/6.0.X/administration/retentions/index.html
+++ b/6.0.X/administration/retentions/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/segregation/index.html b/6.0.X/administration/segregation/index.html
index 4c09ac4a..bec51dd0 100755
--- a/6.0.X/administration/segregation/index.html
+++ b/6.0.X/administration/segregation/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/administration/users/index.html b/6.0.X/administration/users/index.html
index 0ee536da..667edb6f 100755
--- a/6.0.X/administration/users/index.html
+++ b/6.0.X/administration/users/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/authentication/index.html b/6.0.X/deployment/authentication/index.html
index 428ea585..8a370a94 100755
--- a/6.0.X/deployment/authentication/index.html
+++ b/6.0.X/deployment/authentication/index.html
@@ -2267,7 +2267,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/clustering/index.html b/6.0.X/deployment/clustering/index.html
index f42f2184..20a4d707 100755
--- a/6.0.X/deployment/clustering/index.html
+++ b/6.0.X/deployment/clustering/index.html
@@ -2201,7 +2201,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/configuration/index.html b/6.0.X/deployment/configuration/index.html
index 48783d91..e5d6e6a6 100755
--- a/6.0.X/deployment/configuration/index.html
+++ b/6.0.X/deployment/configuration/index.html
@@ -2384,7 +2384,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -5525,6 +5525,12 @@ <h4 id="elasticsearch">ElasticSearch</h4>
 <td style="text-align: left;"><code>elk</code> or <code>opensearch</code>, default is <code>auto</code>, please put <code>elk</code> if you use token auth.</td>
 </tr>
 <tr>
+<td style="text-align: left;">elasticsearch:engine_check</td>
+<td style="text-align: left;">ELASTICSEARCH__ENGINE_CHECK</td>
+<td style="text-align: left;">false</td>
+<td style="text-align: left;">Disable Search Engine <a href="../overview/#dependencies">compatibility matrix</a> verification. <br> <strong>Caution</strong>: OpenCTI was developed in compliance with the <a href="../overview/#dependencies">compatibility matrix</a>. Setting the parameter to <code>true</code> may result in negative impacts.</td>
+</tr>
+<tr>
 <td style="text-align: left;">elasticsearch:url</td>
 <td style="text-align: left;">ELASTICSEARCH__URL</td>
 <td style="text-align: left;">http://localhost:9200</td>
@@ -6450,7 +6456,7 @@ <h2 id="elasticsearch_1">ElasticSearch</h2>
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-03-02T09:39:30+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-03-02</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-03-02T11:57:10+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-03-02</span>
   </span>
 
     
@@ -6478,6 +6484,11 @@ <h2 id="elasticsearch_1">ElasticSearch</h2>
     
     <nav>
       
+        <a href="https://github.com/c-neto" class="md-author" title="@c-neto">
+          
+          <img src="https://avatars.githubusercontent.com/u/26532223?v=4&size=72" alt="c-neto">
+        </a>
+      
         <a href="https://github.com/SamuelHassine" class="md-author" title="@SamuelHassine">
           
           <img src="https://avatars.githubusercontent.com/u/1334279?v=4&size=72" alt="SamuelHassine">
@@ -6493,11 +6504,6 @@ <h2 id="elasticsearch_1">ElasticSearch</h2>
           <img src="https://avatars.githubusercontent.com/u/668192?v=4&size=72" alt="SouadHadjiat">
         </a>
       
-        <a href="https://github.com/c-neto" class="md-author" title="@c-neto">
-          
-          <img src="https://avatars.githubusercontent.com/u/26532223?v=4&size=72" alt="c-neto">
-        </a>
-      
       
       
         
diff --git a/6.0.X/deployment/connectors/index.html b/6.0.X/deployment/connectors/index.html
index e15bf31d..7a329844 100755
--- a/6.0.X/deployment/connectors/index.html
+++ b/6.0.X/deployment/connectors/index.html
@@ -2267,7 +2267,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/installation/index.html b/6.0.X/deployment/installation/index.html
index a66fefdb..e8f53a6e 100755
--- a/6.0.X/deployment/installation/index.html
+++ b/6.0.X/deployment/installation/index.html
@@ -2484,7 +2484,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/integrations/index.html b/6.0.X/deployment/integrations/index.html
index ed8222c4..5b1ebd52 100755
--- a/6.0.X/deployment/integrations/index.html
+++ b/6.0.X/deployment/integrations/index.html
@@ -2212,7 +2212,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/managers/index.html b/6.0.X/deployment/managers/index.html
index 9ff97012..914455d8 100755
--- a/6.0.X/deployment/managers/index.html
+++ b/6.0.X/deployment/managers/index.html
@@ -2205,7 +2205,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/overview/index.html b/6.0.X/deployment/overview/index.html
index 90283276..f2001529 100755
--- a/6.0.X/deployment/overview/index.html
+++ b/6.0.X/deployment/overview/index.html
@@ -2162,7 +2162,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/resources/index.html b/6.0.X/deployment/resources/index.html
index 4351838b..8ebc27d3 100755
--- a/6.0.X/deployment/resources/index.html
+++ b/6.0.X/deployment/resources/index.html
@@ -2117,7 +2117,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/rollover/index.html b/6.0.X/deployment/rollover/index.html
index d4e37ac6..e973b4e0 100755
--- a/6.0.X/deployment/rollover/index.html
+++ b/6.0.X/deployment/rollover/index.html
@@ -2250,7 +2250,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/troubleshooting/index.html b/6.0.X/deployment/troubleshooting/index.html
index 6b269693..5727af43 100755
--- a/6.0.X/deployment/troubleshooting/index.html
+++ b/6.0.X/deployment/troubleshooting/index.html
@@ -2173,7 +2173,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/deployment/upgrade/index.html b/6.0.X/deployment/upgrade/index.html
index b04e3bec..c5c18eeb 100755
--- a/6.0.X/deployment/upgrade/index.html
+++ b/6.0.X/deployment/upgrade/index.html
@@ -2123,7 +2123,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/development/api-usage/index.html b/6.0.X/development/api-usage/index.html
index 45a7b5c0..de16d27e 100755
--- a/6.0.X/development/api-usage/index.html
+++ b/6.0.X/development/api-usage/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/development/connectors/index.html b/6.0.X/development/connectors/index.html
index 74678fbd..03c3cec0 100755
--- a/6.0.X/development/connectors/index.html
+++ b/6.0.X/development/connectors/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/development/environment_ubuntu/index.html b/6.0.X/development/environment_ubuntu/index.html
index 0dc6cfb3..a76fd473 100755
--- a/6.0.X/development/environment_ubuntu/index.html
+++ b/6.0.X/development/environment_ubuntu/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/development/environment_windows/index.html b/6.0.X/development/environment_windows/index.html
index 212d182a..a188c85f 100755
--- a/6.0.X/development/environment_windows/index.html
+++ b/6.0.X/development/environment_windows/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/development/platform/index.html b/6.0.X/development/platform/index.html
index a83963f7..7b696705 100755
--- a/6.0.X/development/platform/index.html
+++ b/6.0.X/development/platform/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/development/python/index.html b/6.0.X/development/python/index.html
index fcab8d5e..4d4cf8f4 100755
--- a/6.0.X/development/python/index.html
+++ b/6.0.X/development/python/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/index.html b/6.0.X/index.html
index a32dae21..e74d6794 100755
--- a/6.0.X/index.html
+++ b/6.0.X/index.html
@@ -2115,7 +2115,7 @@
   
   
     <li class="md-nav__item">
-      <a href="usage/AskAI/" class="md-nav__link">
+      <a href="usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/api/index.html b/6.0.X/reference/api/index.html
index 1aba2515..1cdc59e9 100755
--- a/6.0.X/reference/api/index.html
+++ b/6.0.X/reference/api/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/data-intelligence/index.html b/6.0.X/reference/data-intelligence/index.html
index d61e4464..432422d8 100755
--- a/6.0.X/reference/data-intelligence/index.html
+++ b/6.0.X/reference/data-intelligence/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/data-model/index.html b/6.0.X/reference/data-model/index.html
index 6aea3ad0..5eff76e4 100755
--- a/6.0.X/reference/data-model/index.html
+++ b/6.0.X/reference/data-model/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/filters-migration/index.html b/6.0.X/reference/filters-migration/index.html
index 9695e90f..c5014759 100755
--- a/6.0.X/reference/filters-migration/index.html
+++ b/6.0.X/reference/filters-migration/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/filters/index.html b/6.0.X/reference/filters/index.html
index 1c3165e8..78aca183 100755
--- a/6.0.X/reference/filters/index.html
+++ b/6.0.X/reference/filters/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/fips/index.html b/6.0.X/reference/fips/index.html
index da837d51..f141ac97 100755
--- a/6.0.X/reference/fips/index.html
+++ b/6.0.X/reference/fips/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/streaming/index.html b/6.0.X/reference/streaming/index.html
index ae0a4ddd..07ddf94b 100755
--- a/6.0.X/reference/streaming/index.html
+++ b/6.0.X/reference/streaming/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/reference/taxonomy/index.html b/6.0.X/reference/taxonomy/index.html
index 39806c63..f90a763d 100755
--- a/6.0.X/reference/taxonomy/index.html
+++ b/6.0.X/reference/taxonomy/index.html
@@ -2027,7 +2027,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../usage/AskAI/" class="md-nav__link">
+      <a href="../../usage/ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/search/search_index.json b/6.0.X/search/search_index.json
index 38ef5f48..f5d54b39 100755
--- a/6.0.X/search/search_index.json
+++ b/6.0.X/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"],"fields":{"title":{"boost":1000.0},"text":{"boost":1.0},"tags":{"boost":1000000.0}}},"docs":[{"location":"","title":"OpenCTI Documentation Space","text":"<p>Welcome to the OpenCTI Documentation space. Here you will be able to find all documents, meeting notes and presentations about the platform.</p> <p>Release notes</p> <p>Please, be sure to also take a look at the OpenCTI releases notes, they may contain important information about releases and deployments.</p>"},{"location":"#introduction","title":"Introduction","text":"<p>OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.</p>"},{"location":"#getting-started","title":"Getting started","text":"<ul> <li> <p> Deployment &amp; Setup</p> <p>Learn how to deploy and configure the platform as well as launch connectors to get the first data in OpenCTI.</p> <p> Deploy now</p> </li> <li> <p> User Guide</p> <p>Understand how to use the platform, explore the knowledge, import and export information, create dashboard, etc.</p> <p> Explore</p> </li> <li> <p> Administration</p> <p>Know how to administrate OpenCTI, create users and groups using RBAC / segregation, put retention policies and custom taxonomies.</p> <p> Customize</p> </li> </ul> <p>Need more help?</p> <p>We are doing our best to keep this documentation complete, accurate and up to date. </p> <p>If you still have questions or you find something which is not sufficiently explained, join the Filigran Community on Slack.</p>"},{"location":"#latest-blog-posts","title":"Latest blog posts","text":"<p>All tutorials are published directly on the Medium blog, this section provides a comprehensive list of the most important ones.</p> <ul> <li> <p>Introducing malware analysis: enhance your cybersecurity triage with OpenCTI <sub><sup>Jul 22, 2023</sup></sub></p> <p>As a cybersecurity analyst, you understand the importance of quickly identifying and analyzing suspicious or malicious files, URLs, and network traffic...</p> <p> Read</p> </li> <li> <p>OpenCTI case management is ready for takeoff: what is available and what\u2019s next <sub><sup>Jul 3, 2023</sup></sub></p> <p>As part of our 2023 strategic roadmap, we\u2019ve worked since January on the case management system within the OpenCTI platform. This initiative comes from 2 simple statements...</p> <p> Read</p> </li> <li> <p>Progressive rollout of the OpenCTI Enterprise Edition: why, what and how? <sub><sup>June 10, 2023</sup></sub></p> <p>We are thrilled to announce that, from OpenCTI 5.8, Filigran is now providing some customers with an Enterprise Edition of the platform, whether on-premise...</p> <p> Read</p> </li> </ul>"},{"location":"#additional-resources","title":"Additional resources","text":"<p>Below, you will find external resources which may be useful along your OpenCTI journey.</p> <p> OpenCTI Ecosystem List of available connectors and integrations to expand platform usage.</p> <p> Training Courses Training courses for analysts and administrators in the Filigran training center.</p> <p> Performances tests &amp; metrics Regular performance tests based on default configuration and datasets.</p> <p></p>"},{"location":"administration/csv-mappers/","title":"CSV Mappers","text":"<p>In OpenCTI, CSV Mappers allow to parse CSV files in a STIX 2.1 Objects. The mappers are created and configured by users with the Manage CSV mappers capability. Then, they are available to users who import CSV files, for instance inside a report or in the global import view.</p>"},{"location":"administration/csv-mappers/#principles","title":"Principles","text":"<p>The mapper contains representations of STIX 2.1 entities and relationships, in order for the parser to properly extract them. One mapper is dedicated to parsing a specific CSV file structure, and thus dedicated mappers should be created for every specific CSV structure you might need to ingest in the platform.</p>"},{"location":"administration/csv-mappers/#create-a-new-csv-mapper","title":"Create a new CSV Mapper","text":"<p>In menu Data, select the submenu Processing, and on the right menu select CSV Mappers. You are presented with a list of all the mappers set in the platform. Note that you can delete or update any mapper from the context menu via the burger button beside each mapper.</p> <p>Click on the button + in the bottom-right corner to add a new Mapper.</p> <p>Enter a name for your mapper and some basic information about your CSV files: </p> <ul> <li>The line separator used (defaults to the standard comma character)</li> <li>The presence of a header on the first line</li> </ul> <p>header management</p> <p>The parser will not extract any information from the CSV header if any ; it will just skip the first line during parsing.</p> <p></p> <p>Then, you need to create every representation, one per entity and relationship type represented in the CSV file. Click on the + button to add an empty representation in the list, and click on the chevron to expand the section and configure the representation.</p> <p>Depending on the entity type, the form contains the fields that are either required (input outlined in red) or optional. For each field, set the corresponding columns mapping (the letter-based index of the column in the CSV table, as presented in common spreadsheet tools). </p> <p>References to other entities should be picked from the list of all the other representations already defined earlier in the mapper.</p> <p>You can do the same for all the relationships between entities that might be defined in this particular CSV file structure.</p> <p></p> <p>Fields might have options besides the mandatory column index, to help extract relevant data:</p> <ul> <li>Date values are expected in ISO 8601 format, but you can set your own format to the time parser</li> <li>Multiple values can be extracted by specifying the separator used inside the cell (e.g. <code>+</code> or <code>|</code>)</li> </ul> <p>Or to set default values in case some data is missing in the imported file.</p> <p></p>"},{"location":"administration/csv-mappers/#csv-mapper-validity","title":"CSV Mapper validity","text":"<p>The only parameter required to save a CSV Mapper is a name ; creating and refining its representations can be done iteratively.</p> <p>Nonetheless, all CSV Mappers go through a quick validation that checks if all the representations have all their mandatory fields set.  Only valid mappers can be run by the users on their CSV files.</p> <p>Mapper validity is visible in the list of CSV Mappers as shown below.</p> <p></p>"},{"location":"administration/csv-mappers/#test-your-csv-mapper","title":"Test your CSV mapper","text":"<p>In the creation or edition form, hit the button Test to open a dialog. Select a sample CSV file and hit the Test button.</p> <p>The code block contains the raw result of the parsing attempt, in the form of a STIX 2.1 bundle in JSON format.</p> <p>You can then check if the extracted values match the expected entities and relationships.</p> <p></p>"},{"location":"administration/csv-mappers/#use-a-mapper-for-importing-a-csv-file","title":"Use a mapper for importing a CSV file","text":"<p>You can change the default configuration of the import csv connector in your configuration file. <pre><code>\"import_csv_built_in_connector\": {\n  \"enabled\": true, \n  \"interval\": 10000, \n  \"validate_before_import\": false\n},\n</code></pre></p> <p>In Data import section, or Data tab of an entity, when you upload a CSV, you can select a mapper to apply to the file.  The file will then be parsed following the representation rules set in the mapper.</p> <p>By default, the imported elements will be added in a new Analyst Workbench where you will be able to check the result of the import.</p>"},{"location":"administration/csv-mappers/#default-values-for-attributes","title":"Default values for attributes","text":"<p>In the case of the CSV file misses some data, you can complete it with default values. To achieve this you have two possibilities:</p> <ul> <li>Set default values in the settings of the entities,</li> <li>Set specific default values directly in the CSV mapper.</li> </ul>"},{"location":"administration/csv-mappers/#set-default-values-in-the-settings-of-the-entities","title":"Set default values in the settings of the entities","text":"<p>Default value mechanisms</p> <p>Note that adding default values in settings have an impact at entity creation globally on the platform, not only on CSV mappers. If you want to apply those default values only at CSV mapper level, please use the second option.</p> <p>In settings &gt; Customization, you can select an entity type and then set default values for its attributes.</p> <p></p> <p>In the configuration of the entity, you have access to the entity's attributes that can be managed.</p> <p>Click on the attribute to add a default value information.</p> <p></p> <p>Enter the default value in the input and save the update.</p> <p></p> <p>The value filled will be used in the case where the CSV file lacks data for this attribute.</p>"},{"location":"administration/csv-mappers/#set-specific-default-values-directly-in-the-csv-mapper","title":"Set specific default values directly in the CSV mapper","text":"<p>Information retained in case of default value</p> <p>If you fill a default value in entity settings and the CSV mapper, the one from CSV mapper will be used.</p> <p>In the mapper form, you will see next to the column index input a gear icon to add extra information for the attribute. If the attribute can have a customizable default value, then you will be able to set one here.</p> <p></p> <p>The example above shows the case of the attribute <code>architecture implementation</code> of a malware. You have some information here. First, it seems we have a default value already set in entity settings for this attribute with the value <code>[powerpc, x86]</code>. However, we want to override this value with another one for our case: <code>[alpha]</code>.</p>"},{"location":"administration/csv-mappers/#specific-case-of-marking-definitions","title":"Specific case of marking definitions","text":"<p>For marking definitions, setting a default value is different from other attributes. We are not choosing a particular marking definition to use if none is specified in the CSV file. Instead, we will choose a default policy and we have two:</p> <p></p> <ul> <li>Use the default marking definitions of the user. In this case the default marking definitions of the connected user importing the CSV file will be used,</li> <li>Let the user choose marking definitions. Here the user importing the CSV file will choose marking definitions (among the ones they can see) when selecting the CSV mapper.</li> </ul>"},{"location":"administration/csv-mappers/#additional-resources","title":"Additional resources","text":"<ul> <li>Usefulness: To additional content on entity customization, refers to the Customize entities page in the Administration section of the documentation.</li> </ul>"},{"location":"administration/decay-rules/","title":"Decay rules","text":"<p>Decay rules are used to update automatically indicators score in order to represent their lifecycle.</p>"},{"location":"administration/decay-rules/#configuration","title":"Configuration","text":"<p>Decay rules can be configured in the \"Settings &gt; Customization &gt; Decay rule\" menu.</p> <p></p> <p>There are built-in decay rules that can't be modified and are applied by default to indicators depending on their main observable type. Decay rules are applied following their order : from highest to lowest (lowest being 0).</p> <p>You can create new decay rules with higher order to apply them along with (or instead of) the built-in rules.</p> <p></p> <p>When you create a decay rule, you can specify on which indicators' main observable types it will apply. If you don't enter any, it will apply to all indicators.</p> <p>You can also add reaction points which represent the scores at which indicators are updated. For example if you add one reaction point at 60 and another one at 40, indicators that have an initial score of 80 will be updated with a score of 60, then 40, depending on the decay curve.</p> <p>The decay curve is based on two parameters : lifetime and decay factor. Decay factor represent the speed at which the score drops, and lifetime is how long (in days) it will drop until reaching 0.</p> <p>Finally, the revoke score is the score at which the indicator can be revoked automatically.</p> <p></p> <p>Once you have created a new decay rule, you will be able to view its details, along with a life curve graph showing the score evolution over time.</p> <p>You will also be able to edit your rule, change all its parameters and order, activate or deactivate it (only activated rules are applied), or delete it.</p> <p></p> <p>Indicator decay manager</p> <p>Decay rules are only applied, and indicators score updated, if indicator decay manager is enabled (enabled by default). </p> <p>Please read the dedicated page to have all information</p>"},{"location":"administration/enterprise/","title":"Enterprise edition","text":"<p>Filigran</p> <p>Filigran is providing an Enterprise Edition of the platform, whether on-premise or in the SaaS.</p>"},{"location":"administration/enterprise/#what-is-opencti-ee","title":"What is OpenCTI EE?","text":"<p>OpenCTI Enterprise Edition is based on the open core concept. This means that the source code of OCTI EE remains open source and included in the main GitHub repository of the platform but is published under a specific license. As specified in the GitHub license file:</p> <p>The OpenCTI Community Edition is licensed under the Apache License, Version 2.0 (the \u201cApache License\u201d). The OpenCTI Enterprise Edition is licensed under the OpenCTI Non-Commercial License (the \u201cNon-Commercial License\u201d). The source files in this repository have a header indicating which license they are under. If no such header is provided, this means that the file is belonging to the Community Edition under the Apache License, Version 2.0.</p> <p>We wrote a complete article to explain the enterprise edition, feel free to read it to have more information</p>"},{"location":"administration/enterprise/#ee-activation","title":"EE Activation","text":"<p>Enterprise edition is easy to activate. You need to go the platform settings and click on the Activate button.</p> <p></p> <p>Then you will need to agree to the Filigran EULA. </p> <p></p> <p>As a reminder:</p> <ul> <li>OpenCTI EE is free-to-use for development, testing and research purposes as well as for non-profit organizations.</li> <li>OpenCTI EE is included for all Filigran SaaS customers without additional fee.</li> <li>For all other usages, OpenCTI EE is reserved to organizations that have signed a Filigran Enterprise agreement.</li> </ul>"},{"location":"administration/enterprise/#available-features","title":"Available features","text":""},{"location":"administration/enterprise/#activity-monitoring","title":"Activity monitoring","text":"<p>Audit logs help you answer \"who did what, where, and when?\" within your data with the maximum level of transparency. Please read Activity monitoring page to get all information.</p>"},{"location":"administration/enterprise/#playbooks-and-automation","title":"Playbooks and automation","text":"<p>OpenCTI playbooks are flexible automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform. Please read Playbook automation page to get all information.</p>"},{"location":"administration/enterprise/#organizations-management-and-segregation","title":"Organizations management and segregation","text":"<p>Organizations segregation is a way to segregate your data considering the organization associated to the users. Useful when your platform aims to share data to multiple organizations that have access to the same OpenCTI platform. Please read Organizations RBAC to get more information.</p>"},{"location":"administration/enterprise/#full-text-indexing","title":"Full text indexing","text":"<p>Full text indexing grants improved searches across structured and unstructured data. OpenCTI classic searches are based on metadata fields (e.g. title, description, type) while advanced indexing capability  enables  searches  to  be  extended  to  the document\u2019s contents. Please read File indexing to get all information.</p>"},{"location":"administration/enterprise/#more-to-come","title":"More to come","text":"<p>More features will be available in OpenCTI in the future. Features like:</p> <ul> <li>Generative AI for correlation and content generation.</li> <li>Supervised machine learning for natural language processing.</li> </ul>"},{"location":"administration/entities/","title":"Customize entities","text":""},{"location":"administration/entities/#introduction","title":"Introduction","text":"<p>A variety of entity customization options are available to optimize data representation, workflow management, and enhance overall user experience. Whether you're fine-tuning processing statuses, configuring entities' attributes, or hiding entities, OpenCTI's customization capabilities provide the flexibility you need to create a tailored environment for your threat intelligence and cybersecurity workflows.</p> <p>The following chapter aims to provide readers with an understanding of the available customization options by entity type. Customize entities can be done in \"Settings &gt; Customization\".</p> <p></p>"},{"location":"administration/entities/#hidden-in-interface","title":"Hidden in interface","text":"<p>This configuration allows to hide a specific entity type throughout the entire platform. It provides a potent means to simplify the interface and tailor it to your domain expertise. For instance, if you have no interest in disinformation campaigns, you can conceal related entities such as Narratives and Channels from the menus.</p> <p>You can specify which entities to hide on a platform-wide basis from \"Settings &gt; Customization\" and from \"Settings &gt; Parameters\", providing you with a list of hidden entities. Furthermore, you can designate hidden entities for specific Groups and Organizations from \"Settings &gt; Security &gt; Groups/Organizations\" by editing a Group/Organization.</p> <p>An overview of hidden entity types is available in the \"Hidden entity types\" field in \"Settings &gt; Parameters.\"</p>"},{"location":"administration/entities/#automatic-references-at-file-upload","title":"Automatic references at file upload","text":"<p>This configuration enables an entity to automatically construct an external reference from the uploaded file.</p>"},{"location":"administration/entities/#enforce-references","title":"Enforce references","text":"<p>This configuration enables the requirement of a reference message on an entity creation or modification. This option is helpful if you want to keep a strong consistency and traceability of your Knowledge and is well suited for manual creation and update.</p> <p></p> <p></p>"},{"location":"administration/entities/#workflow","title":"Workflow","text":"<p>For now, OpenCTI has a simple workflow approach. They're represented by the \"Processing status\" field embedded in each object. By default, this field is disabled for most objects but can be activated through the platform settings:</p> <ol> <li>Navigate to \"Settings &gt; Customization &gt; Entity types &gt; [Desired object type].\"</li> <li>Click on the small pink pen icon next to \"Workflow\" to access the object customization window.</li> <li>Add and configure the desired statuses, defining their order within the workflow.</li> </ol> <p></p> <p>In addition, the available statuses are defined by a collection of status templates visible in \"Settings &gt; Taxonomies &gt; Status templates\". This collection can be customized.</p> <p></p>"},{"location":"administration/entities/#attributes","title":"Attributes","text":"<p>Each attribute in an Entity offers several customization options:</p> <ul> <li>It can be set as mandatory if not already defined as such in the STIX standard.</li> <li>A default value can be established to streamline entity creation through the creation forms.</li> <li>Different thresholds and their corresponding labels for scalable attributes can be defined.</li> </ul> <p></p>"},{"location":"administration/entities/#confidence-scale-configuration","title":"Confidence scale configuration","text":"<p>Confidence scale can be customized for each entity type by selecting another scale template or by editing directly the scale values. Once you have customized your scale, click on \"Update\" to save your configuration.</p> <p></p> <p>Max confidence level</p> <p>The above scale also needs to take into account the confidence level per user. To understand the concept, please navigate to this page</p>"},{"location":"administration/file-indexing/","title":"File indexing","text":""},{"location":"administration/file-indexing/#files-search-requirements","title":"Files search requirements","text":"<p>In order to search in files, we need to extract and index files text content, which requires to have one of these database configurations :</p> <ul> <li>Elasticsearch &gt;= 8.4</li> <li>Elasticsearch &lt; 8.4 with ingest-attachment plugin</li> <li>OpenSearch with ingest-attachment plugin</li> </ul>"},{"location":"administration/file-indexing/#file-indexing-configuration","title":"File indexing configuration","text":"<p>File indexing can be configured via the <code>File indexing</code> tab in the <code>Settings</code> menu.</p> <p>The configuration and impact panel shows all file types that can be indexed, as well as the volume of storage used.</p> <p>It is also possible to include or exclude files uploaded from the global Data import panel and that are not associated with a specific entity in the platform.</p> <p>Finally, it is possible to set a maximum file size for indexing (5 Mb by default).</p> <p>Currently supported content types : <code>application/pdf</code>, <code>text/plain</code>, <code>text/csv</code>, <code>text/html</code>, <code>application/vnd.ms-excel</code>, <code>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</code> (excel sheets).</p> <p></p> <p>Once indexing has been launched by pressing the <code>Start</code> button, you can follow its progress. </p> <p>You will also be able to <code>Pause</code> it and restart from the beginning by pressing <code>Reset</code> button which deletes all indexed files from the database.</p> <p>If you change the configuration while file indexing is running, you might need to reset in order to include newly impacted files.</p> <p>File indexing runs every 5 minutes to index last uploaded files.</p> <p></p>"},{"location":"administration/introduction/","title":"Introduction","text":"<p>This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threats management use cases from a technical to a more strategic level.</p>"},{"location":"administration/introduction/#administrative-settings","title":"Administrative Settings","text":"<p>The OpenCTI Administrative settings console allows administrators to configure many options dynamically within the system. As an Administrator, you can access this settings console, by clicking the settings link. </p> <p>The Settings Console allows for configuration of various aspects of the system.</p>"},{"location":"administration/introduction/#general-configuration","title":"General Configuration","text":"<ul> <li>Platform Title (Default: OpenCTI - Cyber Threat Intelligence Platform)</li> <li>Platform Favicon</li> <li>Platform General Sender email (Default: admin@opencti.io) </li> <li>Platform Default Theme (Default: Dark)</li> <li>Language (Default: Automatic Detection)</li> <li>Hidden Entity Types (Default: None)</li> </ul>"},{"location":"administration/introduction/#authentication-strategies-display","title":"Authentication Strategies Display","text":"<ul> <li>This section will show configured and enabled/disabled strategies. The configuration is done in the config/default.json file or via ENV variables detected at launch.</li> </ul>"},{"location":"administration/introduction/#platform-messages","title":"Platform Messages","text":"<ul> <li>Platform Login Message (optional) - if configured this will be displayed on the login page. This is usually used to have a welcome type message for users before login.</li> <li>Platform Consent Message (optional) - if configured this will be displayed on the login page. This is usually used to display some type of consent message for users to agree to before login. If enabled, a user must check the checkbox displayed to allow login.</li> <li>Platform Consent Confirm Text (optional) - This is displayed next to the platform consent checkbox, if Platform Consent Message is configured. Users must agree to the checkbox before the login prompt will be displayed. This message can be configured, but by default reads: I have read and comply with the above statement</li> </ul>"},{"location":"administration/introduction/#dark-theme-color-scheme","title":"Dark Theme Color Scheme","text":"<p>Various aspects of the Dark Theme can be dynamically configured in this section.</p>"},{"location":"administration/introduction/#light-theme-color-scheme","title":"Light Theme Color Scheme","text":"<p>Various aspects of the Light Theme can be dynamically configured in this section.</p>"},{"location":"administration/introduction/#tools-configuration-display","title":"Tools Configuration Display","text":"<p>This section will give general status on the various tools and enabled components of the currently configured OpenCTI deployment.</p>"},{"location":"administration/merging/","title":"Merging","text":""},{"location":"administration/merging/#data-merging","title":"Data merging","text":"<p>Within the OpenCTI platform, the merge capability is present into the \"Data &gt; Entities\" tab, and is fairly straightforward to use. To execute a merge, select the set of entities to be merged, then click on the Merge icon. NB: it is not possible to merge entities of different types, nor is it possible to merge more than 4 entities at a time (it will have to be done in several stages).</p> <p></p> <p>Central to the merging process is the selection of a main entity. This primary entity becomes the anchor, retaining crucial attributes such as name and description. Other entities, while losing specific fields like descriptions, are aliased under the primary entity. This strategic decision preserves vital data while eliminating redundancy.</p> <p></p> <p>Once the choice has been made, simply validate to run the task in the background. Depending on the number of entity relationships, and the current workload on the platform, the merge may take more or less time. In the case of a healthy platform and around a hundred relationships per entity, merge is almost instantaneous.</p>"},{"location":"administration/merging/#data-preservation-and-relationship-continuity","title":"Data preservation and relationship continuity","text":"<p>A common concern when merging entities lies in the potential loss of information. In the context of OpenCTI, this worry is alleviated. Even if the merged entities were initially created by distinct sources, the platform ensures that data is not lost. Upon merging, the platform automatically generates relationships directly on the merged entity. This strategic approach ensures that all connections, regardless of their origin, are anchored to the consolidated entity. Post-merge, OpenCTI treats these once-separate entities as a singular, unified entity. Subsequent information from varied sources is channeled directly into the entity resulting from the merger. This unified entity becomes the focal point for all future relationships, ensuring the continuity of data and relationships without any loss or fragmentation.</p>"},{"location":"administration/merging/#important-considerations","title":"Important considerations","text":"<ul> <li>Irreversible process: It's essential to know that a merge operation is irreversible. Once completed, the merged entities cannot be reverted to their original state. Consequently, careful consideration and validation are crucial before initiating the merge process.</li> <li>Loss of fields in aliased entities: Fields, such as descriptions, in aliased entities - entities that have not been chosen as the main - will be lost during the merge. Ensuring that essential information is captured in the primary entity is crucial to prevent data loss.</li> </ul>"},{"location":"administration/merging/#additional-resources","title":"Additional resources","text":"<ul> <li>Usefulness: To understand the benefits of entity merger, refer to the Merge objects page in the User Guide section of the documentation.</li> <li>Deduplication mechanism: the platform is equipped with deduplication processes that automatically merge data at creation (either manually or by importing data from different sources) if it meets certain conditions.</li> </ul>"},{"location":"administration/notifier-samples/","title":"Notifier samples","text":""},{"location":"administration/notifier-samples/#configure-teams-webhook","title":"Configure Teams webhook","text":"<p>To configure a notifier for Teams, allowing to send notifications via Teams messages, we followed the guidelines outlined in the Microsoft documentation.</p> <p></p>"},{"location":"administration/notifier-samples/#template-message-for-live-trigger","title":"Template message for live trigger","text":"<p>The Teams template message sent through webhook for a live notification is:</p> <pre><code>{\n        \"type\": \"message\",\n        \"attachments\": [\n            {\n                \"contentType\": \"application/vnd.microsoft.card.thumbnail\",\n                \"content\": {\n                    \"subtitle\": \"Operation : &lt;%=content[0].events[0].operation%&gt;\",\n                    \"text\": \"&lt;%=(new Date(notification.created)).toLocaleString()%&gt;\",\n                    \"title\": \"&lt;%=content[0].events[0].message%&gt;\",\n                    \"buttons\": [\n                        {\n                            \"type\": \"openUrl\",\n                            \"title\": \"See in OpenCTI\",\n                            \"value\": \"https://YOUR_OPENCTI_URL/dashboard/id/&lt;%=content[0].events[0].instance_id%&gt;\"\n                        }\n                    ]\n                }\n            }\n        ]\n    }\n</code></pre>"},{"location":"administration/notifier-samples/#template-message-for-digest","title":"Template message for digest","text":"<p>The Teams template message sent through webhook for a digest notification is:</p> <pre><code>{\n    \"type\": \"message\",\n    \"attachments\": [\n        {\n            \"contentType\": \"application/vnd.microsoft.card.adaptive\",\n            \"content\": {\n                \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n                \"type\": \"AdaptiveCard\",\n                \"version\": \"1.0\",\n                \"body\": [\n                    {\n                        \"type\": \"Container\",\n                        \"items\": [\n                            {\n                                \"type\": \"TextBlock\",\n                                \"text\": \"&lt;%=notification.name%&gt;\",\n                                \"weight\": \"bolder\",\n                                \"size\": \"extraLarge\"\n                            }, {\n                                \"type\": \"TextBlock\",\n                                \"text\": \"&lt;%=(new Date(notification.created)).toLocaleString()%&gt;\",\n                                \"size\": \"medium\"\n                            }\n                        ]\n                    },\n                    &lt;% for(var i=0; i&lt;content.length; i++) { %&gt;\n                    {\n                        \"type\": \"Container\",\n                        \"items\": [&lt;% for(var j=0; j&lt;content[i].events.length; j++) { %&gt;\n                            {\n                                \"type\" : \"TextBlock\",\n                                \"text\" : \"[&lt;%=content[i].events[j].message%&gt;](https://YOUR_OPENCTI_URL/dashboard/id/&lt;%=content[i].events[j].instance_id%&gt;)\"\n                            }&lt;% if(j&lt;(content[i].events.length - 1)) {%&gt;,&lt;% } %&gt;\n                        &lt;% } %&gt;]\n           }&lt;% if(i&lt;(content.length - 1)) {%&gt;,&lt;% } %&gt;\n                    &lt;% } %&gt;\n                ]\n            }\n        }\n    ],\n   \"dataString\": &lt;%-JSON.stringify(notification)%&gt;\n}\n</code></pre>"},{"location":"administration/notifiers/","title":"Custom notifiers","text":"<p>Leveraging the platform's built-in connectors, users can create custom notifiers tailored to their unique needs. OpenCTI features three built-in connectors: a webhook connector, a simple mailer connector, and a platform mailer connector. These connectors operate based on registered schemas that describe their interaction methods.</p> <p></p>"},{"location":"administration/notifiers/#built-in-notifier-connectors","title":"Built-In notifier connectors","text":""},{"location":"administration/notifiers/#platform-mailer","title":"Platform mailer","text":"<p>This notifier connector enables customization of notifications raised within the platform. It's simple to configure, requiring only:</p> <ul> <li>Title: The title for the platform notification.</li> <li>Template: Specifies the message template for the notification.</li> </ul>"},{"location":"administration/notifiers/#simple-mailer","title":"Simple mailer","text":"<p>This notifier connector offers a straightforward approach to email notifications with simplified configuration options. Users can set:</p> <ul> <li>Title: The title for the email notification.</li> <li>Header: Additional content to include at the beginning of the email.</li> <li>Footer: Additional content to include at the end of the email.</li> <li>Logo: The option to add a logo to the email.</li> <li>Background Color: Customize the background color of the email.</li> </ul> <p></p>"},{"location":"administration/notifiers/#webhook","title":"Webhook","text":"<p>This notifier connector enables users to send notifications to external applications or services through HTTP requests. Users can specify:</p> <ul> <li>Verb: Specifies the HTTP method (GET, POST, PUT, DELETE).</li> <li>URL: Defines the destination URL for the webhook.</li> <li>Template: Specifies the message template for the notification.</li> <li>Parameters and Headers: Customizable parameters and headers sent through the webhook request.</li> </ul> <p>OpenCTI provides two notifier samples by default, designed to communicate with Microsoft Teams through a webhook. A documentation page providing details on these samples is available.</p>"},{"location":"administration/notifiers/#configuration-and-access","title":"Configuration and access","text":"<p>Custom notifiers are manageable in the \"Settings &gt; Customization &gt; Notifiers\" window and can be restricted through Role-Based Access Control (RBAC). Administrators can control access, limiting usage to specific Users, Groups, or Organizations.</p> <p>For guidance on configuring notification triggers and exploring the usages of notifiers, refer to the dedicated documentation page.</p>"},{"location":"administration/ontologies/","title":"Taxonomies","text":"<p>Taxonomies in OpenCTI refer to the structured classification systems that help in organizing and categorizing cyber threat intelligence data. They play a crucial role in the platform by allowing analysts to systematically tag and retrieve information based on predefined categories and terms.</p> <p>Along with the Customization page, these pages allow the administrator to customize the platform.</p>"},{"location":"administration/ontologies/#labels","title":"Labels","text":"<p>Labels in OpenCTI serve as a powerful tool for organizing, categorizing, and prioritizing data. Here\u2019s how they can be used effectively:</p> <ol> <li>Tagging and Categorization: Labels can be used to tag malware, incidents, or indicators (IOCs) with specific categories, making it easier to filter and search through large datasets.</li> <li>Prioritization: By labeling threats based on their severity or impact, security analysts can prioritize their response efforts accordingly.</li> <li>Correlation and Analysis: Labels help in correlating different pieces of intelligence. For example, if multiple indicators are tagged with the same label, it might indicate a larger campaign or a common adversary.</li> <li>Automation and Integration: Labels can trigger automated workflows (also called playbooks) within OpenCTI. For instance, a label might automatically initiate further investigation or escalate an incident.</li> <li>Reporting and Metrics: Labels facilitate the generation of reports and metrics, allowing organizations to track trends through dashboards, measure response effectiveness, and make data-driven decisions.</li> <li>Sharing and Collaboration: When sharing intelligence with other organizations or platforms, labels provide a common language that helps in understanding the context and relevance of the shared data.</li> </ol> <p>Tip</p> <p>In order to achieve effective data labeling methods, it is recommended to establish a clear and consistent criteria for your labeling and document them in a policy or guideline.</p>"},{"location":"administration/ontologies/#kill-chain-phases","title":"Kill chain phases","text":"<p>Kill chain phases are used in OpenCTI to structure and analyze the data related to cyber threats and attacks. They describe the stages of an attack from the perspective of the attacker and provide a framework for identifying, analysing and responding to threats.</p> <p>OpenCTI supports the following kill chain models:</p> <ul> <li>Lockheed Martin Cyber Kill Chain</li> <li>MITRE ATT&amp;CK Framework (Entreprise, PRE, Mobile and ICS)</li> <li>DISARM framework</li> </ul> <p>You can add, edit, or delete kill chain phases in the settings page, and assign them to indicators, attack patterns, incidents, or courses of action in the platform. You can also filter the data by kill chain phase, and view the kill chain phases in a timeline or as a matrix.</p> <p></p>"},{"location":"administration/ontologies/#vocabularies","title":"Vocabularies","text":"<p>Open vocabularies are sets of terms and definitions that are agreed upon by the CTI community. They help to standardize the communication documentation of cyber threat information. This section allows you to customize a set of available fields by adding vocabulary. Almost all of the drop-down menus available in the entities can be modified from this panel.</p> <p>Open vocabularies in OpenCTI are mainly based on the STIX standard.</p> <p></p>"},{"location":"administration/ontologies/#status-templates","title":"Status templates","text":"<p>Status templates are predefined statuses that can be assigned to different entities in OpenCTI, such as reports, incidents, or cases (incident responses, requests for information and requests for takedown).</p> <p>They help to track the progress of the analysis and response activities by defining statuses that are used in the workflows.</p> <p></p>"},{"location":"administration/ontologies/#case-templates","title":"Case templates","text":"<p>Customizable case templates help to streamline the process of creating cases with predefined lists of tasks.</p> <p></p>"},{"location":"administration/parameters/","title":"Parameters","text":""},{"location":"administration/parameters/#description","title":"Description","text":"<p>This part of the interface wil let you configure global platform settings, like title, favicon, etc.</p> <p>It will also give you important information about the platform.</p>"},{"location":"administration/parameters/#the-configuration-section","title":"The \"Configuration\" section","text":"<p>This section allows the administrator to edit the following settings:</p> <ul> <li>Platform title</li> <li>Platform favicon URL</li> <li>Sender email address: email address displayed as sender when sending notifications. The technical sender is defined in the SMTP configuration.</li> <li>Theme</li> <li>Language</li> <li>Hidden entity types: allows you to customize which types of entities you want to see or hide in the platform. This can help you focus on the relevant information and avoid cluttering the platform with unnecessary data.</li> </ul>"},{"location":"administration/parameters/#opencti-platform","title":"OpenCTI Platform","text":"<p>This is where the Enterprise edition can be enabled.</p> <p>This section gives important information about the platform like the used version, the edition, the architecture mode (can be Standalone or Cluster) and the number used nodes.</p> <p>Through the \"Remove Filigran logos\" toggle, the administrator has the option to hide the Filigran logo on the login page and the sidebar.</p>"},{"location":"administration/parameters/#platform-announcement","title":"Platform Announcement","text":"<p>This section gives you the possibility to set and display Announcements in the platform. Those announcements will be visible to every user in the platform, on top of the interface.</p> <p>They can be used to inform some of your users or all of important information, like a scheduled downtime, an incoming upgrade, or even to share important tips regarding the usage of the platform.</p> <p>An Announcement can be accompanied by a \"Dismiss\u201d button. When clicked by a user, it makes the message disappear for this user.</p> <p></p> <p>This option can be deactivated to have a permanent announcement.</p> <p> \u26a0\ufe0f Only one announcement is shown at a time, with priority given to dismissible ones. If there are no dismissible announcements, the most recent non-dismissible one is shown.</p>"},{"location":"administration/parameters/#third-party-analytics","title":"Third-party Analytics","text":"<p>Enterprise edition</p> <p>Analytics is available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have more information</p> <p>This is where you can configure analytics providers. At the moment only Google Analytics v4 is supported.</p>"},{"location":"administration/parameters/#theme-customization","title":"Theme customization","text":"<p>In this section, the administrator can customize the two OpenCTI themes </p>"},{"location":"administration/parameters/#tools","title":"Tools","text":"<p>This section informs the administrator of the statuses of the different managers used in the Platform. More information about the managers can be found here. It shows also the used versions of the search engine database, RabbitMQ and Redis.</p> <p>In cluster mode, the fact that a manager appears as enabled means that it is active in at least one node. </p> <p></p>"},{"location":"administration/policies/","title":"Policies","text":"<p>The Policies configuration window (in \"Settings &gt; Security &gt; Policies\") encompasses essential settings that govern the organizational sharing, authentication strategies, password policies, login messages, and banner appearance within the OpenCTI platform.</p>"},{"location":"administration/policies/#platform-main-organization","title":"Platform main organization","text":"<p>Allow to set a main organization for the entire platform. Users belonging to the main organization enjoy unrestricted access to all data stored in the platform. In contrast, users affiliated with other organizations will only have visibility into data explicitly shared with them.</p> <p></p>"},{"location":"administration/policies/#authentication-strategies","title":"Authentication strategies","text":"<p>The authentication strategies section provides insights into the configured authentication methods. Additionally, an \"Enforce Two-Factor Authentication\" button is available, allowing administrators to mandate 2FA activation for users, enhancing overall account security.</p> <p>Please see the Authentication section for further details on available authentication strategies.</p> <p></p>"},{"location":"administration/policies/#local-password-policies","title":"Local password policies","text":"<p>This section encompasses a comprehensive set of parameters defining the local password policy. Administrators can specify requirements such as minimum/maximum number of characters, symbols, digits, and more to ensure robust password security across the platform. Here are all the parameters available:</p> Parameter Description <code>Number of chars must be greater than or equals to</code> Define the minimum length required for passwords. <code>Number of chars must be lower or equals to (0 equals no maximum)</code> Set an upper limit for password length. <code>Number of symbols must be greater or equals to</code> Specify the minimum number of symbols required in a password. <code>Number of digits must be greater or equals to</code> Set the minimum number of numeric characters in a password. <code>Number of words (split on hyphen, space) must be greater or equals to</code> Enforce a minimum count of words in a password. <code>Number of lowercase chars must be greater or equals to</code> Specify the minimum number of lowercase characters. <code>Number of uppercase chars must be greater or equals to</code> Specify the minimum number of uppercase characters. <p></p>"},{"location":"administration/policies/#login-messages","title":"Login messages","text":"<p>Allow to define messages on the login page to customize and highlight your platform's security policy. Three distinct messages can be customized:</p> <ul> <li>Platform login message: Appears above the login form to convey important information or announcements.</li> <li>Platform consent message: A consent message that obscures the login form until users check the approval box, ensuring informed user consent.</li> <li>Platform consent confirm text: A message accompanying the consent box, providing clarity on the consent confirmation process.</li> </ul> <p></p> <p></p>"},{"location":"administration/policies/#platform-banner-configuration","title":"Platform banner configuration","text":"<p>The platform banner configuration section allows administrators to display a custom banner message at the top and bottom of the screen. This feature enables customization for enhanced visual communication and branding within the OpenCTI platform. It can be used to add a disclaimer or system purpose.</p> <p>This configuration has two parameters:</p> <ul> <li>Platform banner level: Options defining the banner background color (Green, Red, or Yellow).</li> <li>Platform banner text: Field referencing the message to be displayed within the banner.</li> </ul> <p></p>"},{"location":"administration/reasoning/","title":"Rules engine","text":""},{"location":"administration/reasoning/#inference-rules","title":"Inference rules","text":"<p>The rules engine comprises a set of predefined rules (named inference rules) that govern how new relationships are inferred based on existing data. These rules are carefully crafted to ensure logical and accurate relationship creation. Here is the list of existing inference rules:</p>"},{"location":"administration/reasoning/#raise-incident-based-on-sighting","title":"Raise incident based on sighting","text":"Conditions Creations A non-revoked Indicator is sighted in an Entity Creation of an Incident linked to the sighted Indicator and the targeted Entity"},{"location":"administration/reasoning/#sightings-of-observables-via-observed-data","title":"Sightings of observables via observed data","text":"Conditions Creations An Indicator is based on an Observable contained in an Observed Data Creation of a sighting between the Indicator and the creating Identity of the Observed Data"},{"location":"administration/reasoning/#sightings-propagation-from-indicator","title":"Sightings propagation from indicator","text":"Conditions Creations An Indicator based on an Observable is sighted in an Entity The Observable is sighted in the Entity"},{"location":"administration/reasoning/#sightings-propagation-from-observable","title":"Sightings propagation from observable","text":"Conditions Creations An Indicator is based on an Observable sighted in an Entity The Indicator is sighted in the Entity"},{"location":"administration/reasoning/#relation-propagation-via-an-observable","title":"Relation propagation via an observable","text":"Conditions Creations An observable is related to two Entities Create a related to relationship between the two Entities"},{"location":"administration/reasoning/#attribution-propagation","title":"Attribution propagation","text":"Conditions Creations An Entity A is attributed to an Entity B and this Entity B is itself attributed to an Entity C The Entity A is attributed to Entity C"},{"location":"administration/reasoning/#belonging-propagation","title":"Belonging propagation","text":"Conditions Creations An Entity A is part of an Entity B and this Entity B is itself part of an Entity C The Entity A is part of Entity C"},{"location":"administration/reasoning/#location-propagation","title":"Location propagation","text":"Conditions Creations A Location A is located at a Location B and this Location B is itself located at a Location C The Location A is located at Location C"},{"location":"administration/reasoning/#organization-propagation-via-participation","title":"Organization propagation via participation","text":"Conditions Creations A User is affiliated with an Organization B, which is part of an Organization C The User is affiliated to the Organization C"},{"location":"administration/reasoning/#identities-propagation-in-reports","title":"Identities propagation in reports","text":"Conditions Creations A Report contains an Identity B and this Identity B is part of an Identity C The Report contains Identity C, as well as the Relationship between Identity B and Identity C"},{"location":"administration/reasoning/#locations-propagation-in-reports","title":"Locations propagation in reports","text":"Conditions Creations A Report contains a Location B and this Location B is located at a Location C The Report contains Location B, as well as the Relationship between Location B and Location C"},{"location":"administration/reasoning/#observables-propagation-in-reports","title":"Observables propagation in reports","text":"Conditions Creations A Report contains an Indicator and this Indicator is based on an Observable The Report contains the Observable, as well as the Relationship between the Indicator and the Observable"},{"location":"administration/reasoning/#usage-propagation-via-attribution","title":"Usage propagation via attribution","text":"Conditions Creations An Entity A, attributed to an Entity C, uses an Entity B The Entity C uses the Entity B"},{"location":"administration/reasoning/#inference-of-targeting-via-a-sighting","title":"Inference of targeting via a sighting","text":"Conditions Creations An Indicator, sighted at an Entity C, indicates an Entity B The Entity B targets the Entity C"},{"location":"administration/reasoning/#targeting-propagation-via-attribution","title":"Targeting propagation via attribution","text":"Conditions Creations An Entity A, attributed to an Entity C, targets an Entity B The Entity C targets the Entity B"},{"location":"administration/reasoning/#targeting-propagation-via-belonging","title":"Targeting propagation via belonging","text":"Conditions Creations An Entity A targets an Identity B, part of an Identity C The Entity A targets the Identity C"},{"location":"administration/reasoning/#targeting-propagation-via-location","title":"Targeting propagation via location","text":"Conditions Creations An Entity targets a Location B and this Location B is located at a Location C The Entity targets the Location C"},{"location":"administration/reasoning/#targeting-propagation-when-located","title":"Targeting propagation when located","text":"Conditions Creations An Entity A targets an Entity B and this target is located at Location D. The Entity A targets the Location D"},{"location":"administration/reasoning/#rule-execution","title":"Rule execution","text":""},{"location":"administration/reasoning/#rule-activation","title":"Rule activation","text":"<p>When a rule is activated, a background task is initiated. This task scans all platform data, identifying existing relationships that meet the conditions defined by the rule. Subsequently, it creates new objects (entities and/or relationships), expanding the network of insights within your threat intelligence environment. Then, activated rules operate continuously. Whenever a relationship is created or modified, and this change aligns with the conditions specified in an active rule, the reasoning mechanism is triggered. This ensures real-time relationship inference.</p>"},{"location":"administration/reasoning/#rule-deactivation","title":"Rule deactivation","text":"<p>Deactivating a rule leads to the deletion of all objects and relationships created by it. This cleanup process maintains the accuracy and reliability of your threat intelligence database.</p>"},{"location":"administration/reasoning/#access-restrictions-and-data-impact","title":"Access restrictions and data impact","text":"<p>Access to the rule engine panel is restricted to administrators only. Regular users do not have visibility into this section of the platform. Administrators possess the authority to activate or deactivate rules.</p> <p>The rules engine empowers OpenCTI with the capability to automatically establish intricate relationships within your data. However, these rules can lead to a very large number of objects created. Even if the operation is reversible, an administrator should consider the impact of activating a rule.</p>"},{"location":"administration/reasoning/#additional-resources","title":"Additional resources","text":"<ul> <li>Usefulness: To understand the benefits and results of these rules, refer to the Inferences and reasoning page in the User Guide section of the documentation.</li> <li>New inference rule: Given the potential impact of a rule on your data, users are not allowed to add new rules. However, users can submit rule suggestions via a GitHub issue for evaluation. These suggestions are carefully evaluated by our team, ensuring continuous improvement and innovation.</li> </ul>"},{"location":"administration/retentions/","title":"Retention policies","text":"<p>Retention rules serve the purpose of establishing data retention times, specifying when data should be automatically deleted from the platform. Users can define filters to target specific objects. Any object meeting these criteria that haven't been updated within the designated time frame will be deleted.</p>"},{"location":"administration/retentions/#configuration","title":"Configuration","text":"<p>Retention rules can be configured in the \"Settings &gt; Customization &gt; Retention policies\" window. A set of parameters must be configured:</p> <ul> <li>Maximum retention days: Set the maximum number of days an object can remain unchanged before being eligible for deletion.</li> <li>Filters: Define filters based on specific criteria to select the types of objects subject to retention rules.</li> </ul> <p>An object will be removed if it meets the specified filters and hasn't been updated for the duration set in the \"Maximum retention days\" field.</p> <p></p>"},{"location":"administration/retentions/#verification-process","title":"Verification process","text":"<p>Before activating a retention rule, users have the option to verify its impact using the \"Verify\" button. This action provides insight into the number of objects that currently match the rule's criteria and would be deleted if the rule is activated.</p> <p></p> <p>Verify before activation</p> <p>Always use the \"Verify\" feature to assess the potential impact of a retention rule before activating it. Once the rule is activated, data deletion will begin, and retrieval of the deleted data will not be possible.</p> <p>Retention rules contribute to maintaining a streamlined and efficient data lifecycle within OpenCTI, ensuring that outdated or irrelevant information is systematically removed from the platform, thereby optimizing disk space usage.</p>"},{"location":"administration/segregation/","title":"Data segregation","text":""},{"location":"administration/segregation/#introduction","title":"Introduction","text":"<p>Data segregation in the context of Cyber Threat Intelligence refers to the practice of categorizing and separating different types of data or information related to cybersecurity threats based on specific criteria.</p> <p>This separation helps organizations manage and analyze threat intelligence more effectively and securely and the goal of data segregation is to ensure that only those individuals who are authorized to view a particular set of data have access to that set of data.</p> <p>Practically, \"Need-to-know basis\" and \"classification level\" are data segregation measures.</p>"},{"location":"administration/segregation/#marking-definitions","title":"Marking Definitions","text":""},{"location":"administration/segregation/#description","title":"Description","text":"<p>Marking definitions are essential in the context of data segregation to ensure that data is appropriately categorized and protected based on its sensitivity or classification level. Marking definitions establish a standardized framework for classifying data.</p> <p>Marking Definition objects are unique among STIX objects in the STIX 2.1 standard in that they cannot be versioned.  This restriction is in place to prevent the possibility of indirect alterations to the markings associated with a STIX Object.</p> <p>Multiple markings can be added to the same object. Certain categories of marking definitions or trust groups may enforce rules that specify which markings take precedence over others or how some markings can be added to complement existing ones.</p> <p>In OpenCTI, data is segregated based on knowledge marking. The diagram provided below illustrates the manner in which OpenCTI establishes connections between pieces of information to authorize data access for a user:</p> <p></p>"},{"location":"administration/segregation/#traffic-light-protocol","title":"Traffic Light Protocol","text":"<p>The Traffic Light Protocol is implemented by default as marking definitions in OpenCTI. It allows you to segregate information by TLP level in your platform and restrict access to marked data if users are not authorized to see the corresponding marking.</p> <p>The Traffic Light Protocol (TLP) was designed by the Forum of Incidence Response and Security Teams (FIRST) to provide a standardized method for classifying and handling sensitive information, based on four categories of sensitivity.</p> <p>For more details, the diagram provided below illustrates how are categorized the marking definitions:</p> <p></p>"},{"location":"administration/segregation/#create-new-markings","title":"Create new markings","text":"<p>In order to create a marking, you must first have the ability to access the Settings tab. For example, a user who is in a group with the role of Administrator can bypass all capabilities or a user who is in a group with the role that has <code>Access administration</code> checked can access the Settings tab. For more details about user administration here: Users and Role Based Access Control</p> <p></p> <p>Once you have access to the settings, you can create your new marking in <code>Security</code> -&gt; <code>Marking Definitions</code></p> <p>A marking has:</p> <ul> <li>a type</li> <li>a definition</li> <li>a color</li> <li>an order</li> </ul> <p></p>"},{"location":"administration/segregation/#allowed-marking-definitions","title":"Allowed marking definitions","text":"<p>In order for all users in a group to be able to see entities and relationships that have specific markings on them, allowed markings can be checked when updating a group:</p> <p></p>"},{"location":"administration/segregation/#default-marking-definitions","title":"Default marking definitions","text":"<p>To apply a default marking when creating a new entity or relationship, you can choose which marking to add by default from the list of allowed markings. You can add only one marking per type, but you can have multiple types.</p> <p></p> <p>Be careful, add markings as default markings is not enough to see the markings when you create an entity or relationship, you need to enable default markings in an entity or relationship customization.</p> <p>For example, if you create a new report, got to <code>Settings</code> -&gt; <code>Customization</code> -&gt; <code>Report</code> -&gt; <code>Markings</code> and click on <code>Activate/Desactivate default values</code></p> <p></p>"},{"location":"administration/segregation/#authorize-a-group-to-new-marking-definition","title":"Authorize a group to new marking definition","text":"<p>To authorize a group to automatically have access to a newly created marking definition in allowed marking definitions, you can check <code>Automatically authorize this group to new marking definition</code> when update a group:</p> <p></p>"},{"location":"administration/segregation/#behavior-on-the-opencti-platform","title":"Behavior on the OpenCTI Platform","text":""},{"location":"administration/segregation/#create-a-new-entity-or-relationship","title":"Create a new entity or relationship","text":"<p>When a new entity or a new relationship is created, if multiple markings of the same type and different order are added, the platform will only keep the highest order for each type.</p> <p>For example:</p> <p>Create a new report and add markings <code>PAP:AMBER</code>,<code>PAP:RED</code>,<code>TLP:AMBER+STRICT</code>,<code>TLP:CLEAR</code> and a statement <code>CC-BY-SA-4.0 DISARM Foundation</code></p> <p></p> <p>The final markings kept are: <code>PAP:RED</code>, <code>TLP:AMBER+STRICT</code> and <code>CC-BY-SA-4.0 DISARM Foundation</code></p> <p></p>"},{"location":"administration/segregation/#update-an-entity-or-a-relationship","title":"Update an entity or a relationship","text":"<p>When update an entity or a relationship:</p> <ul> <li>add a marking with same type and different order, a pop-up will be displayed to confirm the choice</li> <li>add a marking with same type and same order, the marking will be added</li> <li>add a marking with different type, the marking will be added</li> </ul> <p></p>"},{"location":"administration/segregation/#merge-entities","title":"Merge entities","text":"<p>When you merge multiple entities, the platform will keep the highest order for each type of markings when the merge is complete:</p> <p>For example, merging 2 observables, one with <code>TLP:CLEAR</code> and <code>PAP:CLEAR</code> and the other one with <code>PAP:RED</code> and <code>TLP:GREEN</code> from 198.250.250.11 to 197.250.251.12.</p> <p></p> <p>As final result, you will have the observable with the value 197.250.251.12 with <code>PAP:RED</code> and <code>TLP:GREEN</code></p> <p></p>"},{"location":"administration/segregation/#import-data-from-a-connector","title":"Import data from a connector","text":"<p>When you import data from a connector, the connector cannot downgrade a marking for the same entity, if a same type of marking is set on it.</p> <p>For example, if you create a new observable with same values as Alien Vault data and change marking in the platform as <code>TLP:AMBER</code>, when importing data, the platform will keep the highest rank for the same type of markings.</p>"},{"location":"administration/users/","title":"Users and Role Based Access Control","text":""},{"location":"administration/users/#introduction","title":"Introduction","text":"<p>In OpenCTI, the RBAC system not only related to what users can do or cannot do in the platform (aka. <code>Capabilities</code>) but also to the system of data segregation. Also, platform behaviour such as default home dashboards, default triggers and digests as well as default hidden menus or entities can be defined across groups and organizations.</p>"},{"location":"administration/users/#high-level-design","title":"High level design","text":""},{"location":"administration/users/#roles","title":"Roles","text":"<p>Roles are used in the platform to grant the given groups with some capabilities to define what users in those groupes can do or cannot do.</p>"},{"location":"administration/users/#list-of-capabilities","title":"List of capabilities","text":"Capability Description <code>Bypass all capabilities</code> Just bypass everything including data segregation and enforcements. <code>Access knowledge</code> Access in read-only to all the knowledge in the platform. <code>Access to collaborative creation</code> Create notes and opinions (and modify its own) on entities and relations. <code>Create / Update knowledge</code> Create and update existing entities and relationships. <code>Restrict organization access</code> Share entities and relationships with other organizations. <code>Delete knowledge</code> Delete entities and relationships. <code>Upload knowledge files</code> Upload files in the <code>Data</code> and <code>Content</code> section of entities. <code>Download knowledge export</code> Download the exports generated in the entities (in the <code>Data</code> section). <code>Ask for knowledge enrichment</code> Trigger an enrichment for a given entity. <code>Access exploration</code> Access to workspaces whether custom dashboards or investigations. <code>Create / Update exploration</code> Create and update existing workspaces whether custom dashboards or investigations. <code>Delete exploration</code> Delete workspaces whether custom dashboards or investigations. <code>Access connectors</code> Read information in the <code>Data &gt; Connectors</code> section. <code>Manage connector state</code> Reset the connector state to restart ingestion from the beginning. <code>Access data sharing &amp; ingestion</code> Access and consume data such as TAXII collections. <code>Manage data sharing &amp; ingestion</code> Create, update and delete data such as TAXII collections. <code>Manage CSV mappers</code> Create, update and delete CSV mappers. <code>Access administration</code> Access and manage overall parameters of the platform in <code>Settings &gt; Parameters</code>. <code>Manage credentials</code> Access and manage roles, groups, users, organizations and security policies. <code>Manage marking definitions</code> Update and delete marking definitions. <code>Manage labels &amp; Attributes</code> Update and delete labels, custom taxonomies, workflow and case templates. <code>Connectors API usage: register, ping, export push ...</code> Connectors specific permissions for register, ping, push export files, etc. <code>Connect and consume the platform streams (/stream, /stream/live)</code> List and consume the OpenCTI live streams. <code>Bypass mandatory references if any</code> If external references enforced in a type of entity, be able to bypass the enforcement."},{"location":"administration/users/#manage-roles","title":"Manage roles","text":"<p>You can manage the roles in <code>Settings &gt; Security &gt; Roles</code>.</p> <p>To create a role, just click on the <code>+</code> button:</p> <p></p> <p>Then you will be able to define the capabilities of the role:</p> <p></p>"},{"location":"administration/users/#users","title":"Users","text":"<p>You can manage the users in <code>Settings &gt; Security &gt; Users</code>. If you are using Single-Sign-On (SSO), the users in OpenCTI are automatically created upon login.</p> <p>To create a user, just click on the <code>+</code> button:</p> <p></p>"},{"location":"administration/users/#manage-a-user","title":"Manage a user","text":"<p>When access to a user, it is possible to:</p> <ul> <li>Visualize information including the token</li> <li>Modify it, reset 2FA if necessary</li> <li>Manage its sessions</li> <li>Manage its triggers and digests</li> <li>Visualize the history and operations</li> <li>Manage its max confidence level (override the value inherited from the group)</li> </ul> <p></p> <p>In the below image, you can see how to override the value inherited from the group.</p> <p></p> <p>Mandatory max confidence level</p> <p>A user without Max confidence level won't have the ability to create, delete or update any data in our platform. Please be sure that your users are always either assigned to group that have a confidence level defined or that have an override of this group confidence level.</p>"},{"location":"administration/users/#groups","title":"Groups","text":"<p>Groups is the main vehicule to manage permissions and data segregation as well as platform customization for the given users part of this group. You can manage the groups in <code>Settings &gt; Security &gt; Groups</code>.</p> <p>Here is the description of the group available parameters.</p> Parameter Description <code>Auto new markings</code> If a new marking definition is created, this group will automatically be granted to it. <code>Default membership</code> If a new user is created (manually or upon SSO), it will be added to this group. <code>Roles</code> Roles and capabilities granted to the users belonging to this group. <code>Default dashboard</code> Customize the home dashboard for the users belonging to this group. <code>Default markings</code> In <code>Settings &gt; Customization &gt; Entity types</code>, if default marking definitions is enabled, default markings of the group is used. <code>Allowed markings</code> Grant access to the group to the defined marking definitions, more details in data segregation. <code>Triggers and digests</code> Define defaults triggers and digests for the users belonging to this group. <code>Max confidence level</code> Define the maximum confidence level for the group: it will impact the capacity to update entities, the confidence level of a newly created entity by a user of the group <p></p> <p>Max confidence level when a user has multiple groups</p> <p>A user with multiple groups will have the the highest confidence level of all its groups.  For instance, if a user is part of group A (max confidence level = 100) and group B (max confidence level = 50), then the user max confidence level will be 100.</p>"},{"location":"administration/users/#manage-a-group","title":"Manage a group","text":"<p>When managing a group, you can define the members and all above configurations.</p> <p></p> <p></p>"},{"location":"administration/users/#organizations","title":"Organizations","text":"<p>Users can belong to organizations, which is an additional layer of data segregation and customization.</p>"},{"location":"administration/users/#organization-administration","title":"Organization administration","text":"<p>Platform administrators can promote members of an organization as \"Organization administrator\". This elevated role grants them the necessary capabilities to create, edit and delete users from the corresponding Organization. Additionally, administrators have the flexibility to define a list of groups that can be granted to newly created members by the organization administrators. This feature simplifies the process of granting appropriate access and privileges to individuals joining the organization.</p> <p></p> <p>The platform administrator can promote/demote an organization admin through its user edition form.</p> <p></p> <p>The \"Organization admin\" has restricted access to Settings. They can only manage the members of the organizations for which they have been promoted as \"admins\".</p>"},{"location":"administration/audit/configuration/","title":"Configuration","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>As explained in overview page, all administration actions are listen by default.  However, all knowledge are not listened by default due to performance impact on the platform. </p> <p>For this reason you need to explicitly activate extended listening on user / group or organization.</p> <p></p> <p>Listening will start just after the configuration. Every past events will not be taken into account.</p>"},{"location":"administration/audit/events/","title":"Events","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p>"},{"location":"administration/audit/events/#description","title":"Description","text":"<p>OpenCTI activity capability is the way to unified whats really happen in the platform. In events section you will have access to the UI that will answer to \"who did what, where, and when?\" within your data with the maximum level of transparency. </p> <p></p>"},{"location":"administration/audit/events/#include-knowledge","title":"Include knowledge","text":"<p>By default, the events screen only show you the administration actions done by the users.</p> <p>If you want to see also the information about the knowledge, you can simply activate the filter in the bar to get the complete overview of all user actions.</p> <p>Don't hesitate to read again the overview page to have a better understanding of the difference between Audit, Basic/Extended knowledge.</p>"},{"location":"administration/audit/overview/","title":"Overview","text":""},{"location":"administration/audit/overview/#overview","title":"Overview","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>OpenCTI activity capability is the way to unified whats really happen in the platform. With this feature you will be able to answer \"who did what, where, and when?\" within your data with the maximum level of transparency.  Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.</p>"},{"location":"administration/audit/overview/#categories","title":"Categories","text":"<p>The activity groups 3 different concepts that need to be explained.</p>"},{"location":"administration/audit/overview/#basic-knowledge","title":"Basic knowledge","text":"<p>The basic knowledge refers to all STIX data knowledge inside OpenCTI. Every create/update/delete actions on that knowledge is accessible through the history. That basic activity is handled by the history manager and can be also found directly on each entity.</p>"},{"location":"administration/audit/overview/#extended-knowledge","title":"Extended knowledge","text":"<p>The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific user/group/organization explicitly configured.</p>"},{"location":"administration/audit/overview/#audit-knowledge","title":"Audit knowledge","text":"<p>Audit is focusing on user administration or security actions. Audit will produce console/logs files along with user interface elements.</p> <pre><code>{\n  \"auth\": \"&lt;User information&gt;\",\n  \"category\": \"AUDIT\",\n  \"level\": \"&lt;info | error&gt;\",\n  \"message\": \"&lt;human readable explanation&gt;\",\n  \"resource\": {\n    \"type\": \"&lt;authentication | mutation&gt;\",\n    \"event_scope\": \"&lt;depends on type&gt;\",\n    \"event_access\": \"&lt;administration&gt;\",\n    \"data\": \"&lt;contextual data linked to the event type&gt;\",\n    \"version\": \"&lt;version of audit log format&gt;\"\n  },\n  \"timestamp\": \"&lt;event date&gt;\",\n  \"version\": \"&lt;platform version&gt;\"\n}\n</code></pre>"},{"location":"administration/audit/overview/#architecture","title":"Architecture","text":"<p>OpenCTI uses different mechanisms to be able to publish actions (audit) or data modification (history)</p>"},{"location":"administration/audit/overview/#audit-knowledge_1","title":"Audit knowledge","text":"<p>Administration or security actions</p> <p>With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them</p> <p> Supported</p> <p> Not supported for now</p> <p> Not applicable</p>"},{"location":"administration/audit/overview/#ingestion","title":"Ingestion","text":"Create Delete Edit Remote OCTI Streams"},{"location":"administration/audit/overview/#data-sharing","title":"Data sharing","text":"Create Delete Edit CSV Feeds TAXII Feeds Stream Feeds"},{"location":"administration/audit/overview/#connectors","title":"Connectors","text":"Create Delete Edit Connectors  State reset Works"},{"location":"administration/audit/overview/#parameters","title":"Parameters","text":"Create Delete Edit Platform parameters"},{"location":"administration/audit/overview/#security","title":"Security","text":"Create Delete Edit Roles Groups Users Sessions Policies"},{"location":"administration/audit/overview/#customization","title":"Customization","text":"Create Delete Edit Entity types Rules engine Retention policies"},{"location":"administration/audit/overview/#taxonomies","title":"Taxonomies","text":"Create Delete Edit Status templates Case templates + tasks"},{"location":"administration/audit/overview/#accesses","title":"Accesses","text":"Listen Login (success or fail) Logout Unauthorized access"},{"location":"administration/audit/overview/#extended-knowledge_1","title":"Extended knowledge","text":"<p>Extended knowledge</p> <p>Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations</p>"},{"location":"administration/audit/overview/#data-management","title":"Data management","text":"<p>Some history actions are already included in the \"basic knowledge\". (basic marker) </p> Read Create Delete Edit Platform knowledge basic basic basic Background tasks Knowledge Knowledge files basic basic Global data import files Analyst workbenches files Triggers Workspaces Investigations User profile"},{"location":"administration/audit/overview/#user-actions","title":"User actions","text":"Supported Ask for file import Ask for data enrichment Ask for export generation Execute global search"},{"location":"administration/audit/triggers/","title":"Activity triggers","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p>"},{"location":"administration/audit/triggers/#description","title":"Description","text":"<p>Having all the history in the user interface (events) its sometimes not enough to have a proactive monitoring. For this reason you can configure some specific triggers to receive notifications on audit events. You can configure like personal triggers, lives one that will be sent directly or digest depending on your needs. </p>"},{"location":"administration/audit/triggers/#configuration","title":"Configuration","text":"<p>In this kind of trigger you will have to configure different options: - Notification target: User interface or email - Recipients: who will receive the notification - Filters: a set of filters to get only events that really interested you. (who is responsible for this event, kind of events, ...)</p>"},{"location":"administration/audit/triggers/#event-structure","title":"Event structure","text":"<p>In order to correctly configure the filters, here's a definition of the event structure</p> <ul> <li>Event type: <code>authentication</code></li> <li> <p>Event scopes: <code>login</code> and <code>logout</code> </p> </li> <li> <p>Event type: <code>read</code></p> <ul> <li>Event scopes: <code>read</code> and <code>unauthorized</code> </li> </ul> </li> <li> <p>Event type: <code>file</code></p> <ul> <li>Event scopes: <code>read</code>, <code>create</code> and <code>delete</code></li> </ul> </li> <li> <p>Event type: <code>mutation</code></p> <ul> <li>Event scopes: <code>unauthorized</code>, <code>update</code>, <code>create</code> and <code>delete</code></li> </ul> </li> <li> <p>Event type: <code>command</code></p> <ul> <li>Event scopes: <code>search</code>, <code>enrich</code>, <code>import</code> and <code>export</code></li> </ul> </li> </ul>"},{"location":"deployment/authentication/","title":"Authentication","text":""},{"location":"deployment/authentication/#introduction","title":"Introduction","text":"<p>OpenCTI supports several authentication providers. If you configure multiple strategies, they will be tested in the order you declared them.</p> <p>Activation</p> <p>You need to configure/activate only the strategy that you really want to propose to your users in term of authentication</p> <p>The product proposes two kinds of authentication strategies:</p> <ul> <li>Form (asking user for a user/password)</li> <li>Buttons (click with authentication on an external system)</li> </ul>"},{"location":"deployment/authentication/#supported-strategies","title":"Supported Strategies","text":"<p>Under the hood we technically use the strategies provided by PassportJS. We integrate a subset of the strategies available with passport. If you need more, we can integrate other strategies.</p>"},{"location":"deployment/authentication/#local-users-form","title":"Local users (form)","text":"<p>This strategy uses the OpenCTI database as a user management.</p> <p>OpenCTI use this strategy as the default but its not the one we recommend for security reasons.</p> <pre><code>\"local\": {\n    \"strategy\": \"LocalStrategy\",\n    \"config\": {\n        \"disabled\": false\n    }\n}\n</code></pre> <p>Production deployment</p> <p>Please use the LDAP/Auth0/OpenID/SAML strategy for production deployment.</p>"},{"location":"deployment/authentication/#ldap-form","title":"LDAP (form)","text":"<p>This strategy can be used to authenticate your user with your company LDAP and is based on Passport - LDAPAuth.</p> <pre><code>\"ldap\": {\n    \"strategy\": \"LdapStrategy\",\n    \"config\": {\n        \"url\": \"ldaps://mydc.domain.com:686\",\n        \"bind_dn\": \"cn=Administrator,cn=Users,dc=mydomain,dc=com\",\n        \"bind_credentials\": \"MY_STRONG_PASSWORD\",\n        \"search_base\": \"cn=Users,dc=mydomain,dc=com\",\n        \"search_filter\": \"(cn={{username}})\",\n        \"mail_attribute\": \"mail\",\n        // \"account_attribute\": \"givenName\",\n        // \"firstname_attribute\": \"cn\",\n        // \"lastname_attribute\": \"cn\",\n        \"account_attrgroup_search_filteribute\": \"givenName\",\n        \"allow_self_signed\": true\n    }\n}\n</code></pre> <p>If you would like to use LDAP groups to automatically associate LDAP groups and OpenCTI groups/organizations:</p> <pre><code>\"ldap\": {\n    \"config\": {\n        ...\n        \"group_search_base\": \"cn=Groups,dc=mydomain,dc=com\",\n        \"group_search_filter\": \"(member={{dn}})\",\n        \"groups_management\": { // To map LDAP Groups to OpenCTI Groups\n            \"group_attribute\": \"cn\",\n            \"groups_mapping\": [\"LDAP_Group_1:OpenCTI_Group_1\", \"LDAP_Group_2:OpenCTI_Group_2\", ...]\n        },\n        \"organizations_management\": { // To map LDAP Groups to OpenCTI Organizations\n            \"organizations_path\": \"cn\",\n            \"organizations_mapping\": [\"LDAP_Group_1:OpenCTI_Organization_1\", \"LDAP_Group_2:OpenCTI_Organization_2\", ...]\n        }\n    }\n}\n</code></pre>"},{"location":"deployment/authentication/#saml-button","title":"SAML (button)","text":"<p>This strategy can be used to authenticate your user with your company SAML and is based on Passport - SAML.</p> <pre><code>\"saml\": {\n    \"identifier\": \"saml\",\n    \"strategy\": \"SamlStrategy\",\n    \"config\": {\n        \"issuer\": \"mytestsaml\",\n        // \"account_attribute\": \"nameID\",\n        // \"firstname_attribute\": \"nameID\",\n        // \"lastname_attribute\": \"nameID\",\n        \"entry_point\": \"https://auth.mydomain.com/auth/realms/mydomain/protocol/saml\",\n        \"saml_callback_url\": \"http://localhost:4000/auth/saml/callback\",\n        // \"private_key\": \"MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...\",\n        \"cert\": \"MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...\",\n        \"logout_remote\": false\n    }\n}\n</code></pre> <p>For the SAML strategy to work:</p> <ul> <li>The <code>cert</code> parameter is mandatory (PEM format) because it is used to validate the SAML response.</li> <li>The <code>private_key</code> (PEM format) is optional and is only required if you want to sign the SAML client request.</li> </ul> <p>Certificates</p> <p>Be careful to put the <code>cert</code> / <code>private_key</code>  key in PEM format. Indeed, a lot of systems generally export the keys in X509 / PCKS12 formats and so you will need to convert them.  Here is an example to extract PEM from PCKS12: <pre><code>openssl pkcs12 -in keystore.p12 -out newfile.pem -nodes\n</code></pre></p> <p>Here is an example of SAML configuration using environment variables:</p> <pre><code>- PROVIDERS__SAML__STRATEGY=SamlStrategy \n- \"PROVIDERS__SAML__CONFIG__LABEL=Login with SAML\"\n- PROVIDERS__SAML__CONFIG__ISSUER=mydomain\n- PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://auth.mydomain.com/auth/realms/mydomain/protocol/saml\n- PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=http://opencti.mydomain.com/auth/saml/callback\n- PROVIDERS__SAML__CONFIG__CERT=MIICmzCCAYMCBgF3Rt3X1zANBgkqhkiG9w0BAQsFADARMQ8w\n- PROVIDERS__SAML__CONFIG__LOGOUT_REMOTE=false\n</code></pre> <p>OpenCTI supports mapping SAML Roles/Groups on OpenCTI Groups. Here is an example:</p> <pre><code>\"saml\": {\n    \"config\": {\n        ...,\n        // Groups mapping\n        \"groups_management\": { // To map SAML Groups to OpenCTI Groups\n            \"group_attributes\": [\"Group\"],\n            \"groups_mapping\": [\"SAML_Group_1:OpenCTI_Group_1\", \"SAML_Group_2:OpenCTI_Group_2\", ...]\n        },\n        \"groups_management\": { // To map SAML Roles to OpenCTI Groups\n            \"group_attributes\": [\"Role\"],\n            \"groups_mapping\": [\"SAML_Role_1:OpenCTI_Group_1\", \"SAML_Role_2:OpenCTI_Group_2\", ...]\n        },\n        // Organizations mapping\n        \"organizations_management\": { // To map SAML Groups to OpenCTI Organizations\n            \"organizations_path\": [\"Group\"],\n            \"organizations_mapping\": [\"SAML_Group_1:OpenCTI_Organization_1\", \"SAML_Group_2:OpenCTI_Organization_2\", ...]\n        },\n        \"organizations_management\": { // To map SAML Roles to OpenCTI Organizations\n            \"organizations_path\": [\"Role\"],\n            \"organizations_mapping\": [\"SAML_Role_1:OpenCTI_Organization_1\", \"SAML_Role_2:OpenCTI_Organization_2\", ...]\n        }\n    }\n}\n</code></pre> <p>Here is an example of SAML Groups mapping configuration using environment variables:</p> <pre><code>- \"PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUP_ATTRIBUTES=[\\\"Group\\\"]\"\n- \"PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\\\"SAML_Group_1:OpenCTI_Group_1\\\", \\\"SAML_Group_2:OpenCTI_Group_2\\\", ...]\"\n</code></pre>"},{"location":"deployment/authentication/#auth0-button","title":"Auth0 (button)","text":"<p>This strategy allows to use Auth0 Service to handle the authentication and is based on Passport - Auth0.</p> <pre><code>\"authzero\": {\n    \"identifier\": \"auth0\",\n    \"strategy\": \"Auth0Strategy\",\n    \"config\": {\n        \"clientID\": \"XXXXXXXXXXXXXXXXXX\",\n        \"baseURL\": \"https://opencti.mydomain.com\",\n        \"clientSecret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/auth0/callback\",\n        \"domain\": \"mycompany.eu.auth0.com\",\n        \"audience\": \"XXXXXXXXXXXXXXX\",\n        \"scope\": \"openid email profile XXXXXXXXXXXXXXX\",\n        \"logout_remote\": false\n    }\n}\n</code></pre> <p>Here is an example of Auth0 configuration using environment variables:</p> <pre><code>- PROVIDERS__AUTHZERO__STRATEGY=Auth0Strategy\n- PROVIDERS__AUTHZERO__CONFIG__CLIENT_ID=${AUTH0_CLIENT_ID}\n- PROVIDERS__AUTHZERO__CONFIG__BASEURL=${AUTH0_BASE_URL}\n- PROVIDERS__AUTHZERO__CONFIG__CLIENT_SECRET=${AUTH0_CLIENT_SECRET}\n- PROVIDERS__AUTHZERO__CONFIG__CALLBACK_URL=${AUTH0_CALLBACK_URL}\n- PROVIDERS__AUTHZERO__CONFIG__DOMAIN=${AUTH0_DOMAIN}\n- \"PROVIDERS__AUTHZERO__CONFIG__SCOPE=openid email profile\"\n- PROVIDERS__AUTHZERO__CONFIG__LOGOUT_REMOTE=false\n</code></pre>"},{"location":"deployment/authentication/#openid-connect-button","title":"OpenID Connect (button)","text":"<p>This strategy allows to use the OpenID Connect Protocol to handle the authentication and is based on Node OpenID Client which is more powerful than the passport one.</p> <pre><code>\"oic\": {\n    \"identifier\": \"oic\",\n    \"strategy\": \"OpenIDConnectStrategy\",\n    \"config\": {\n        \"label\": \"Login with OpenID\",\n        \"issuer\": \"https://auth.mydomain.com/auth/realms/mydomain\",\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"redirect_uris\": [\"https://opencti.mydomain.com/auth/oic/callback\"],\n        \"logout_remote\": false\n    }\n}\n</code></pre> <p>Here is an example of OpenID configuration using environment variables:</p> <pre><code>- PROVIDERS__OPENID__STRATEGY=OpenIDConnectStrategy \n- \"PROVIDERS__OPENID__CONFIG__LABEL=Login with OpenID\"\n- PROVIDERS__OPENID__CONFIG__ISSUER=https://auth.mydomain.com/auth/realms/xxxx\n- PROVIDERS__OPENID__CONFIG__CLIENT_ID=XXXXXXXXXXXXXXXXXX\n- PROVIDERS__OPENID__CONFIG__CLIENT_SECRET=XXXXXXXXXXXXXXXXXX\n- \"PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\\\"https://opencti.mydomain.com/auth/oic/callback\\\"]\"\n- PROVIDERS__OPENID__CONFIG__LOGOUT_REMOTE=false\n</code></pre> <p>OpenCTI support mapping OpenID Claims on OpenCTI Groups (everything is tied to a group in the platform). Here is an example:</p> <pre><code>\"oic\": {\n    \"config\": {\n        ...,\n        // Groups mapping\n        \"groups_management\": { // To map OpenID Claims to OpenCTI Groups\n            \"groups_scope\": \"groups\",\n            \"groups_path\": [\"groups\", \"realm_access.groups\", \"resource_access.account.groups\"],\n            \"groups_mapping\": [\"OpenID_Group_1:OpenCTI_Group_1\", \"OpenID_Group_2:OpenCTI_Group_2\", ...]\n        },\n        // Organizations mapping  \n        \"organizations_management\": { // To map OpenID Claims to OpenCTI Organizations\n            \"organizations_scope\": \"groups\",\n            \"organizations_path\": [\"groups\", \"realm_access.groups\", \"resource_access.account.groups\"],\n            \"organizations_mapping\": [\"OpenID_Group_1:OpenCTI_Group_1\", \"OpenID_Group_2:OpenCTI_Group_2\", ...]\n        },\n    }\n}\n</code></pre> <p>Here is an example of OpenID Groups mapping configuration using environment variables:</p> <pre><code>- PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_SCOPE=groups\n- \"PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_PATH=[\\\"groups\\\", \\\"realm_access.groups\\\", \\\"resource_access.account.groups\\\"]\"\n- \"PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\\\"OpenID_Group_1:OpenCTI_Group_1\\\", \\\"OpenID_Group_2:OpenCTI_Group_2\\\", ...]\"\n</code></pre> <p>By default, the claims are mapped based on the content of the JWT <code>access_token</code>. If you want to map claims which are in other JWT (such as <code>id_token</code>), you can define the following environment variables:</p> <pre><code>- PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__TOKEN_REFERENCE=id_token\n- PROVIDERS__OPENID__CONFIG__ORGANISATIONS_MANAGEMENT__TOKEN_REFERENCE=id_token\n</code></pre> <p>Alternatively, you can request OpenCTI to use claims from the <code>userinfo</code> endpoint instead of a JWT. <pre><code>- PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__READ_USERINFO=true\n- PROVIDERS__OPENID__CONFIG__ORGANISATIONS_MANAGEMENT__READ_USERINFO=true\n</code></pre></p>"},{"location":"deployment/authentication/#facebook-button","title":"Facebook (button)","text":"<p>This strategy can authenticate your users with Facebook and is based on Passport - Facebook</p> <pre><code>\"facebook\": {\n    \"identifier\": \"facebook\",\n    \"strategy\": \"FacebookStrategy\",\n    \"config\": {\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/facebook/callback\",\n        \"logout_remote\": false\n    }\n}\n</code></pre>"},{"location":"deployment/authentication/#google-button","title":"Google (button)","text":"<p>This strategy can authenticate your users with Google and is based on Passport - Google</p> <pre><code>\"google\": {\n    \"identifier\": \"google\",\n    \"strategy\": \"GoogleStrategy\",\n    \"config\": {\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/google/callback\",\n        \"logout_remote\": false\n    }\n}\n</code></pre>"},{"location":"deployment/authentication/#github-button","title":"GitHub (button)","text":"<p>This strategy can authenticate your users with GitHub and is based on Passport - GitHub</p> <pre><code>\"github\": {\n    \"identifier\": \"github\",\n    \"strategy\": \"GithubStrategy\",\n    \"config\": {\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/github/callback\",\n        \"logout_remote\": false\n  }\n}\n</code></pre>"},{"location":"deployment/authentication/#client-certificate-button","title":"Client certificate (button)","text":"<p>This strategy can authenticate a user based on SSL client certificates. For this you need to configure your OCTI to start in HTTPS, for example:</p> <pre><code>\"port\": 443,\n\"https_cert\": {\n    \"key\": \"/cert/server_key.pem\",\n    \"crt\": \"/cert/server_cert.pem\",\n    \"reject_unauthorized\": true\n}\n</code></pre> <p>And then add the <code>ClientCertStrategy</code>:</p> <pre><code>\"cert\": {\n    \"strategy\":\"ClientCertStrategy\",\n    \"config\": {\n        \"label\":\"CLIENT CERT\"\n    }\n}\n</code></pre> <p>Then when accessing for the first time OCTI, the browser will ask for the certificate you want to use.</p>"},{"location":"deployment/authentication/#proxy-headers-automatic","title":"Proxy headers (automatic)","text":"<p>This strategy can authenticate your users with directly from trusted headers</p> <pre><code>{\n  \"header\": {\n    \"strategy\": \"HeaderStrategy\",\n    \"config\": {\n      \"disabled\": false,\n      \"header_email\": \"auth_email_address\",\n      \"header_name\": \"auth_name\",\n      \"header_firstname\": \"auth_firstname\",\n      \"header_lastname\": \"auth_lastname\",\n      \"logout_uri\": \"https://www.filigran.io\",\n      \"groups_management\": {\n        \"groups_header\": \"auth_groups\",\n        \"groups_splitter\": \",\",\n        \"groups_mapping\": [\"admin:admin\", \"root:root\"]\n      },\n      \"organizations_management\": {\n        \"organizations_header\": \"auth_institution\",\n        \"organizations_splitter\": \",\",\n        \"organizations_mapping\": [\"test:test\"]\n      }\n    }\n  }\n}\n</code></pre> <p>If this mode is activated and the headers are available the user will be automatically logged without any action or notice. The logout uri will remove the session and redirect the configured uri. If not specified the redirect will be done to the request referer and so the header authentication will be done again.</p>"},{"location":"deployment/authentication/#automatically-create-group-on-sso","title":"Automatically create group on SSO","text":"<p>The variable auto_create_group can be added in the options of some strategies (LDAP, SAML and OpenID). If this variable is true, the groups of a user that logins will automatically be created if they don\u2019t exist.</p> <p>More precisely, if the user that tries to authenticate has groups that don\u2019t exist in OpenCTI but exist in the SSO configuration, there are two cases:</p> <ul> <li>if auto_create_group= true in the SSO configuration: the groups are created at the platform initialization and the user will be mapped on them.</li> <li>else: an error is raised.</li> </ul>"},{"location":"deployment/authentication/#example","title":"Example","text":"<p>We assum that Group1 exists in the platform, and newGroup doesn\u2019t exist. The user that tries to log in has the group newGroup. If auto_create_group = true in the SSO configuration, the group named newGroup will be created at the platform initialization and the user will be mapped on it. If auto_create_group = false or is undefined, the user can\u2019t login and an error is raised.</p> <pre><code>\"groups_management\": {\n  \"group_attribute\": \"cn\",\n  \"groups_mapping\": [\"SSO_GROUP_NAME1:group1\", \"SSO_GROUP_NAME_2:newGroup\", ...]\n},\n\"auto_create_group\": true\n</code></pre>"},{"location":"deployment/authentication/#examples","title":"Examples","text":""},{"location":"deployment/authentication/#ldap-then-fallback-to-local","title":"LDAP then fallback to local","text":"<p>In this example the users have a login form and need to enter login and password. The authentication is done on LDAP first, then locally if user failed to authenticate and finally fail if none of them succeded. Here is an example for the <code>production.json</code> file:</p> <pre><code>\"providers\": {\n    \"ldap\": {\n        \"strategy\": \"LdapStrategy\",\n        \"config\": {\n            \"url\": \"ldaps://mydc.mydomain.com:636\",\n            \"bind_dn\": \"cn=Administrator,cn=Users,dc=mydomain,dc=com\",\n            \"bind_credentials\": \"MY_STRONG_PASSWORD\",\n            \"search_base\": \"cn=Users,dc=mydomain,dc=com\",\n            \"search_filter\": \"(cn={{username}})\",\n            \"mail_attribute\": \"mail\",\n            \"account_attribute\": \"givenName\"\n        }\n    },\n    \"local\": {\n        \"strategy\": \"LocalStrategy\",\n        \"config\": {\n            \"disabled\": false\n        }\n    }\n}\n</code></pre> <p>If you use a container deployment, here is an example using environment variables:</p> <pre><code>- PROVIDERS__LDAP__STRATEGY=LdapStrategy\n- PROVIDERS__LDAP__CONFIG__URL=ldaps://mydc.mydomain.org:636\n- PROVIDERS__LDAP__CONFIG__BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=com\n- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX\n- PROVIDERS__LDAP__CONFIG__SEARCH_BASE=cn=Users,dc=mydomain,dc=com\n- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(cn={{username}})\n- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail\n- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName\n- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true\n- PROVIDERS__LOCAL__STRATEGY=LocalStrategy\n</code></pre>"},{"location":"deployment/clustering/","title":"Clustering","text":""},{"location":"deployment/clustering/#introduction","title":"Introduction","text":"<p>The OpenCTI platform technological stack has been designed to be able to scale horizontally. All dependencies such as Elastic or Redis can be deployed in cluster mode and performances can be drastically increased by deploying multiple platform and worker instances.</p>"},{"location":"deployment/clustering/#high-level-architecture","title":"High level architecture","text":"<p>Here is the high level architecture for customers and Filigran cloud platform to ensure both high availability and throughput.</p> <p></p>"},{"location":"deployment/clustering/#configuration","title":"Configuration","text":""},{"location":"deployment/clustering/#dependencies","title":"Dependencies","text":""},{"location":"deployment/clustering/#elasticsearch","title":"ElasticSearch","text":"<p>In the ElasticSearch configuration of OpenCTI, it is possible to declare all nodes.</p> <pre><code>- \"ELASTICSEARCH__URL=[\\\"https://user:pass@node1:9200\\\", \\\"https://user:pass@node2:9200\\\", ...]\"\n</code></pre> <p>Compatibility</p> <p>OpenCTI is also compatible with OpenSearch and AWS / GCP / Azure native search services based on the ElasticSearch query language.</p>"},{"location":"deployment/clustering/#redis","title":"Redis","text":"<p>Redis should be turned to cluster mode:</p> <pre><code>- REDIS__MODE=cluster\n- \"REDIS__HOSTNAMES=[\\\"node1:6379\\\", \\\"node2:6379\\\", ...]\"\n</code></pre> <p>Compatibility</p> <p>OpenCTI is also compatible with ElastiCache, MemoryStore and AWS / GCP / Azure native services based on the Redis protocol.</p>"},{"location":"deployment/clustering/#rabbitmq","title":"RabbitMQ","text":"<p>For the RabbitMQ cluster, you will need a TCP load balancer on top of the nodes since the configuration does not support multi-nodes for now:</p> <pre><code>- RABBITMQ__HOSTNAME=load-balancer-rabbitmq\n</code></pre> <p>Compatibility</p> <p>OpenCTI is also compatible with Amazon MQ, CloudAMQP and AWS / GCP / Azure native services based on the AMQP protocol.</p>"},{"location":"deployment/clustering/#s3-bucket-minio","title":"S3 bucket / MinIO","text":"<p>MinIO is an open source server able to serve S3 buckets. It can be deployed in cluster mode and is compatible with several storage backend. OpenCTI is compatible with any tool following the S3 standard.</p>"},{"location":"deployment/clustering/#platform","title":"Platform","text":"<p>As showed on the schema, best practices for cluster mode and to avoid any congestion in the technological stack are:</p> <ul> <li>Deploy platform(s) dedicated to end users and connectors registration</li> <li>Deploy platform(s) dedicated to workers / ingestion process<ul> <li>We recommend 3 to 4 workers maxiumum by OpenCTI instance.</li> <li>The ingestion platforms will never be accessed directly by end users.</li> </ul> </li> </ul> <p>When enabling clustering, the number of nodes is displayed in Settings &gt; Parameters.</p> <p></p>"},{"location":"deployment/clustering/#managers-and-schedulers","title":"Managers and schedulers","text":"<p>Also, since some managers like the rule engine, the task manager and the notification manager can take some resources in the OpenCTI NodeJS process, it is highly recommended to disable them in the frontend cluster. OpenCTI automatically handle the distribution and the launching of the engines across all nodes in the cluster except where they are explicitely disabled in the configuration.</p>"},{"location":"deployment/configuration/","title":"Configuration","text":"<p>The purpose of this section is to learn how to configure OpenCTI to have it tailored for your production and development needs. It is possible to check all default parameters implemented in the platform in the <code>default.json</code> file.</p> <p>Here are the configuration keys, for both containers (environment variables) and manual deployment.</p> <p>Parameters equivalence</p> <p>The equivalent of a config variable in environment variables is the usage of a double underscores (<code>__</code>) for a level of config.</p> <p>For example: <pre><code>\"providers\": {\n  \"ldap\": {\n    \"strategy\": \"LdapStrategy\"\n  }\n}\n</code></pre></p> <p>will become: <pre><code>PROVIDERS__LDAP__STRATEGY=LdapStrategy\n</code></pre></p> <p>If you need to put a list of elements for the key, it must have a special formatting. Here is an example for redirect URIs for OpenID config: <pre><code>\"PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\\\"https://demo.opencti.io/auth/oic/callback\\\"]\"\n</code></pre></p>"},{"location":"deployment/configuration/#platform","title":"Platform","text":""},{"location":"deployment/configuration/#api-frontend","title":"API &amp; Frontend","text":""},{"location":"deployment/configuration/#basic-parameters","title":"Basic parameters","text":"Parameter Environment variable Default value Description app:port APP__PORT 4000 Listen port of the application app:base_path APP__BASE_PATH Specific URI (ie. /opencti) app:base_url APP__BASE_URL http://localhost:4000 Full URL of the platform (should include the <code>base_path</code> if any) app:request_timeout APP__REQUEST_TIMEOUT 1200000 Request timeout, in ms (default 20 minutes) app:session_timeout APP__SESSION_TIMEOUT 1200000 Session timeout, in ms (default 20 minutes) app:session_idle_timeout APP__SESSION_IDLE_TIMEOUT 0 Idle timeout (locking the screen), in ms (default 0 minute - disabled) app:session_cookie APP__SESSION_COOKIE false Use memory/session cookie instead of persistent one app:admin:email APP__ADMIN__EMAIL admin@opencti.io Default login email of the admin user app:admin:password APP__ADMIN__PASSWORD ChangeMe Default password of the admin user app:admin:token APP__ADMIN__TOKEN ChangeMe Default token (must be a valid UUIDv4) app:health_access_key APP__HEALTH_ACCESS_KEY ChangeMe Access key that enables access to the <code>/health</code> endpoint. Must be changed - will not respond to default value. Access with <code>/health?health_access_key=ChangeMe</code>"},{"location":"deployment/configuration/#network-and-security","title":"Network and security","text":"Parameter Environment variable Default value Description http_proxy HTTP_PROXY Proxy URL for HTTP connection (example: http://proxy:80080) https_proxy HTTPS_PROXY Proxy URL for HTTPS connection (example: http://proxy:80080) no_proxy NO_PROXY Comma separated list of hostnames for proxy exception (example: localhost,127.0.0.0/8,internal.opencti.io) app:https_cert:cookie_secure APP__HTTPS_CERT__COOKIE_SECURE false Set the flag \"secure\" for session cookies. app:https_cert:ca APP__HTTPS_CERT__CA Empty list [] Certificate authority paths or content, only if the client uses a self-signed certificate. app:https_cert:key APP__HTTPS_CERT__KEY Certificate key path or content app:https_cert:crt APP__HTTPS_CERT__CRT Certificate crt path or content app:https_cert:reject_unauthorized APP__HTTPS_CERT__REJECT_UNAUTHORIZED If not false, the server certificate is verified against the list of supplied CAs"},{"location":"deployment/configuration/#logging","title":"Logging","text":""},{"location":"deployment/configuration/#errors","title":"Errors","text":"Parameter Environment variable Default value Description app:app_logs:logs_level APP__APP_LOGS__LOGS_LEVEL info The application log level app:app_logs:logs_files APP__APP_LOGS__LOGS_FILES <code>true</code> If application logs is logged into files app:app_logs:logs_console APP__APP_LOGS__LOGS_CONSOLE <code>true</code> If application logs is logged to console (useful for containers) app:app_logs:logs_max_files APP__APP_LOGS__LOGS_MAX_FILES 7 Maximum number of daily files in logs app:app_logs:logs_directory APP__APP_LOGS__LOGS_DIRECTORY ./logs File logs directory"},{"location":"deployment/configuration/#audit","title":"Audit","text":"Parameter Environment variable Default value Description app:audit_logs:logs_files APP__AUDIT_LOGS__LOGS_FILES <code>true</code> If audit logs is logged into files app:audit_logs:logs_console APP__AUDIT_LOGS__LOGS_CONSOLE <code>true</code> If audit logs is logged to console (useful for containers) app:audit_logs:logs_max_files APP__AUDIT_LOGS__LOGS_MAX_FILES 7 Maximum number of daily files in logs app:audit_logs:logs_directory APP__AUDIT_LOGS__LOGS_DIRECTORY ./logs Audit logs directory"},{"location":"deployment/configuration/#telemetry","title":"Telemetry","text":"Parameter Environment variable Default value Description app:telemetry:metrics:enabled APP__TELEMETRY__METRICS__ENABLED <code>false</code> Enable the metrics collection. app:telemetry:metrics:exporter_otlp APP__TELEMETRY__METRICS__EXPORTER_OTLP Port to expose the OTLP endpoint. app:telemetry:metrics:exporter_prometheus APP__TELEMETRY__METRICS__EXPORTER_PROMETHEUS 14269 Port to expose the Prometheus endpoint. app:health_access_key APP__HEALTH_ACCESS_KEY ChangeMe Access key for the <code>/health</code> endpoint."},{"location":"deployment/configuration/#maps-references","title":"Maps &amp; references","text":"Parameter Environment variable Default value Description app:map_tile_server_dark APP__MAP_TILE_SERVER_DARK https://map.opencti.io/styles/luatix-dark/{z}/{x}/{y}.png The address of the OpenStreetMap provider with dark theme style app:map_tile_server_light APP__MAP_TILE_SERVER_LIGHT https://map.opencti.io/styles/luatix-light/{z}/{x}/{y}.png The address of the OpenStreetMap provider with light theme style app:reference_attachment APP__REFERENCE_ATTACHMENT <code>false</code> External reference mandatory attachment"},{"location":"deployment/configuration/#functional-customization","title":"Functional customization","text":"Parameter Environment variable Default value Description relations_deduplication:past_days RELATIONS_DEDUPLICATION__PAST_DAYS 30 De-duplicate relations based on <code>start_time</code> and <code>stop_time</code> - n days relations_deduplication:next_days RELATIONS_DEDUPLICATION__NEXT_DAYS 30 De-duplicate relations based on <code>start_time</code> and <code>stop_time</code> + n days relations_deduplication:created_by_based RELATIONS_DEDUPLICATION__CREATED_BY_BASED <code>false</code> Take into account the author to duplicate even if <code>stat_time</code> / <code>stop_time</code> are matching relations_deduplication:types_overrides:relationship_type:past_days RELATIONS_DEDUPLICATION__RELATIONSHIP_TYPE__PAST_DAYS Override the past days for a specific type of relationship (ex. targets) relations_deduplication:types_overrides:relationship_type:next_days RELATIONS_DEDUPLICATION__RELATIONSHIP_TYPE__NEXT_DAYS Override the next days for a specific type of relationship (ex. targets) relations_deduplication:types_overrides:relationship_type:created_by_based RELATIONS_DEDUPLICATION__RELATIONSHIP_TYPE__CREATED_BY_BASED Override the author duplication for a specific type of relationship (ex. targets) Parameter Environment variable Default value Description app:graphql:playground:enabled APP__GRAPHQL__PLAYGROUND__ENABLED <code>true</code> Enable the playground on /graphql app:graphql:playground:force_disabled_introspection APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION <code>false</code> Introspection is allowed to auth users but can be disabled in needed app:concurrency:retry_count APP__CONCURRENCY__RETRY_COUNT 200 Number of try to get the lock to work an element (create/update/merge, ...) app:concurrency:retry_delay APP__CONCURRENCY__RETRY_DELAY 100 Delay between 2 lock retry (in milliseconds) app:concurrency:retry_jitter APP__CONCURRENCY__RETRY_JITTER 50 Random jitter to prevent concurrent retry  (in milliseconds) app:concurrency:max_ttl APP__CONCURRENCY__MAX_TTL 30000 Global maximum time for lock retry (in milliseconds)"},{"location":"deployment/configuration/#technical-customization","title":"Technical customization","text":"Parameter Environment variable Default value Description app:graphql:playground:enabled APP__GRAPHQL__PLAYGROUND__ENABLED <code>true</code> Enable the playground on /graphql app:graphql:playground:force_disabled_introspection APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION <code>false</code> Introspection is allowed to auth users but can be disabled in needed app:concurrency:retry_count APP__CONCURRENCY__RETRY_COUNT 200 Number of try to get the lock to work an element (create/update/merge, ...) app:concurrency:retry_delay APP__CONCURRENCY__RETRY_DELAY 100 Delay between 2 lock retry (in milliseconds) app:concurrency:retry_jitter APP__CONCURRENCY__RETRY_JITTER 50 Random jitter to prevent concurrent retry  (in milliseconds) app:concurrency:max_ttl APP__CONCURRENCY__MAX_TTL 30000 Global maximum time for lock retry (in milliseconds)"},{"location":"deployment/configuration/#dependencies","title":"Dependencies","text":""},{"location":"deployment/configuration/#elasticsearch","title":"ElasticSearch","text":"Parameter Environment variable Default value Description elasticsearch:engine_selector ELASTICSEARCH__ENGINE_SELECTOR auto <code>elk</code> or <code>opensearch</code>, default is <code>auto</code>, please put <code>elk</code> if you use token auth. elasticsearch:url ELASTICSEARCH__URL http://localhost:9200 URL(s) of the ElasticSearch (supports http://user:pass@localhost:9200 and list of URLs) elasticsearch:username ELASTICSEARCH__USERNAME Username can be put in the URL or with this parameter elasticsearch:password ELASTICSEARCH__PASSWORD Password can be put in the URL or with this parameter elasticsearch:api_key ELASTICSEARCH__API_KEY API key for ElasticSearch token auth. Please set also <code>engine_selector</code> to <code>elk</code> elasticsearch:index_prefix ELASTICSEARCH__INDEX_PREFIX opencti Prefix for the indices elasticsearch:ssl:reject_unauthorized ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED <code>true</code> Enable TLS certificate check elasticsearch:ssl:ca ELASTICSEARCH__SSL__CA Custom certificate path or content elasticsearch:search_wildcard_prefix ELASTICSEARCH__SEARCH_WILDCARD_PREFIX <code>false</code> Search includes words with automatic fuzzy comparison elasticsearch:search_fuzzy ELASTICSEARCH__SEARCH_FUZZY <code>false</code> Search will include words not starting with the search keyword"},{"location":"deployment/configuration/#redis","title":"Redis","text":"Parameter Environment variable Default value Description redis:mode REDIS__MODE single Connect to redis \"single\" or \"cluster\" redis:namespace REDIS__NAMESPACE Namespace (to use as prefix) redis:hostname REDIS__HOSTNAME localhost Hostname of the Redis Server redis:hostnames REDIS__HOSTNAMES Hostnames definition for Redis cluster mode: a list of host/port objects. redis:port REDIS__PORT 6379 Port of the Redis Server redis:use_ssl REDIS__USE_SSL <code>false</code> Is the Redis Server has TLS enabled redis:username REDIS__USERNAME Username of the Redis Server redis:password REDIS__PASSWORD Password of the Redis Server redis:ca REDIS__CA [] List of path(s) of the CA certificate(s) redis:trimming REDIS__TRIMMING 2000000 Number of elements to maintain in the stream. (0 = unlimited)"},{"location":"deployment/configuration/#rabbitmq","title":"RabbitMQ","text":"Parameter Environment variable Default value Description rabbitmq:hostname RABBITMQ__HOSTNAME localhost Hostname of the RabbitMQ server rabbitmq:port RABBITMQ__PORT 5672 Port of the RabbitMQ server rabbitmq:port_management RABBITMQ__PORT_MANAGEMENT 15672 Port of the RabbitMQ Management Plugin rabbitmq:username RABBITMQ__USERNAME guest RabbitMQ user rabbitmq:password RABBITMQ__PASSWORD guest RabbitMQ password rabbitmq:queue_type RABBITMQ__QUEUE_TYPE \"classic\" RabbitMQ Queue Type (\"classic\" or \"quorum\") - - - - rabbitmq:use_ssl RABBITMQ__USE_SSL <code>false</code> Use TLS connection rabbitmq:use_ssl_cert RABBITMQ__USE_SSL_CERT Path or cert content rabbitmq:use_ssl_key RABBITMQ__USE_SSL_KEY Path or key content rabbitmq:use_ssl_pfx RABBITMQ__USE_SSL_PFX Path or pfx content rabbitmq:use_ssl_ca RABBITMQ__USE_SSL_CA [] List of path(s) of the CA certificate(s) rabbitmq:use_ssl_passphrase RABBITMQ__SSL_PASSPHRASE Passphrase for the key certificate rabbitmq:use_ssl_reject_unauthorized RABBITMQ__SSL_REJECT_UNAUTHORIZED <code>false</code> Reject rabbit self signed certificate - - - - rabbitmq:management_ssl RABBITMQ__MANAGEMENT_SSL <code>false</code> Is the Management Plugin has TLS enabled rabbitmq:management_ssl_reject_unauthorized RABBITMQ__SSL_REJECT_UNAUTHORIZED <code>true</code> Reject management self signed certificate"},{"location":"deployment/configuration/#s3-bucket","title":"S3 Bucket","text":"Parameter Environment variable Default value Description minio:endpoint MINIO__ENDPOINT localhost Hostname of the S3 Service. Example if you use AWS Bucket S3: s3.us-east-1.amazonaws.com (if <code>minio:bucket_region</code> value is us-east-1). This parameter value can be omitted if you use Minio as an S3 Bucket Service. minio:port MINIO__PORT 9000 Port of the S3 Service. For AWS Bucket S3 over HTTPS, this value can be changed (usually 443). minio:use_ssl MINIO__USE_SSL <code>false</code> Indicates whether the S3 Service has TLS enabled. For AWS Bucket S3 over HTTPS, this value could be <code>true</code>. minio:access_key MINIO__ACCESS_KEY ChangeMe Access key for the S3 Service. minio:secret_key MINIO__SECRET_KEY ChangeMe Secret key for the S3 Service. minio:bucket_name MINIO__BUCKET_NAME opencti-bucket S3 bucket name. Useful to change if you use AWS. minio:bucket_region MINIO__BUCKET_REGION us-east-1 Region of the S3 bucket if you are using AWS. This parameter value can be omitted if you use Minio as an S3 Bucket Service. minio:use_aws_role MINIO__USE_AWS_ROLE <code>false</code> Indicates whether to use AWS role auto credentials. When this parameter is configured, the <code>minio:access_key</code> and <code>minio:secret_key</code> parameters are not necessary."},{"location":"deployment/configuration/#smtp-service","title":"SMTP Service","text":"Parameter Environment variable Default value Description smtp:hostname SMTP__HOSTNAME SMTP Server hostname smtp:port SMTP__PORT 9000 SMTP Port (25 or 465 for TLS) smtp:use_ssl SMTP__USE_SSL <code>false</code> SMTP over TLS smtp:reject_unauthorized SMTP__REJECT_UNAUTHORIZED <code>false</code> Enable TLS certificate check smtp:username SMTP__USERNAME SMTP Username if authentication is needed smtp:password SMTP__PASSWORD SMTP Password if authentication is needed"},{"location":"deployment/configuration/#ai-service","title":"AI Service","text":"<p>AI deployment and cloud services</p> <p>There are several possibilities for Enterprise Edition customers to use OpenCTI AI endpoints:</p> <ul> <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li> <li>Use OpenAI or MistralAI cloud endpoints using your own tokens.</li> <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li> </ul> Parameter Environment variable Default value Description ai:enabled AI__ENABLED true Enable AI capabilities ai:type AI__TYPE mistralai AI type (<code>mistralai</code> or <code>openai</code>) ai:endpoint AI__ENDPOINT Endpoint URL (empty means default cloud service) ai:token AI__TOKEN Token for endpoint credentials ai:model AI__MODEL Model to be used for text generation (depending on type) ai:model_images AI__MODEL_IMAGES Model to be used for image generation (depending on type)"},{"location":"deployment/configuration/#engines-schedules-and-managers","title":"Engines, Schedules and Managers","text":"Parameter Environment variable Default value Description rule_engine:enabled RULE_ENGINE__ENABLED <code>true</code> Enable/disable the rule engine rule_engine:lock_key RULE_ENGINE__LOCK_KEY rule_engine_lock Lock key of the engine in Redis - - - - history_manager:enabled HISTORY_MANAGER__ENABLED <code>true</code> Enable/disable the history manager history_manager:lock_key HISTORY_MANAGER__LOCK_KEY history_manager_lock Lock key for the manager in Redis - - - - task_scheduler:enabled TASK_SCHEDULER__ENABLED <code>true</code> Enable/disable the task scheduler task_scheduler:lock_key TASK_SCHEDULER__LOCK_KEY task_manager_lock Lock key for the scheduler in Redis task_scheduler:interval TASK_SCHEDULER__INTERVAL 10000 Interval to check new task to do (in ms) - - - - sync_manager:enabled SYNC_MANAGER__ENABLED <code>true</code> Enable/disable the sync manager sync_manager:lock_key SYNC_MANAGER__LOCK_KEY sync_manager_lock Lock key for the manager in Redis sync_manager:interval SYNC_MANAGER__INTERVAL 10000 Interval to check new sync feeds to consume (in ms) - - - - expiration_scheduler:enabled EXPIRATION_SCHEDULER__ENABLED <code>true</code> Enable/disable the scheduler expiration_scheduler:lock_key EXPIRATION_SCHEDULER__LOCK_KEY expired_manager_lock Lock key for the scheduler in Redis expiration_scheduler:interval EXPIRATION_SCHEDULER__INTERVAL 300000 Interval to check expired indicators (in ms) - - - - retention_manager:enabled RETENTION_MANAGER__ENABLED <code>true</code> Enable/disable the retention manager retention_manager:lock_key RETENTION_MANAGER__LOCK_KEY retention_manager_lock Lock key for the manager in Redis retention_manager:interval RETENTION_MANAGER__INTERVAL 60000 Interval to check items to be deleted (in ms) - - - - notification_manager:enabled NOTIFICATION_MANAGER__ENABLED <code>true</code> Enable/disable the notification manager notification_manager:lock_live_key NOTIFICATION_MANAGER__LOCK_LIVE_KEY notification_live_manager_lock Lock live key for the manager in Redis notification_manager:lock_digest_key NOTIFICATION_MANAGER__LOCK_DIGEST_KEY notification_digest_manager_lock Lock digest key for the manager in Redis notification_manager:interval NOTIFICATION_MANAGER__INTERVAL 10000 Interval to push notifications - - - - publisher_manager:enabled PUBLISHER_MANAGER__ENABLED <code>true</code> Enable/disable the publisher manager publisher_manager:lock_key PUBLISHER_MANAGER__LOCK_KEY publisher_manager_lock Lock key for the manager in Redis publisher_manager:interval PUBLISHER_MANAGER__INTERVAL 10000 Interval to send notifications / digests (in ms) - - - - ingestion_manager:enabled INGESTION_MANAGER__ENABLED <code>true</code> Enable/disable the ingestion manager ingestion_manager:lock_key INGESTION_MANAGER__LOCK_KEY ingestion_manager_lock Lock key for the manager in Redis ingestion_manager:interval INGESTION_MANAGER__INTERVAL 300000 Interval to check for new data in remote feeds - - - - playbook_manager:enabled PLAYBOOK_MANAGER__ENABLED <code>true</code> Enable/disable the playbook manager playbook_manager:lock_key PLAYBOOK_MANAGER__LOCK_KEY publisher_manager_lock Lock key for the manager in Redis playbook_manager:interval PLAYBOOK_MANAGER__INTERVAL 60000 Interval to check new playbooks - - - - activity_manager:enabled ACTIVITY_MANAGER__ENABLED <code>true</code> Enable/disable the activity manager activity_manager:lock_key ACTIVITY_MANAGER__LOCK_KEY activity_manager_lock Lock key for the manager in Redis - - - - connector_manager:enabled CONNECTOR_MANAGER__ENABLED <code>true</code> Enable/disable the connector manager connector_manager:lock_key CONNECTOR_MANAGER__LOCK_KEY connector_manager_lock Lock key for the manager in Redis connector_manager:works_day_range CONNECTOR_MANAGER__WORKS_DAY_RANGE 7 Days range before considering the works as too old connector_manager:interval CONNECTOR_MANAGER__INTERVAL 10000 Interval to check the state of the works - - - - import_csv_built_in_connector:enabled IMPORT_CSV_CONNECTOR__ENABLED <code>true</code> Enable/disable the csv import connector import_csv_built_in_connector:validate_before_import IMPORT_CSV_CONNECTOR__VALIDATE_BEFORE_IMPORT <code>false</code> Validates the bundle before importing - - - - file_index_manager:enabled FILE_INDEX_MANAGER__ENABLED <code>true</code> Enable/disable the file indexing manager file_index_manager:stream_lock_key FILE_INDEX_MANAGER__STREAM_LOCK file_index_manager_stream_lock Stream lock key for the manager in Redis file_index_manager:interval FILE_INDEX_MANAGER__INTERVAL 60000 Interval to check for new files - - - - indicator_decay_manager:enabled INDICATOR_DECAY_MANAGER__ENABLED <code>true</code> Enable/disable the file indexing manager indicator_decay_manager:lock_key INDICATOR_DECAY_MANAGER__LOCK_LOCK indicator_decay_manager_lock Lock key for the manager in Redis indicator_decay_manager:interval INDICATOR_DECAY_MANAGER__INTERVAL 60000 Interval to check for indicators to update indicator_decay_manager:batch_size INDICATOR_DECAY_MANAGER__BATCH_SIZE 10000 Number of indicators handled by the manager <p>Manager's duties</p> <p>A description of each manager's duties is available on a dedicated page.</p>"},{"location":"deployment/configuration/#worker-and-connector","title":"Worker and connector","text":"<p>Can be configured manually using the configuration file <code>config.yml</code> or through environment variables.</p> Parameter Environment variable Default value Description opencti:url OPENCTI_URL The URL of the OpenCTI platform opencti:token OPENCTI_TOKEN A token of an administrator account with bypass capability - - - - mq:use_ssl / / Depending of the API configuration (fetch from API) mq:use_ssl_ca MQ_USE_SSL_CA Path or cacert content mq:use_ssl_cert MQ_USE_SSL_CERT Path or cert content mq:use_ssl_key MQ_USE_SSL_KEY Path or key content mq:use_ssl_passphrase MQ_USE_SSL_PASSPHRASE Passphrase for the key certificate mq:use_ssl_reject_unauthorized MQ_USE_SSL_REJECT_UNAUTHORIZED <code>false</code> Reject rabbit self signed certificate"},{"location":"deployment/configuration/#worker-specific-configuration","title":"Worker specific configuration","text":""},{"location":"deployment/configuration/#logging_1","title":"Logging","text":"Parameter Environment variable Default value Description worker:log_level WORKER_LOG_LEVEL info The log level (error, warning, info or debug)"},{"location":"deployment/configuration/#telemetry_1","title":"Telemetry","text":"Parameter Environment variable Default value Description worker:telemetry_enabled WORKER_TELEMETRY_ENABLED false Enable the Prometheus endpoint worker:telemetry_prometheus_port WORKER_PROMETHEUS_TELEMETRY_PORT 14270 Port of the Prometheus endpoint worker:telemetry_prometheus_host WORKER_PROMETHEUS_TELEMETRY_HOST 0.0.0.0 Listen address of the Prometheus endpoint"},{"location":"deployment/configuration/#connector-specific-configuration","title":"Connector specific configuration","text":"<p>For specific connector configuration, you need to check each connector behavior.</p>"},{"location":"deployment/configuration/#elasticsearch_1","title":"ElasticSearch","text":"<p>If you want to adapt the memory consumption of ElasticSearch, you can use these options:</p> <pre><code># Add the following environment variable:\n\"ES_JAVA_OPTS=-Xms8g -Xmx8g\"\n</code></pre> <p>This can be done in configuration file in the <code>jvm.conf</code> file.</p>"},{"location":"deployment/connectors/","title":"Connectors","text":""},{"location":"deployment/connectors/#introduction","title":"Introduction","text":"<p>Connectors list</p> <p>You are looking for the available connectors? The list is in the OpenCTI Ecosystem.</p> <p>Connectors are the cornerstone of the OpenCTI platform and allow organizations to easily ingest, enrich or export data in the platform. According to their functionality and use case, they are categorized in the following classes.</p> <p></p>"},{"location":"deployment/connectors/#import","title":"Import","text":"<p>These connectors automatically retrieve information from an external organization, application or service, convert it to STIX 2.1 bundles and import it into OpenCTI using the workers.</p>"},{"location":"deployment/connectors/#enrichment","title":"Enrichment","text":"<p>When a new object is created in the platform or on the user request, it is possible to trigger the internal enrichment connector to lookup and/or search the object in external organizations, applications or services. If the object is found, the connectors will generate a STIX 2.1 bundle which will increase the level of knowledge about the concerned object.</p> <p></p>"},{"location":"deployment/connectors/#stream","title":"Stream","text":"<p>These connectors connect to a platform data stream and continously do something with the received events. In most cases, they are used to consume OpenCTI data and insert them in third-party platforms such as SIEMs, XDRs, EDRS, etc. In some cases, stream connectors can also query the external system on a regular basis and act as import connector for instance to gather alerts and sightings related to CTI data and push them to OpenCTI (bi-directional).</p>"},{"location":"deployment/connectors/#import-files","title":"Import files","text":"<p>Information from an uploaded file can be extracted and ingested into OpenCTI. Examples are files attached to a report or a STIX 2.1 file.</p>"},{"location":"deployment/connectors/#export-files","title":"Export files","text":"<p>Information stored in OpenCTI can be extracted into different file formats like .csv or .json (STIX 2).</p>"},{"location":"deployment/connectors/#connector-configuration","title":"Connector configuration","text":"<p>All connectors have to be able to access the OpenCTI API. To allow this connection, they have 2 mandatory configuration parameters, the <code>OPENCTI_URL</code> and the <code>OPENCTI_TOKEN</code>. In addition to these 2 parameters, connectors have other mandatory parameters that need to be set in order to get them work.</p> <p>Connectors tokens</p> <p>Be careful, we strongly recommend to use a dedicated token for each connector running in the platform. So you have to create a specific user for each of them.</p> <p>Also, if all connectors users can run in with a user belonging to the <code>Connectors</code> group (with the <code>Connector</code> role), the <code>Internal Export Files</code> should be run with a user who is Administrator (with bypass capability) because they impersonate the user requesting the export to avoid data leak.</p> Type Required role Used permissions EXTERNAL_IMPORT Connector Import data with the connector user. INTERNAL_ENRICHMENT Connector Enrich data with the connector user. INTERNAL_IMPORT_FILE Connector Import data with the connector user. INTERNAL_EXPORT_FILE Administrator Export data with the user who requested the export. STREAM Connector Consume the streams the connector user. <p>Here is an example of a connector <code>docker-compose.yml</code> file: <pre><code>- CONNECTOR_ID=ChangeMe\n- CONNECTOR_TYPE=EXTERNAL_IMPORT\n- CONNECTOR_NAME=MITRE ATT&amp;CK\n- CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report\n- CONNECTOR_CONFIDENCE_LEVEL=3\n- CONNECTOR_UPDATE_EXISTING_DATA=true\n- CONNECTOR_LOG_LEVEL=info\n</code></pre></p> <p>Here is an example in a connector <code>config.yml</code> file:</p> <pre><code>-connector:\n  id: 'ChangeMe'\n  type: 'EXTERNAL_IMPORT'\n  name: 'MITRE ATT&amp;CK'\n  scope: 'identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report'\n  confidence_level: 3\n  update_existing_data: true\n  log_level: 'info'\n</code></pre>"},{"location":"deployment/connectors/#networking","title":"Networking","text":"<p>Be aware that all connectors are reaching RabbitMQ based the RabbitMQ configuration provided by the OpenCTI platform. The connector must be able to reach RabbitMQ on the specified hostname and port. If you have a specific Docker network configuration, please be sure to adapt your <code>docker-compose.yml</code> file in such way that the connector container gets attached to the OpenCTI Network, e.g.:</p> <pre><code>networks:\n  default:\n    external: true\n    name: opencti-docker_default\n</code></pre> <p></p>"},{"location":"deployment/connectors/#connector-token","title":"Connector token","text":""},{"location":"deployment/connectors/#create-the-user","title":"Create the user","text":"<p>As mentioned previously, it is strongly recommended to run each connector with its own user. The <code>Internal Export File</code> connectors should be launched with a user that belongs to a group which has an \u201cAdministrator\u201d role (with bypass all capabilities enabled).</p> <p>By default, in platform, a group named \"Connectors\" already exists. So just create a new user with the name <code>[C] Name of the connector</code> in Settings &gt; Security &gt; Users.</p> <p></p>"},{"location":"deployment/connectors/#put-the-user-in-the-group","title":"Put the user in the group","text":"<p>Just go to the user you have just created and add it to the <code>Connectors</code> group.</p> <p></p> <p>Then just get the token of the user displayed in the interface.</p> <p></p>"},{"location":"deployment/connectors/#docker-activation","title":"Docker activation","text":"<p>You can either directly run the Docker image of connectors or add them to your current <code>docker-compose.yml</code> file.</p>"},{"location":"deployment/connectors/#add-a-connector-to-your-deployment","title":"Add a connector to your deployment","text":"<p>For instance, to enable the MISP connector, you can add a new service to your <code>docker-compose.yml</code> file:</p> <pre><code>  connector-misp:\n    image: opencti/connector-misp:latest\n    environment:\n      - OPENCTI_URL=http://localhost\n      - OPENCTI_TOKEN=ChangeMe\n      - CONNECTOR_ID=ChangeMe\n      - CONNECTOR_TYPE=EXTERNAL_IMPORT\n      - CONNECTOR_NAME=MISP\n      - CONNECTOR_SCOPE=misp\n      - CONNECTOR_CONFIDENCE_LEVEL=3\n      - CONNECTOR_UPDATE_EXISTING_DATA=false\n      - CONNECTOR_LOG_LEVEL=info\n      - MISP_URL=http://localhost # Required\n      - MISP_KEY=ChangeMe # Required\n      - MISP_SSL_VERIFY=False # Required\n      - MISP_CREATE_REPORTS=True # Required, create report for MISP event\n      - MISP_REPORT_CLASS=MISP event # Optional, report_class if creating report for event\n      - MISP_IMPORT_FROM_DATE=2000-01-01 # Optional, import all event from this date\n      - MISP_IMPORT_TAGS=opencti:import,type:osint # Optional, list of tags used for import events\n      - MISP_INTERVAL=1 # Required, in minutes\n    restart: always\n</code></pre>"},{"location":"deployment/connectors/#launch-a-standalone-connector","title":"Launch a standalone connector","text":"<p>To launch standalone connector, you can use the <code>docker-compose.yml</code> file of the connector itself. Just download the latest release and start the connector:</p> <pre><code>$ wget https://github.com/OpenCTI-Platform/connectors/archive/{RELEASE_VERSION}.zip\n$ unzip {RELEASE_VERSION}.zip\n$ cd connectors-{RELEASE_VERSION}/misp/\n</code></pre> <p>Change the configuration in the <code>docker-compose.yml</code> according to the parameters of the platform and of the targeted service. Then launch the connector:</p> <pre><code>$ docker-compose up\n</code></pre>"},{"location":"deployment/connectors/#manual-activation","title":"Manual activation","text":"<p>If you want to manually launch connector, you just have to install Python 3 and pip3 for dependencies:</p> <pre><code>$ apt install python3 python3-pip\n</code></pre> <p>Download the release of the connectors:</p> <pre><code>$ wget &lt;https://github.com/OpenCTI-Platform/connectors/archive/{RELEASE_VERSION}.zip&gt;\n$ unzip {RELEASE_VERSION}.zip\n$ cd connectors-{RELEASE_VERSION}/misp/src/\n</code></pre> <p>Install dependencies and initialize the configuration:</p> <pre><code>$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the <code>config.yml</code> content according to the parameters of the platform and of the targeted service and launch the connector:</p> <pre><code>$ python3 misp.py\n</code></pre>"},{"location":"deployment/connectors/#connectors-status","title":"Connectors status","text":"<p>The connector status can be displayed in the dedicated section of the platform available in Data &gt; Connectors. You will be able to see the statistics of the RabbitMQ queue of the connector:</p> <p></p> <p>Problem</p> <p>If you encounter problems deploying OpenCTI or connectors, you can consult the troubleshooting page page.</p>"},{"location":"deployment/installation/","title":"Installation","text":"<p>All components of OpenCTI are shipped both as Docker images and manual installation packages.</p> <p>Production deployment</p> <p>For production deployment, we recommend to deploy all components in containers, including dependencies, using native cloud services or orchestration systems such as Kubernetes.</p> <p>To have more details about deploying OpenCTI and its dependencies in cluster mode, please read the dedicated section.</p> <ul> <li> <p> Use Docker</p> <p>Deploy OpenCTI using Docker and the default <code>docker-compose.yml</code> provided in the docker.</p> <p> Setup</p> </li> <li> <p> Manual installation</p> <p>Deploy dependencies and launch the platform manually using the packages released in the GitHub releases.</p> <p> Explore</p> </li> </ul>"},{"location":"deployment/installation/#using-docker","title":"Using Docker","text":"<p>Deploy FIPS 140-2 compliant components</p> <p>We are providing FIPS 140-2 compliant images, please read the dedicated documentation to understand how to deploy OpenCTI in FIPS-compliant mode.</p>"},{"location":"deployment/installation/#introduction","title":"Introduction","text":"<p>OpenCTI can be deployed using the docker-compose command.</p>"},{"location":"deployment/installation/#pre-requisites","title":"Pre-requisites","text":"<p> Linux</p> <pre><code>$ sudo apt install docker-compose\n</code></pre> <p> Windows and MacOS</p> <p>Just download the appropriate Docker for Desktop version for your operating system.</p>"},{"location":"deployment/installation/#clone-the-repository","title":"Clone the repository","text":"<p>Docker helpers are available in the Docker GitHub repository.</p> <pre><code>$ mkdir -p /path/to/your/app &amp;&amp; cd /path/to/your/app\n$ git clone https://github.com/OpenCTI-Platform/docker.git\n$ cd docker\n</code></pre>"},{"location":"deployment/installation/#configure-the-environment","title":"Configure the environment","text":"<p>ElasticSearch / OpenSearch configuration</p> <ul> <li>We highly recommend to put the ElasticSearch / OpenSearch following parameter:</li> </ul> <pre><code>thread_pool.search.queue_size=5000\n</code></pre> <ul> <li>Check the OpenCTI Integration User Permissions in OpenSearch/ElasticSearch for detailed information about the necessary user permissions for the OpenSearch/ElasticSearch integration.</li> </ul> <p>Before running the <code>docker-compose</code> command, the <code>docker-compose.yml</code> file should be configured. By default, the <code>docker-compose.yml</code> file is using environment variables available in the file <code>.env.sample</code>.</p> <p>You can either rename the file <code>.env.sample</code> in <code>.env</code> and put the expected values or just fill directly the <code>docker-compose.yml</code> with the values corresponding to your environment.</p> <p>Configuration static parameters</p> <p>The complete list of available static parameters is available in the configuration section.</p> <p>Here is an example to quickly generate the <code>.env</code> file under Linux, especially all the default UUIDv4:</p> <pre><code>$ sudo apt install -y jq\n$ cd ~/docker\n$ (cat &lt;&lt; EOF\nOPENCTI_ADMIN_EMAIL=admin@opencti.io\nOPENCTI_ADMIN_PASSWORD=ChangeMePlease\nOPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)\nOPENCTI_BASE_URL=http://localhost:8080\nMINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)\nMINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)\nRABBITMQ_DEFAULT_USER=guest\nRABBITMQ_DEFAULT_PASS=guest\nELASTIC_MEMORY_SIZE=4G\nCONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)\nSMTP_HOSTNAME=localhost\nEOF\n) &gt; .env\n</code></pre> <p>If your <code>docker-compose</code> deployment does not support <code>.env</code> files, just export all environment variables before launching the platform:</p> <pre><code>$ export $(cat .env | grep -v \"#\" | xargs)\n</code></pre> <p>As OpenCTI has a dependency on ElasticSearch, you have to set the <code>vm.max_map_count</code> before running the containers, as mentioned in the ElasticSearch documentation.</p> <pre><code>$ sudo sysctl -w vm.max_map_count=1048575\n</code></pre> <p>To make this parameter persistent, add the following to the end of your <code>/etc/sysctl.conf</code>:</p> <pre><code>$ vm.max_map_count=1048575\n</code></pre>"},{"location":"deployment/installation/#persist-data","title":"Persist data","text":"<p>The default for OpenCTI data is to be persistent.</p> <p>In the <code>docker-compose.yml</code>, you will find at the end the list of necessary persitent volumes for the dependencies:</p> <pre><code>volumes:\n  esdata:     # ElasticSearch data\n  s3data:     # S3 bucket data\n  redisdata:  # Redis data\n  amqpdata:   # RabbitMQ data\n</code></pre>"},{"location":"deployment/installation/#run-opencti","title":"Run OpenCTI","text":""},{"location":"deployment/installation/#using-single-node-docker","title":"Using single node Docker","text":"<p>After changing your <code>.env</code> file run <code>docker-compose</code> in detached (-d) mode:</p> <pre><code>$ sudo systemctl start docker.service\n# Run docker-compose in detached\n$ docker-compose up -d\n</code></pre>"},{"location":"deployment/installation/#using-docker-swarm","title":"Using Docker swarm","text":"<p>In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.</p> <pre><code># If your virtual machine is not a part of a Swarm cluster, please use:\n$ docker swarm init\n</code></pre> <p>Put your environment variables in <code>/etc/environment</code>:</p> <pre><code># If you already exported your variables to .env from above:\n$ sudo cat .env &gt;&gt; /etc/environment\n$ sudo bash -c 'cat .env &gt;&gt; /etc/environment\u2019\n$ sudo docker stack deploy --compose-file docker-compose.yml opencti\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:8080 and log in with the credentials configured in your environment variables.</p>"},{"location":"deployment/installation/#manual-installation","title":"Manual installation","text":""},{"location":"deployment/installation/#prerequisites","title":"Prerequisites","text":""},{"location":"deployment/installation/#prepare-the-installation","title":"Prepare the installation","text":""},{"location":"deployment/installation/#installation-of-dependencies","title":"Installation of dependencies","text":"<p>You have to install all the needed dependencies for the main application and the workers. The example below is for Debian-based systems:</p> <pre><code>$ sudo apt-get install build-essential nodejs npm python3 python3-pip python3-dev\n</code></pre>"},{"location":"deployment/installation/#download-the-application-files","title":"Download the application files","text":"<p>First, you have to download and extract the latest release file. Then select the version to install depending of your operating system:</p> <p>For Linux:</p> <ul> <li>If your OS supports libc (Ubuntu, Debian, ...) you have to install the <code>opencti-release_{RELEASE_VERSION}.tar.gz</code> version.</li> <li>If your OS uses musl (Alpine, ...) you have to install the <code>opencti-release-{RELEASE_VERSION}_musl.tar.gz</code> version.</li> </ul> <p>For Windows:</p> <p>We don't provide any Windows release for now. However it is still possible to check the code out, manually install the dependencies and build the software.</p> <pre><code>$ mkdir /path/to/your/app &amp;&amp; cd /path/to/your/app\n$ wget &lt;https://github.com/OpenCTI-Platform/opencti/releases/download/{RELEASE_VERSION}/opencti-release-{RELEASE_VERSION}.tar.gz&gt;\n$ tar xvfz opencti-release-{RELEASE_VERSION}.tar.gz\n</code></pre>"},{"location":"deployment/installation/#install-the-main-platform","title":"Install the main platform","text":""},{"location":"deployment/installation/#configure-the-application","title":"Configure the application","text":"<p>The main application has just one JSON configuration file to change and a few Python modules to install</p> <pre><code>$ cd opencti\n$ cp config/default.json config/production.json\n</code></pre> <p>Change the config/production.json file according to your configuration of ElasticSearch, Redis, RabbitMQ and S3 bucket as well as default credentials (the <code>ADMIN_TOKEN</code> must be a valid UUID).</p>"},{"location":"deployment/installation/#install-the-python-modules","title":"Install the Python modules","text":"<pre><code>$ cd src/python\n$ pip3 install -r requirements.txt\n$ cd ../..\n</code></pre>"},{"location":"deployment/installation/#start-the-application","title":"Start the application","text":"<p>The application is just a NodeJS process, the creation of the database schema and the migration will be done at starting.</p> <pre><code>$ yarn install\n$ yarn build\n$ yarn serv\n</code></pre> <p>The default username and password are those you have put in the <code>config/production.json</code> file.</p>"},{"location":"deployment/installation/#install-the-worker","title":"Install the worker","text":"<p>The OpenCTI worker is used to write the data coming from the RabbitMQ messages broker.</p>"},{"location":"deployment/installation/#configure-the-worker","title":"Configure the worker","text":"<pre><code>$ cd worker\n$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the config.yml file according to your OpenCTI token.</p>"},{"location":"deployment/installation/#start-as-many-workers-as-you-need","title":"Start as many workers as you need","text":"<pre><code>$ python3 worker.py &amp;\n$ python3 worker.py &amp;\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:4000 and log in with the credentials configured in your <code>production.json</code> file.</p>"},{"location":"deployment/installation/#appendix","title":"Appendix","text":""},{"location":"deployment/installation/#community-contributions","title":"Community contributions","text":""},{"location":"deployment/installation/#terraform","title":"Terraform","text":"<ul> <li> <p> Multi-clouds Terraform scripts</p> <p>This repository is here to provide you with a quick and easy way to deploy an OpenCTI instance in the cloud (AWS, Azure, or GCP).</p> <p> GitHub Respository</p> </li> <li> <p> AWS Advanced Terraform scripts</p> <p>A Terraform deployment of OpenCTI designed to make use of native AWS Resources (where feasible). This includes AWS ECS Fargate, AWS OpenSearch, etc.</p> <p> GitHub Repository</p> </li> </ul>"},{"location":"deployment/installation/#helm-charts","title":"Helm Charts","text":"<ul> <li> <p> Kubernetes Helm Charts</p> <p>OpenCTI Helm Charts for Kubernetes with a global configuration file. More information how to deploy here on basic installation and examples.</p> <p> GitHub Repository</p> </li> </ul>"},{"location":"deployment/installation/#deploy-behind-a-reverse-proxy","title":"Deploy behind a reverse proxy","text":"<p>If you want to use OpenCTI behind a reverse proxy with a context path, like <code>https://domain.com/opencti</code>, please change the <code>base_path</code> static parameter.</p> <ul> <li><code>APP__BASE_PATH=/opencti</code></li> </ul> <p>By default OpenCTI use websockets so don't forget to configure your proxy for this usage, an example with <code>Nginx</code>:</p> <pre><code>location / {\n    proxy_cache                 off;\n    proxy_buffering             off;\n    proxy_http_version          1.1;\n    proxy_set_header Upgrade    $http_upgrade;\n    proxy_set_header Connection \"upgrade\";\n    proxy_set_header Host       $host;\n    chunked_transfer_encoding   off;\n    proxy_pass                  http://YOUR_UPSTREAM_BACKEND;\n  }\n</code></pre>"},{"location":"deployment/installation/#additional-memory-information","title":"Additional memory information","text":""},{"location":"deployment/installation/#platform","title":"Platform","text":"<p>OpenCTI platform is based on a NodeJS runtime, with a memory limit of 8GB by default. If you encounter <code>OutOfMemory</code> exceptions, this limit could be changed:</p> <pre><code>- NODE_OPTIONS=--max-old-space-size=8096\n</code></pre>"},{"location":"deployment/installation/#workers-and-connectors","title":"Workers and connectors","text":"<p>OpenCTI workers and connectors are Python processes. If you want to limit the memory of the process, we recommend to directly use Docker to do that. You can find more information in the official Docker documentation.</p>"},{"location":"deployment/installation/#elasticsearch","title":"ElasticSearch","text":"<p>ElasticSearch is also a JAVA process. In order to setup the JAVA memory allocation, you can use the environment variable <code>ES_JAVA_OPTS</code>. You can find more information in the official ElasticSearch documentation.</p>"},{"location":"deployment/installation/#redis","title":"Redis","text":"<p>Redis has a very small footprint on keys but will consume memory for the stream. By default the size of the stream is limited to 2 millions which represents a memory footprint around <code>8 GB</code>. You can find more information in the Redis docker hub.</p>"},{"location":"deployment/installation/#minio-s3-bucket","title":"MinIO / S3 Bucket","text":"<p>MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.</p>"},{"location":"deployment/installation/#rabbitmq","title":"RabbitMQ","text":"<p>The RabbitMQ memory configuration can be find in the RabbitMQ official documentation. RabbitMQ will consumed memory until a specific threshold, therefore it should be configure along with the Docker memory limitation.</p>"},{"location":"deployment/integrations/","title":"Integrations","text":""},{"location":"deployment/integrations/#introduction","title":"Introduction","text":"<p>OpenCTI supports multiple ways to integrate with other systems which do not have native connectors or plugins to the platform. Here are the technical features available to ease the connection and the integration of the platform with other applications.</p> <p>Connectors list</p> <p>If you are looking for the list of OpenCTI connectors or native integration, please check the OpenCTI Ecosystem.</p>"},{"location":"deployment/integrations/#native-feeds-and-streams","title":"Native feeds and streams","text":"<p>To ease integrations with other products, OpenCTI has built-in capabilities to deliver the data to third-parties.</p>"},{"location":"deployment/integrations/#csv-feeds","title":"CSV Feeds","text":"<p>It is possible to create as many CSV feeds as needed, based on filters and accessible in HTTP. CSV feeds are available in Data &gt; Data sharing &gt; Feeds (CSV).</p> <p>When creating a CSV feed, you need to select one or multiple types of entities to make available. Then, you must assign a field (of an entity type) to each column in the CSV:</p> <p></p> <p>Details</p> <p>For more information about CSV feeds, filters and configuration, please check the Export in structured format section.</p>"},{"location":"deployment/integrations/#taxii-collections","title":"TAXII collections","text":"<p>Most of the modern cybersecurity systems such as SIEMs, EDRs, XDRs and even firewalls supports the TAXII protocol which is basically a paginated HTTP STIX feed. OpenCTI implements a TAXII 2.1 server with the ability to create as many TAXII collections as needed in Data &gt; Data sharing &gt; TAXII Collections.</p> <p>TAXII collections are a sub-selection of the knowledge available in the platform and rely on filters. For instance, it is possible to create TAXII collections for pieces of malware with a given label, for indicators with a score greater than n, etc.</p> <p></p>"},{"location":"deployment/integrations/#live-streams","title":"Live Streams","text":"<p>After implementing CSV feeds and TAXII collections, we figured out that those 2 stateless APIs are definitely not enough when it comes to tackle advanced information sharing challenges such as:</p> <ul> <li>Real time transmission of the information (i.e. avoid hundreds of systems to pull data every 5 minutes).</li> <li>Dependencies resolution (i.e. an intrusion created by an organization but the organization is not in the TAXII collection).</li> <li>Partial update for huge entities such as report (i.e. just having the update event).</li> <li>Delete events when necessary (i.e. to handle indicators expiration in third party systems for instance).</li> </ul> <p>Live streams are available in Data &gt; Data sharing &gt; Live streams. As TAXII collections, it is possible to create as many streams as needed using filters.</p> <p></p> <p>Streams implement the HTTP SSE (Server-sent events) protocol and give applications the possibility to consume a real time pure STIX 2.1 stream. Stream connectors in the OpenCTI Ecosystem are using live streams to consume data and do something such as create / update / delete information in SIEMs, XDRs, etc.</p>"},{"location":"deployment/integrations/#authentication","title":"Authentication","text":"<p>For all previously explained capabilities, as they are over the HTTP protocol, 3 authentication mechanisms are available to consume them.</p> <ol> <li> <p>Using a bearer header with your OpenCTI API key</p> <pre><code>Authorization: Bearer a17bc103-8420-4208-bd53-e1f80845d15f\n</code></pre> <p>API Key</p> <p>Your API key can be found in your profile available clicking on the top right icon.</p> </li> <li> <p>Using basic authentication</p> <pre><code>Username: Your platform username\nPassword: Your plafrom password\nAuthorization: Basic c2FtdWVsLmhhc3NpbmVBZmlsaWdyYW4uaW86TG91aXNlMTMwNCM=\n</code></pre> </li> <li> <p>Using client certificate authentication</p> <p>To know how to configure the client certificate authentication, please consult the authentication configuration section.</p> </li> </ol>"},{"location":"deployment/integrations/#api-and-libraries","title":"API and libraries","text":""},{"location":"deployment/integrations/#graphql-api","title":"GraphQL API","text":"<p>To allow analysts and developers to implement more custom or complex use cases, a full GraphQL API is available in the application on the <code>/graphql</code> endpoint.</p> <p>The API can be queried using various GraphQL client such as Postman but you can leverage any HTTP client to forge GraphQL queries using <code>POST</code> methods.</p>"},{"location":"deployment/integrations/#authentication_1","title":"Authentication","text":"<p>The API authentication can be performed using the token of a user and a classic Authorization header:</p> <pre><code>Content-Type: application/json\nAuthorization: Bearer 6b6554c4-bb2c-4c80-9cd3-30288c8bf424\n</code></pre>"},{"location":"deployment/integrations/#playground","title":"Playground","text":"<p>The playground is available on the <code>/graphql</code> endpoint. A link button is also available in the profile of your user.</p> <p></p> <p>All the schema documentation is directly available in the playground.</p> <p></p> <p>If you already logged to OpenCTI with the same browser you should be able to directly do some requests. If you are not authenticated or want to authenticate only through the playground you can use a header configuration using your profile token</p> <p>Example of configuration (bottom left of the playground):</p> <p></p>"},{"location":"deployment/integrations/#python-library","title":"Python library","text":"<p>Since not everyone is familiar with GraphQL APIs, we've developed a Python library to ease the interaction with it. The library is pretty easy to use. To initiate the client:</p> <pre><code># coding: utf-8\n\nfrom pycti import OpenCTIApiClient\n\n# Variables\napi_url = \"http://opencti:4000\"\napi_token = \"bfa014e0-e02e-4aa6-a42b-603b19dcf159\"\n\n# OpenCTI initialization\nopencti_api_client = OpenCTIApiClient(api_url, api_token)\n</code></pre> <p>Then just use the available helpers: <pre><code># Search for malware with the keyword \"windows\"\nmalwares = opencti_api_client.malware.list(search=\"windows\")\n\n# Print\nprint(malwares)\n</code></pre></p> <p>Details</p> <p>For more detailed information about the Python library, please read the dedicated section.</p>"},{"location":"deployment/managers/","title":"Platform managers","text":"<p>Platform managers are background components that perform various tasks to support some important functionalities in the platform.</p> <p>Here is a list of all the managers on the platform:</p>"},{"location":"deployment/managers/#rules-engine","title":"Rules engine","text":"<p>Allows users to execute pre-defined actions based on the data and events in the platform.</p> <p>These rules are accessible in Settings &gt; Customization &gt; Rules engine.</p> <p>The rules engine is designed to help users automate and streamline their cyber threat intelligence processes.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#history-manager","title":"History manager","text":"<p>This manager keeps tracks of user/connector interactions on entities in the platform.</p> <p>It is designed to help users audit and understand the evolution of their CTI data.</p>"},{"location":"deployment/managers/#activity-manager","title":"Activity manager","text":"<p>The activity manager in OpenCTI is a component that monitors and logs the user actions in the platform such as login, settings update, and user activities if configured (read, udpate, etc.).</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#background-task-manager","title":"Background task manager","text":"<p>Is a component that handles the execution of tasks, such as importing data, exporting data and mass operations.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#expiration-scheduler","title":"Expiration scheduler","text":"<p>The expiration scheduler is responsible for monitoring expired elements in the platform. It cancels the access rights of expired user accounts and revokes expired indicators from the platform.</p>"},{"location":"deployment/managers/#synchronization-manager","title":"Synchronization manager","text":"<p>The synchronization manager enables the data sharing between multiple OpenCTI platforms.  It allows the user to create and configure synchronizers which are processes that connect to the live streams of remote OpenCTI platforms and import the data into the local platform. </p>"},{"location":"deployment/managers/#retention-manager","title":"Retention manager","text":"<p>The retention manager is a component that allows the user to define rules to help delete data in OpenCTI that is no longer relevant or useful. This helps to optimize the performance and storage of the OpenCTI platform and ensures the quality and accuracy of the data.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#notification-manager","title":"Notification manager","text":"<p>The notification manager is a component that allows the user to customize and receive alerts about events/changes in the platform.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#ingestion-manager","title":"Ingestion manager","text":"<p>The ingestion manager in OpenCTI is a component that manages the ingestion of data from RSS and TAXII feeds.</p>"},{"location":"deployment/managers/#playbook-manager","title":"Playbook manager","text":"<p>The playbook manager handles the automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform.</p> <p>Please read the Playbook automation page to get more information.</p>"},{"location":"deployment/managers/#file-index-manager","title":"File index manager","text":"<p>The file indexing manager extracts and indexes the text content of the files, and stores it in the database. It allows users to search for text content within files uploaded to the platform.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#indicator-decay-manager","title":"Indicator decay manager","text":"<p>The indicator decay manager allows to update indicators score automatically based on configured decay rules.</p> <p>More information can be found here.</p>"},{"location":"deployment/overview/","title":"Overview","text":"<p>Before starting the installation, let's discover how OpenCTI is working, which dependencies are needed and what are the minimal requirements to deploy it in production.</p>"},{"location":"deployment/overview/#architecture","title":"Architecture","text":"<p>The OpenCTI platform relies on several external databases and services in order to work.</p> <p></p>"},{"location":"deployment/overview/#platform","title":"Platform","text":"<p>The platform is the central part of the OpenCTI technological stack. It allows users to access to the user interface but also provides the GraphQL API used by connectors and workers to insert data. In the context of a production deployment, you may need to scale horizontally and launch multiple platforms behind a load balancer connected to the same databases (ElasticSearch, Redis, S3, RabbitMQ).</p>"},{"location":"deployment/overview/#workers","title":"Workers","text":"<p>The workers are standalone Python processes consuming messages from the RabbitMQ broker in order to do asynchronous write queries. You can launch as many workers as you need to increase the write performances. At some point, the write performances will be limited by the throughput of the ElasticSearch database cluster.</p> <p>Number of workers</p> <p>If you need to increase performances, it is better to launch more platforms to handle worker queries. The recommended setup is to have at least one platform for 3 workers (ie. 9 workers distributed over 3 platforms).</p>"},{"location":"deployment/overview/#connectors","title":"Connectors","text":"<p>The connectors are third-party pieces of software (Python processes) that can play five different  roles on the platform:</p> Type Description Examples EXTERNAL_IMPORT Pull data from remote sources, convert it to STIX2 and insert it on the OpenCTI platform. MITRE Datasets, MISP, CVE, AlienVault, Mandiant, etc. INTERNAL_ENRICHMENT Listen for new OpenCTI entities or users requests, pull data from remote sources to enrich. Shodan, DomainTools, IpInfo, etc. INTERNAL_IMPORT_FILE Extract data from files uploaded on OpenCTI trough the UI or the API. STIX 2.1, PDF, Text, HTML, etc. INTERNAL_EXPORT_FILE Generate export from OpenCTI data, based on a single object or a list. STIX 2.1, CSV, PDF, etc. STREAM Consume a platform data stream an do something with events. Splunk, Elastic Security, Q-Radar, etc. <p>List of connectors</p> <p>You can find all currently available connector in the OpenCTI Ecosystem.</p>"},{"location":"deployment/overview/#infrastructure-requirements","title":"Infrastructure requirements","text":""},{"location":"deployment/overview/#dependencies","title":"Dependencies","text":"Component Version CPU RAM Disk type Disk space ElasticSearch / OpenSearch &gt;= 8.0 / &gt;= 2.9 2 cores \u2265 8GB SSD \u2265 16GB Redis &gt;= 7.1 1 core \u2265 1GB SSD \u2265 16GB RabbitMQ &gt;= 3.11 1 core \u2265 512MB Standard \u2265 2GB S3 / MinIO &gt;= RELEASE.2023-02 1 core \u2265 128MB SSD \u2265 16GB"},{"location":"deployment/overview/#platform_1","title":"Platform","text":"Component CPU RAM Disk type Disk space OpenCTI Core 2 cores \u2265 8GB None (stateless) - Worker(s) 1 core \u2265 128MB None (stateless) - Connector(s) 1 core \u2265 128MB None (stateless) - <p>Clustering</p> <p>To have more details about deploying OpenCTI and its dependencies in cluster mode, please read the dedicated section.</p>"},{"location":"deployment/resources/","title":"Other resources","text":""},{"location":"deployment/resources/#introduction","title":"Introduction","text":"<p>OpenCTI is an open and modular platform. A lot of connectors, plugins and clients  are created by Filigran and by the community. You can find here other resources available to complete your OpenCTI journey.</p>"},{"location":"deployment/resources/#videos-training","title":"Videos &amp; training","text":"<ul> <li> <p> YouTube channel</p> <p>Watch demonstration videos, use case explanations, customers and community testimonies and past webinars.</p> <p> Watch</p> </li> <li> <p> Training courses</p> <p>Empower your journey with OpenCTI training courses for both analyst and  administrators and get your certifcate.</p> <p> Learn</p> </li> </ul>"},{"location":"deployment/resources/#articles-news","title":"Articles &amp; news","text":"<ul> <li> <p> Blog articles</p> <p>Read posts written by both Filigran teams and community members about OpenCTI features and use cases.</p> <p> Read</p> </li> <li> <p> Newsletters</p> <p>Subscribe to Filigran newsletters to get informed about the latest evolutions of our product ecosystems.</p> <p> Subscribe</p> </li> </ul>"},{"location":"deployment/resources/#analysis","title":"Analysis","text":"<ul> <li> <p> Verticalized threat landcapes</p> <p>Access to monthly sectorial analysis from our experts team based on knowledge and data collected by our partners.</p> <p> Consult</p> </li> <li> <p> Case studies</p> <p>Explore the Filigran case studies about stories and usages of the platform  among our communities and customers.</p> <p> Download</p> </li> </ul>"},{"location":"deployment/rollover/","title":"Indices and rollover policies","text":"<p>Default rollover policies</p> <p>Since OpenCTI 5.9.0, rollover policies are automatically created when the platform is initialized for the first time. If your platform has been initialized using an older version of OpenCTI or if you would like to understand (and customize) rollover policies please read the following documentation.</p>"},{"location":"deployment/rollover/#introduction","title":"Introduction","text":"<p>ElasticSearch and OpenSearch both support rollover on indices. OpenCTI has been designed to be able to use aliases for indices and so support very well index lifeycle policies. Thus, by default OpenCTI initialized indices with a suffix <code>-00001</code> and use wildcard to query indices. When rollover policies are implemented (default starting OCTI 5.9.X if you initialized your platform at this version), indices are splitted to keep a reasonable volume of data in shards.</p> <p></p>"},{"location":"deployment/rollover/#opencti-integration-user-permissions-in-opensearchelasticsearch","title":"OpenCTI Integration User Permissions in OpenSearch/ElasticSearch","text":"<ul> <li> <p>Index Permissions</p> <ul> <li>Patterns: <code>opencti*</code> (Dependent on the parameter elasticsearch:index_prefix value)</li> <li>Permissions: <code>indices_all</code></li> </ul> </li> <li> <p>Cluster Permissions</p> <ul> <li><code>cluster_composite_ops_ro</code></li> <li><code>cluster_manage_index_templates</code></li> <li><code>cluster:admin/ingest/pipeline/put</code></li> <li><code>cluster:admin/opendistro/ism/policy/write</code></li> <li><code>cluster:monitor/health</code></li> <li><code>cluster:monitor/main</code></li> <li><code>cluster:monitor/state</code></li> <li><code>indices:admin/index_template/put</code></li> <li><code>indices:data/read/scroll/clear</code></li> <li><code>indices:data/read/scroll</code></li> <li><code>indices:data/write/bulk</code></li> </ul> </li> </ul> <p>About<code>indices:*</code> in Cluster Permissions</p> <p>It is crucial to include <code>indices:*</code> permissions in Cluster Permissions for the proper functioning of the OpenCTI integration. Removing these, even if already present in Index Permissions, may result in startup issues for the OpenCTI Platform.</p>"},{"location":"deployment/rollover/#elasticsearch-configuration","title":"ElasticSearch configuration","text":""},{"location":"deployment/rollover/#indices","title":"Indices","text":"<p>By default, a rollover policy is applied on all indices used by OpenCTI.</p> <ul> <li><code>opencti_history</code></li> <li><code>opencti_inferred_entities</code></li> <li><code>opencti_inferred_relationships</code></li> <li><code>opencti_internal_objects</code></li> <li><code>opencti_internal_relationships</code></li> <li><code>opencti_stix_core_relationships</code></li> <li><code>opencti_stix_cyber_observable_relationships</code></li> <li><code>opencti_stix_cyber_observables</code></li> <li><code>opencti_stix_domain_objects</code></li> <li><code>opencti_stix_meta_objects</code></li> <li><code>opencti_stix_meta_relationships</code></li> <li><code>opencti_stix_sighting_relationships</code></li> </ul> <p>For your information, the indices which can grow rapidly are:</p> <ul> <li>Index <code>opencti_stix_meta_relationships</code>: it contains all the nested relationships between objects and labels / marking definitions / external references / authors, etc.</li> <li>Index <code>opencti_history</code>: it contains the history log of all objects in the platform.</li> <li>Index <code>opencti_stix_cyber_observables</code>: it contains all observables stored in the platform.</li> <li>Index <code>opencti_stix_core_relationships</code>: it contains all main STIX relationships stored in the platform.</li> </ul>"},{"location":"deployment/rollover/#default-implemented-licecycle-policy","title":"Default implemented licecycle policy","text":"<p>Here is the recommended policy (initialized starting 5.9.X):</p> <ul> <li>Maximum primary shard size: <code>50 GB</code></li> <li>Maximum age: <code>365 days</code></li> <li>Maximum documents: <code>75,000,000</code></li> </ul>"},{"location":"deployment/rollover/#applying-rollover-policies-on-existing-indices","title":"Applying rollover policies on existing indices","text":"<p>Procedure information</p> <p>Please read the following only if your platform has been initialized before 5.9.0, otherwise lifecycle policies has been created (but you can still cutomize them).</p> <p>Unfortunately, to be able to implement rollover policies on ElasticSearch / OpenSearch indices, it will be needed to re-index all the data in new indices using ElasticSearch capabilities.</p>"},{"location":"deployment/rollover/#shutdown","title":"Shutdown","text":"<p>First step is to shutdown your OpenCTI platform.</p>"},{"location":"deployment/rollover/#change-configuration","title":"Change configuration","text":"<p>Then, in the OpenCTI configuration, change the ElasticSearch / OpenSearch default prefix to <code>octi</code> (default is <code>opencti</code>).</p>"},{"location":"deployment/rollover/#create-the-rollover-policy","title":"Create the rollover policy","text":"<p>Create a rollover policy named <code>octi-ilm-policy</code> (in Kibana, <code>Management &gt; Index Lifecycle Policies</code>):</p> <ul> <li>Maximum primary shard size: <code>50 GB</code></li> <li>Maximum age: <code>365 days</code></li> <li>Maximum documents: <code>75,000,000</code></li> </ul> <p></p>"},{"location":"deployment/rollover/#create-index-templates","title":"Create index templates","text":"<p>In Kibana, clone the <code>opencti-index-template</code> to have one index template by OpenCTI index with the appropriate rollover policy, index pattern and rollover alias (in Kibana, <code>Management &gt; Index Management &gt; Index Templates</code>).</p> <p></p> <p>Create the following index templates:</p> <ul> <li><code>octi_history</code></li> <li><code>octi_inferred_entities</code></li> <li><code>octi_inferred_relationships</code></li> <li><code>octi_internal_objects</code></li> <li><code>octi_internal_relationships</code></li> <li><code>octi_stix_core_relationships</code></li> <li><code>octi_stix_cyber_observable_relationships</code></li> <li><code>octi_stix_cyber_observables</code></li> <li><code>octi_stix_domain_objects</code></li> <li><code>octi_stix_meta_objects</code></li> <li><code>octi_stix_meta_relationships</code></li> <li><code>octi_stix_sighting_relationships</code></li> </ul> <p>Here is the overview of all templates (you should have something with <code>octi_</code> instead of <code>opencti_</code>).</p> <p></p>"},{"location":"deployment/rollover/#apply-rollover-policy-on-all-index-templates","title":"Apply rollover policy on all index templates","text":"<p>Then, going back in the index lifecycle policies screen, you can click on the \"+\" button of the <code>octi-ilm-policy</code> to <code>Add the policy to index template</code>, then add the policy to add previously created template with the proper \"Alias for rollover index\".</p> <p></p>"},{"location":"deployment/rollover/#bootstrap-all-new-indices","title":"Bootstrap all new indices","text":"<p>Before we can re-index, we need to create the new indices with aliases.</p> <pre><code>PUT octi_history-000001\n{\n  \"aliases\": {\n    \"octi_history\": {\n      \"is_write_index\": true\n    }\n  }\n}\n</code></pre> <p>Repeat this step for all indices:</p> <ul> <li><code>octi_history</code></li> <li><code>octi_inferred_entities</code></li> <li><code>octi_inferred_relationships</code></li> <li><code>octi_internal_objects</code></li> <li><code>octi_internal_relationships</code></li> <li><code>octi_stix_core_relationships</code></li> <li><code>octi_stix_cyber_observable_relationships</code></li> <li><code>octi_stix_cyber_observables</code></li> <li><code>octi_stix_domain_objects</code></li> <li><code>octi_stix_meta_objects</code></li> <li><code>octi_stix_meta_relationships</code></li> </ul>"},{"location":"deployment/rollover/#re-index-all-indices","title":"Re-index all indices","text":"<p>Using the <code>reindex</code> API, re-index all indices one by one:</p> <pre><code>curl -X POST \"localhost:9200/_reindex?pretty\" -H 'Content-Type: application/json' -d'\n{\n  \"source\": {\n    \"index\": \"opencti_history-000001\"\n  },\n  \"dest\": {\n    \"index\": \"octi_history\"\n  }\n}\n'\n</code></pre> <p>You will see the rollover policy to be applied and the new indices are automatically rolled-over during reindexation.</p>"},{"location":"deployment/rollover/#delete-all-old-indices","title":"Delete all old indices","text":"<p>Then just delete all indices with the prefix <code>opencti_</code>.</p>"},{"location":"deployment/rollover/#start-your-platform","title":"Start your platform","text":"<p>Start your platform, using the new indices.</p> <p>Rollover documentation</p> <p>To have more details about automatic rollover and lifecycle policies, please read the official ElasticSearch documentation.</p>"},{"location":"deployment/troubleshooting/","title":"Troubleshooting","text":"<p>This page aims to explains the typical errors you can have with your OpenCTI platform.</p>"},{"location":"deployment/troubleshooting/#finding-the-relevant-logs","title":"Finding the relevant logs","text":"<p>It is highly recommended to monitor the error logs of the platforms, workers and connectors. All the components have log outputs in an understandable JSON format. It necessary, it is always possible to increase the log level. In production, it is recommended to have the log level set to <code>error</code>.</p>"},{"location":"deployment/troubleshooting/#platform","title":"Platform","text":"<p>Here are some useful parameters for platform logging:</p> <pre><code>- APP__APP_LOGS__LOGS_LEVEL=[error|warning|info|debug]\n- APP__APP_LOGS__LOGS_CONSOLE=true # Output in the container console\n</code></pre>"},{"location":"deployment/troubleshooting/#connectors","title":"Connectors","text":"<p>All connectors support the same set of parameters to manage the log level and outputs:</p> <pre><code>- OPENCTI_JSON_LOGGING=true # Enable / disable JSON logging\n- CONNECTOR_LOG_LEVEL=info=[error|warning|info|debug]\n</code></pre>"},{"location":"deployment/troubleshooting/#workers","title":"Workers","text":"<p>The workers can have more or less verbose outputs:</p> <pre><code>- OPENCTI_JSON_LOGGING=true # Enable / disable JSON logging\n- WORKER_LOG_LEVEL=[error|warning|info|debug]\n</code></pre>"},{"location":"deployment/troubleshooting/#common-errors","title":"Common errors","text":""},{"location":"deployment/troubleshooting/#ingestion-technical-errors","title":"Ingestion technical errors","text":"<p>Missing reference to handle creation</p> <p>After 5 retries, if an element required to create another element is missing, the platform raises an exception. It usually comes from a connector that generates inconsistent STIX 2.1 bundles.</p> <p>Cant upsert entity. Too many entities resolved</p> <p>OpenCTI received an entity which is matching too many other entities in the platform. In this condition we cannot take a decision. We need to dig into the data bundle to identify why he match too much entities and fix the data in the bundle / or the platform according to what you expect.</p> <p>Execution timeout, too many concurrent call on the same entities</p> <p>The platform supports multi workers and multiple parallel creation but different parameters can lead to some locking timeout in the execution. </p> <ul> <li>Throughput capacity of your ElasticSearch</li> <li>Number of workers started at the same time</li> <li>Dependencies between data</li> <li>Merging capacity of OpenCTI</li> </ul> <p>If you have this kind of error, limit the number of workers deployed. Try to find the right balance of the number of workers, connectors and elasticsearch sizing.</p>"},{"location":"deployment/troubleshooting/#ingestion-functional-errors","title":"Ingestion functional errors","text":"<p>Indicator of type yara is not correctly formatted</p> <p>OpenCTI check the validity of the indicator rule.</p> <p>Observable of type IPv4-Addr is not correctly formatted</p> <p>OpenCTI check the validity of the oversable value.</p>"},{"location":"deployment/troubleshooting/#dependencies-errors","title":"Dependencies errors","text":"<p>TOO_MANY_REQUESTS/12/disk usage exceeded flood-stage watermark...</p> <p>Disk full, no space left on the device for ElasticSearch.</p>"},{"location":"deployment/upgrade/","title":"Upgrade","text":"<p>Depending on your installation mode, upgrade path may change.</p> <p>Migrations</p> <p>The platform is taking care of all necessary underlying migrations in the databases if any, you can upgrade OpenCTI from any version to the latest one, including skipping multiple major releases.</p>"},{"location":"deployment/upgrade/#using-docker","title":"Using Docker","text":"<p>Before applying this procedure, please update your <code>docker-compose.yml</code> file with the new version number of container images.</p>"},{"location":"deployment/upgrade/#for-single-node-docker","title":"For single node Docker","text":"<pre><code>$ sudo docker-compose stop\n$ sudo docker-compose pull\n$ sudo docker-compose up -d\n</code></pre>"},{"location":"deployment/upgrade/#for-docker-swarm","title":"For Docker swarm","text":"<p>For each of services, you have to run the following command:</p> <pre><code>$ sudo docker service update --force service_name\n</code></pre>"},{"location":"deployment/upgrade/#manual-installation","title":"Manual installation","text":"<p>When upgrading the platform, you have to replace all files and restart the platform, the database migrations will be done automatically:</p> <pre><code>$ yarn serv\n</code></pre>"},{"location":"development/api-usage/","title":"GraphQL playground","text":"<p>The GraphQL playground is an integrated development environment (IDE) provided by OpenCTI for exploring and testing GraphQL APIs. It offers a user-friendly interface that allows developers to interactively query the GraphQL schema, experiment with different queries, and visualize the responses.</p>"},{"location":"development/api-usage/#key-features","title":"Key features","text":""},{"location":"development/api-usage/#interactive-querying","title":"Interactive querying","text":"<p>The Playground provides a text editor where developers can write GraphQL queries, mutations, and subscriptions. As you type, the Playground offers syntax highlighting, autocompletion, and error checking to aid in query composition.</p> <p></p>"},{"location":"development/api-usage/#documentation","title":"Documentation","text":"<p>Developers can access comprehensive documentation for the GraphQL schema directly within the Playground. This documentation includes descriptions of all available types, fields, and directives, making it easy to understand the data model and construct queries.</p> <p></p>"},{"location":"development/api-usage/#query-history","title":"Query history","text":"<p>The playground keeps track of previously executed queries, allowing developers to revisit and reuse queries from previous sessions. This feature streamlines the development process by eliminating the need to retype complex queries.</p> <p></p>"},{"location":"development/api-usage/#response-visualization","title":"Response visualization","text":"<p>Upon executing a query, the playground displays the response data in a structured and readable format. JSON responses are presented in a collapsible tree view, making it easy to navigate nested data structures and inspect individual fields.</p> <p></p>"},{"location":"development/api-usage/#schema-exploration","title":"Schema exploration","text":"<p>Developers can explore the GraphQL schema using the built-in schema viewer. This feature provides a graphical representation of the schema, showing types, fields, and their relationships. Developers can explore the schema and understand its structure.</p> <p></p>"},{"location":"development/api-usage/#getting-started","title":"Getting started","text":"<p>To access the GraphQL playground, navigate to the GraphQL endpoint of your OpenCTI instance: <code>https://[your-opencti-instance]/graphql</code>. Then, follow these steps to utilize the playground:</p> <ol> <li>Query editor: Write GraphQL queries, mutations, and subscriptions in the text editor. Use syntax highlighting and autocompletion to speed up query composition.</li> <li>Documentation explorer: Access documentation for the GraphQL schema by clicking on the \"Docs\" tab on the right. Browse types, fields, and descriptions to understand the available data and query syntax.</li> <li>Query history: View and execute previously executed queries from the \"History\" tab on the top. Reuse queries and experiment with variations without retyping.</li> <li>Response pane: Visualize query responses in the response pane. Expand and collapse sections to navigate complex data structures and inspect individual fields.</li> <li>Schema viewer: Explore the GraphQL schema interactively using the \"Schema\" tab on the right. Navigate types, fields, and relationships to understand the data model and plan queries.</li> </ol>"},{"location":"development/connectors/","title":"Connector development","text":""},{"location":"development/connectors/#introduction","title":"Introduction","text":"<p>A connector in OpenCTI is a service that runs next to the platform and can be implemented in almost any programming language that has STIX2 support. Connectors are used to extend the functionality of OpenCTI and allow operators to shift some of the processing workload to external services. To use the conveniently provided OpenCTI connector SDK you need to use Python3 at the moment.</p> <p>We choose to have a very decentralized approach on connectors, in order to bring a maximum freedom to developers and vendors. So a connector on OpenCTI can be defined by a standalone Python 3 process that pushes an understandable format of data to an ingestion queue of messages.</p> <p>Each connector must implement a long-running process that can be launched just by executing the main Python file. The only mandatory dependency is the <code>OpenCTIConnectorHelper</code> class that enables the connector to send data to OpenCTI.</p>"},{"location":"development/connectors/#getting-started","title":"Getting started","text":"<p>In the beginning first think about your use-case to choose and appropriate connector type - what do want to achieve with your connector? The following table gives you an overview of the current connector types and some typical use-cases:</p> <p>Connector types</p> Type Typical use cases Example connector EXTERNAL_IMPORT Integrate external TI provider, Integrate external TI platform AlienVault INTERNAL_ENRICHMENT Enhance existing data with additional knowledge AbuseIP INTERNAL_IMPORT_FILE (Bulk) import knowledge from files Import document INTERNAL_EXPORT_FILE (Bulk) export knowledge to files STIX 2.1, CSV. STREAM Integrate external TI provider, Integrate external TI platform Elastic Security <p>After you've selected your connector type make yourself familiar with STIX2 and the supported relationships in OpenCTI. Having some knowledge about the internal data models with help you a lot with the implementation of your idea.</p>"},{"location":"development/connectors/#preparation","title":"Preparation","text":""},{"location":"development/connectors/#environment-setup","title":"Environment Setup","text":"<p>To develop and test your connector, you need a running OpenCTI instance with the frontend and the messaging broker accessible. If you don't plan on developing anything for the OpenCTI platform or the frontend, the easiest setup for the connector development is using the docker setup, For more details see here.</p>"},{"location":"development/connectors/#coding-setup","title":"Coding Setup","text":"<p>To give you an easy starting point we prepared an example connector in the public repository you can use as template to bootstrap your development.</p> <p>Some prerequisites we recommend to follow this tutorial:</p> <ul> <li>Code editor with good Python3 support (e.g. Visual Studio Code with the Python extension pack)</li> <li>Python3 + setuptools is installed and configured</li> <li>Command shell (either Linux/Mac terminal or WSL on Windows)</li> </ul> <p>In the terminal check out the connectors repository and copy the template connector to <code>$myconnector</code> (replace it with your name throughout the following text examples).</p> <pre><code>$ pip3 install black flake8 pycti\n# Fork the current repository, then clone your fork\n$ git clone https://github.com/YOUR-USERNAME/connectors.git\n$ cd connectors\n$ git remote add upstream https://github.com/OpenCTI-Platform/connectors.git\n# Create a branch for your feature/fix\n$ git checkout -b [branch-name]\n# Copy the appropriate template directory for the connector type\n$ cp -r templates/$connector_type $connector_type/$myconnector\n$ cd $connector_type/$myconnector\n$ ls -R\nDockerfile              docker-compose.yml      requirements.txt\nREADME.md               entrypoint.sh           src\n\n./src:\nlib     main.py\n\n./src/lib:\n$connector_type.py\n</code></pre>"},{"location":"development/connectors/#changing-the-template","title":"Changing the template","text":"<p>There are a few files in the template we need to change for our connector to be unique. You can check for all places you need to change you connector name with the following command (the output will look similar):</p> <pre><code>$ grep -Ri template .\n\nREADME.md:# OpenCTI Template Connector\nREADME.md:| `connector_type`                     | `CONNECTOR_TYPE`                    | Yes          | Must be `Template_Type` (this is the connector type).                                                                                                      |\nREADME.md:| `connector_name`                     | `CONNECTOR_NAME`                    | Yes          | Option `Template`                                                                                                                                          |\nREADME.md:| `connector_scope`                    | `CONNECTOR_SCOPE`                   | Yes          | Supported scope: Template Scope (MIME Type or Stix Object)                                                                                                 |\nREADME.md:| `template_attribute`                 | `TEMPLATE_ATTRIBUTE`                | Yes          | Additional setting for the connector itself                                                                                                                |\ndocker-compose.yml:  connector-template:\ndocker-compose.yml:    image: opencti/connector-template:4.5.5\ndocker-compose.yml:      - CONNECTOR_TYPE=Template_Type\ndocker-compose.yml:      - CONNECTOR_NAME=Template\ndocker-compose.yml:      - CONNECTOR_SCOPE=Template_Scope # MIME type or Stix Object\nentrypoint.sh:cd /opt/opencti-connector-template\nDockerfile:COPY src /opt/opencti-template\nDockerfile:    cd /opt/opencti-connector-template &amp;&amp; \\\nsrc/main.py:class Template:\nsrc/main.py:            \"TEMPLATE_ATTRIBUTE\", [\"template\", \"attribute\"], config, True\nsrc/main.py:        connectorTemplate = Template()\nsrc/main.py:        connectorTemplate.run()\nsrc/config.yml.sample:  type: 'Template_Type'\nsrc/config.yml.sample:  name: 'Template'\nsrc/config.yml.sample:  scope: 'Template_Scope' # MIME type or SCO\n</code></pre> <p>Required changes:</p> <ul> <li> Change <code>Template</code> or <code>template</code>mentions to your connector name e.g. <code>ImportCsv</code> or <code>importcsv</code></li> <li> Change <code>TEMPLATE</code> mentions to your connector name e.g. <code>IMPORTCSV</code></li> <li> Change <code>Template_Scope</code> mentions to the required scope of your connector. For processing imported files, that can be the Mime type e.g. <code>application/pdf</code> or for enriching existing information in OpenCTI, define the STIX object's name e.g. <code>Report</code>. Multiple scopes can be separated by a simple <code>,</code></li> <li> Change <code>Template_Type</code> to the connector type you wish to develop. The OpenCTI types (OpenCTI flags) are defined in this table.</li> </ul>"},{"location":"development/connectors/#development","title":"Development","text":""},{"location":"development/connectors/#initialize-the-opencti-connector-helper","title":"Initialize the OpenCTI connector helper","text":"<p>After getting the configuration parameters of your connector, you have to initialize the OpenCTI connector helper by using the <code>pycti</code> Python library. This is shown in the following example:</p> <pre><code>class TemplateConnector:\n    def __init__(self):\n                # Instantiate the connector helper from config\n        config_file_path = os.path.dirname(os.path.abspath(__file__)) + \"/config.yml\"\n        config = (\n            yaml.load(open(config_file_path), Loader=yaml.SafeLoader)\n            if os.path.isfile(config_file_path)\n            else {}\n        )\n        self.helper = OpenCTIConnectorHelper(config)\n                self.custom_attribute = get_config_variable(\n            \"TEMPLATE_ATTRIBUTE\", [\"template\", \"attribute\"], config\n        )\n</code></pre> <p>Since there are some basic differences in the tasks of the different connector classes, the structure is also a bit class dependent. While the external-import and the stream connector run independently in a regular interval or constantly, the other 3 connector classes only run when being requested by the OpenCTI platform.</p> <p>The self-triggered connectors run independently, but the OpenCTI need to define a callback function, which can be executed for the connector to start its work. This is done via         <code>self.helper.listen(self._process_message)</code> . In the appended examples, the difference of the setup can be seen.</p> <p>Self-triggered Connectors</p> <ul> <li>external-import</li> <li>stream</li> </ul> <p>OpenCTI triggered</p> <ul> <li>internal-enrichment</li> <li>internal-import</li> <li>internal-export</li> </ul> <pre><code>from pycti import OpenCTIConnectorHelper, get_config_variable\n\nclass TemplateConnector:\n    def __init__(self) -&gt; None:\n                # Initialization procedures\n                [...]\n        self.template_interval = get_config_variable(\n            \"TEMPLATE_INTERVAL\", [\"template\", \"interval\"], config, True\n        )\n\n    def get_interval(self) -&gt; int:\n        return int(self.template_interval) * 60 * 60 * 24\n\n    def run(self) -&gt; None:\n                # Main procedure\n\nif __name__ == \"__main__\":\n    try:\n        template_connector = TemplateConnector()\n        template_connector.run()\n    except Exception as e:\n        print(e)\n        time.sleep(10)\n        exit(0)\n</code></pre> <pre><code>from pycti import OpenCTIConnectorHelper, get_config_variable\n\nclass TemplateConnector:\n    def __init__(self) -&gt; None:\n                # Initialization procedures\n                [...]\n\n    def _process_message(self, data: dict) -&gt; str:\n                # Main procedure                \n\n    # Start the main loop\n    def start(self) -&gt; None:\n        self.helper.listen(self._process_message)\n\nif __name__ == \"__main__\":\n    try:\n        template_connector = TemplateConnector()\n        template_connector.start()\n    except Exception as e:\n        print(e)\n        time.sleep(10)\n        exit(0)\n</code></pre>"},{"location":"development/connectors/#write-and-read-operations","title":"Write and Read Operations","text":"<p>When using the <code>OpenCTIConnectorHelper</code> class, there are two way for reading from or writing data to the OpenCTI platform.</p> <ol> <li>via the OpenCTI API interface via <code>self.helper.api</code></li> <li>via the OpenCTI worker via <code>self.send_stix2_bundle</code></li> </ol>"},{"location":"development/connectors/#sending-data-to-the-opencti-platform","title":"Sending data to the OpenCTI platform","text":"<p>The recommended way for creating or updating data in the OpenCTI platform is via the OpenCTI worker. This enables the connector to just send and forget about thousands of entities at once to without having to think about the ingestion order, performance or error handling.</p>  \u26a0\ufe0f **Please DO NOT use the api interface to create new objects in connectors.**   <p>The OpenCTI connector helper method <code>send_stix2_bundle</code> must be used to send data to OpenCTI. The <code>send_stix2_bundle</code> function takes 2 arguments.</p> <ol> <li>A serialized STIX2 bundle as a <code>string</code> (mandatory)</li> <li>A <code>list</code> of entities types that should be ingested (optional)</li> </ol> <p>Here is an example using the STIX2 Python library:</p> <pre><code>from stix2 import Bundle, AttackPattern\n\n[...]\n\nattack_pattern = AttackPattern(name='Evil Pattern')\n\nbundle_objects = []\nbundle_objects.append(attack_pattern)\n\nbundle = Bundle(objects=bundle_objects).serialize()\nbundles_sent = self.opencti_connector_helper.send_stix2_bundle(bundle)\n</code></pre>"},{"location":"development/connectors/#reading-from-the-opencti-platform","title":"Reading from the OpenCTI platform","text":"<p>Read queries to the OpenCTI platform can be achieved using the API and the STIX IDs can be attached to reports to create the relationship between those two entities.</p> <pre><code>entity = self.helper.api.vulnerability.read(\n    filters={\"key\": \"name\", \"values\": [\"T1234\"]}\n)\n</code></pre> <p>If you want to add the found entity via <code>objects_refs</code> to another SDO, simple add a list of <code>stix_ids</code> to the SDO. Here's an example using the entity from the code snippet above:</p> <pre><code>from stix2 import Report\n\n[...]\n\nreport = Report(\n    id=report[\"standard_id\"],\n  object_refs=[entity[\"standard_id\"]],\n)\n</code></pre>"},{"location":"development/connectors/#logging","title":"Logging","text":"<p>When something crashes at a user's, you as a developer want to know as much as possible about this incident to easily improve your code and remove this issue. To do so, it is very helpful if your connector documents what it does. Use <code>info</code> messages for big changes like the beginning or the finishing of an operation, but to facilitate your bug removal attempts, implement <code>debug</code> messages for minor operation changes to document different steps in your code.</p> <p>When encountering a crash, the connector's user can easily restart the troubling connector with the debug logging activated.</p> <ul> <li><code>CONNECTOR_LOG_LEVEL=debug</code></li> </ul> <p>Using those additional log messages, the bug report is more enriched with information about the possible cause of the problem. Here's an example of how the logging should be implemented:</p> <pre><code>        def run(self) -&gt; None:\n                self.helper.log_info('Template connector starts')\n                results = self._ask_for_news()\n                [...]\n\n        def _ask_for_news() -&gt; None:\n                overall = []\n                for i in range(0, 10):\n                        self.log_debug(f\"Asking about news with count '{i}'\")\n                        # Do something\n                        self.log_debug(f\"Resut: '{result}'\")\n                        overall.append(result)\n                return overall\n</code></pre> <p>Please make sure that the debug messages rich of useful information, but that they are not redundant and that the user is not drowned by unnecessary information.</p>"},{"location":"development/connectors/#additional-implementations","title":"Additional implementations","text":"<p>If you are still unsure about how to implement certain things in your connector, we advise you to have a look at the code of other connectors of the same type. Maybe they are already using approach which is suitable for addressing to your problem.</p>"},{"location":"development/connectors/#opencti-triggered-connector-special-cases","title":"OpenCTI triggered Connector - Special cases","text":""},{"location":"development/connectors/#data-layout-of-dictionary-from-callback-function","title":"Data Layout of Dictionary from Callback function","text":"<p>OpenCTI sends the connector a few instructions via the <code>data</code> dictionary in the callback function. Depending on the connector type, the data dictionary content is a bit different. Here are a few examples for each connector type.</p> <p>Internal Import Connector</p> <p>Internal Enrichment Connector</p> <pre><code>{ \n  \"file_id\": \"&lt;fileId&gt;\",\n  \"file_mime\": \"application/pdf\", \n  \"file_fetch\": \"storage/get/&lt;file_id&gt;\", // Path to get the file\n  \"entity_id\": \"report--82843863-6301-59da-b783-fe98249b464e\", // Context of the upload\n}\n</code></pre> <pre><code>{ \n  \"entity_id\": \"&lt;stixCoreObjectId&gt;\" // StixID of the object wanting to be enriched\n}\n</code></pre> <p>Internal Export Connector</p> <pre><code>{ \n  \"export_scope\": \"single\", // 'single' or 'list'\n  \"export_type\": \"simple\", // 'simple' or 'full'\n  \"file_name\": \"&lt;fileName&gt;\", // Export expected file name\n  \"max_marking\": \"&lt;maxMarkingId&gt;\", // Max marking id\n  \"entity_type\": \"AttackPattern\", // Exported entity type\n  // ONLY for single entity export\n  \"entity_id\": \"&lt;entity.id&gt;\", // Exported element\n  // ONLY for list entity export\n  \"list_params\": \"[&lt;parameters&gt;]\" // Parameters for finding entities\n}\n</code></pre>"},{"location":"development/connectors/#self-triggered-connector-special-cases","title":"Self triggered Connector - Special cases","text":""},{"location":"development/connectors/#initiating-a-work-before-pushing-data","title":"Initiating a 'Work' before pushing data","text":"<p>For self-triggered connectors, OpenCTI has to be told about new jobs to process and to import. This is done by registering a so called <code>work</code> before sending the stix bundle and signalling the end of a work. Here an example:</p> <p>By implementing the work registration, they will show up as shown in this screenshot for the MITRE ATT&amp;CK connector:</p> <pre><code>def run() -&gt; None:\n        # Anounce upcoming work\n        timestamp = int(time.time())\n        now = datetime.utcfromtimestamp(timestamp)\n    friendly_name = \"Template run @ \" + now.strftime(\"%Y-%m-%d %H:%M:%S\")\n    work_id = self.helper.api.work.initiate_work(\n                self.helper.connect_id, friendly_name\n        )\n\n        [...]\n        # Send Stix bundle\n        self.helper.send_stix2_bundle(\n                bundle,\n                entities_types=self.helper.connect_scope,\n                update=True,\n                work_id=work_id,\n        )\n        # Finish the work\n        self.helper.log_info(\n            f\"Connector successfully run, storing last_run as {str(timestamp)}\"\n    )              \n        message = \"Last_run stored, next run in: {str(round(self.get_interval() / 60 / 60 / 24, 2))} days\"\n        self.helper.api.work.to_processed(work_id, message)\n</code></pre>"},{"location":"development/connectors/#interval-handling","title":"Interval handling","text":"<p>The connector is also responsible for making sure that it runs in certain intervals. In most cases, the intervals are definable in the connector config and then only need to be set and updated during the runtime.</p> <pre><code>class TemplateConnector:\n    def __init__(self) -&gt; None:\n                # Initialization procedures\n                [...]\n        self.template_interval = get_config_variable(\n            \"TEMPLATE_INTERVAL\", [\"template\", \"interval\"], config, True\n        )\n\n    def get_interval(self) -&gt; int:\n        return int(self.template_interval) * 60 * 60 * 24\n\n        def run(self) -&gt; None:\n        self.helper.log_info(\"Fetching knowledge...\")\n        while True:\n            try:\n                # Get the current timestamp and check\n                timestamp = int(time.time())\n                current_state = self.helper.get_state()\n                if current_state is not None and \"last_run\" in current_state:\n                    last_run = current_state[\"last_run\"]\n                    self.helper.log_info(\n                        \"Connector last run: \"\n                        + datetime.utcfromtimestamp(last_run).strftime(\n                            \"%Y-%m-%d %H:%M:%S\"\n                        )\n                    )\n                else:\n                    last_run = None\n                    self.helper.log_info(\"Connector has never run\")\n                # If the last_run is more than interval-1 day\n                if last_run is None or (\n                    (timestamp - last_run)\n                    &gt; ((int(self.template_interval) - 1) * 60 * 60 * 24)\n                ):\n                    timestamp = int(time.time())\n                    now = datetime.utcfromtimestamp(timestamp)\n                    friendly_name = \"Connector run @ \" + now.strftime(\"%Y-%m-%d %H:%M:%S\")\n\n                                        ###\n                                        # RUN CODE HERE     \n                                        ###\n\n                    # Store the current timestamp as a last run\n                    self.helper.log_info(\n                        \"Connector successfully run, storing last_run as \"\n                        + str(timestamp)\n                    )\n                    self.helper.set_state({\"last_run\": timestamp})\n                    message = (\n                        \"Last_run stored, next run in: \"\n                        + str(round(self.get_interval() / 60 / 60 / 24, 2))\n                        + \" days\"\n                    )\n                    self.helper.api.work.to_processed(work_id, message)\n                    self.helper.log_info(message)\n                    time.sleep(60)\n                else:\n                    new_interval = self.get_interval() - (timestamp - last_run)\n                    self.helper.log_info(\n                        \"Connector will not run, next run in: \"\n                        + str(round(new_interval / 60 / 60 / 24, 2))\n                        + \" days\"\n                    )\n                    time.sleep(60)\n</code></pre>"},{"location":"development/connectors/#running-the-connector","title":"Running the connector","text":"<p>For development purposes, it is easier to simply run the python script locally until everything works as it sould.</p> <pre><code>$ virtualenv env\n$ source ./env/bin/activate\n$ pip3 install -r requirements\n$ cp config.yml.sample config.yml\n# Define the opencti url and token, as well as the connector's id\n$ vim config.yml\n$ python3 main.py\nINFO:root:Listing Threat-Actors with filters null.\nINFO:root:Connector registered with ID: a2de809c-fbb9-491d-90c0-96c7d1766000\nINFO:root:Starting ping alive thread\n...\n</code></pre>"},{"location":"development/connectors/#final-testing","title":"Final Testing","text":"<p>Before submitting a Pull Request, please test your code for different use cases and scenarios. We don't have an automatic testing suite for the connectors yet, thus we highly depend on developers thinking about creative scenarios their code could encounter.</p>"},{"location":"development/connectors/#prepare-for-release","title":"Prepare for release","text":"<p>If you plan to provide your connector to be used by the community (\u2764\ufe0f) your code should pass the following (minimum) criteria.</p> <pre><code># Linting with flake8 contains no errors or warnings\n$ flake8 --ignore=E,W\n# Verify formatting with black\n$ black .\nAll done! \u2728 \ud83c\udf70 \u2728\n1 file left unchanged.\n# Verify import sorting\n$ isort --profile black .\nFixing /path/to/connector/file.py\n# Push you feature/fix on Github\n$ git add [file(s)]\n$ git commit -m \"[connector_name] descriptive message\"\n$ git push origin [branch-name]\n# Open a pull request with the title \"[connector_name] message\"\n</code></pre> <p>If you have any trouble with this just reach out to the OpenCTI core team. We are happy to assist with this.</p>"},{"location":"development/environment_ubuntu/","title":"Prerequisites Ubuntu","text":"<p>Development stack require some base software that need to be installed.</p>"},{"location":"development/environment_ubuntu/#docker-or-podman","title":"Docker or podman","text":"<p>Platform dependencies in development are deployed through container management, so you need to install a container stack.</p> <p>We currently support docker and podman.</p> <pre><code>$ sudo apt-get install docker docker-compose curl\n</code></pre> <pre><code>sudo apt-get -y install podman\n</code></pre> <p>As OpenCTI has a dependency to ElasticSearch, you have to set the vm.max_map_count before running the containers, as mentioned in the ElasticSearch documentation.</p> <pre><code>$ sudo sysctl -w vm.max_map_count=262144\n</code></pre>"},{"location":"development/environment_ubuntu/#nodejs-and-yarn","title":"NodeJS and yarn","text":"<p>The platform is developed on nodejs technology, so you need to install node and the yarn package manager.</p> <pre><code>$ sudo apt-get install nodejs\n$ sudo curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -\n$ sudo echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | sudo tee /etc/apt/sources.list.d/yarn.list\n$ sudo apt-get update &amp;&amp; sudo apt-get install yarn\n</code></pre>"},{"location":"development/environment_ubuntu/#python-runtime","title":"Python runtime","text":"<p>For worker and connectors, a python runtime is needed.</p> <pre><code>$ sudo apt-get install python3 python3-pip\n</code></pre>"},{"location":"development/environment_ubuntu/#git-and-dev-tool","title":"Git and dev tool","text":"<ul> <li>Install Git from apt</li> </ul> <pre><code>$ sudo apt-get install git-all\n</code></pre> <ul> <li>Install your preferred IDE<ul> <li>Intellij community edition - https://www.jetbrains.com/idea/download/</li> <li>VSCode - https://code.visualstudio.com/</li> </ul> </li> </ul>"},{"location":"development/environment_windows/","title":"Prerequisites Windows","text":"<p>Development stack require some base software that need to be installed.</p>"},{"location":"development/environment_windows/#docker-or-podman","title":"Docker or podman","text":"<p>Platform dependencies in development are deployed through container management, so you need to install a container stack.</p> <p>We currently support docker and postman.</p> <p>Docker Desktop from - https://docs.docker.com/desktop/install/windows-install/</p> <ul> <li>Install new version of - https://docs.microsoft.com/windows/wsl/wsl2-kernel. This will require a reboot.</li> <li>Shell out to CMD as Administrator and run the following powershell command: </li> </ul> <p><code>wsl --set-default-version 2</code></p> <ul> <li>Reboot computer and continue to next step       </li> <li>Load Docker Application</li> <li>NOTE DOCKER LICENSE - You are agreeing to the licence for Non-commercial Open Source Project use. OpenCTI is Open Source and the version you would be possibly contributing to enhancing is the unpaid non-commercial/non-enterprise version. If you intention is different - please consult with your organization's legal/licensing department.</li> <li>Leave Docker Desktop running</li> </ul>"},{"location":"development/environment_windows/#nodejs-and-yarn","title":"NodeJS and yarn","text":"<p>The platform is developed on nodejs technology, so you need to install node and the yarn package manager.</p> <ul> <li>Install NodeJS from - https://nodejs.org/download/release/v16.20.0/node-v16.20.0-x64.msi</li> <li>Select the option for installing Chocolatey on the Tools for Native Modules screen<ul> <li>Will do this install for you automatically - https://chocolatey.org/packages/visualstudio2019-workload-vctools</li> <li>Includes Python 3.11.4</li> </ul> </li> <li> <p>Shell out to CMD prompt as Administrator and install/run:</p> <ul> <li><code>pip3 install pywin32</code></li> </ul> </li> <li> <p>Configure Yarn (https://yarnpkg.com/getting-started/install)</p> </li> <li>Open CMD as Administrator and run the following command:<ul> <li><code>corepack enable</code></li> </ul> </li> </ul>"},{"location":"development/environment_windows/#python-runtime","title":"Python runtime","text":"<p>For worker and connectors, a python runtime is needed. Even if you already have a python runtime installed through node installation,  on windows some nodejs package will be recompiled with python and C++ runtime. </p> <p>For this reason Visual Studio Build Tools is required.</p> <ul> <li>Install Visual Studio Build Tools from - https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=BuildTools</li> <li>Check off Desktop Development with C++</li> <li>Run install</li> </ul>"},{"location":"development/environment_windows/#git-and-dev-tool","title":"Git and dev tool","text":"<ul> <li>Download GIT for Windows (64-bit Setup)- https://git-scm.com/download/win</li> <li> <p>Just use defaults on each screen</p> </li> <li> <p>Install your preferred IDE</p> </li> <li>Intellij community edition - https://www.jetbrains.com/idea/download/</li> <li>VSCode - https://code.visualstudio.com/docs/?dv=win64</li> </ul>"},{"location":"development/platform/","title":"Platform development","text":""},{"location":"development/platform/#introduction","title":"Introduction","text":"<p>This summary should give you a detailed setup description for initiating the OpenCTI setup environment  necessary for developing on the OpenCTI platform, a client library or the connectors.  This page document how to set up an \"All-in-One\" development environment for OpenCTI.  The devenv will contain data of 3 different repositories:</p> <ul> <li>Platform: https://github.com/OpenCTI-Platform/opencti</li> <li>Connectors: https://github.com/OpenCTI-Platform/connectors</li> <li>Client python: https://github.com/OpenCTI-Platform/client-python</li> </ul>"},{"location":"development/platform/#platform","title":"Platform","text":"<p>Contains the platform OpenCTI project code base:</p> <ul> <li>docker-compose (docker or podman) <code>~/opencti/opencti-platform/opencti-dev</code></li> <li>Web frontend (nodejs / react) <code>~/opencti/opencti-platform/opencti-graphql</code></li> <li>Backend (nodejs) <code>~/opencti/opencti-platform/opencti-frontend</code></li> <li>Worker (nodejs / python) <code>~/opencti/opencti-worker</code></li> </ul>"},{"location":"development/platform/#connectors","title":"Connectors","text":"<p>Contains a lot of developed connectors, as a source of inspiration for your new connector.</p>"},{"location":"development/platform/#client-python","title":"Client python","text":"<p>Contains the source code of the python library used in worker or connectors.</p>"},{"location":"development/platform/#prerequisites","title":"Prerequisites","text":"<p>Some tools are needed before starting to develop. Please check Ubuntu prerequisites or Windows prerequisites</p>"},{"location":"development/platform/#clone-the-projects","title":"Clone the projects","text":"<p>Fork and clone the git repositories</p> <ul> <li>https://github.com/OpenCTI-Platform/opencti/ - frontend / backend</li> <li>https://github.com/OpenCTI-Platform/connectors - connectors</li> <li>https://github.com/OpenCTI-Platform/docker - docker stack</li> <li>https://github.com/OpenCTI-Platform/client-python/ - python client</li> </ul>"},{"location":"development/platform/#dependencies-containers","title":"Dependencies containers","text":"<p>In development dependencies are deployed trough containers. A development compose file is available in <code>~/opencti/opencti-platform/opencti-dev</code></p> <pre><code>cd ~/docker\n#Start the stack in background\ndocker-compose -f ./docker-compose-dev.yml up -d\n</code></pre> <p>You have now all the dependencies of OpenCTI running and waiting for product to run.</p>"},{"location":"development/platform/#backend-api","title":"Backend / API","text":""},{"location":"development/platform/#python-virtual-env","title":"Python virtual env","text":"<p>The GraphQL API is developed in JS and with some python code.  As it's an \"all-in-one\" installation, the python environment will be installed in a virtual environment.</p> <pre><code>cd ~/opencti/opencti-platform/opencti-graphql\npython3 -m venv .venv --prompt \"graphql\"\nsource .venv/bin/activate\npip install --upgrade pip wheel setuptools\nyarn install\nyarn install:python \ndeactivate\n</code></pre>"},{"location":"development/platform/#development-configuration","title":"Development configuration","text":"<p>The API can be specifically configured with files depending on the starting profile. By default, the default.json file is used and will be correctly configured for local usage except for admin password</p> <p>So you need to create a development profile file. You can duplicate the default file and adapt if for you need. <pre><code>cd ~/opencti/opencti-platform/opencti-graphql/config\ncp default.json development.json\n</code></pre></p> <p>At minimum adapt the admin part for the password and token. <pre><code>    \"admin\": {\n      \"email\": \"admin@opencti.io\",\n      \"password\": \"MyNewPassord\",\n      \"token\": \"UUID generated with https://www.uuidgenerator.net\"\n    }\n</code></pre></p>"},{"location":"development/platform/#install-start","title":"Install / start","text":"<p>Before starting the backend you need to install the nodejs modules</p> <pre><code>cd ~/opencti/opencti-platform/opencti-graphql\nyarn install\n</code></pre> <p>Then you can simply start the backend API with the yarn start command</p> <pre><code>cd ~/opencti/opencti-platform/opencti-graphql\nyarn start\n</code></pre> <p>The platform will start logging some interesting information</p> <pre><code>{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[OPENCTI] Starting platform\",\"timestamp\":\"2023-07-02T16:37:10.984Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[OPENCTI] Checking dependencies statuses\",\"timestamp\":\"2023-07-02T16:37:10.987Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[SEARCH] Elasticsearch (8.5.2) client selected / runtime sorting enabled\",\"timestamp\":\"2023-07-02T16:37:11.014Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[CHECK] Search engine is alive\",\"timestamp\":\"2023-07-02T16:37:11.015Z\",\"version\":\"5.8.7\"}\n...\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[INIT] Platform initialization done\",\"timestamp\":\"2023-07-02T16:37:11.622Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[OPENCTI] API ready on port 4000\",\"timestamp\":\"2023-07-02T16:37:12.382Z\",\"version\":\"5.8.7\"}\n</code></pre> <p>If you want to start on another profile you can use the -e parameter. For example here to use the profile.json configuration file.</p> <pre><code>yarn start -e profile\n</code></pre>"},{"location":"development/platform/#code-check","title":"Code check","text":"<p>Before pushing your code you need to validate the syntax and ensure the testing will be validated.</p>"},{"location":"development/platform/#for-validation","title":"For validation","text":"<p><code>yarn lint</code></p> <p><code>yarn check-ts</code></p>"},{"location":"development/platform/#for-testing","title":"For testing","text":"<p>For starting the test you will need to create a test.json file. You can use the same dependencies by only adapting all prefix for all dependencies.</p> <p><code>yarn test:dev</code></p>"},{"location":"development/platform/#frontend","title":"Frontend","text":""},{"location":"development/platform/#install-start_1","title":"Install / start","text":"<p>Before starting the backend you need to install the nodejs modules</p> <pre><code>cd ~/opencti/opencti-platform/opencti-front\nyarn install\n</code></pre> <p>Then you can simply start the frontend with the yarn start command</p> <pre><code>cd ~/opencti/opencti-platform/opencti-front\nyarn start\n</code></pre> <p>The frontend will start with some interesting information</p> <pre><code>[INFO] [default] compiling...\n[INFO] [default] compiled documents: 1592 reader, 1072 normalization, 1596 operation text\n[INFO] Compilation completed.\n[INFO] Done.\n[HPM] Proxy created: /stream  -&gt; http://localhost:4000\n[HPM] Proxy created: /storage  -&gt; http://localhost:4000\n[HPM] Proxy created: /taxii2  -&gt; http://localhost:4000\n[HPM] Proxy created: /feeds  -&gt; http://localhost:4000\n[HPM] Proxy created: /graphql  -&gt; http://localhost:4000\n[HPM] Proxy created: /auth/**  -&gt; http://localhost:4000\n[HPM] Proxy created: /static/flags/**  -&gt; http://localhost:4000\n</code></pre> <p>The web UI should be accessible on http://127.0.0.1:3000</p>"},{"location":"development/platform/#code-check_1","title":"Code check","text":"<p>Before pushing your code you need to validate the syntax and ensure the testing will be validated.</p>"},{"location":"development/platform/#for-validation_1","title":"For validation","text":"<p><code>yarn lint</code></p> <p><code>yarn check-ts</code></p>"},{"location":"development/platform/#for-testing_1","title":"For testing","text":"<p><code>yarn test</code></p>"},{"location":"development/platform/#worker","title":"Worker","text":"<p>Running a worker is required when you want to develop on the ingestion or import/export connectors.</p>"},{"location":"development/platform/#python-virtual-env_1","title":"Python virtual env","text":"<pre><code>cd ~/opencti/opencti-worker/src\npython3 -m venv .venv --prompt \"worker\"\nsource .venv/bin/activate\npip3 install --upgrade pip wheel setuptools\npip3 install -r requirements.txt\ndeactivate\n</code></pre>"},{"location":"development/platform/#install-start_2","title":"Install / start","text":"<pre><code>cd ~/opencti/opencti-worker/src\nsource .venv/bin/activate\npython worker.py\n</code></pre>"},{"location":"development/platform/#connectors_1","title":"Connectors","text":"<p>For connectors development, please take a look to Connectors development dedicated page.</p>"},{"location":"development/platform/#production-build","title":"Production build","text":"<p>Based on development source you can build the package for production. This package will be minified and optimized with esbuild.</p> <pre><code>$ cd opencti-frontend\n$ yarn build\n$ cd ../opencti-graphql\n$ yarn build\n</code></pre> <p>After the build you can start the production build with yarn serv. This build will use the production.json configuration file</p> <pre><code>$ cd ../opencti-graphql\n$ yarn serv\n</code></pre>"},{"location":"development/python/","title":"Python library","text":"<p>The PyCTI library is the official Python client for OpenCTI. It is made to help developers interact with the openCTI plaform.</p>"},{"location":"development/python/#installation","title":"Installation","text":"<p>To install the latest Python client library, please use <code>pip</code>:</p> <pre><code>$ pip3 install pycti\n</code></pre>"},{"location":"development/python/#using-the-helper-functions","title":"Using the helper functions","text":"<p>The main class <code>OpenCTIApiClient</code> contains all what you need to interact with the platform, you just have to initialize it.</p> <p>The following example shows how you create an indicator in OpenCTI using the python library with TLP marking and OpenCTI compatible date format.</p> <pre><code>from dateutil.parser import parse\nfrom pycti import OpenCTIApiClient\nfrom stix2 import TLP_GREEN\n\n# OpenCTI API client initialization\nopencti_api_client = OpenCTIApiClient(\"https://myopencti.server\", \"mysupersecrettoken\")\n\n# Define an OpenCTI compatible date\ndate = parse(\"2019-12-01\").strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n\n# Get the OpenCTI marking for stix2 TLP_GREEN\nTLP_GREEN_CTI = opencti_api_client.marking_definition.read(id=TLP_GREEN[\"id\"])\n\n# Use the client to create an indicator in OpenCTI\nindicator = opencti_api_client.indicator.create(\n    name=\"C2 server of the new campaign\",\n    description=\"This is the C2 server of the campaign\",\n    pattern_type=\"stix\",\n    pattern=\"[domain-name:value = 'www.5z8.info']\",\n    x_opencti_main_observable_type=\"IPv4-Addr\",\n    valid_from=date,\n    update=True,\n    markingDefinitions=[TLP_GREEN_CTI[\"id\"]],\n)\n</code></pre>"},{"location":"development/python/#examples","title":"Examples","text":"<p>A suite of illustrative examples is available in the PyCTI GitHub repository to aid in better understanding.</p>"},{"location":"reference/api/","title":"GraphQL API","text":"<p>OpenCTI provides a comprehensive API based on GraphQL, allowing users to perform various actions programmatically. The API enables users to interact with OpenCTI's functionality and data, offering a powerful tool for automation, integration, and customization. All actions that can be performed through the platform's graphical interface are also achievable via the API.</p>"},{"location":"reference/api/#authentication","title":"Authentication","text":"<p>Access to the OpenCTI API requires authentication using standard authentication mechanisms. Access rights to data via the API will be determined by the access privileges of the user associated with the API key. For authentication, users need to include the following headers in their API requests:</p> <pre><code>Content-Type: application/json\nAuthorization: Bearer [API key]\n</code></pre>"},{"location":"reference/api/#documentation","title":"Documentation","text":"<p>The OpenCTI API consists of various endpoints corresponding to different functionalities and operations within the platform. These endpoints allow users to perform actions such as querying data, creating or updating entities, and more. Users can refer to the Understand GraphQL section to understand how it works.</p> <p>Documentation for the OpenCTI API, including schema definitions, the list of filters available and queryable fields, is available through the OpenCTI platform. It can be found on the GraphQL playground. However, query examples and mutation examples are not yet available. In the meantime, users can explore the available endpoints and their functionality by inspecting network traffic in the browser's developer tools or by examining the source code of the Python client.</p> <p></p> <p></p>"},{"location":"reference/api/#understand-graphql","title":"Understand GraphQL","text":"<p>GraphQL is a powerful query language for APIs that enables clients to request exactly the data they need. Unlike traditional REST APIs, which expose fixed endpoints and return predefined data structures, GraphQL APIs allow clients to specify the shape and structure of the data they require.</p>"},{"location":"reference/api/#core-concepts","title":"Core concepts","text":""},{"location":"reference/api/#schema-definition-language-sdl","title":"Schema Definition Language (SDL)","text":"<p>GraphQL APIs are defined by a schema, which describes the types of data that can be queried and the relationships between them. The schema is written using the Schema Definition Language (SDL), which defines types, fields, and their relationships.</p>"},{"location":"reference/api/#query-language","title":"Query language","text":"<p>GraphQL uses a query language to request data from the server. Clients can specify exactly which fields they need and how they are related, enabling precise data retrieval without over-fetching or under-fetching.</p> <p>Example:</p> <pre><code>query IntrusionSets {\n    intrusionSets (\n        filters:\n        {\n            mode: and,\n            filters: [\n                {\n                    key: \"name\",\n                    values: [\"Ajax Security Team\"],\n                    operator: eq,\n                    mode: or,\n                }\n            ],\n            filterGroups: [],\n        }\n    )\n    {\n        edges{\n            node{\n                id\n                name\n                description\n                externalReferences{\n                    edges{\n                        node{\n                            url\n                            source_name\n                        }\n                    }\n                }\n            }\n        }\n    }\n}\n</code></pre>"},{"location":"reference/api/#resolvers","title":"Resolvers","text":"<p>Resolvers are functions responsible for fetching the requested data. Each field in the GraphQL schema corresponds to a resolver function, which determines how to retrieve the data from the underlying data sources.</p>"},{"location":"reference/api/#how-it-works","title":"How it Works","text":"<ol> <li>Schema definition: The API provider defines a GraphQL schema using SDL, specifying the types and fields available for querying.</li> <li>Query execution: Clients send GraphQL queries to the server, specifying the data they need. The server processes the query, resolves each field, and constructs a response object with the requested data.</li> <li>Validation and execution: The server validates the query against the schema to ensure it is syntactically and semantically correct. If validation passes, the server executes the query, invoking the appropriate resolver functions to fetch the requested data.</li> <li>Data retrieval: Resolvers fetch data from the relevant data sources, such as databases, APIs, or other services. They transform the raw data into the shape specified in the query and return it to the client.</li> <li>Response formation: Once all resolvers have completed, the server assembles the response object containing the requested data and sends it back to the client.</li> </ol>"},{"location":"reference/api/#external-resources","title":"External Resources","text":"<p>For a more in-depth understanding of GraphQL and its usage, consider exploring the following external resources:</p> <ul> <li>GraphQL Official Documentation</li> <li>GraphQL query documentation</li> <li>How to GraphQL</li> </ul>"},{"location":"reference/data-intelligence/","title":"Data intelligence","text":"<p>As a cyber threat intelligence platform, OpenCTI offers functionalities that enable users to move quickly from raw data to operational intelligence by building up high-quality, structured information.</p> <p>To do so, the platform provides a number of essential capabilities, such as automated data deduplication, merging of similar entities while preserving relationship integrity, the ability to modulate the confidence levels on your intelligence, and the presence of inference rules to automate the creation of logical relationships among your data.</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-deduplication","title":"Data intelligence feature: Deduplication","text":"<p>The first essential data intelligence mechanism in OpenCTI is the deduplication of information and relations.</p> <p>This advanced functionality not only enables you to check whether a piece of data, information or a relationship is not a duplicate of an existing element, but will also, under certain conditions, enrich the element already present.</p> <p>If the new duplicated entity has new content, the pre-existing entity can be enriched with the new information from the duplicate.</p> <p>It works as follows (see details in deduplication):</p> <ul> <li>For entities: based on the entity's properties based on a specific ID generated by the \"ID Contributing Properties\" platform (properties listed on the dedicated page).</li> <li>For relationships: based on type, source, target, start time, and stop time.</li> <li>For observables: a specific ID is also generated by the platform, this time based on the specifications of the STIX model.</li> </ul> <p>The ability to update and enrich is determined by the confidence level and quality level of the entities and relationships (see diagram on page deduplication).</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-merging","title":"Data intelligence feature: Merging","text":"<p>OpenCTI's merging function is one of the platform's crucial data intelligence elements.</p> <p>From the Data &gt; Entities tab, this feature lets you merge up to 4 entities of the same type. A parent entity is selected and assigned up to three child entities.</p> <p>The benefit of this feature is to centralize a number of similar elements from different sources without losing data or degrading the quality of the information. During merging, the platform will create relationships to anchor all the data to the consolidated entity.</p> <p>This enrichment function consolidates the data and avoids duplication, but above all initiates a structured intelligence process while preserving the integrity of pre-existing relationships as presented here.</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-confidence-level-and-data-segregation","title":"Data intelligence feature: Confidence level and data segregation","text":"<p>Another key element of OpenCTI's data intelligence is its ability to apply confidence levels and to segregate the data present in the platform.</p> <p>The confidence level is directly linked to Users and Role Based Access Control. It is applied to a user directly or indirectly via the confidence level of the group to which the user belongs. This element is fundamental as it defines the levels of data manipulation to which the user (real or connector) is entitled.</p> <p>The correct application of confidence levels is all the more important as it will determine the confidence level of the data manipulated by a user. It is therefore a decisive mechanism, since it underpins the confidence you have in the content of your instance.</p> <p>While it is important to apply a level of trust to your users or groups, it is also important to define a way of categorizing and protecting your data.</p> <p>Data segregation makes it possible to apply marking definitions and therefore establish a standardized framework for classifying data.</p> <p>These marking definitions, like the classic Trafic Light Protocols (TLP) implemented by default in the platform, will determine whether or not a user can access a specific data set. The marking will be applied at the group level to which the user belongs, which will determine the data to which the user has access and therefore the data that the user can potentially handle.</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-inference-rules","title":"Data intelligence feature: Inference rules","text":"<p>In OpenCTI, data intelligence is not just about the ability to segregate, qualify or enrich data. OpenCTI's inference rules enable you to mobilize the data on your platform effectively and operationally.</p> <p>These predefined rules enable the user to speed up cyber threat management. For example, inferences can be used to automatically identify incidents based on a sighting, to create sightings on observables based on new observed data, to propagate relationships based on an observable, etc.</p> <p>In all, the platform includes some twenty high-performance inference rules that considerably speed up the analysis and response to threats (see the full list here).</p> <p>These rules are based on a logical interpretation of the data, resulting in a pre-analysis of the information by creating relationships that will enrich the intelligence in the platform. There are three main benefits: efficiency, completeness and accuracy. These user benefits can be found here.</p> <p>Note: If these rules are present in the platform, they are not activated by default.</p> <p>Once activated, they scan all the data in your platform in the background to identify all the existing relationships that meet the conditions of the rules. Then, the rules operate continuously to create relationships. If you deactivate a rule, all the objects and relationships it has created will be deleted.</p> <p>These actions can only be carried out by an administrator of the instance.</p>"},{"location":"reference/data-model/","title":"Data model","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participate, don't hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p>"},{"location":"reference/filters-migration/","title":"Filters format migration for OpenCTI 5.12","text":"<p>The version 5.12 of OpenCTI introduces breaking changes to the filters format used in the API. This documentation describes how you can migrate your scripts or programs that call the OpenCTI API, when updating from a version of OpenCTI inferior to 5.12.</p>"},{"location":"reference/filters-migration/#context-why-this-migration","title":"Context: why this migration?","text":"<p>Before OpenCTI 5.12, it was not possible to construct complex filters combinations: we couldn't embed filters within filters, using different boolean modes (and/or), filter on all available attributes or relations for a given entity type, or even test for empty fields of any sort.</p> <p>Legacy of years of development, the former format and filtering mechanics were not adapted for such task, and a profound refactoring was necessary to make it happen.</p> <p>Here are the main pain points we identified beforehand:</p> <ul> <li>the filters frontend and backend formats were very different, requiring careful conversions</li> <li>the filter keys were enums, i.e. the keys would belong to static lists of keys, depending on each given entity type and maintained by hands</li> <li>the operator (<code>eq</code>, <code>not_eq</code>, etc.) was inside the key (e.g. <code>entity_type_not_eq</code>), limiting operator combination and requiring error-prone parsing</li> <li>the frontend format imposed a unique form of combination (<code>and</code> between filters, <code>or</code> between values inside each filter, and nothing else possible)</li> <li>the flat list structure made impossible filter imbrication by nature</li> <li>Filters and query options were mixed in GQL queries for the same purpose (for instance, option <code>types</code> analog to a filter on key <code>entity_type</code>)</li> </ul> <pre><code>// filter formats in OpenCTI &lt;= 5.11\n\ntype Filter = {\n    key: string, // an enum that should be in the list of the available filter keys for given the entity type\n    values: string[],\n    operator: string,\n    filterMode: 'and' | 'or',\n}\n\n// \"give me Reports labelled with labelX or labelY\"\nconst filters = [\n  { \n    \"key\": \"entity_type\",\n    \"values\": [\"Report\"],\n    \"operator\": \"eq\",\n    \"filterMode\": \"or\"\n  },\n  { \n    \"key\": \"labelledBy\",\n    \"values\": [\"&lt;id-for-labelX&gt;\", \"id-for-labelY&gt;\"],\n    \"operator\": \"eq\",\n    \"filterMode\": \"or\"\n  },\n]\n</code></pre> <p>The new format brings a lot of short-term benefits and is compatible with our long-term vision of the filtering capabilities in OpenCTI. We chose a simple recursive structure that allow complex combination of any sort with respect to basic boolean logic.</p> <p>The list of operator is fixed and can be extended during future developments.</p> <pre><code>// filter formats in OpenCTI &gt;= 5.12\n\ntype FilterGroup = {\n  mode: 'and' | 'or'\n  filters: Filter[]\n  filterGroups: FilterGroup[] // recursive definition\n}\n\ntype Filter  = {\n  key: string[]\n  values: string[]\n  operator: 'eq' | 'not_eq' | 'gt' // ... and more\n  mode: 'and' | 'or',\n}\n\n// \"give me Reports and RFIs, not marked TLP;RED with no label or labelX\"\nconst filters = {\n  mode: 'and',\n  filters: [\n    { key: 'entity_type', values: ['Report', 'Case-Rfi'], operator: 'eq', mode: 'or', },\n    { key: 'objectMarking', values: ['&lt;id-for-TLP;RED&gt;'], operator: 'not_eq', mode: 'or', },\n  ],\n  filterGroups: [{\n    mode: 'or',\n    filters: [\n      { key: 'objectLabel', values: [\"&lt;id-for-labelX&gt;\"], operator: 'eq', mode: 'or', },\n      { key: 'objectLabel', values: [], operator: 'nil', mode: 'or', },\n    ],\n    filterGroups: [],\n  }],\n};\n</code></pre> <p>Because changing filters format impacts almost everything in the platform, we decided to do a complete refactoring once and for all. We want this migration process to be clear and easy.</p>"},{"location":"reference/filters-migration/#what-has-been-changed","title":"What has been changed","text":"<p>The new filter implementation bring major changes in the way filters are processed and executed.</p> <ul> <li>We change the filters formats (see <code>FilterGroup</code> type above):</li> <li>In the frontend, an operator and a mode are stored for each key</li> <li>The new format enables filters imbrication thanks to the new attribute 'filterGroups'</li> <li>The keys are of type string (no more static list of enums)</li> <li> <p>The 'values' attribute can no longer contain null values (use the <code>nil</code> operator instead)</p> </li> <li> <p>We also renamed some filter keys, to be consistent with the entities schema definitions.</p> </li> <li> <p>We implemented the handling of the different operators and modes in the backend.</p> </li> <li> <p>We introduced new void operators (<code>nil</code> / <code>not_nil</code>) to test the presence or absence of value in any field</p> </li> </ul>"},{"location":"reference/filters-migration/#how-to-migrate-your-own-filters","title":"How to migrate your own filters","text":"<p>We wrote a migration script to convert all filters created and stored in database prior to version 5.12 (filters contained in streams, taxii collections, feeds, triggers, playbooks, dashboards). These filters will thus be migrated automatically when starting your updated platform.</p> <p>However, you might have your own connectors, queries, or python scripts that use the graphql API or the python client. If this is the case, you must change the filter format if you want to run the code against OpenCTI 5.12.</p> <p>To convert filters prior to version 5.12 in the new format:</p> <ul> <li>update the <code>key</code> field if it has been changed in 5.12 (see the full list below)</li> <li>rename the field <code>filterMode</code> in <code>mode</code></li> <li><code>operator</code> unchanged</li> <li>if <code>values</code> does not contain <code>null</code>, you can keep the array as-is</li> </ul> <p>Now you can build your new <code>FilterGroup</code> object with:</p> <ul> <li><code>mode: 'and'</code></li> <li><code>filters</code> = array of converted filters (following previous steps),</li> <li><code>filterGroups: []</code></li> </ul> <pre><code>const oldFilter = {\n    key: 'old_key',\n    values: ['value1', 'value2'],\n    operator: 'XX',\n    filterMode: 'XX',\n}\n\nconst convertedFilter = {\n    key: 'converted_key_if_necessary',\n    values: ['value1', 'value2'],\n    operator: 'XX',\n    mode: 'XX',\n}\n\nconst newFilters = {\n    mode: 'and',\n    filters: [convertedFilter1, convertedFilter2...], // array with all converted filter\n    filterGroups: [],\n}\n</code></pre> <p>if <code>values</code> contains a <code>null</code> value (for instance <code>['XXX', null]</code>), you need to convert the filter using the new <code>nil</code> / <code>not_nil</code> operators. This will happen if you have old filters on labels with the \"no label\" value, which is actually a <code>null</code> in <code>values</code>.</p> <ul> <li>Extract one filter dedicated to <code>null</code></li> <li><code>operator: 'nil'</code> if operator was <code>'eq'</code>, <code>operator = 'not_nil'</code> if operator was <code>not_eq</code></li> <li><code>values = []</code></li> <li>extract another filter for all the other values</li> </ul> <pre><code>// \"Must have a label that is not Label1 or Label2\"\nconst oldFilter = {\n    key: 'labelledBy',\n    values: [null, 'id-for-Label1', 'id-for-Label2'],\n    operator: 'not_eq',\n    filterMode: 'and',\n}\n\nconst newFilters = {\n    mode: 'and',\n    filters: [\n      {\n        key: 'objectLabel',\n        values: ['id-label-1', 'id-for-Label2'],\n        operator: 'not_eq',\n        mode: 'and',\n      },\n      {\n        key: 'objectLabel',\n        values: [],\n        operator: 'not_nil',\n        mode: 'and',\n      },\n    ],\n    filterGroups: [],\n}\n</code></pre> <p>To preserve the logic of your old filter you might need to compose nested filter groups. This could happen for instance when using <code>eq</code> operator with <code>null</code> values for one filter, combined in <code>and</code> mode with other filters</p> <p>for example:</p> <p>\"All Reports that have either the label \"label1\" or \"label2\", or no label at all\"</p> <p><code>(entity_type = Report) AND (label = \"No label\" OR label1 OR label2)</code></p> <p>Cannot be expressed a simple list of filters, it requires a <code>filterGroup</code>. This case is detailed in the examples below.</p>"},{"location":"reference/filters-migration/#filter-keys-that-have-been-renamed","title":"Filter keys that have been renamed","text":"<p>Make sure you address all the filter keys that require conversion, following the map below:</p> <pre><code>// array of [oldKey, newKey] for the renamed keys\nconst keyConversion = [\n    ['labelledBy', 'objectLabel'],\n    ['markedBy', 'objectMarking'],\n    ['objectContains', 'objects'],\n    ['killChainPhase', 'killChainPhases'],\n    ['assigneeTo', 'objectAssignee'],\n    ['participant', 'objectParticipant'],\n    ['creator', 'creator_id'],\n    ['hasExternalReference', 'externalReferences'],\n    ['hashes_MD5', 'hashes.MD5'],\n    ['hashes_SHA1', 'hashes.SHA-1'],\n    ['hashes_SHA256', 'hashes.SHA-256'],\n    ['hashes_SHA512', 'hashes.SHA-512']\n]\n</code></pre>"},{"location":"reference/filters-migration/#examples","title":"Examples","text":"<p>Let's start with a simple case:</p> <p>All Reports with label \"label1\" or \"label2\"</p> <p><code>(entity_type = Report) AND (label = label1 OR label2)</code></p> <pre><code>const oldBackendFilter = [\n  {\n    key: 'entity_type',\n    values: ['Report'],\n    operator: 'eq',\n    filterMode: 'or',\n  },\n  {\n   key: 'labelledBy',\n    values: [label1_id, label2_id],\n    operator: 'eq',\n    filterMode: 'or',\n  },\n];\n\nconst newFilters = {\n  mode: 'and',\n  filters: [\n    {\n      key: 'entity_type',\n      values: ['Report'],\n      operator: 'eq',\n      mode: 'or',\n    },\n    {\n      key: 'objectLabel',\n      values: [label1_id, label2_id],\n      operator: 'eq',\n      mode: 'or',\n    }\n  ],\n  filterGroups: [],\n};\n</code></pre> <p>And now for a more complex case involving filter group nesting:</p> <p>\"All Reports that have either the label \"label1\" or \"label2\", or no label at all\"</p> <p><code>(entity_type = Report) AND (label = \"No label\" OR label1 OR label2)</code></p> <pre><code>const oldBackendFilter = [\n    {\n      key: 'labelledBy',\n      values: [label1_id, label2_id, null],\n      operator: 'eq',\n      filterMode: 'or',\n    },\n    {\n      key: 'entity_type',\n      values: ['Report'],\n      operator: 'eq',\n      filterMode: 'or',\n    },\n];\n\nconst newFilters = {\n    mode: 'and',\n    filters: [\n      {\n        key: 'entity_type',\n        values: ['Report'],\n        operator: 'eq',\n        mode: 'or',\n      },\n    ],\n    // the combination mode/operator in this case requires nested filter groups\n    filterGroups: [\n      {\n        mode: 'or',\n        filters: [\n          {\n            key: 'objectLabel',\n            values: [label1_id, label2_id],\n            operator: 'eq',\n            mode: 'or',\n          },\n          {\n            key: 'objectLabel',\n            operator: 'nil',\n            values: [], // empty, does not matter\n            mode: 'or', // and/or, does not matter \n          },\n        ],\n        filterGroups: [],\n      }\n    ],\n};\n</code></pre>"},{"location":"reference/filters-migration/#local-filters-in-url-and-local-storage","title":"Local Filters in URL and Local storage","text":"<p>Please note that the filters saved in local storage are not migrated automatically and are lost when moving to 5.12. This concerns the filters saved for each view, that are restored when coming back to the same view. You will need to reconstruct the filters by hand in the UI ; these new filters will be properly saved and restored afterward.</p> <p>Also, when going to an url with filters in the old format, OpenCTI will display a warning and remove the filter parameters. Only URLs built by OpenCTI 5.12 are compatible with it, so you will need to reconstruct the filters by hand and save / share your updated links.</p> <p></p>"},{"location":"reference/filters/","title":"Filter knowledge","text":"<p>In OpenCTI, you can filter data to target or view entities that have particular attributes.</p>"},{"location":"reference/filters/#filters-usages","title":"Filters usages","text":"<p>Filters are used in many locations in the platform.</p> <ul> <li>in entities lists: to display only the entities matching the filters. If an export or a background task is generated, only the filtered data will be taken into account.</li> <li>in investigations and knowledge graphs: to display only the entities matching the filters.</li> <li>in dashboards: to create Widget graphs and lists with only the entities matching the filters.</li> <li>in feeds, taxii collections, triggers, streams, playbooks, background tasks: to process only the data  or events matching the filters.</li> </ul> <p>There are two types of filters:</p> <ul> <li>dynamic filters: they are not stored in the database, they enable to filter view in the UI. Examples: filters in entities list, investigations, knowledge graphs;</li> <li>stored filters: They are attributes of an entity, they are stored as an attribute in the object. Examples: filters in dashboards, feeds, taxii collections, triggers, streams, playbooks.</li> </ul> <p></p>"},{"location":"reference/filters/#create-a-filter","title":"Create a filter","text":"<p>To create a filter, add every key you need using the 'Add filter' select box. It will give you the possible attributes on which you can filter in the current view.</p> <p>A grey box appears and allows to select:</p> <ul> <li>the operator to use</li> <li>the values to compare (if operator is not 'empty' or 'not_empty')</li> </ul> <p>You can add as many filters as you like, even use the same key twice with different operators and values.</p> <p>The boolean modes (and /or) are either global (between every attribute filters) or local (between values inside a filter). Both can be switched with a single click, changing the logic of your filtering.</p>"},{"location":"reference/filters/#dynamic-filters-persistence","title":"Dynamic filters persistence","text":"<p>Dynamic filters are not saved in database, but they are still persistent in the platform frontend side. The filters used in a view are saved as URL parameters, so you can save and share links of these filtered views.</p> <p>Also, your web browser saves in local storage the filters that you are setting in various places of the platform, allowing to retrieve them when you come back to the same view. You can then keep working from where you left of.</p>"},{"location":"reference/filters/#filters-format-since-512","title":"Filters format (since 5.12)","text":"<p>Since OpenCTI 5.12, the OpenCTI platform uses a new filter format called <code>FilterGroup</code>, that must be used in API calls. The <code>FilterGroup</code> model enables to do complex filters imbrication with different boolean operators, which extends greatly the filtering capabilities in every parts of the platform.</p> <p>The new format used internally by OpenCTI and exposed through its API, can be described as below:</p> <pre><code>// filter formats in OpenCTI &gt;= 5.12\n\ntype FilterGroup = {\n  mode: 'and' | 'or'\n  filters: Filter[]\n  filterGroups: FilterGroup[] // recursive definition\n}\n\ntype Filter  = {\n  key: string[] // or single string (input coercion)\n  values: string[]\n  operator: 'eq' | 'not_eq' | 'gt' // ... and more\n  mode: 'and' | 'or',\n}\n\n// \"give me Reports and RFIs, not marked TLP;RED, with no label or labelX\"\nconst filters = {\n  mode: 'and',\n  filters: [\n    { key: 'entity_type', values: ['Report', 'Case-Rfi'], operator: 'eq', mode: 'or', },\n    { key: 'objectMarking', values: ['&lt;id-for-TLP;RED&gt;'], operator: 'not_eq', mode: 'or', },\n  ],\n  filterGroups: [{\n    mode: 'or',\n    filters: [\n      { key: 'objectLabel', values: [\"&lt;id-for-labelX&gt;\"], operator: 'eq', mode: 'or', },\n      { key: 'objectLabel', values: [], operator: 'nil', mode: 'or', },\n    ],\n    filterGroups: [],\n  }],\n};\n</code></pre> <p>We can express complex, nested filters like:</p> <pre><code>(Entity Type = Malware) AND (Marking = TLP;CLEAR or TLP;GREEN)\nOR\n(Entity Type = Intrusion Set) AND (Label = labelX)  \n</code></pre> <p>In a given filter group, the <code>mode</code> (<code>and</code> or <code>or</code>) represents the boolean operation between the different <code>filters</code> and <code>filterGroups</code> arrays. The <code>filters</code> and <code>filterGroups</code> arrays are composed of objects of type Filter and FilterGroup.</p> <p>The <code>Filter</code> has 4 properties:</p> <ul> <li>a <code>key</code>, representing the kind of data we want to target (example: <code>objectLabel</code> to filter on labels or <code>createdBy</code> to filter on the author)</li> <li>an array of <code>values</code>, representing the values we want to compare to</li> <li>an <code>operator</code> representing the operation we want to apply between the <code>key</code> and the <code>values</code></li> <li>a <code>mode</code> (again, <code>and</code> or <code>or</code>) to apply between the values if there are several ones</li> </ul>"},{"location":"reference/filters/#operators","title":"Operators","text":"<p>The available operators are:</p> <ul> <li><code>eq</code>  for 'equal', and <code>not_eq</code> for 'different',</li> <li><code>gt</code> / <code>gte</code> for 'greater than' / 'greater than or equal',</li> <li><code>lt</code> / <code>lte</code> for 'lower than' / 'lower than or equal',</li> <li><code>nil</code> for 'empty', and <code>not_nil</code> for non-empty (any value),</li> <li><code>starts_with</code> / <code>not_starts_with</code> / <code>ends_with</code> / <code>not_ends_with</code> / <code>contains</code> / <code>not contains</code> are available for searching in short string fields (name, value, title...),</li> <li><code>search</code>  is available in short string and text fields.</li> </ul>"},{"location":"reference/filters/#note","title":"Note","text":"<p><code>nil</code> and <code>not_nil</code> are the only operators that do not require anything inside <code>values</code>.</p> <p>There is a small difference between <code>search</code> and <code>contains</code>. <code>search</code> finds any occurrence of specified words, regardless of order, while \"contains\" specifically looks for the exact sequence of words you provide.</p> <p>When using a numerical comparison operators (<code>gt</code> and the like) against textual values, the alphabetical ordering is used.</p> <p>Some operator may not be allowed for some key, for additional information please navigate to the \"Special keys\" section.</p> <p>Also note that GraphQL input coercion makes possible using a simple <code>string</code> key instead of an array. Multi-key filters are not supported across the platform and are reserved to specific, internal cases. Bottom line: Always use single-key filters.</p>"},{"location":"reference/filters/#examples-of-filter-using-opencti-version-512","title":"Examples of filter using OpenCTI version 5.12+","text":"<ul> <li>entity_type = 'Report'</li> </ul> <pre><code>filters = {\n    mode: 'and',\n    filters: [{\n        key: 'entity_type',\n        values: ['Report'],\n        operator: 'eq',\n        mode: 'or', // useless here because values contains only 1 value\n    }],\n    filterGroups: [],\n};\n</code></pre> <ul> <li>(entity_type = 'Report') AND (label = 'label1' OR 'label2')</li> </ul> <pre><code>filters = {\n    mode: 'and',\n    filters: [\n        {\n            key: 'entity_type',\n            values: ['Report'],\n            operator: 'eq',\n            mode: 'or',\n        },\n        {\n            key: 'objectLabel',\n            values: ['label1', 'label2'],\n            operator: 'eq',\n            mode: 'or',\n        }\n    ],\n    filterGroups: [],\n};\n</code></pre> <ul> <li>(entity_type = 'Report') AND (confidence &gt; 50 OR marking is empty)</li> </ul> <pre><code>filters = {\n    mode: 'and',\n    filters: [\n        {\n            key: 'entity_type',\n            values: ['Report'],\n            operator: 'eq',\n            mode: 'or',\n        }\n    ],\n    filterGroups: [\n        {\n            mode: 'or',\n            filters: [\n                {\n                    key: 'confidence',\n                    values: ['50'],\n                    operator: 'gt',\n                    mode: 'or',\n                },\n                {\n                    key: 'objectMarking',\n                    values: [],\n                    operator: 'nil',\n                    mode: 'or',\n                },\n            ],\n            filterGroups: [],\n        }\n    ],\n};\n</code></pre>"},{"location":"reference/filters/#filter-keys","title":"Filter keys","text":""},{"location":"reference/filters/#filter-keys-validation","title":"Filter keys validation","text":"<p>Only a specific set of key can be used in the filters.</p> <p>Automatic key checking prevents typing error when constructing filters via the API: if a user write an unhandled key (<code>object-label</code> instead of <code>objectLabel</code> for instance), the API will return an error instead of an empty list. Doing so, we make sure the platform do not provide misleading results.</p>"},{"location":"reference/filters/#regular-filter-keys","title":"Regular filter keys","text":"<p>For an extensive list of available filter keys, refer to the attributes and relations schema definitions.</p> <p>Here are some of the most useful keys as example. X refers here to the filtered entities.</p> <ul> <li><code>objectLabel</code>: label of X,</li> <li><code>objectMarking</code>: marking of X,</li> <li><code>createdBy</code>: author of X,</li> <li><code>creator_id</code>: technical creator of X,</li> <li><code>created_at</code>: date of creation of X in the platform,</li> <li><code>confidence</code>: confidence of X,</li> <li><code>entity_type</code>: X entity type ('Report', 'Stix-Cyber-Observable', ...),</li> </ul>"},{"location":"reference/filters/#special-filter-keys","title":"Special filter keys","text":"<p>Some keys do not exist in the schema definition, but are allowed in addition. They describe a special behavior.</p> <p>It is the case for:</p> <ul> <li><code>sightedBy</code>: entities to which X is linked via a stix sighting relationship,</li> <li><code>workflow_id</code>: status id of the entities, or status template id of the status of the entities,</li> <li><code>connectedToId</code>: the listened instances for an instance trigger.</li> </ul> <p>For some keys, negative equality filtering is not supported yet (<code>not_eq</code> operator). For instance, it is the case for:</p> <ul> <li><code>fromId</code></li> <li><code>fromTypes</code></li> <li><code>toId</code></li> <li><code>toTypes</code></li> </ul> <p>The <code>regardingOf</code> filter key has a special format and enables to target the entities having a relationship of a certain type with certain entities. Here is an example of filter to fetch the entities related to the entity X: <pre><code>filters = {\n  mode: 'and',\n  filters: [\n    {\n      key: 'regardingOf',\n      values: [\n        { key: 'id', values: ['id-of-X'] },\n        { key: 'relationship_type', values: ['related-to'] },\n      ],\n    },\n  ],\n  filterGroups: [],\n};\n</code></pre></p>"},{"location":"reference/filters/#limited-support-in-stream-events-filtering","title":"Limited support in stream events filtering","text":"<p>Filters that are run against the event stream are not using the complete schema definition in terms of filtering keys.</p> <p>This concerns:</p> <ul> <li>Live streams</li> <li>CSV feeds</li> <li>Taxii Collection</li> <li>Triggers</li> <li>Playbooks</li> </ul> <p>For filters used in this context, only some keys are supported for the moment:</p> <ul> <li><code>confidence</code></li> <li><code>objectAssignee</code></li> <li><code>createdBy</code></li> <li><code>creator</code></li> <li><code>x_opencti_detection</code></li> <li><code>indicator_types</code></li> <li><code>objectLabel</code></li> <li><code>x_opencti_main_observable_type</code></li> <li><code>objectMarking</code></li> <li><code>objects</code></li> <li><code>pattern_type</code></li> <li><code>priority</code></li> <li><code>revoked</code></li> <li><code>severity</code></li> <li><code>x_opencti_score</code></li> <li><code>entity_type</code></li> <li><code>x_opencti_workflow_id</code></li> <li><code>connectedToId</code> (for the instance triggers)</li> <li><code>fromId</code> (the instance in the 'from' of a relationship)</li> <li><code>fromTypes</code> (the entity type in the 'from' of a relationship)</li> <li><code>toId</code></li> <li><code>toTypes</code></li> </ul>"},{"location":"reference/fips/","title":"SSL FIPS 140-2 deployment","text":""},{"location":"reference/fips/#introduction","title":"Introduction","text":"<p>For organizations that need to deploy OpenCTI in a SSL FIPS 140-2 compliant environment, we provide FIPS compliant OpenCTI images for all components of the platform. Please note that you will also need to deploy dependencies (ElasticSearch / OpenSearch, Redis, etc.) with FIPS 140-2 SSL to have the full compliant OpenCTI technological stack.</p> <p>OpenCTI SSL FIPS 140-2 compliant builds</p> <p>The OpenCTI platform, workers and connectors SSL FIPS 140-2 compliant images are based on packaged Alpine Linux with OpenSSL 3 and FIPS mode enabled maintened by the Filigran engineering team.</p>"},{"location":"reference/fips/#dependencies","title":"Dependencies","text":""},{"location":"reference/fips/#aws-native-services-in-fedramp-compliant-environment","title":"AWS Native Services in FedRAMP compliant environment","text":"<p>It is important to remind that OpenCTI is fully compatible with AWS native services and all dependencies are available in both FedRAMP Moderate (East / West) and FedRAMP High (GovCloud) scopes.</p> <ul> <li>Amazon OpenSearch Service (OpenSearch)</li> <li>Amazon ElastiCache (Redis)</li> <li>Amazon MQ (RabbitMQ)</li> <li>Amazon Simple Storage Service (S3 bucket)</li> </ul>"},{"location":"reference/fips/#elasticsearch-opensearch","title":"ElasticSearch / OpenSearch","text":"<p>ElasticSearch is known to be compatible with FIPS 140-2 SSL using the proper JVM. There is a comprehensive guide in the Elastic documentation.</p> <p>Alternatively, please note that Elastic is also providing an ElasticSearch FedRAMP authorized cloud offering.  </p>"},{"location":"reference/fips/#redis","title":"Redis","text":"<p>Redis does not provide FIPS 140-2 SSL compliant Docker images but supports very well custom tls-ciphersuites that can be configured to use the system FIPS 140-2 OpenSSL library. </p> <p>Alternatively, you can use a Stunnel TLS endpoint to ensure encrypted communication between OpenCTI and Redis. There are a few examples available, here or here.</p>"},{"location":"reference/fips/#rabbitmq","title":"RabbitMQ","text":"<p>RabbitMQ does not provide FIPS 140-2 SSL compliant Docker images but, as Redis, supports custom cipher suites. Also, it is confirmed since RabbitMQ version 3.12.5, the associated Erlang build (&gt; 26.1), supports FIPS mode on OpenSSL 3.</p> <p>Alternatively, you can use a Stunnel TLS endpoint to ensure encrypted communication between OpenCTI and RabbitMQ.</p>"},{"location":"reference/fips/#s3-bucket-minio","title":"S3 Bucket / MinIO","text":"<p>If you cannot use an S3 endpoint already deployed in your FIPS 140-2 SSL compliant environment, MinIO provides FIPS 140-2 SSL compliant Docker images which then are very easy to deploy within your environment.</p>"},{"location":"reference/fips/#opencti-stack","title":"OpenCTI stack","text":""},{"location":"reference/fips/#platform","title":"Platform","text":"<p>For the platform, we provide FIPS 140-2 SSL compliant Docker images. Just use the appropriate tag to ensure you are deploying the FIPS compliant version and follow the standard Docker deployment procedure. </p>"},{"location":"reference/fips/#worker","title":"Worker","text":"<p>For the worker, we provide FIPS 140-2 SSL compliant Docker images. Just use the appropriate tag to ensure you are deploying the FIPS compliant version and follow the standard Docker deployment procedure.</p>"},{"location":"reference/fips/#connectors","title":"Connectors","text":"<p>All connectors have FIPS 140-2 SSL compliant Docker images. For each connector you need to deploy, please use the tag <code>{version}-fips</code> instead of <code>{version}</code> and  follow the standard deployment procedure. An example is available on Docker Hub. </p>"},{"location":"reference/streaming/","title":"Data Streaming","text":""},{"location":"reference/streaming/#presentation","title":"Presentation","text":"<p>In order to provide a real time way to consume STIX CTI information, OpenCTI provides data events in a stream that can be consume to react on creation, update, deletion and merge. This way of getting information out of OpenCTI is highly efficient and already use by some connectors.</p>"},{"location":"reference/streaming/#technology","title":"Technology","text":""},{"location":"reference/streaming/#redis-stream","title":"Redis stream","text":"<p>OpenCTI is currently using REDIS Stream (See https://redis.io/topics/streams-intro) as the technical layer. Each time something is modified in the OpenCTI database, a specific event is added in the stream.</p>"},{"location":"reference/streaming/#sse-protocol","title":"SSE protocol","text":"<p>In order to provides a really easy consuming protocol we decide to provide a SSE (https://fr.wikipedia.org/wiki/Server-sent_events) http URL linked to the standard login system of OpenCTI. Any user with the correct access rights can open and access http://opencti_instance/stream and open an SSE connection to start receiving live events. You can of course consume directly the stream in Redis but you will have to manage access and rights directly.</p>"},{"location":"reference/streaming/#events-format","title":"Events format","text":"<pre><code>id: {Event stream id} -&gt; Like 1620249512318-0\nevent: {Event type} -&gt; create / update / delete\ndata: { -&gt; The complete event data\n    version -&gt; The version number of the event\n    type -&gt; The inner type of the event\n    scope -&gt; The scope of the event [internal or external]\n    data: {STIX data} -&gt; The STIX representation of the data.\n    message -&gt; A simple string to easy understand the event\n    origin: {Data Origin} -&gt; Complex object with different information about the origin of the event\n    context: {Event context} -&gt; Complex object with meta information depending of the event type\n}\n</code></pre> <p>Id can be used to consume the stream from this specific point.</p>"},{"location":"reference/streaming/#stix-data","title":"STIX data","text":"<p>The current stix data representation is based on the STIX 2.1 format using extension mechanism. Please take a look to https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html for more information.</p>"},{"location":"reference/streaming/#create","title":"Create","text":"<p>Its simply the data created in STIX format.</p>"},{"location":"reference/streaming/#delete","title":"Delete","text":"<p>Its simply the data in STIX format just before his deletion. You will also find the automated deletions in context due to automatic dependency management.</p> <pre><code>{\n  \"context\": {\n      \"deletions\": [{STIX data}]\n  }\n}\n</code></pre>"},{"location":"reference/streaming/#update","title":"Update","text":"<p>This event type publish the complete STIX data information along with patches information. Thanks to the patches, its possible to rebuild the previous version and easily understand that happens in the update. patch and reverse_patch follow the official jsonpatch specification. You can find more information at https://jsonpatch.com/</p> <pre><code>{\n  \"context\": {\n      \"patch\": [/* patch operation object */],\n      \"reverse_patch\": [/* patch operation object */]\n  }\n}\n</code></pre>"},{"location":"reference/streaming/#merge","title":"Merge","text":"<p>Merge is a mix of an update of the merge targets and deletions of the sources. In this event you will find the same patch and reverse_patch as an update and the list of elements merged into the target in the \"sources\" attribute.</p> <pre><code>{\n  \"context\": {\n      \"patch\": [/* patch operation object */],\n      \"reverse_patch\": [/* patch operation object */],\n      \"sources\": [{STIX data}]\n  }\n}\n</code></pre>"},{"location":"reference/streaming/#stream-types","title":"Stream types","text":"<p>In OpenCTI we propose 2 types of streams.</p>"},{"location":"reference/streaming/#base-stream","title":"Base stream","text":"<p>The stream hosted in /stream url contains all the raw events of the platform, always filtered by the user rights (marking based). It's a technical stream a bit complex to used but very useful for internal processing or some specific connectors like backup/restore. This stream is live by default but if you want to catchup you can simply add the from parameter to your query. This parameter accept a timestamp in millisecond and also an event id. Like http://localhost/stream?from=1620249512599</p> <p>Stream size?</p> <p>The raw stream is really important in the platform and needs te be sized according to the period of retention you want to ensure. More retention you will have, more security about reprocessing the past information you will get. We usually recommand 1 month of retention, that usually match 2 000 000 of events. This limit can be configured with redis:trimming option, please check deployment configuration page.</p>"},{"location":"reference/streaming/#live-stream","title":"Live stream","text":"<p>This stream aims to simplify your usage of the stream through the connectors, providing a way to create stream with specific filters through the UI. After creating this stream, is simply accessible from /stream/{STREAM_ID}.</p> <p>It's very useful for various cases of data externalization, synchronization, like SPLUNK, TANIUM...</p> <p>This stream provides different interesting mechanics:</p> <ul> <li>Stream the initial list of instances matching your filters when connecting based on main database if you use the recover parameter</li> <li>Auto dependencies resolution to guarantee the consistency of the information distributed</li> <li>Automatic events translation depending on the element segregation</li> </ul> <p>If you want to dig in about the internal behavior you can check this complete diagram:</p>"},{"location":"reference/streaming/#general-options","title":"General options","text":"<ul> <li>no-dependencies (query parameter or header, default false). Can be used to prevent the auto dependencies resolution. To be used with caution.</li> <li>listen-delete (query parameter or header, default true). Can be used prevent receive deletion events. To be used with caution.</li> <li>with-inferences (query parameter or header, default false). Can be used to add inferences events (from rule engine) in the stream.</li> </ul>"},{"location":"reference/streaming/#from-and-recover","title":"From and Recover","text":"<p>From and recover are 2 different options that need to be explains.</p> <ul> <li> <p>from (query parameter) is always the parameter that describe the initial date/event_id you want to start from. Can also be setup with request header from or last-event-id </p> </li> <li> <p>recover (query parameter) is an option that let you consume the initial event from the database and not from the stream.  Can also be setup with request header recover or recover-date </p> </li> </ul> <p>This difference will be transparent for the consumer but very important to get old information as an initial snapshot. This also let you consume information that is no longer in the stream retention period.</p> <p>The next diagram will help you to understand the concept:</p>"},{"location":"reference/taxonomy/","title":"Taxonomy","text":"<p>In OpenCTI, taxonomies serve as structured classification systems that aid in organizing and categorizing intelligence data. This reference guide provides an exhaustive description of the platform's customizable fields within the taxonomies' framework. Users can modify, add, or delete values within the available vocabularies to tailor the classification system to their specific requirements.</p> <p>For broader documentation on the taxonomies section, please consult the appropriate page.</p>"},{"location":"reference/taxonomy/#vocabularies","title":"Vocabularies","text":"<p>Default values are based on those defined in the STIX standard but can be tailored to better suit the organization's needs.</p> Name Used in Default value Account type vocabulary (account-type-ov) User account facebook, ldap, nis, openid, radius, skype, tacacs, twitter, unix, windows-domain, windows-local Attack motivation vocabulary (attack-motivation-ov) Threat actor group accidental, coercion, dominance, ideology, notoriety, organizational-gain, personal-gain, personal-satisfaction, revenge, unpredictable Attack resource level vocabulary (attack-resource-level-ov) Threat actor group club, contest, government, individual, organization, team Case priority vocabulary (case_priority_ov) Incident response P1, P2, P3, P4 Case severity vocabulary (case_severity_ov) Incident response critical, high, medium, low Channel type vocabulary (channel_type_ov) Channel Facebook, Twitter Collection layers vocabulary (collection_layers_ov) Data source cloud-control-plane, container, host, network, OSINT Event type vocabulary (event_type_ov) Event conference, financial, holiday, international-summit, local-election, national-election, sport-competition Eye color vocabulary (eye_color_ov) Threat actor individual black, blue, brown, green, hazel, other Gender vocabulary (gender_ov) Threat actor individual female, male, nonbinary, other Grouping context vocabulary (grouping_context_ov) Grouping malware-analysis, suspicious-activity, unspecified Hair color vocabulary vocabulary (hair_color_ov) Threat actor individual bald, black, blond, blue, brown, gray, green, other, red Implementation language vocabulary (implementation_language_ov) Malware applescript, bash, c, c++, c#, go, java, javascript, lua, objective-c, perl, php, powershell, python, ruby, scala, swift, typescript, visual-basic, x86-32, x86-64 Incident response type vocabulary (incident_response_type_ov) Incident response data-leak, ransomware Incident severity vocabulary (incident_severity_ov) Incident critical, high, medium, low Incident type vocabulary (incident_type_ov) Incident alert, compromise, cybercrime, data-leak, information-system-disruption, phishing, reputation-damage, typosquatting Indicator type vocabulary (indicator_type_ov) Indicator anomalous-activity, anonymization, attribution, benign, compromised, malicious-activity, unknown Infrastructure type vocabulary (infrastructure_type_ov) Infrastructure amplification, anonymization, botnet, command-and-control, control-system, exfiltration, firewall, hosting-malware, hosting-target-lists, phishing, reconnaissance, routers-switches, staging, unknown, workstation Integrity level vocabulary (integrity_level_ov) Process high, medium, low, system Malware capabilities vocabulary (malware_capabilities_ov) Malware accesses-remote-machines, anti-debugging, anti-disassembly, anti-emulation, anti-memory-forensics, anti-sandbox, anti-vm, captures-input-peripherals, captures-output-peripherals, captures-system-state-data, cleans-traces-of-infection, commits-fraud, communicates-with-c2, compromises-data-availability, compromises-data-integrity, compromises-system-availability, controls-local-machine, degrades-security-software, degrades-system-updates, determines-c2-server, emails-spam, escalates-privileges, evades-av, exfiltrates-data, fingerprints-host, hides-artifacts, hides-executing-code, infects-files, infects-remote-machines, installs-other-components, persists-after-system-reboot, prevents-artifact-access, prevents-artifact-deletion, probes-network-environment, self-modifies, steals-authentication-credentials, violates-system-operational-integrity Malware result vocabulary (malware_result_ov) Malware analysis benign, malicious, suspicious, unknown Malware type vocabulary (malware_type_ov) Malware adware, backdoor, bootkit, bot, ddos, downloader, dropper, exploit-kit, keylogger, ransomware, remote-access-trojan, resource-exploitation, rogue-security-software, rootkit, screen-capture, spyware, trojan, unknown, virus, webshell, wiper, worm Marital status vocabulary (marital_status_ov) Threat actor individual annulled, divorced, domestic_partner, legally_separated, married, never_married, polygamous, separated, single, widowed Note types vocabulary (note_types_ov) Note analysis, assessment, external, feedback, internal Opinion vocabulary (opinion_ov) Opinion agree, disagree, neutral, strongly-agree, strongly-disagree Pattern type vocabulary (pattern_type_ov) Indicator eql, pcre, shodan, sigma, snort, spl, stix, suricata, tanium-signal, yara Permissions vocabulary (permissions_ov) Attack pattern Administrator, root, User Platforms vocabulary (platforms_ov) Data source android, Azure AD, Containers, Control Server, Data Historian, Engineering Workstation, Field Controller/RTU/PLC/IED, Google Workspace, Human-Machine Interface, IaaS, Input/Output Server, iOS, linux, macos, Office 365, PRE, SaaS, Safety Instrumented System/Protection Relay, windows Processor architecture vocabulary (processor_architecture_ov) Malware alpha, arm, ia-64, mips, powerpc, sparc, x86, x86-64 Reliability vocabulary (reliability_ov) Report, Organization A - Completely reliable, B - Usually reliable, C - Fairly reliable, D - Not usually reliable, E - Unreliable, F - Reliability cannot be judged Report types vocabulary (report_types_ov) Report internal-report, threat-report Request for information types vocabulary (request_for_information_types_ov) Request for information none Request for takedown types vocabulary (request_for_takedown_types_ov) Request for takedown brand-abuse, phishing Service status vocabulary (service_status_ov) Process SERVICE_CONTINUE_PENDING, SERVICE_PAUSE_PENDING, SERVICE_PAUSED, SERVICE_RUNNING, SERVICE_START_PENDING, SERVICE_STOP_PENDING, SERVICE_STOPPED Service type vocabulary (service_type_ov) Process SERVICE_FILE_SYSTEM_DRIVER, SERVICE_KERNEL_DRIVER, SERVICE_WIN32_OWN_PROCESS, SERVICE_WIN32_SHARE_PROCESS Start type vocabulary (start_type_ov) Process SERVICE_AUTO_START, SERVICE_BOOT_START, SERVICE_DEMAND_START, SERVICE_DISABLED, SERVICE_SYSTEM_ALERT Threat actor group role vocabulary (threat_actor_group_role_ov) Threat actor group agent, director, independent, infrastructure-architect, infrastructure-operator, malware-author, sponsor Threat actor group sophistication vocabulary (threat_actor_group_sophistication_ov) Threat actor group advanced, expert, innovator, intermediate, minimal, none, strategic Threat actor group type vocabulary (threat_actor_group_type_ov) Threat actor group activist, competitor, crime-syndicate, criminal, hacker, insider-accidental, insider-disgruntled, nation-state, sensationalist, spy, terrorist, unknown Threat actor individual role vocabulary (threat_actor_individual_role_ov) Threat actor individual agent, director, independent, infrastructure-architect, infrastructure-operator, malware-author, sponsor Threat actor individual sophistication vocabulary (threat_actor_individual_sophistication_ov) Threat actor individual advanced, expert, innovator, intermediate, minimal, none, strategic Threat actor individual type vocabulary (threat_actor_individual_type_ov) Threat actor individual activist, competitor, crime-syndicate, criminal, hacker, insider-accidental, insider-disgruntled, nation-state, sensationalist, spy, terrorist, unknown Tool types vocabulary (tool_types_ov) Tool credential-exploitation, denial-of-service, exploitation, information-gathering, network-capture, remote-access, unknown, vulnerability-scanning <p></p>"},{"location":"reference/taxonomy/#customization","title":"Customization","text":"<p>Users can customize the taxonomies by modifying the available values or adding new ones. These modifications enable users to adapt the classification system to their specific intelligence requirements. Additionally, within each vocabulary list, users have the flexibility to customize the order of the dropdown menu associated with the taxonomy. This feature allows users to prioritize certain values or arrange them in a manner that aligns with their specific classification needs. Additionally, users can track the usage count for each vocabulary, providing insights into the frequency of usage and helping to identify the most relevant and impactful classifications. These customization options empower users to tailor the taxonomy system to their unique intelligence requirements, enhancing the efficiency and effectiveness of intelligence analysis within the OpenCTI platform.</p> <p></p>"},{"location":"usage/AskAI/","title":"Ask AI","text":"<p>Enterprise edition</p> <p>Ask AI is available under the \"Filigran Entreprise Edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>Beta Feature</p> <p>Ask AI is a beta feature as we are currently fine-tuning our models. Consider checking important information.</p>"},{"location":"usage/AskAI/#prerequisites-for-using-ask-ai","title":"Prerequisites for using Ask AI","text":"<p>There are several possibilities for Enterprise Edition customers to use OpenCTI AI endpoints:</p> <ul> <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li> <li>Use OpenAI or MistralAI cloud endpoints using your own tokens.</li> <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li> </ul> <p>Please read the configuration documentation</p>"},{"location":"usage/AskAI/#functionalities-of-ask-ai","title":"Functionalities of Ask AI","text":"<p>Ask AI is represented by a dedicated icon wherever on of its functionalities is available to use.</p> <p></p>"},{"location":"usage/AskAI/#assistance-for-writing-menaningful-content","title":"Assistance for writing menaningful content","text":"<p>Ask AI can assist you for writing better textual content, for example better title, name, description and detailed content of Objects.</p> <ul> <li>Fix spelling &amp; grammar: try to improve the text from a formulation and grammar perspective.  </li> <li>Make it shorter/longer: try to shorten or lengthen the text.</li> <li>Change tone: try to change the tone of the text. You can select if you want the text to be written for Strategic (Management, decision makers), Operational (for team leaders) or Tactital (for technical CTI analysts) audiences.</li> <li>Summarize: try to summarize the text in bullet points.</li> <li>Explain: try to explain the context of the subject's text based on what is available to the LLM.</li> </ul>"},{"location":"usage/AskAI/#assistance-for-importing-data-from-documents","title":"Assistance for importing data from documents","text":"<p>Fom the Content tab of a Container (Reports, Groupings and Cases), Ask AI can also assist you for importing data contained in uploaded documents into OpenCTI for further exploitation.</p> <ul> <li>Generate report document: Generate a text report based on the knowledge graph (entities and relationships) of this container.</li> <li>Summarize associated files: Generate a summary of the selected files (or all files associated to this container).</li> <li>Try to convert the selected files (or all files associated to this container) in a STIX 2.1 bundle you will then be able to use at your convenience (for example importing it into the platform).</li> </ul> <p></p> <p></p> <p>A short video on the FiligranHQ Youtube channel presents tha capabilities of AskAI: https://www.youtube.com/watch?v=lsP3VVsk5ds</p>"},{"location":"usage/AskAI/#improving-generated-elements-of-ask-ai","title":"Improving generated elements of Ask AI","text":"<p>Be aware that the text quality is highly dependent on the capabilities of the associated LLM.</p> <p>That is why every generated text by Ask AI is provided in a dedicated panel, allowing you to verify and rectify any error the LLM could have made.</p>"},{"location":"usage/automation/","title":"Playbooks Automation","text":"<p>Enterprise edition</p> <p>Playbooks automation is available under the \"Filigran Entreprise Edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>OpenCTI playbooks are flexible automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform. </p> <p>Playbook automation is accessible in the user interface under Data &gt; Processing &gt; Automation.</p> <p>You need the \"Manage credentials\" capability to use the Playbooks automation, because you will be able to manipulate data simple users cannot access.</p> <p>You will then be able to:</p> <ul> <li>add labels depending on enrichment results to be used in threat intelligence-driven detection feeds;</li> <li>create reports and cases based on various criteria;</li> <li>trigger enrichments or webhooks in given conditions;</li> <li>modify attributes such as first_seen and last_seen based on other pieces of knowledge;</li> <li>etc.</li> </ul>"},{"location":"usage/automation/#playbook-philosophy","title":"Playbook philosophy","text":"<p>Consider Playbook as a STIX 2.1 bundle pipeline. </p> <p>Initiating with a component listening to a data stream, each subsequent component in the playbook processes a received STIX bundle. These components have the ability to modify the bundle and subsequently transmit the altered result to connected components.</p> <p>In this paradigm, components can send out the STIX 2.1 bundle to multiple components, enabling the development of multiple branches within your playbook.</p> <p>A well-designed playbook end with a component executing an action based on the processed information. For instance, this may involve writing the STIX 2.1 bundle in a data stream.</p> <p>Validate ingestion</p> <p>The STIX bundle processed by the playbook won't be written in the platform without specifying it using the appropriate component, i.e. \"Send for ingestion\".</p>"},{"location":"usage/automation/#create-a-playbook","title":"Create a Playbook","text":"<p>It is possible to create as many playbooks as needed which are running independently. You can give a name and description to each playbook.</p> <p></p> <p>The first step to define in the playbook is the \u201ctriggering event\u201d, which can be any knowledge event (create, update or delete) with customizable filters. To do so, click on the grey rectangle in the center of the workspace and choose the component to \"listen knowledge events\". Configure it with adequate filters. You can use same filters as in other part of the platform.</p> <p></p> <p>Then you have flexible choices for the next steps to:</p> <ul> <li>filter the initial knowledge ;</li> <li>enrich data using external sources and internal rules ;</li> <li>modify entities and relationships by applying patches ;</li> <li>write the data, send notifications, etc.</li> </ul> <p>Do not forget to start your Playbook when ready, with the Start option of the burger button placed near the name of your Playbook.</p> <p>By clicking the burger button of a component, you can replace it by another one.</p> <p>By clicking on the arrow icon in the bottom right corner of a component, you can develop a new branch at the same level.</p> <p>By clicking the \"+\" button on a link between components, you can insert a component between the two.</p>"},{"location":"usage/automation/#components-of-playbooks","title":"Components of playbooks","text":""},{"location":"usage/automation/#log-data-in-standard-output","title":"Log data in standard output","text":"<p>Will write the received STIX 2.1 bundle in platform logs with configurable log level and then send out the STIX 2.1 bundle unmodified.</p>"},{"location":"usage/automation/#send-for-ingestion","title":"Send for ingestion","text":"<p>Will pass the STIX 2.1 bundle to be written in the data stream. This component has no output and should end a branch of your playbook.</p>"},{"location":"usage/automation/#filter-knowledge","title":"Filter Knowledge","text":"<p>Will allow you to define filter and apply it to the received STIX 2.1 bundle. The component has 2 output, one for data matching the filter and one for the remainder. By default, filtering is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all elements in the bundle (elements that might result from enrichment for example).</p>"},{"location":"usage/automation/#enrich-through-connector","title":"Enrich through connector","text":"<p>Will send the received STIX 2.1 bundle to a compatible enrichement connector and send out the modifed bundle.</p>"},{"location":"usage/automation/#manipulate-knwoledge","title":"Manipulate Knwoledge","text":"<p>Will add, replace or remove compatible attribute of the entities contains in the received STIX 2.1 bundle and send out the modified bundle. By default, modification is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all elements in the bundle (elements that might result from enrichment for example).</p>"},{"location":"usage/automation/#container-wrapper","title":"Container wrapper","text":"<p>Will modify the received STIX 2.1 bundle to include the entities into an container of the type you configured.  By default, wrapping is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all elements in the bundle (elements that might result from enrichment for example).</p>"},{"location":"usage/automation/#manage-sharing-with-organizations","title":"Manage sharing with organizations","text":"<p>Will share every entity in the received STIX 2.1 bundle with Organizations you configured. Your platform need to have declare a platform main organization in Settings/Parameters.</p>"},{"location":"usage/automation/#apply-predefined-rule","title":"Apply predefined rule","text":"<p>Will apply a complex automation built-in rule. This kind of rule might impact performance. Current rules are: * First/Last seen computing extension from report publication date: will populate first seen and last seen date of entities contained in the report based on its publication date. * Resolve indicators based on observables (add in bundle) * Resolve observables an indicator is based on (add in bundle) * Resolve container references (add in bundle)</p>"},{"location":"usage/automation/#send-to-notifier","title":"Send to notifier","text":"<p>Will generate a Notification each time a STIX 2.1 bundle is received.</p>"},{"location":"usage/automation/#promote-observable-to-indicator","title":"Promote observable to indicator","text":"<p>Will generate indicator based on observables contained in the received STIX 2.1 bundle.  By default, it is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all observables in the bundle (observables that might result from enrichment for example).</p>"},{"location":"usage/automation/#extract-observables-from-indicator","title":"Extract observables from indicator","text":"<p>Will extract observables based on indicators contained in the received STIX 2.1 bundle.  By default, it is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all indicators in the bundle (indicators that might result from enrichment for example).</p>"},{"location":"usage/automation/#reduce-knowledge","title":"Reduce Knowledge","text":"<p>Will elagate the received STIX 2.1 bundle based on the configured filter.</p>"},{"location":"usage/automation/#monitor-playbook-activity","title":"Monitor playbook activity","text":"<p>At the top right of the interface, you can access execution trace of your playbook and consult the raw data after every step of your playbook execution.</p> <p></p>"},{"location":"usage/background-tasks/","title":"Background tasks","text":"<p>Three types of tasks are done in the background:</p> <ul> <li>rule tasks,</li> <li>knowledge tasks,</li> <li>user tasks.</li> </ul> <p>Rule tasks can be seen and activated in Settings &gt; Customization &gt; Rules engine. Knowledge and user tasks can be seen and managed in Data &gt; Background Tasks. The scope of each task is indicated.</p> <p></p>"},{"location":"usage/background-tasks/#rule-tasks","title":"Rule tasks","text":"<p>If a rule task is enabled, it leads to the scan of the whole platform data and the creation of entities or relationships in case a configuration corresponds to the tasks rules. The created data are called 'inferred data'. Each time an event occurs in the platform, the rule engine checks if inferred data should be updated/created/deleted.</p>"},{"location":"usage/background-tasks/#knowledge-tasks","title":"Knowledge tasks","text":"<p>Knowledge tasks are background tasks updating or deleting entities and correspond to mass operations on these data. To create one, select entities via the checkboxes in an entity list, and choose the action to perform via the toolbar.</p>"},{"location":"usage/background-tasks/#rights","title":"Rights","text":"<ul> <li>To create a knowledge task, the user should have the capability to Update Knowledge (or the capability to delete knowledge if the task action is a deletion).</li> <li>To see a knowledge task in the Background task section, the user should be the creator of the task, or have the KNOWLEDGE capability.</li> <li>To delete a knowledge task from the Background task section, the user should be the creator of the task, or have the KNOWLEDGE_UPDATE capability.</li> </ul>"},{"location":"usage/background-tasks/#user-tasks","title":"User tasks","text":"<p>User tasks are background tasks updating or deleting notifications. It can be done from the Notification section, by selecting several notifications via the checkboxes, and choosing an action via the toolbar.</p>"},{"location":"usage/background-tasks/#rights_1","title":"Rights","text":"<ul> <li>A user can create a user task on its own notifications only.</li> <li>To see or delete a user task, the user should be the creator of the task or have the SET_ACCESS capability.</li> </ul>"},{"location":"usage/case-management/","title":"Case management","text":""},{"location":"usage/case-management/#why-case-management","title":"Why Case management?","text":"<p>Compiling CTI data in one place, deduplicate and correlate to transform it into Intelligence is very important. But ultimately, you need to act based on this Intelligence. Some situations will need to be taken care of, like cybersecurity incidents, requests for information or requests for takedown. Some actions will then need to be traced, to be coordinated and oversaw. Some actions will include feedback and content delivery.</p> <p>OpenCTI includes Cases to allow organizations to manage situations and organize their team's work. Better, by doing Case management in OpenCTI, you handle your cases with all the context and Intelligence you need, at hand.</p>"},{"location":"usage/case-management/#how-to-manage-your-case-in-opencti","title":"How to manage your Case in OpenCTI?","text":"<p>Multiple situations can be modelize in OpenCTI as a Case, either an Incident Response, a Request for Takedown or a Request for Information.</p> <p></p> <p>All Cases can contain any entities and relationships you need to represent the Intelligence context related to the situation. At the beginning of your case, you may find yourself with only some Observables sighted in a system. At the end, you may have Indicators, Threat Actor, impacted systems, attack patterns. All representing your findings, ready to be presented and exported as graph, pdf report, timeline, etc.</p> <p></p> <p>Some Cases may need some collaborative work and specific Tasks to be performed by people that have the skillset for. OpenCTI allows you to associate <code>Tasks</code> in your Cases and assign them to users in the platform. As some type of situation may need the same tasks to be done, it is also possible to pre-define lists of tasks to be applied on your case. You can define these lists by accessing the Settings/Taxonomies/Case templates panel. Then you just need to add it from the overview of your desire Case.</p> <p>Tip: A user can have a custom dashboard showing him all the tasks that have been assigned to him.</p> <p></p> <p>As with other objects in OpenCTI, you can also leverage the <code>Notes</code> to add some investigation and analysis related comments, helping you shaping up the content of your case with unstructured data and trace all the work that have been done.</p> <p>You can also use <code>Opinions</code> to collect how the Case has been handled, helping you to build Lessons Learned.</p> <p></p> <p>To trace the evolution of your Case and define specific resolution worflows, you can use the <code>Status</code> (that can be define in Settings/Taxonomies/Status templates).</p> <p>At the end of your Case, you will certainly want to report on what have been done. OpenCTI allows you to export the content of the Case in a simple but customizable PDF (currently in refactor). But of course, your company have its own documents' templates, right? With OpenCTI, you will be able to include some nice graphics in it. For example, a Matrix view of the attacker attack pattern or even a graph display of how things are connected. </p> <p>Also, we are currently working a more meaningfull Timeline view that will be possible to export too.</p>"},{"location":"usage/case-management/#use-case-example-a-suspicious-observable-is-sighted-by-a-defense-system-is-it-important","title":"Use case example: A suspicious observable is sighted by a defense system. Is it important?","text":"<ul> <li>Daily, your SIEM and EDR are feeded Indicators of Compromise from your OpenCTI instance. </li> <li>Today, your SIEM have sighted the domain name \"bad.com\" matching one of them. Its alert has been transfered to OpenCTI and have created a <code>Sighting</code> relationship between your System \"SIEM permiter A\" and the Observable \"bad.com\". </li> <li>You are alerted immediatly, because you have activated the inference rule creating a corresponding <code>Incident</code> in this situation, and you have created an alert based on new Incident that send you email <code>notification</code> and Teams message (webhook).</li> <li>In OpenCTI, you can clearly see the link between the alerting System, the sighted Observable and the corresponding Indicator. Better, you can also see all the context of the Indicator. It is linked to a notorious and recent phishing <code>campaign</code> targeting your activity <code>sector</code>. \"bad.com\" is clearly something to investigate ASAP.</li> <li>You quickly select all the context you have found, and add it to a new <code>Incident response</code>case. You position the priority to High, regarding the context, and the severity to Low, as you don't know yet if someone really interact with \"bad.com\"</li> <li>You also assign the case to one of your collegue, on duty for investigative work. To guide him, you also create a <code>Task</code> in your case for verifying if an actual interaction happened with \"bad.com\".</li> </ul>"},{"location":"usage/containers/","title":"Containers","text":""},{"location":"usage/containers/#stix-standard","title":"STIX standard","text":""},{"location":"usage/containers/#definition","title":"Definition","text":"<p>In the STIX 2.1 standard, some STIX Domain Objects (SDO) can be considered as \"container of knowledge\", using the <code>object_refs</code> attribute to refer multiple other objects as nested references. In <code>object_refs</code>, it is possible to refer to entities and relationships. </p>"},{"location":"usage/containers/#example","title":"Example","text":"<pre><code>{\n   \"type\": \"report\",\n   \"spec_version\": \"2.1\",\n   \"id\": \"report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3\",\n   \"created_by_ref\": \"identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283\",\n   \"created\": \"2015-12-21T19:59:11.000Z\",\n   \"modified\": \"2015-12-21T19:59:11.000Z\",\n   \"name\": \"The Black Vine Cyberespionage Group\",\n   \"description\": \"A simple report with an indicator and campaign\",\n   \"published\": \"2016-01-20T17:00:00.000Z\",\n   \"report_types\": [\"campaign\"],\n   \"object_refs\": [\n      \"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2\",\n      \"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c\",\n      \"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a\"\n   ]\n}\n</code></pre> <p>In the previous example, we have a nested reference to 3 other objects:</p> <pre><code>\"object_refs\": [\n   \"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2\",\n   \"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c\",\n   \"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a\"\n]\n</code></pre>"},{"location":"usage/containers/#implementation","title":"Implementation","text":""},{"location":"usage/containers/#types-of-container","title":"Types of container","text":"<p>In OpenCTI, containers are displayed differently than other entities, because they contain pieces of knowledge. Here is the list of containers in the platform:</p> Type of entity STIX standard Description Report Native Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. Grouping Native A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). Observed Data Native Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). Note Native A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects. Opinion Native An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. Case Extension A case whether an Incident Response, a Request for Information or a Request for Takedown is used to convey an epic with a set of tasks. Task Extension A task, generally used in the context of a case, is intended to convey information about something that must be done in a limited timeframe."},{"location":"usage/containers/#containers-behavior","title":"Containers behavior","text":"<p>In the platform, it is always possible to visualize the list of entities and/or observables referenced in a container (<code>Container &gt; Entities or Observables</code>) but also to add / remove entities from the container.</p> <p></p> <p>As containers can also contain relationships, which are generally linked to the other entities in the container, it is also possible to visualize the container as a graph (<code>Container &gt; Knowledge</code>)</p> <p></p>"},{"location":"usage/containers/#containers-of-an-entity-or-a-relationship","title":"Containers of an entity or a relationship","text":"<p>On the entity or the relationship side, you can always find all containers where the object is contained using the top menu <code>Analysis</code>:</p> <p></p> <p>In all containers list, you can also filter containers based on one or multiple contained object(s):</p> <p></p>"},{"location":"usage/dashboards/","title":"Custom dashboards","text":"<p>OpenCTI provides an adaptable and entirely customizable dashboard functionality. The flexibility of OpenCTI's dashboard ensures a tailored and insightful visualization of data, fostering a comprehensive understanding of the platform's knowledge, relationships, and activities.</p>"},{"location":"usage/dashboards/#dashboard-overview","title":"Dashboard overview","text":"<p>You have the flexibility to tailor the arrangement of widgets on your dashboard, optimizing organization and workflow efficiency. Widgets can be intuitively placed to highlight key information. Additionally, you can resize widgets from the bottom right corner based on the importance of the information, enabling adaptation to specific analytical needs. This technical flexibility ensures a fluid, visually optimized user experience.</p> <p>Moreover, the top banner of the dashboard offers a convenient feature to configure the timeframe for displayed data. This can be accomplished through the selection of a relative time period, such as \"Last 7 days\", or by specifying fixed \"Start\" and \"End\" dates, allowing users to precisely control the temporal scope of the displayed information.</p> <p></p> <p></p>"},{"location":"usage/dashboards/#access-control","title":"Access control","text":"<p>In OpenCTI, the power to create custom dashboards comes with a flexible access control system, allowing users to tailor visibility and rights according to their collaborative needs.</p> <p>When a user crafts a personalized dashboard, by default, it remains visible only to the dashboard creator. At this stage, the creator holds administrative access rights. However, they can extend access and rights to others using the \"Manage access\" button, denoted by a locker icon, located at the top right of the dashboard page.</p> <p></p> <p>Levels of access:</p> <ul> <li>View: Access to view the dashboard. </li> <li>Edit: View + Permission to modify and update the dashboard and its widgets. </li> <li>Manage: Edit + Ability to delete the dashboard and to control user access and rights.</li> </ul> <p>It's crucial to emphasize that at least one user must retain admin access to ensure ongoing management capabilities for the dashboard.</p> <p> </p> <p>Knowledge access restriction</p> <p>The platform's data access restrictions also apply to dashboards. The data displayed in the widgets is subject to the user's access rights within the platform. Therefore, an admin user will not see the same results in the widgets as a user with limited access, such as viewing only TLP:CLEAR data (assuming the platform contains data beyond TLP:CLEAR). </p>"},{"location":"usage/dashboards/#share-dashboard-and-widget-configurations","title":"Share dashboard and widget configurations","text":"<p>OpenCTI provides functionality for exporting, importing and duplicating dashboard and widget configurations, facilitating the seamless transfer of customized dashboard setups between instances or users.</p>"},{"location":"usage/dashboards/#export","title":"Export","text":"<p>Dashboards can be exported from either the custom dashboards list or the dashboard view. </p> <p>To export a dashboard configuration from the custom dashboards list:</p> <ol> <li>Click on the burger menu button at the end of the dashboard line.</li> <li>Select <code>Export</code>.</li> </ol> <p></p> <p>To export a widget, the same mechanism is used, but from the burger menu button in the upper right-hand corner of the widget.</p> <p></p> <p>To export a dashboard configuration from the dashboard view:</p> <ol> <li>Navigate to the desired dashboard.</li> <li>Click on the <code>Export</code> button (file with an arrow pointing to the top right corner) located in the top-right corner of the dashboard.</li> </ol> <p></p>"},{"location":"usage/dashboards/#configuration-file","title":"Configuration file","text":"<p>The dashboard configuration will be saved as a JSON file, with the title formatted as <code>[YYYYMMDD]_octi_dashboard_[dashboard title]</code>. The expected configuration file content is as follows:</p> <pre><code>{\n  \"openCTI_version\": \"5.12.0\",\n  \"type\": \"dashboard\",\n  \"configuration\": {\n    \"name\": \"My dashboard title\",\n    \"manifest\": \"eyJ3aWRn(...)uZmlnIjp7fX0=\"\n  }\n}\n</code></pre> <p>The widget configuration will be saved as a JSON file, with the title formatted as <code>[YYYYMMDD]_octi_widget_[widget view]</code>. The expected configuration file content is as follows:</p> <pre><code>{\n  \"openCTI_version\": \"5.12.0\",\n  \"type\": \"widget\",\n  \"configuration\": \"eyJ0eXB(...)iOmZhbHNlfX0=\"\n}\n</code></pre> <p>Source platform-related filters</p> <p>When exporting a dashboard or widget configuration, all filters will be exported as is. Filters on objects that do not exist in the receiving platform will need manual deletion after import. Filters to be deleted can be identified by their \"delete\" barred value.</p> <p></p>"},{"location":"usage/dashboards/#import","title":"Import","text":"<p>Dashboards can be imported from the custom dashboards list:</p> <ol> <li>Hover over the Add button (+) in the right bottom corner.</li> <li>Click on the <code>Import dashboard</code> button (cloud with an upward arrow).</li> <li>Select your file.</li> </ol> <p></p> <p>To import a widget, the same mechanism is used, but from a dashboard view.</p> <p></p> <p>Configuration compatibility</p> <p>Only JSON files with the required properties will be accepted, including \"openCTI_version: [5.12.0 and above]\", \"type: [dashboard|widget]\", and a \"configuration\". This applies to both dashboards and widgets configurations.</p>"},{"location":"usage/dashboards/#duplicate","title":"Duplicate","text":"<p>Dashboards can be duplicated from either the custom dashboards list or the dashboard view.</p> <p>To duplicate a dashboard from the custom dashboards list:</p> <ol> <li>Click on the burger menu button at the end of the dashboard line.</li> <li>Select <code>Duplicate</code>.</li> </ol> <p>To duplicate a widget, the same mechanism is used, but from the burger menu button in the upper right-hand corner of the widget.</p> <p>To duplicate a dashboard from the dashboard view:</p> <ol> <li>Navigate to the desired dashboard.</li> <li>Click on the <code>Duplicate the dashboard</code> button (two stacked sheets) located in the top-right corner of the dashboard.</li> </ol> <p></p> <p>Upon successful duplication, a confirmation message is displayed for a short duration, accompanied by a link for easy access to the new dashboard view. Nevertheless, the new dashboard can still be found in the dashboards list.</p> <p></p> <p>Dashboard access</p> <p>The user importing or duplicating a dashboard becomes the only one with access to it. Then, access can be managed as usual.</p>"},{"location":"usage/data-model/","title":"Data model","text":""},{"location":"usage/data-model/#introduction","title":"Introduction","text":"<p>The OpenCTI core design relies on the concept of a knowledge graph, where you have two different kinds of object:</p> <ol> <li>Nodes are used to describe <code>entities</code>, which have some <code>properties</code> or <code>attributes</code>.</li> <li>Edges are used to describe <code>relationships</code>, which are created between two <code>entity</code> nodes and have some <code>properties</code> or <code>attributes</code>.</li> </ol> <p>Example</p> <p>An example would be that the entity <code>APT28</code> has a relationship <code>uses</code> to the malware entity <code>Drovorub</code>.</p>"},{"location":"usage/data-model/#standard","title":"Standard","text":""},{"location":"usage/data-model/#the-stix-model","title":"The STIX model","text":"<p>To enable a unified approach in the description of threat intelligence knowledge as well as importing and exporting data, the OpenCTI data model is based on the STIX 2.1 standard. Thus we highly recommend to take a look to the STIX Introductory Walkthrough and to the different kinds of STIX relationships to get a better understanding of how OpenCTI works.</p> <p>Some more important STIX naming shortcuts are:</p> <ul> <li>STIX Domain Objects (SDO): Attack Patterns, Malware, Threat Actors, etc.</li> <li>STIX Cyber Observable (SCO): IP Addresses, domain names, hashes, etc.</li> <li>STIX Relationship Object (SRO): Relationships, Sightings</li> </ul> <p></p>"},{"location":"usage/data-model/#extensions","title":"Extensions","text":"<p>In some cases, the model has been extended to be able to:</p> <ul> <li>Support more types of SCOs to modelize information systems such as cryptocurrency wallets, user agents, etc.</li> <li>Support more types of SDOs to modelize disinformation and cybercrime such as channels, events, narrative, etc.</li> <li>Support more types of SROs to extend the new SDOs such as<code>amplifies</code>, <code>publishes</code>, etc.</li> </ul>"},{"location":"usage/data-model/#implementation-in-the-platform","title":"Implementation in the platform","text":""},{"location":"usage/data-model/#diagram-of-types","title":"Diagram of types","text":"<p>You can find below the digram of all types of entities and relationships available in OpenCTI.</p>"},{"location":"usage/data-model/#attributes-and-properties","title":"Attributes and properties","text":"<p>To get a comprehensive list of available properties for a given type of entity or relationship, you can use the GraphQL playground schema available in your \"Profile &gt; Playground\". Then you can click on schema. You can for instance search for the keyword <code>IntrusionSet</code>:</p> <p></p>"},{"location":"usage/deduplication/","title":"Deduplication","text":"<p>One of the core concept of the OpenCTI knowledge graph is all underlying mechanisms implemented to accurately de-duplicate and consolidate (aka. <code>upserting</code>) information about entities and relationships.</p>"},{"location":"usage/deduplication/#creation-behavior","title":"Creation behavior","text":"<p>When an object is created in the platform, whether manually by a user or automatically by the connectors / workers chain, the platform checks if something already exist based on some properties of the object. If the object already exists, it will return the existing object and, in some cases, update it as well.</p> <p>Technically, OpenCTI generates deterministic IDs based on the listed properties below to prevent duplicate (aka \"ID Contributing Properties\"). Also, it is important to note that there is a special link between <code>name</code> and <code>aliases</code> leading to not have entities with overlapping aliases or an alias already used in the name of another entity.</p>"},{"location":"usage/deduplication/#entities","title":"Entities","text":"Type Attributes Area (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Attack Pattern (<code>name</code> OR <code>alias</code>) AND optional <code>x_mitre_id</code> Campaign <code>name</code> OR <code>alias</code> Channel <code>name</code> OR <code>alias</code> City (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Country (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Course Of Action (<code>name</code> OR <code>alias</code>) AND optional <code>x_mitre_id</code> Data Component <code>name</code> OR <code>alias</code> Data Source <code>name</code> OR <code>alias</code> Event <code>name</code> OR <code>alias</code> Feedback Case <code>name</code> AND <code>created</code> (date) Grouping <code>name</code> AND <code>context</code> Incident <code>name</code> OR <code>alias</code> Incident Response Case <code>name</code> OR <code>alias</code> Indicator <code>pattern</code> OR <code>alias</code> Individual (<code>name</code> OR <code>x_opencti_alias</code>) and <code>identity_class</code> Infrastructure <code>name</code> OR <code>alias</code> Intrusion Set <code>name</code> OR <code>alias</code> Language <code>name</code> OR <code>alias</code> Malware <code>name</code> OR <code>alias</code> Malware Analysis <code>name</code> OR <code>alias</code> Narrative <code>name</code> OR <code>alias</code> Note None Observed Data <code>name</code> OR <code>alias</code> Opinion None Organization (<code>name</code> OR <code>x_opencti_alias</code>) and <code>identity_class</code> Position (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Region <code>name</code> OR <code>alias</code> Report <code>name</code> AND <code>published</code> (date) RFI Case <code>name</code> AND <code>created</code> (date) RFT Case <code>name</code> AND <code>created</code> (date) Sector (<code>name</code> OR <code>alias</code>) and <code>identity_class</code> Task None Threat Actor <code>name</code> OR <code>alias</code> Tool <code>name</code> OR <code>alias</code> Vulnerability <code>name</code> OR <code>alias</code> <p>Names and aliases management</p> <p>The name and aliases of an entity define a set of unique values, so it's not possible to have the name equal to an alias and vice versa.</p>"},{"location":"usage/deduplication/#relationships","title":"Relationships","text":"<p>The deduplication process of relationships is based on the following criterias:</p> <ul> <li>Type</li> <li>Source</li> <li>Target</li> <li>Start time between -30 days / + 30 days</li> <li>Stop time between -30 days / + 30 days</li> </ul>"},{"location":"usage/deduplication/#observables","title":"Observables","text":"<p>For STIX Cyber Observables, OpenCTI also generate deterministic IDs based on the STIX specification using the \"ID Contributing Properties\" defined for each type of observable.</p>"},{"location":"usage/deduplication/#update-behavior","title":"Update behavior","text":"<p>In cases where an entity already exists in the platform, incoming creations can trigger updates to the existing entity's attributes. This logic has been implemented to converge the knowledge base towards the highest confidence and quality levels for both entities and relationships.</p> <p>To understand in details how the deduplication mechanism works in context of the maximum confidence level, you can navigate through this diagram (section deduplication):</p>"},{"location":"usage/enrichment/","title":"Enrichment connectors","text":"<p>Enriching the data within the OpenCTI platform is made seamlessly through the integration of enrichment connectors. These connectors facilitate the retrieval of additional data from external sources or portals.</p>"},{"location":"usage/enrichment/#automatic-enrichment","title":"Automatic enrichment","text":"<p>Enrichment can be conducted automatically in two distinct modes:</p> <ul> <li>Upon data arrival: Configuring the connector to run automatically when data arrives in OpenCTI ensures a real-time enrichment process, supplementing the platform's data. However, it's advisable to avoid automatic enrichment for quota-based connectors to paid sources to prevent quickly depleting all quotas. Additionally, this automatic enrichment contributes to increased data volume. On a large scale, with hundreds of thousands of objects, the disk space occupied by this data can be substantial, and it should be considered, especially if disk space is a concern. The automatic execution is configured at the connector level using the \"auto: true|false\" parameter.</li> <li>Targeted enrichment via playbooks: Enrichment can also be performed in a more targeted manner using playbooks. This approach allows for a customized enrichment strategy, focusing on specific objects and optimizing the relevance of the retrieved data.</li> </ul>"},{"location":"usage/enrichment/#manual-enrichment","title":"Manual enrichment","text":"<p>Manually initiating the enrichment process is straightforward. Simply locate the button with the cloud icon at the top right of an entity. </p> <p></p> <p>Clicking on this icon unveils a side panel displaying a list of available connectors that can be activated for the given object. If no connectors appear in the panel, it indicates that no enrichment connectors are available for the specific type of object in focus.</p> <p></p> <p>Activation of an enrichment connector triggers a contact with the designated remote source, importing a set of data into OpenCTI to enrich the selected object. Each enrichment connector operates uniquely, focusing on a specific set of object types it can enrich and a distinct set of data it imports. Depending on the connectors, they may, establish relationships, add external references, or complete object information, thereby contributing to the comprehensiveness of information within the platform.</p> <p>The list of available connectors can be found in our connectors catalog. In addition, further documentation on connectors is available on the dedicated documentation page.</p> <p>Impact of the max confidence level</p> <p>The maximum confidence level per user can have an impact on enrichment connectors, not being able to update data in the platform. To understand the concept and the potential issues you could face, please navigate to this page to understand.</p>"},{"location":"usage/exploring-analysis/","title":"Analyses","text":"<p>When you click on \"Analyses\" in the left-side bar, you see all the \"Analyses\" tabs, visible on the top bar on the left. By default, the user directly access the \"Reports\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Analyses</code> section, users can access the following tabs:</p> <ul> <li><code>Reports</code>: See Reports as a sort of containers to detail and structure what is contained on a specific report, either from a source or write by yourself. Think of it as an Intelligence Production in OpenCTI.</li> <li><code>Groupings</code>: Groupings are containers, like Reports, but do not represent an Intelligence Production. They regroup Objects sharing an explicit context. For example, a Grouping might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as Report container.</li> <li><code>Malware Analyses</code>: As define by STIX 2.1 standard, Malware Analyses captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.</li> <li><code>Notes</code>: Through this tab, you can find all the Notes that have been written in the platform, for example to add some analyst's unstructured knowledge about an Object.</li> <li><code>External references</code>: Intelligence is never created from nothing. External references give user a way to link sources or reference documents to any Object in the platform.</li> </ul> <p></p>"},{"location":"usage/exploring-analysis/#reports","title":"Reports","text":""},{"location":"usage/exploring-analysis/#general-presentation","title":"General presentation","text":"<p>Reports are one of the central component of the platform. It is from a <code>Report</code> that knowledge is extracted and integrated in the platform for further navigation, analyses and exports. Always tying the information back to a report allows for the user to be able to identify the source of any piece of information in the platform at all time.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Report</code> is defined as such :</p> <p>Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.</p> <p>As a result, a <code>Report</code> object in OpenCTI is a set of attributes and metadata defining and describing a document outside the platform, which can be a threat intelligence report from a security reseearch team, a blog post, a press article a video, a conference extract, a MISP event, or any type of document and source.</p> <p>When clicking on the Reports tab at the top left, you see the list of all the Reports you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of reports.</p>"},{"location":"usage/exploring-analysis/#visualizing-knowledge-within-a-report","title":"Visualizing Knowledge within a Report","text":"<p>When clicking on a Report, you land on the Overview tab. For a Report, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge contained in the report, accessible through different views (See below for a dive-in). As described here.</li> <li>Content: a tab to upload or creates outcomes document displaying the content of the Report (for example in PDF, text, HTML or markdown files). The Content of the document is displayed to ease the access of Knowledge through a readable format. As described here.</li> <li>Entities: A table containing all SDO (Stix Domain Objects) contained in the Report, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Observables: A table containing all SCO (Stix Cyber Observable) contained in the Report, with search and filters available. It also displays if the SCO has been added directly or through inferences with the reasoning engine</li> <li>Data: as described here.</li> </ul> <p>Exploring and modifying the structured Knowledge contained in a Report can be done through different lenses.</p>"},{"location":"usage/exploring-analysis/#graph-view","title":"Graph View","text":"<p>In Graph view, STIX SDO are displayed as graph nodes and relationships as graph links. Nodes are colored depending of their type. Direct relationship are displayed as plain link and inferred relationships in dotted link. At the top right, you will find a serie of icons. From there you can change the current type of view. Here you can also perform global action on the Knowledge of the Report. Let's highlight 2 of them: - Suggestions: This tool suggests you some logical relationships to add between your contained Object to give more consistency to your Knowledge. - Share with an Organization: if you have designated a main Organization in the platform settings, you can here share your Report and its content with users of an other Organization. At the bottom, you have many option to manipulate the graph: - Multiple option for shaping the graph and applying forces to the nodes and links - Multiple selection options - Multiple filters, including a time range selector allowing you to see the evolution of the Knowledge within the Report. - Multiple creation and edition tools to modify the Knowledge contained in the Report.</p>"},{"location":"usage/exploring-analysis/#content-mapping-view","title":"Content mapping view","text":"<p>Through this view, you can map exsisting or new Objects directly from a readable content, allowing you to quickly append structured Knowledge in your Report before refining it with relationships and details.  This view is a great place to see the continuum between unstructured and structured Knowledge of a specific Intelligence Production.</p>"},{"location":"usage/exploring-analysis/#timeline-view","title":"Timeline view","text":"<p>This view allows you to see the structured Knowledge chronologically. This view is really useful when the report describes an attack or a campaign that lasted some time, and the analyst payed attention to the dates. The view can be filtered and displayed relationships too.</p>"},{"location":"usage/exploring-analysis/#correlation-view","title":"Correlation view","text":"<p>The correlation view is a great way to visualize and find other Reports related to your current subject of interest. This graph displays all Report related to the important nodes contained in your current Report, for example Objects like Malware or Intrusion sets.</p>"},{"location":"usage/exploring-analysis/#matrix-view","title":"Matrix view","text":"<p>If your Report describes let's say an attack, a campaign, or an understanding of an Intrusion set, it should contains multiple attack patterns Objects to structure the Knowledge about the TTPs of the Threat Actor. Those attack patterns can be displayed as highlighted matrices, by default the MITRE ATT&amp;CK Enterprise matrix. As some matrices can be huge, it can be also filtered to only display attack patterns describes in the Report.</p>"},{"location":"usage/exploring-analysis/#groupings","title":"Groupings","text":"<p>Groupings are an alternative to Report for grouping Objects sharing a context without describing an Intelligence Production.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Grouping</code> is defined as such :</p> <p>A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators.</p> <p>When clicking on the Groupings tab at the top of the interface, you see the list of all the Groupings you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of the groupings.</p> <p>Clicking on a Grouping, you land on its Overview tab. For a Groupings, the following tabs are accessible: - Overview: as described here. - Knowledge: a complex tab that regroups all the structured Knowledge contained in the groupings, as for a Report, except for the Timeline view. As described here. - Entities: A table containing all SDO (Stix Domain Objects) contained in the Grouping, with search and filters available. It also display if the SDO has been added directly or through inferences with the reasonging engine - Observables: A table containing all SCO (Stix Cyber Observable) contained in the Grouping, with search and filters available. It also display if the SDO has been added directly or through inferences with the reasonging engine - Data: as described here.</p>"},{"location":"usage/exploring-analysis/#malware-analyses","title":"Malware Analyses","text":"<p>Malware analyses are an important part of the Cyber Threat Intelligence, allowing an precise understanding of what and how a malware really do on the host but also how and from where it receives its command and communicates its results.</p> <p>In OpenCTI, Malware Analyses can be created from enrichment connectors that will take an Observable as input and perform a scan on a online service platform to bring back results. As such, Malware Analyses can be done on File, Domain and URL.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Malware Analyses</code> is defined as such :</p> <p>Malware Analyses captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.</p> <p>When clicking on the Malware Analyses tab at the top of the interface, you see the list of all the Malware Analyses you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of the Malware Analyses.</p> <p>Clicking on a Malware Analyses, you land on its Overview tab. The following tabs are accessible: - Overview: This view contains some additions from the common Overview here. You will find here details about how the analysis have been performed, what is the global result regarding the malicioussness of the analysed artifact and all the Observables that have been found during the analysis.  - Knowledge: If you Malware analysis is linked to other Objects that are not part of the analysis result, they will be displayed here. As described here. - Data: as described here. - History: as described here.</p> <p></p>"},{"location":"usage/exploring-analysis/#notes","title":"Notes","text":"<p>Not every Knowledge can be structured. For allowing any users to share their insights about a specific Knowledge, they can create a Note for every Object and relationship in OpenCTI they can access to. All the Notes are listed within the Analyses menu for allowing global review of this unstructured addition to the global Knowledge.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Note</code> is defined as such :</p> <p>A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator).</p> <p>Clicking on a Note, you land on its Overview tab. The following tabs are accessible: - Overview: as described here. - Data: as described here. - History: as described here.</p>"},{"location":"usage/exploring-analysis/#external-references","title":"External references","text":"<p>Intelligence is never created from nothing. External references give user a way to link sources or reference documents to any Object in the platform. All external references are listed within the Analyses menu for accessing directly sources of the structured Knowledge.</p> <p>In the MITRE STIX 2.1 documentation, a <code>External references</code> is defined as such :</p> <p>External references are used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.</p> <p>Clicking on an External reference, you land on its Overview tab. The following tabs are accessible: - Overview: as described here.</p>"},{"location":"usage/exploring-arsenal/","title":"Arsenal","text":"<p>When you click on \"Arsenal\" in the left-side bar, you access all the \"Arsenal\" tabs, visible on the top bar on the left. By default, the user directly access the \"Malware\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Arsenal</code> section, users can access the following tabs:</p> <ul> <li><code>Malware</code>: <code>Malware</code> represents any piece of code specifically designed to damage, disrupt, or gain unauthorized access to computer systems, networks, or user data.</li> <li><code>Channels</code>: <code>Channels</code>, in the context of cybersecurity, refer to places or means through which actors disseminate information. This category is used in particular in the context of FIMI (Foreign Information Manipulation Interference). </li> <li><code>Tools</code>: <code>Tools</code> represent legitimate, installed software or hardware applications on an operating system that can be misused by attackers for malicious purposes. (e.g. LOLBAS).</li> <li><code>Vulnerabilities</code>: <code>Vulnerabilities</code> are weaknesses or that can be exploited by attackers to compromise the security, integrity, or availability of a computer system or network.</li> </ul>"},{"location":"usage/exploring-arsenal/#malware","title":"Malware","text":""},{"location":"usage/exploring-arsenal/#general-presentation","title":"General presentation","text":"<p>Malware encompasses a broad category of malicious pieces of code built, deployed, and operated by intrusion set. Malware can take many forms, including viruses, worms, Trojans, ransomware, spyware, and more. These entities are created by individuals or groups, including state-nations, state-sponsored groups, corporations, or hacktivist collectives.</p> <p>Use the <code>Malware</code> SDO to model and track these threats comprehensively, facilitating in-depth analysis, response, and correlation with other security data.</p> <p>When clicking on the Malware tab on the top left, you see the list of all the Malware you have access to, in respect with your allowed marking definitions. These malware are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, related intrusion sets, countries and sectors they target, and labels. You can then search and filter on some common and specific attributes of Malware.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-a-malware","title":"Visualizing Knowledge associated with a Malware","text":"<p>When clicking on an <code>Malware</code> card you land on its Overview tab. For a Malware, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Malware. Different thematic views are proposed to easily see the victimology, the threat actors and intrusion sets using the Malware, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-arsenal/#channels","title":"Channels","text":""},{"location":"usage/exploring-arsenal/#general-presentation_1","title":"General presentation","text":"<p><code>Channels</code> - such as forums, websites and social media platforms (e.g. Twitter, Telegram) - are mediums for disseminating news, knowledge, and messages to a broad audience. While they offer benefits like open communication and outreach, they can also be leveraged for nefarious purposes, such as spreading misinformation, coordinating cyberattacks, or promoting illegal activities. </p> <p>Monitoring and managing content within <code>Channels</code> aids in analyzing threats, activities, and indicators associated with various threat actors, campaigns, and intrusion sets.</p> <p>When clicking on the Channels tab at the top left, you see the list of all the Channels you have access to, in respect with your allowed marking definitions. These channels are displayed in a list where you can find certain fields characterizing the entity: type of channel, labels, and dates. You can then search and filter on some common and specific attributes of Channels.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-a-channel","title":"Visualizing Knowledge associated with a Channel","text":"<p>When clicking on a <code>Channel</code> in the list, you land on its Overview tab. For a Channel, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Channel. Different thematic views are proposed to easily see the victimology, the threat actors and intrusion sets using the Malware, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-arsenal/#tools","title":"Tools","text":""},{"location":"usage/exploring-arsenal/#general-presentation_2","title":"General presentation","text":"<p><code>Tools</code> refers to legitimate, pre-installed software applications, command-line utilities, or scripts that are present on a compromised system. These objects enable you to model and monitor the activities of these tools, which can be misused by attackers.</p> <p>When clicking on the <code>Tools</code> tab at the top left, you see the list of all the <code>Tools</code> you have access to, in respect with your allowed marking definitions. These tools are displayed in a list where you can find certain fields characterizing the entity: labels and dates. You can then search and filter on some common and specific attributes of Tools.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-an-observed-data","title":"Visualizing Knowledge associated with an Observed Data","text":"<p>When clicking on a <code>Tool</code> in the list, you land on its Overview tab. For a Tool, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Tool. Different thematic views are proposed to easily see the threat actors, the intrusion sets and the malware using the Tool. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-arsenal/#vulnerabilities","title":"Vulnerabilities","text":""},{"location":"usage/exploring-arsenal/#general-presentation_3","title":"General presentation","text":"<p><code>Vulnerabilities</code> represent weaknesses or flaws in software, hardware, configurations, or systems that can be exploited by malicious actors. This object assists in managing and tracking the organization's security posture by identifying areas that require attention and remediation, while also providing insights into associated intrusion sets, malware and campaigns where relevant.</p> <p>When clicking on the <code>Vulnerabilities</code> tab at the top left, you see the list of all the <code>Vulnerabilities</code> you have access to, in respect with your allowed marking definitions. These vulnerabilities are displayed in a list where you can find certain fields characterizing the entity: CVSS3 severity, labels, dates and creators (in the platform). You can then search and filter on some common and specific attributes of Vulnerabilities.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-an-observed-data_1","title":"Visualizing Knowledge associated with an Observed Data","text":"<p>When clicking on a <code>Vulnerabilities</code> in the list, you land on its Overview tab. For a Vulnerability, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Vulnerability. Different thematic views are proposed to easily see the threat actors, the intrusion sets and the malware exploiting the Vulnerability. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-cases/","title":"Cases","text":"<p>When you click on \"Cases\" in the left-side bar, you access all the \"Cases\" tabs, visible on the top bar on the left. By default, the user directly access the \"Incident Responses\" tab, but can navigate to the other tabs as well.</p> <p>As Analyses, <code>Cases</code> can contain other objects. This way, by adding context and results of your investigations in the case, you will be able to get an up-to-date overview of the ongoing situation, and later produce more easily an incident report. </p> <p>From the <code>Cases</code> section, users can access the following tabs:</p> <ul> <li><code>Incident Responses</code>: This type of Cases is dedicated to the management of incidents. An Incident Response case does not represent an incident, but all the context and actions that will encompass the response to a specific incident.</li> <li><code>Request for Information</code>: CTI teams are often asked to provide extensive information and analysis on a specific subject, be it related to an ongoing incident or a particular trending threat. Request for Information cases allow you to store context and actions relative to this type of request and its response.</li> <li><code>Request for Takedown</code>: When an organization is targeted by an attack campaign, a typical response action can be to request the Takedown of elements of the attack infrastructure, for example a domain name impersonating the organization to phish its employees, or an email address used to deliver phishing content. As Takedown needs in most case to reach out to external providers and be effective quickly, it often needs specific workflows. Request for Takedown cases give you a dedicated space to manage these specific actions.</li> <li><code>Tasks</code>: In every case, you need tasks to be performed in order to solve it. The Tasks tab allows you to review all created tasks to quickly see past due date, or quickly see every task assigned to a specific user.</li> <li><code>Feedbacks</code>: If you use your platform to interact with other teams and provide them CTI Knowledge, some users may want to give you feedback about it. Those feedbacks can easily be considered as another type of case to solve, as it will often refer to Knowledge inconsistency or gaps.</li> </ul> <p></p>"},{"location":"usage/exploring-cases/#incident-response-request-for-information-request-for-takedown","title":"Incident Response, Request for Information &amp; Request for Takedown","text":""},{"location":"usage/exploring-cases/#general-presentation","title":"General presentation","text":"<p>Incident responses, Request for Information &amp; Request for Takedown cases are an important part of the case management system in OpenCTI. Here, you can organize the work of your team to respond to cybersecurity situations. You can also give context to the team and other users on the platform about the situation and actions (to be) taken.</p> <p>To manage the situation, you can issue <code>Tasks</code> and assign them to users in the platform, by directly creating a Task or by applying a Case template that will append a list of predefined tasks.</p> <p>To bring context, you can use your Case as a container (like Reports or Groupings), allowing you to add any Knowledge from your platform in it. You can also use this possibility to trace your investigation, your Case playing the role of an Incident report. You will find more information about case management here.</p> <p>Incident Response, Request for Information &amp; Request for Takedown are not STIX 2.1 Objects.</p> <p>When clicking on the Incident Response, Request for Information &amp; Request for Takedown tabs at the top, you see the list of all the Cases you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes.</p>"},{"location":"usage/exploring-cases/#visualizing-knowledge-within-an-incident-response-request-for-information-request-for-takedown","title":"Visualizing Knowledge within an Incident Response, Request for Information &amp; Request for Takedown","text":"<p>When clicking on an Incident Response, Request for Information or Request for Takedown, you land on the Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: Overview of Cases are slightly different from the usual (described here). Cases' Overview displays also the list of the tasks associated with the case. It also let you highlight Incident, Report or Sighting at the origin of the case. If other cases contains some Observables with your Case, they will be displayed as Related Cases in the Overview.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge contained in the Case, accessible through different views (See below for a dive-in). As described here.</li> <li>Content: a tab to upload or creates outcomes document displaying the content of the Case (for example in PDF, text, HTML or markdown files). The Content of the document is displayed to ease the access of Knowledge through a readable format. As described here.</li> <li>Entities: A table containing all SDO (Stix Domain Objects) contained in the Case, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Observables: A table containing all SCO (Stix Cyber Observable) contained in the Case, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Data: as described here.</li> </ul> <p>Exploring and modifying the structured Knowledge contained in a Case can be done through different lenses.</p>"},{"location":"usage/exploring-cases/#graph-view","title":"Graph View","text":"<p>In Graph view, STIX SDO are displayed as graph nodes and relationships as graph links. Nodes are colored depending on their type. Direct relationship are displayed as plain link and inferred relationships in dotted link. At the top right, you will find a series of icons. From there you can change the current type of view. Here you can also perform global action on the Knowledge of the Case. Let's highlight 2 of them:</p> <ul> <li>Suggestions: This tool suggests you some logical relationships to add between your contained Object to give more consistency to your Knowledge.</li> <li>Share with an Organization: if you have designated a main Organization in the platform settings, you can here share your Case and its content with users of another Organization. At the bottom, you have many option to manipulate the graph:</li> <li>Multiple option for shaping the graph and applying forces to the nodes and links</li> <li>Multiple selection options</li> <li>Multiple filters, including a time range selector allowing you to see the evolution of the Knowledge within the Case.</li> <li>Multiple creation and edition tools to modify the Knowledge contained in the Case.</li> </ul>"},{"location":"usage/exploring-cases/#content-mapping-view","title":"Content mapping view","text":"<p>Through this view, you can map existing or new Objects directly from a readable content, allowing you to quickly append structured Knowledge in your Case before refining it with relationships and details. This view is a great place to see the continuum between unstructured and structured Knowledge.</p>"},{"location":"usage/exploring-cases/#timeline-view","title":"Timeline view","text":"<p>This view allows you to see the structured Knowledge chronologically. This view is particularly useful in the context of a Case, allowing you to see the chain of events, either from the attack perspectives, the defense perspectives or both. The view can be filtered and displayed relationships too.</p>"},{"location":"usage/exploring-cases/#matrix-view","title":"Matrix view","text":"<p>If your Case contains attack patterns, you will be able to visualize them in a Matrix view.</p>"},{"location":"usage/exploring-cases/#tasks","title":"Tasks","text":"<p>Tasks are actions to be performed in the context of a Case (Incident Response, Request for Information, Request for Takedown). Usually, a task is assigned to a user, but important tasks may involve more participants.</p> <p>When clicking on the Tasks tab at the top of the interface, you see the list of all the Tasks you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of the tasks.</p> <p>Clicking on a Task, you land on its Overview tab. For a Tasks, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-cases/#feedbacks","title":"Feedbacks","text":"<p>When a user fill a feedback form from its Profile/Feedback menu, it will then be accessible here.</p> <p>This feature gives the opportunity to engage with other users of your platform and to respond directly to their concern about it or the Knowledge, without the need of third party software.</p> <p></p> <p>Clicking on a Feedback, you land on its Overview tab. For a Feedback, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Content: as described here. </li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-entities/","title":"Entities","text":"<p>OpenCTI's Entities objects provides a comprehensive framework for modeling various targets and attack victims within your threat intelligence data. With five distinct Entity object types, you can represent sectors, events, organizations, systems, and individuals. This robust classification empowers you to contextualize threats effectively, enhancing the depth and precision of your analysis.</p> <p>When you click on \"Entities\" in the left-side bar, you access all the \"Entities\" tabs, visible on the top bar on the left. By default, the user directly access the \"Sectors\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Entities</code> section, users can access the following tabs:</p> <ul> <li><code>Sectors</code>: areas of activity.</li> <li><code>Events</code>: event in the real world.</li> <li><code>Organizations</code>: groups with specific aims such as companies and government entities.</li> <li><code>Systems</code>: technologies such as platforms and software.</li> <li><code>Individuals</code>: real persons.</li> </ul>"},{"location":"usage/exploring-entities/#sectors","title":"Sectors","text":""},{"location":"usage/exploring-entities/#general-presentation","title":"General presentation","text":"<p>Sectors represent specific domains of activity, defining areas such as energy, government, health, finance, and more. Utilize sectors to categorize targeted industries or sectors of interest, providing valuable context for threat intelligence analysis within distinct areas of the economy.</p> <p>When clicking on the Sectors tab at the top left, you see the list of all the Sectors you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-a-sector","title":"Visualizing Knowledge associated with a Sector","text":"<p>When clicking on a <code>Sector</code> in the list, you land on its Overview tab. For a Sector, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Sector. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Sector. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the Sector.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-entities/#events","title":"Events","text":""},{"location":"usage/exploring-entities/#general-presentation_1","title":"General presentation","text":"<p>Events encompass occurrences like international sports events, summits (e.g., G20), trials, conferences, or any significant happening in the real world. By modeling events, you can analyze threats associated with specific occurrences, allowing for targeted investigations surrounding high-profile incidents.</p> <p>When clicking on the Events tab at the top left, you see the list of all the Events you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-an-event","title":"Visualizing Knowledge associated with an Event","text":"<p>When clicking on an <code>Event</code> in the list, you land on its Overview tab. For an Event, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Event. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Event. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted during an attack against the Event.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-entities/#organizations","title":"Organizations","text":""},{"location":"usage/exploring-entities/#general-presentation_2","title":"General presentation","text":"<p>Organizations include diverse entities such as companies, government bodies, associations, non-profits, and other groups with specific aims. Modeling organizations enables you to understand the threat landscape concerning various entities, facilitating investigations into cyber-espionage, data breaches, or other malicious activities targeting specific groups.</p> <p>When clicking on the Organizations tab at the top left, you see the list of all the Organizations you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-an-organization","title":"Visualizing Knowledge associated with an Organization","text":"<p>When clicking on an <code>Organization</code> in the list, you land on its Overview tab. For an Organization, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Organization. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Organization. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the Organization.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p>Furthermore, an Organization can be observed from an \"Author\" perspective. It is possible to change this viewpoint to the right of the entity name, using the \"Display as\" drop-down menu (see screenshot below). This different perspective is accessible in the Overview, Knowledge and Analyses tabs. When switched to \"Author\" mode, the observed data pertains to the entity's description as an author within the platform:</p> <ul> <li>Overview: The \"Latest created relationships\" and \"Latest containers about the object\" panels are replaced by the \"Latest containers authored by this entity\" panel.</li> <li>Knowledge: A tab that presents an overview of the data authored by the Organization (i.e. counters and a graph).</li> <li>Analyses: The list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) for which the Organization is the author.</li> </ul> <p></p>"},{"location":"usage/exploring-entities/#systems","title":"Systems","text":""},{"location":"usage/exploring-entities/#general-presentation_3","title":"General presentation","text":"<p>Systems represent software applications, platforms, frameworks, or specific tools like WordPress, VirtualBox, Firefox, Python, etc. Modeling systems allows you to focus on threats related to specific software or technology, aiding in vulnerability assessments, patch management, and securing critical applications.</p> <p>When clicking on the Systems tab at the top left, you see the list of all the Systems you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-a-system","title":"Visualizing Knowledge associated with a System","text":"<p>When clicking on a <code>System</code> in the list, you land on its Overview tab. For a System, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the System. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the System. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the System.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p>Furthermore, a System can be observed from an \"Author\" perspective. It is possible to change this viewpoint to the right of the entity name, using the \"Display as\" drop-down menu (see screenshot below). This different perspective is accessible in the Overview, Knowledge and Analyses tabs. When switched to \"Author\" mode, the observed data pertains to the entity's description as an author within the platform:</p> <ul> <li>Overview: The \"Latest created relationships\" and \"Latest containers about the object\" panels are replaced by the \"Latest containers authored by this entity\" panel.</li> <li>Knowledge: A tab that presents an overview of the data authored by the System (i.e. counters and a graph).</li> <li>Analyses: The list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) for which the System is the author.</li> </ul>"},{"location":"usage/exploring-entities/#individuals","title":"Individuals","text":""},{"location":"usage/exploring-entities/#general-presentation_4","title":"General presentation","text":"<p>Individuals represent specific persons relevant to your threat intelligence analysis. This category includes targeted individuals, or influential figures in various fields. Modeling individuals enables you to analyze threats related to specific people, enhancing investigations into cyber-stalking, impersonation, or other targeted attacks.</p> <p>When clicking on the Individuals tab at the top left, you see the list of all the Individuals you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-an-individual","title":"Visualizing Knowledge associated with an Individual","text":"<p>When clicking on an <code>Individual</code> in the list, you land on its Overview tab. For an Individual, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Individual. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Individual. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the Individual.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p>Furthermore, an Individual can be observed from an \"Author\" perspective. It is possible to change this viewpoint to the right of the entity name, using the \"Display as\" drop-down menu (see screenshot below). This different perspective is accessible in the Overview, Knowledge and Analyses tabs. When switched to \"Author\" mode, the observed data pertains to the entity's description as an author within the platform:</p> <ul> <li>Overview: The \"Latest created relationships\" and \"Latest containers about the object\" panels are replaced by the \"Latest containers authored by this entity\" panel.</li> <li>Knowledge: A tab that presents an overview of the data authored by the Individual (i.e. counters and a graph).</li> <li>Analyses: The list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) for which the Individual is the author.</li> </ul>"},{"location":"usage/exploring-events/","title":"Events","text":"<p>When you click on \"Events\" in the left-side bar, you access all the \"Events\" tabs, visible on the top bar on the left. By default, the user directly access the \"Incidents\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Events</code> section, users can access the following tabs:</p> <ul> <li><code>Incidents</code>: In OpenCTI, <code>Incidents</code> correspond to a negative event happening on an information system. This can include a cyberattack (intrusion, phishing, etc.), a consolidated security alert generated by a SIEM or EDR that need to be qualified, and so on. It can also refer to an information warfare attack in the context of countering disinformation.</li> <li><code>Sightings</code>: <code>Sightings</code> correspond to the event in which an <code>Observable</code> (IP, domain name, certificate, etc.) is detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or an EDR.</li> <li><code>Observed Data</code>: <code>Observed Data</code> has been added in OpenCTI by compliance with the STIX 2.1 standard. You can see it has a pseudo-container that contains Observables, like a line of firewall log for example. Currently, it is rarely used.</li> </ul>"},{"location":"usage/exploring-events/#incidents","title":"Incidents","text":""},{"location":"usage/exploring-events/#general-presentation","title":"General presentation","text":"<p>Incidents usually represents negative events impacting resources you want to protect, but local definitions can vary a lot, from a simple security events send by a SIEM to a massive scale supply chain attack impacting a whole activity sector.</p> <p>In the MITRE STIX 2.1, the <code>Incident</code> SDO has not yet been finalized and is the object of important work as part of a forthcoming STIX Extension.</p> <p>When clicking on the Incidents tab at the top left, you see the list of all the Incidents you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-events/#visualizing-knowledge-associated-with-an-incident","title":"Visualizing Knowledge associated with an Incident","text":"<p>When clicking on an <code>Incident</code> in the list, you land on its Overview tab. For an Incident, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display two distribution graphs of its related Entities (STIX SDO) and Observable (STIX SCO).</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Incident. Different thematic views are proposed to easily see the victimology, arsenal, techniques and so on used in the context of the Incident. As described here.</li> <li>Content: This specific tab allows to previzualize, manage and write deliverable associated with the Incident. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-events/#sightings","title":"Sightings","text":""},{"location":"usage/exploring-events/#general-presentation_1","title":"General presentation","text":"<p>The <code>Sightings</code> correspond to events in which an <code>Observable</code> (IP, domain name, url, etc.) is detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or EDR. </p> <p>In OpenCTI, as we are in a cybersecurity context, <code>Sightings</code> are associated with <code>Indicators</code> of Compromise (IoC) and the notion of \"True positive\" and \"False positive\". </p> <p>It is important to note that Sightings are a type of relationship (not a STIX SDO or STIX SCO), between an Observable and an Entities or Locations.</p> <p>When clicking on the Sightings tab at the top left, you see the list of all the Sightings you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-events/#visualizing-knowledge-associated-with-a-sighting","title":"Visualizing Knowledge associated with a Sighting","text":"<p>When clicking on a <code>Sighting</code> in the list, you land on its Overview tab. As other relationships in the platform, Sighting's overview displays common related metadata, containers, external references, notes and entities linked by the relationship. </p> <p>In addition, this overview displays: - Qualification : if the Sighting is a True Positive or a False Positive - Count : number of times the event has been seen</p>"},{"location":"usage/exploring-events/#observed-data","title":"Observed Data","text":""},{"location":"usage/exploring-events/#general-presentation_2","title":"General presentation","text":"<p><code>Observed Data</code> correspond to an extract from a log that contains Observables. </p> <p>In the MITRE STIX 2.1, the <code>Observed Data</code> SDO is defined as such:</p> <p>Observed Data conveys information about cybersecurity related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means.</p> <p>When clicking on the <code>Observed Data</code> tab at the top left, you see the list of all the <code>Observed Data</code> you have access to, in respect with your allowed marking definitions.</p>"},{"location":"usage/exploring-events/#visualizing-knowledge-associated-with-an-observed-data","title":"Visualizing Knowledge associated with an Observed Data","text":"<p>When clicking on an <code>Observed Data</code> in the list, you land on its Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display a distribution graphs of its related Observables (STIX SCO).</li> <li>Entities : a sortable and filterable list of all Entities (SDO) </li> <li>Observables: a sortable and filterable list of all Observables (SCO) in relation with the Observed Data</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/","title":"Location","text":"<p>OpenCTI's Locations objects provides a comprehensive framework for representing various geographic entities within your threat intelligence data. With five distinct Location object types, you can precisely define regions, countries, areas, cities, and specific positions. This robust classification empowers you to contextualize threats geographically, enhancing the depth and accuracy of your analysis.</p> <p>When you click on \"Locations\" in the left-side bar, you access all the \"Locations\" tabs, visible on the top bar on the left. By default, the user directly access the \"Regions\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Locations</code> section, users can access the following tabs:</p> <ul> <li><code>Regions</code>: very large geographical territories, such as a continent.</li> <li><code>Countries</code>: the world's countries.</li> <li><code>Areas</code>: more or less extensive geographical areas and often not having a very defined limit</li> <li><code>Cities</code>: the world's cities.</li> <li><code>Positions</code>: very precise positions on the globe.</li> </ul>"},{"location":"usage/exploring-locations/#regions","title":"Regions","text":""},{"location":"usage/exploring-locations/#general-presentation","title":"General presentation","text":"<p>Regions encapsulate broader geographical territories, often representing continents or significant parts of continents. Examples include EMEA (Europe, Middle East, and Africa), Asia, Western Europe, and North America. Utilize regions to categorize large geopolitical areas and gain macro-level insights into threat patterns.</p> <p>When clicking on the Regions tab at the top left, you see the list of all the Regions you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-region","title":"Visualizing Knowledge associated with a Region","text":"<p>When clicking on a <code>Region</code> in the list, you land on its Overview tab. For a Region, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the Region.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Region. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Region. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in a Region.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-locations/#countries","title":"Countries","text":""},{"location":"usage/exploring-locations/#general-presentation_1","title":"General presentation","text":"<p>Countries represent individual nations across the world. With this object type, you can specify detailed information about a particular country, enabling precise localization of threat intelligence data. Countries are fundamental entities in geopolitical analysis, offering a focused view of activities within national borders.</p> <p>When clicking on the Countries tab at the top left, you see the list of all the Countries you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-country","title":"Visualizing Knowledge associated with a Country","text":"<p>When clicking on a <code>Country</code> in the list, you land on its Overview tab. For a Country, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the Country.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Country. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Country. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in a Country.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/#areas","title":"Areas","text":""},{"location":"usage/exploring-locations/#general-presentation_2","title":"General presentation","text":"<p>Areas define specific geographical regions of interest, such as the Persian Gulf, the Balkans, or the Caucasus. Use areas to identify unique zones with distinct geopolitical, cultural, or strategic significance. This object type facilitates nuanced analysis of threats within defined geographic contexts.</p> <p>When clicking on the Areas tab at the top left, you see the list of all the Areas you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-an-area","title":"Visualizing Knowledge associated with an Area","text":"<p>When clicking on an <code>Area</code> in the list, you land on its Overview tab. For an Area, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the Area.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Area. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Area. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in an Area.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/#cities","title":"Cities","text":""},{"location":"usage/exploring-locations/#general-presentation_3","title":"General presentation","text":"<p>Cities provide granular information about urban centers worldwide. From major metropolises to smaller towns, cities are crucial in understanding localized threat activities. With this object type, you can pinpoint threats at the urban level, aiding in tactical threat assessments and response planning.</p> <p>When clicking on the Cities tab at the top left, you see the list of all the Cities you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-city","title":"Visualizing Knowledge associated with a City","text":"<p>When clicking on a <code>City</code> in the list, you land on its Overview tab. For a City, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the City.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the City. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the City. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in a City.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/#positions","title":"Positions","text":""},{"location":"usage/exploring-locations/#general-presentation_4","title":"General presentation","text":"<p>Positions represent highly precise geographical points, such as monuments, buildings, or specific event locations. This object type allows you to define exact coordinates, enabling accurate mapping of events or incidents. Positions enhance the granularity of your threat intelligence data, facilitating precise geospatial analysis.</p> <p>When clicking on the Positions tab at the top left, you see the list of all the Positions you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-position","title":"Visualizing Knowledge associated with a Position","text":"<p>When clicking on a <code>Position</code> in the list, you land on its Overview tab. For a Position, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display a map locating the Position.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Position. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Position. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted at a Position.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-observations/","title":"Observations","text":"<p>When you click on \"Observations\" in the left-side bar, you access all the \"Observations\" tabs, visible on the top bar on the left. By default, the user directly access the \"Observables\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Observations</code> section, users can access the following tabs:</p> <ul> <li><code>Observables</code>: An <code>Observable</code> represents an immutable object. Observables can encompass a wide range of entities such as IPv4 addresses, domain names, email addresses, and more.</li> <li><code>Artefacts</code>: In OpenCTI, the <code>Artefacts</code> is a particular Observable. It may contain a file, such as a malware sample.</li> <li><code>Indicators</code>: An <code>Indicator</code> is a detection object. It is defined by a search pattern, which could be expressed in various formats such as STIX, Sigma, YARA, among others.</li> <li><code>Infrastructures</code>: An <code>Infrastructure</code> describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g. C2 servers used as part of an attack, devices or servers that are part of defense, database servers targeted by an attack, etc.).</li> </ul>"},{"location":"usage/exploring-observations/#observables","title":"Observables","text":""},{"location":"usage/exploring-observations/#general-presentation","title":"General presentation","text":"<p>An Observable is a distinct entity from the Indicator within OpenCTI and represents an immutable object. Observables can encompass a wide range of entities such as IPv4 addresses, domain names, email addresses, and more. Importantly, Observables don't inherently imply malicious intent, they can include items like legitimate IP addresses or domains associated with an organization. Additionally, they serve as raw data points without the additional detection context found in Indicators.</p> <p>When clicking on the Observables tab at the top left, you see the list of all the Observables you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-observable","title":"Visualizing Knowledge associated with an Observable","text":"<p>When clicking on an <code>Observable</code> in the list, you land on its Overview tab. For an Observable, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display Indicators composed with the Observable.</li> <li>Knowledge: a tab listing all its relationships and nested objects.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which the <code>Observable</code> (IP, domain name, url, etc.) has been sighted.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-observations/#artefacts","title":"Artefacts","text":""},{"location":"usage/exploring-observations/#general-presentation_1","title":"General presentation","text":"<p>An Artefact is a particular Observable. It may contain a file, such as a malware sample. Files can be uploaded or downloaded in encrypted archives, providing an additional layer of security against potential manipulation of malicious payloads.</p> <p>When clicking on the Artefacts tab at the top left, you see the list of all the Artefacts you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-artefact","title":"Visualizing Knowledge associated with an Artefact","text":"<p>When clicking on an <code>Artefact</code> in the list, you land on its Overview tab. For an Artefact, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to be able to download the attached file.</li> <li>Knowledge: a tab listing all its relationships and nested objects.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which the <code>Artefact</code> has been sighted.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-observations/#indicators","title":"Indicators","text":""},{"location":"usage/exploring-observations/#general-presentation_2","title":"General presentation","text":"<p>An Indicator is a detection object. It is defined by a search pattern, which could be expressed in various formats such as STIX, Sigma, YARA, among others. This pattern serves as a key to identify potential threats within the data. Furthermore, an Indicator includes additional information that enriches its detection context. This information encompasses:</p> <ul> <li>Validity dates: Indicators are accompanied by a time frame, specifying the duration of their relevance, and modeled by the <code>Valid from</code> and <code>Valid until</code> dates.</li> <li>Actionable fields: Linked to the validity dates, the <code>Revoked</code> and <code>Detection</code> fields can be used to sort Indicators for detection purposes.</li> <li>Kill chain phase: They indicate the phase within the cyber kill chain where they are applicable, offering insights into the progression of a potential threat.</li> <li>Types: Indicators are categorized based on their nature, aiding in classification and analysis.</li> </ul> <p>When clicking on the Indicators tab at the top left, you see the list of all the Indicators you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-indicator","title":"Visualizing Knowledge associated with an Indicator","text":"<p>When clicking on an <code>Indicator</code> in the list, you land on its Overview tab. For an Indicator, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display the Observables on which it is based.</li> <li>Knowledge: a tab listing all its relationships.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which the <code>Indicator</code> has been sighted.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-observations/#infrastructures","title":"Infrastructures","text":""},{"location":"usage/exploring-observations/#general-presentation_3","title":"General presentation","text":"<p>An Infrastructure refers to a set of resources, tools, systems, or services employed by a threat to conduct their activities. It represents the underlying framework or support system that facilitates malicious operations, such as the command and control (C2) servers in an attack. Notably, like Observables, an Infrastructure doesn't inherently imply malicious intent. It can also represent legitimate resources affiliated with an organization (e.g. devices or servers that are part of defense, database servers targeted by an attack, etc.).</p> <p>When clicking on the Infrastructures tab at the top left, you see the list of all the Infrastructures you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-infrastructure","title":"Visualizing Knowledge associated with an Infrastructure","text":"<p>When clicking on an <code>Infrastructure</code> in the list, you land on its Overview tab. For an Infrastructure, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display distribution graphs of its related Observable (STIX SCO).</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Infrastructure. Different thematic views are proposed to easily see the threats, the arsenal, the observations, etc. linked to the Infrastructure. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/","title":"Techniques","text":"<p>When you click on \"Techniques\" in the left-side bar, you access all the \"Techniques\" tabs, visible on the top bar on the left. By default, the user directly access the \"Attack pattern\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Techniques</code> section, users can access the following tabs:</p> <ul> <li><code>Attack pattern</code>: attacks pattern used by the threat actors to perform their attacks. By default, OpenCTI is provisionned with attack patterns from MITRE ATT&amp;CK matrices (for CTI) and DISARM matrix (for FIMI).</li> <li><code>Narratives</code>: In OpenCTI, narratives used by threat actors can be represented and linked to other Objects. Narratives are mainly used in the context of disinformation campaigns where it is important to trace which narratives have been and are still used by threat actors.</li> <li><code>Courses of action</code>: A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.</li> <li><code>Data sources</code>: Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, </li> <li><code>Data components</code>: Data components identify specific properties/values of a data source relevant to detecting a given ATT&amp;CK technique or sub-technique.</li> </ul>"},{"location":"usage/exploring-techniques/#attack-pattern","title":"Attack pattern","text":""},{"location":"usage/exploring-techniques/#general-presentation","title":"General presentation","text":"<p>Attacks pattern used by the threat actors to perform their attacks. By default, OpenCTI is provisionned with attack patterns from MITRE ATT&amp;CK matrices and CAPEC (for CTI) and DISARM matrix (for FIMI).</p> <p>In the MITRE STIX 2.1 documentation, an <code>Attack pattern</code> is defined as such :</p> <p>Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is \"spear phishing\": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.</p> <p>When clicking on the Attack pattern tab at the top left, you access the list of all the attack pattern you have access too, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of attack patterns.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-an-attack-pattern","title":"Visualizing Knowledge associated with an Attack pattern","text":"<p>When clicking on an Attack pattern, you land on its Overview tab. For an Attack pattern, the following tabs are accessible:</p> <ul> <li> <p>Overview: Overview of Attack pattern is a bit different as the usual described here. The \"Details\" box is more structured and contains information about:</p> </li> <li> <p>parent or subtechniques (as in the MITRE ATT&amp;CK matrices), </p> </li> <li>related kill chain phases</li> <li>Platform on which the Attack pattern is usable,</li> <li>permission required to apply it</li> <li>Related detection technique</li> <li>Courses of action to mitigate the Attack pattern</li> <li>Data components in which find data to detect the usage of the Attack pattern</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Attack pattern. Different thematic views are proposed to easily see Threat Actors and Intrusion Sets using this techniques, linked incidents, etc.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/#narratives","title":"Narratives","text":""},{"location":"usage/exploring-techniques/#general-presentation_1","title":"General presentation","text":"<p>In OpenCTI, narratives used by threat actors can be represented and linked to other Objects. Narratives are mainly used in the context of disinformation campaigns where it is important to trace which narratives have been and are still used by threat actors.</p> <p>An example of Narrative can be \"The country A is weak and corrupted\" or \"The ongoing operation aims to free people\". </p> <p>Narrative can be a mean in the context of a more broad attack or the goal of the operation, a vision to impose.</p> <p>When clicking on the Narrative tab at the top left, you access the list of all the Narratives you have access too, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of narratives.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-a-narrative","title":"Visualizing Knowledge associated with a Narrative","text":"<p>When clicking on a Narrative, you land on its Overview tab. For a Narrative, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Narratives. Different thematic views are proposed to easily see the Threat actors and Intrusion Set using the Narrative, etc. </li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/#courses-of-action","title":"Courses of action","text":""},{"location":"usage/exploring-techniques/#general-presentation_2","title":"General presentation","text":"<p>In the MITRE STIX 2.1 documentation, an <code>Course of action</code> is defined as such :</p> <p>A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.</p> <p>When clicking on the <code>Courses of action</code> tab at the top left, you access the list of all the Courses of action you have access too, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of course of action.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-a-course-of-action","title":"Visualizing Knowledge associated with a Course of action","text":"<p>When clicking on a <code>Course of Action</code>, you land on its Overview tab. For a Course of action, the following tabs are accessible:</p> <ul> <li>Overview: Overview of Course of action is a bit different as the usual described here. In \"Details\" box, mitigated attack pattern are listed.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Narratives. Different thematic views are proposed to easily see the Threat actors and Intrusion Set using the Narrative, etc. </li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/#data-sources-data-components","title":"Data sources &amp; Data components","text":""},{"location":"usage/exploring-techniques/#general-presentation_3","title":"General presentation","text":"<p>In the MITRE ATT&amp;CK documentation, <code>Data sources</code> are defined as such :</p> <p>Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, which identify specific properties/values of a data source relevant to detecting a given ATT&amp;CK technique or sub-technique.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-a-data-source-or-a-data-components","title":"Visualizing Knowledge associated with a Data source or a Data components","text":"<p>When clicking on a <code>Data source</code> or a <code>Data component</code>, you land on its Overview tab. For a Course of action, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-threats/","title":"Threats","text":"<p>When you click on \"Threats\" in the left-side bar, you access all the \"Threats\" tabs, visible on the top bar on the left. By default, the user directly access the \"Threat Actor (Group)\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Threats</code> section, users can access the following tabs:</p> <ul> <li><code>Threat actors (Group)</code>: Threat actor (Group) represents a physical group of attackers operating an Intrusion set, using malware and attack infrastructure, etc.</li> <li><code>Threat actors (Indvidual)</code>: Threat actor (Individual) represents a real attacker that can be described by physical and personal attributes and motivations. Threat actor (Individual) operates Intrusion set, uses malware and infrastructure, etc.</li> <li><code>Intrusion sets</code>: Intrusion set is an important concept in Cyber Threat Intelligence field. It is a consistent set of technical and non-technical elements corresponding of what, how and why a Threat actor acts. it is particularly useful for associating multiple attacks and malicious actions to a defined Threat, even without sufficient information regarding who did them. Often, with you understanding of the threat growing, you will link an Intrusion set to a Threat actor (either a Group or an Individual).</li> <li><code>Campaigns</code>: Campaign represents a series of attacks taking place in a certain period of time and/or targeting a consistent subset of Organization/Individual.</li> </ul>"},{"location":"usage/exploring-threats/#threat-actors-group-and-individual","title":"Threat actors (Group and Individual)","text":""},{"location":"usage/exploring-threats/#general-presentation","title":"General presentation","text":"<p>Threat actors are the humans who are building, deploying and operating intrusion sets. A threat actor can be an single individual or a group of attackers (who may be composed of individuals). A group of attackers may be a state-nation, a state-sponsored group, a corporation, a group of hacktivists, etc. </p> <p>Beware, groups of attackers might be modelled as \"Intrusion sets\" in feeds, as there is sometimes a misunderstanding in the industry between group of people and the technical/operational intrusion set they operate.</p> <p></p> <p>When clicking on the Threat actor (Group or Individual) tabs at the top left, you see the list of all the groups of Threat actors or Individual Threat actors you have access to, in respect with your allowed marking definitions. These groups or individual are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, malware they used, countries and industries they target, labels. You can then search and filter on some common and specific attributes of Threat actors.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p>"},{"location":"usage/exploring-threats/#demographic-and-biographic-information","title":"Demographic and Biographic Information","text":"<p>Individual Threat actors have unique properties to represent demographic and biographic information. Currently tracked demographics include their countries of residence, citizenships, date of birth, gender, and more.</p> <p></p> <p>Biographic information includes their eye and hair color, as well as known heights and weights.</p> <p></p> <p>An Individual Threat actor can also be tracked as employed by an Organization or a Threat Actor group. This relationship can be set under the knowledge tab.</p>"},{"location":"usage/exploring-threats/#visualizing-knowledge-associated-with-a-threat-actor","title":"Visualizing Knowledge associated with a Threat actor","text":"<p>When clicking on a Threat actor Card, you land on its Overview tab. For a Threat actor, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Threat actor. Different thematic views are proposed to easily see the victimology, arsenal and techniques used by the Threat actor, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-threats/#intrusion-sets","title":"Intrusion Sets","text":"<p>An intrusion set is a consistent group of technical elements such as \"tactics, technics and procedures\" (TTP), tools, malware and infrastructure used by a threat actor against one or a number of victims who are usually sharing some characteristics (field of activity, country or region) to reach a similar goal whoever the victim is. The intrusion set may be deployed once or several times and may evolve with time. Several intrusion sets may be linked to one threat actor. All the entities described below may be linked to one intrusion set. There are many debates in the Threat Intelligence community on how to define an intrusion set and how to distinguish several intrusion sets with regards to:</p> <ul> <li>their differences</li> <li>their evolutions</li> <li>the possible reuse</li> <li>\"false flag\" type of attacks</li> </ul> <p>As OpenCTI is very customizable, each organization or individual may use these categories as they wish. Instead, it is also possible to use the import feed for the choice of categories.</p> <p></p> <p>When clicking on the Intrusion set tab on the top left, you see the list of all the Intrusion sets you have access to, in respect with your allowed marking definitions. These intrusion sets are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, malware they used, countries and industries they target, labels. You can then search and filter on some common and specific attributes of Intrusion set.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p>"},{"location":"usage/exploring-threats/#visualizing-knowledge-associated-with-an-intrusion-set","title":"Visualizing Knowledge associated with an Intrusion set","text":"<p>When clicking on an Intrusion set Card, you land on its Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Intrusion Set. Different thematic views are proposed to easily see the victimology, arsenal and techniques used by the Intrusion Set, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-threats/#campaigns","title":"Campaigns","text":"<p>A campaign can be defined as \"a series of malicious activities or attacks (sometimes called a \"wave of attacks\") taking place within a limited period of time, against a defined group of victims, associated to a similar intrusion set and characterized by the use of one or several identical malware towards the various victims and common TTPs\". However, a campaign is an investigation element and may not be widely recognized. Thus, a provider might define a series of attacks as a campaign and another as an intrusion set. Campaigns can be attributed to an Intrusion set.</p> <p></p> <p>When clicking on the Campaign tab on the top left, you see the list of all the Campaigns you have access to, in respect with your allowed marking definitions. These campaigns are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, malware used, countries and industries they target, labels. You can then search and filter on some common and specific attributes of Campaigns.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p>"},{"location":"usage/exploring-threats/#visualizing-knowledge-associated-with-a-campaign","title":"Visualizing Knowledge associated with a Campaign","text":"<p>When clicking on an Campaign Card, you land on its Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Campaign. Different thematic views are proposed to easily see the victimology, arsenal and techniques used in the context of the Campaign. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/export/","title":"Manual export","text":""},{"location":"usage/export/#introduction","title":"Introduction","text":"<p>With the OpenCTI platform, you can manually export your intelligence content in the following formats:</p> <ul> <li>JSON,</li> <li>CSV,</li> <li>PDF,</li> <li>TXT.</li> </ul> <p></p>"},{"location":"usage/export/#export-in-structured-or-document-format","title":"Export in structured or document format","text":""},{"location":"usage/export/#generate-an-export","title":"Generate an export","text":"<p>To export one or more entities you have two possibilities. First you can click on the button \"Open export panel\". The list of pre-existing exports will open, and in the bottom right-hand corner you can configure and generate a new export.</p> <p></p> <p>This opens the export settings panel, where you can customize your export according to three fields:</p> <ul> <li>desired export format (text/csv, application/pdf, application/vnd.oasis.stix+json, text/plain)</li> <li>export type (simple or full),</li> <li>the max marking definition level of the elements in the entity to be exported (a TLP level, for instance).</li> </ul> <p></p> <p>The second way is to click directly on the \"Generate an Export\" button to export the content of an entity in the desired format. The same settings panel will open.</p> <p></p>"},{"location":"usage/export/#export-possibilities","title":"Export possibilities","text":"<p>All entities in your instance can be exported either directly via Generate Export or indirectly via Export List in .json and .csv formats.</p>"},{"location":"usage/export/#export-a-list-entities","title":"Export a list entities","text":"<p>You have the option to export either a single element, such as a report, or a collection of elements, such as multiple reports. These exports may contain not only the entity itself but also related elements, depending on the type of export you select: \"simple\" or \"full\". See the Export types (simple and full) section.</p> <p>You can also choose to export a list of entities within a container. To do so, go to the container's entities tab. For example, for a report, if you only want to retrieve entity type attack pattern and indicators to design a detection strategy, go to the entities tab and select specific elements for export.</p> <p></p> <p></p>"},{"location":"usage/export/#export-types-simple-and-full","title":"Export types (simple and full)","text":"<p>When you wish to export only the content of a specific entity such as a report, you can choose a \"simple\" export type.</p> <p>If you also wish to export associated content, you can choose a \"full\" export. With this type of export, the entity will be exported along with all entities directly associated with the central one (first neighbors).</p> <p></p>"},{"location":"usage/export/#exports-list-panel","title":"Exports list panel","text":"<p>Once an export has been created, you can find it in the export list panel. Simply click on a particular export to download it.</p> <p>You can also generate a new export directly from the Exports list, as explained in the Generate an export section.</p> <p></p>"},{"location":"usage/feeds/","title":"Native feeds","text":"<p>OpenCTI provides versatile mechanisms for sharing data through its built-in feeds, including Live streams, TAXII collections, and CSV feeds.</p>"},{"location":"usage/feeds/#feed-configuration","title":"Feed configuration","text":"<p>Feeds are configured in the \"Data &gt; Data sharing\" window. Configuration for all feed types is uniform and relies on the following parameters:</p> <ul> <li>Filter setup: The feed can have specific filters to publish only a subset of the platform overall knowledge. Any data that meets the criteria established by the user's feed filters will be shared (e.g. specific types of entities, labels, marking definitions, etc.).</li> <li>Access control: A feed can be either public, i.e. accessible without authentication, or restricted. By default, it's accessible to any user with the \"Access data sharing\" capability, but it's possible to increase restrictions by limiting access to a specific user, group, or organization.</li> </ul> <p></p> <p>By carefully configuring filters and access controls, you can tailor the behavior of Live streams, TAXII collections, and CSV feeds to align with your specific data-sharing needs.</p>"},{"location":"usage/feeds/#live-streams","title":"Live streams","text":""},{"location":"usage/feeds/#introduction","title":"Introduction","text":"<p>Live streams, an exclusive OpenCTI feature, increase the capacity for real-time data sharing by serving STIX 2.1 bundles as TAXII collections with advanced capabilities. What distinguishes them is their dynamic nature, which includes the creation, updating, and deletion of data. Unlike TAXII, Live streams comprehensively resolve relationships and dependencies, ensuring a more nuanced and interconnected exchange of information. This is particularly beneficial in scenarios where sharing involves entities with complex relationships, providing a richer context for the shared data.</p> <p>In scenarios involving data sharing between two OpenCTI platforms, Live streams emerge as the preferred mechanism. These streams operate like TAXII collections but are notably enhanced, supporting:</p> <ul> <li>create, update and delete events depending on the parameters,</li> <li>caching already created entities in the last 5 minutes,</li> <li>resolving relationships and dependencies even out of the filters,</li> <li>can be public (without authentication).</li> </ul> <p></p> <p>Resolve relationships and dependencies</p> <p>Dependencies and relationships of entities shared via Live streams, as determined by specified filters, are automatically shared even beyond the confines of these filters. This means that interconnected data, which may not directly meet the filter criteria, is still included in the Live stream. However, OpenCTI data segregation mechanisms are still applied. They allow to restrict access to shared data based on factors such as markings or organization. It's imperative to carefully configure and manage these access controls to ensure that no confidential data is shared.</p>"},{"location":"usage/feeds/#illustrative-scenario","title":"Illustrative scenario","text":"<p>To better understand how live streams are working, let's take a few examples, from simple to complex.</p> <p>Given a live stream with filters Entity type: Indicator <code>AND</code> Label: detection. Let's see what happens with an indicator with:</p> <ul> <li>Marking definition: <code>TLP:GREEN</code></li> <li>Author <code>Crowdstrike</code></li> <li>Relation <code>indicates</code> to the malware <code>Emotet</code></li> </ul> Action Result in stream (with <code>Avoid dependencies resolution=true</code>) Result in stream (with <code>Avoid dependencies resolution=false</code>) 1. Create an indicator Nothing Nothing 2. Add the label <code>detection</code> Create <code>TLP:GREEN</code>, create <code>CrowdStrike</code>, create the indicator Create <code>TLP:GREEN</code>, create <code>CrowdStrike</code>, create the malware <code>Emotet</code>, create the indicator, create the relationship <code>indicates</code> 3. Remove the label <code>detection</code> Delete the indicator Delete the indicator and the relationship 4. Add the label <code>detection</code> Create the indicator Create the indicator, create the relationship <code>indicates</code> 5. Delete the indicator Delete the indicator Delete the indicator  and the relationship <p>Details on how to consume these Live streams can be found on the dedicated page.</p>"},{"location":"usage/feeds/#taxii-collections","title":"TAXII Collections","text":"<p>OpenCTI has an embedded TAXII API endpoint which provides valid STIX 2.1 bundles. If you wish to know more about the TAXII standard, please read the official introduction.</p> <p>In OpenCTI you can create as many TAXII 2.1 collections as needed. </p> <p></p> <p>After creating a new collection, every system with a proper access token can consume the collection using different kinds of authentication (basic, bearer, etc.). </p> <p>As when using the GraphQL API, TAXII 2.1 collections have a classic pagination system that should be handled by the consumer. Also, it's important to understand that element dependencies (nested IDs) inside the collection are not always contained/resolved in the bundle, so consistency needs to be handled at the client level.</p>"},{"location":"usage/feeds/#csv-feeds","title":"CSV feeds","text":"<p>The CSV feed facilitates the automatic generation of a CSV file, accessible via a URL. The CSV file is regenerated and updated at user-defined intervals, providing flexibility.</p> <p></p>"},{"location":"usage/getting-started/","title":"Getting started","text":"<p>This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threats management use cases from a technical to a more strategic level. OpenCTI has been designed as a knowledge graph, taking inputs (threat intelligence feeds, sightings &amp; alerts, vulnerabilities, assets, artifacts, etc.) and generating outputs based on built-in capabilities and / or connectors.</p> <p>Here are some examples of use cases:</p> <ul> <li>Cyber Threat Intelligence knowledge base</li> <li>Detection as code feeds for XDR, EDR, SIEMs, firewalls, proxies, etc.</li> <li>Incident response artifacts &amp; cases management</li> <li>Vulnerabilities management</li> <li>Reporting, alerting and dashboarding on a subset of data</li> </ul> <p></p> <p></p>"},{"location":"usage/getting-started/#welcome-dashboard","title":"Welcome dashboard","text":"<p>The welcome gives any visitor on the OpenCTI platform an outlook on the live of the platform. It can be replaced by a custom dashboard, created by a user (or the default dashboard in a role, a group or an organization).</p> <p></p>"},{"location":"usage/getting-started/#indicators-in-the-dashboard","title":"Indicators in the dashboard","text":""},{"location":"usage/getting-started/#numbers","title":"Numbers","text":"Component Description Total entities Number of entities (<code>threat actor</code>, <code>intrusion set</code>, <code>indicator</code>, etc.). Total relationships Number of relationships (<code>targets</code>, <code>uses</code>, <code>indicates</code>, etc.). Total reports Number of reports. Total observables Number of observables (<code>IPv4-Addr</code>, <code>File</code>, etc.)."},{"location":"usage/getting-started/#charts-lists","title":"Charts &amp; lists","text":"Component Description Top labels Top labels given to entities during the last 3 months. Ingested entities Number of entities ingested by month. Top 10 active entities List of the entities with the greatest number of relations over the last 3 months. Targeted countries Intensity of the targeting tied to the number of relations <code>targets</code> for a given country. Observable distribution Distribution of the number of observables by type. Last ingested reports Last reports ingested in the platform."},{"location":"usage/import-automated/","title":"Automated import","text":"<p>Automated imports in OpenCTI streamline the process of data ingestion, allowing users to effortlessly bring in valuable intelligence from diverse sources. This page focuses on the automated methods of importing data, which serve as bridges between OpenCTI and diverse external systems, formatting it into a STIX bundle, and importing it into the OpenCTI platform.</p>"},{"location":"usage/import-automated/#connectors","title":"Connectors","text":"<p>Connectors in OpenCTI serve as dynamic gateways, facilitating the import of data from a wide array of sources and systems. Every connector is designed to handle specific data types and structures of the source, allowing OpenCTI to efficiently ingest the data.</p>"},{"location":"usage/import-automated/#connector-behaviors","title":"Connector behaviors","text":"<p>The behavior of each connector is defined by its development, determining the types of data it imports and its configuration options. This flexibility allows users to customize the import process to their specific needs, ensuring a seamless and personalized data integration experience.</p> <p>The level of configuration granularity regarding the imported data type varies with each connector. Nevertheless, connectors empower users to specify the date from which they wish to fetch data. This capability is particularly useful during the initial activation of a connector, enabling the retrieval of historical data. Following this, the connector operates in real-time, continuously importing new data from the source.</p>"},{"location":"usage/import-automated/#connector-ecosystem","title":"Connector Ecosystem","text":"<p>OpenCTI's connector ecosystem covers a broad spectrum of sources, enhancing the platform's capability to integrate data from various contexts, from threat intelligence providers to specialized databases. The list of available connectors can be found in our connectors catalog. Connectors are categorized into three types: import connectors (the focus here), enrichment connectors, and stream consumers. Further documentation on connectors is available on the dedicated documentation page.</p> <p>In summary, automated imports through connectors empower OpenCTI users with a scalable, efficient, and customizable mechanism for data ingestion, ensuring that the platform remains enriched with the latest and most relevant intelligence.</p>"},{"location":"usage/import-automated/#native-automated-import","title":"Native automated import","text":"<p>In OpenCTI, the \"Data &gt; Ingestion\" section provides users with built-in functions for automated data import. These functions are designed for specific purposes and can be configured to seamlessly ingest data into the platform. Here, we'll explore the configuration process for the three built-in functions: Live Streams, TAXII Feeds, and RSS Feeds.</p>"},{"location":"usage/import-automated/#live-streams","title":"Live streams","text":"<p>Live Streams enable users to consume data from another OpenCTI platform, fostering collaborative intelligence sharing. Here's a step-by-step guide to configure Live streams synchroniser:</p> <ol> <li>Remote OpenCTI URL: Provide the URL of the remote OpenCTI platform (e.g., <code>https://[domain]</code>; don't include the path).</li> <li>Remote OpenCTI token: Provide the user token. An administrator from the remote platform must supply this token, and the associated user must have the \"Access data sharing\" privilege.</li> <li>After filling in the URL and user token, validate the configuration.</li> <li>Once validated, select a live stream to which you have access.</li> </ol> <p></p> <p>Additional configuration options:</p> <ul> <li>User responsible for data creation: Define the user responsible for creating data received from this stream. Best practice is to dedicate one user per source for organizational clarity. Please see the section \"Best practices\" below for more information.</li> <li>Starting synchronization: Specify the date of the oldest data to retrieve. Leave the field empty to import everything.</li> <li>Take deletions into account: Enable this option to delete data from your platform if it was deleted on the providing stream. (Note: Data won't be deleted if another source has imported it previously.)</li> <li>Verify SSL certificate: Check the validity of the certificate of the domain hosting the remote platform.</li> <li>Avoid dependencies resolution: Import only entities without their relationships. For instance, if the stream shares malware, all the malware's relationships will be retrieved by default. This option enables you to choose not to recover them.</li> <li>Use perfect synchronization: This option is specifically for synchronizing two platforms. If an imported entity already exists on the platform, the one from the stream will overwrite it.</li> </ul> <p></p>"},{"location":"usage/import-automated/#taxii-feeds","title":"TAXII feeds","text":"<p>TAXII Feeds in OpenCTI provide a robust mechanism for ingesting TAXII collections from TAXII servers or other OpenCTI instances. Configuring TAXII ingester involves specifying essential details to seamlessly integrate threat intelligence data. Here's a step-by-step guide to configure TAXII ingesters:</p> <ol> <li>TAXII server URL: Provide the root API URL of the TAXII server. For collections from another OpenCTI instance, the URL is in the form <code>https://[domain]/taxii2/root</code>.</li> <li>TAXII collection: Enter the ID of the TAXII collection to be ingested. For collections from another OpenCTI instance, the ID follows the format <code>426e3acb-db50-4118-be7e-648fab67c16c</code>.</li> <li>Authentication type (if necessary): Enter the authentication type. For non-public collections from another OpenCTI instance, the authentication type is \"Bearer token.\" Enter the token of a user with access to the collection (similar to the point 2 of the Live streams configuration above).</li> </ol> <p>Additional configuration options:</p> <ul> <li>User responsible for data creation: Define the user responsible for creating data received from this TAXII feed. Best practice is to dedicate one user per source for organizational clarity. Please see the section \"Best practices\" below for more information.</li> <li>Import from date: Specify the date of the oldest data to retrieve. Leave the field empty to import everything.</li> </ul> <p></p>"},{"location":"usage/import-automated/#rss-feeds","title":"RSS feeds","text":"<p>RSS Feeds functionality enables users to seamlessly ingest items in report form from specified RSS feeds. Configuring RSS Feeds involves providing essential details and selecting preferences to tailor the import process. Here's a step-by-step guide to configure RSS ingesters:</p> <ol> <li>RSS Feed URL: Provide the URL of the RSS feed from which items will be imported.</li> </ol> <p>Additional configuration options:</p> <ul> <li>User responsible for data creation: Define the user responsible for creating data received from this RSS feed. Best practice is to dedicate one user per source for organizational clarity. Please see the section \"Best practices\" below for more information.</li> <li>Import from date: Specify the date of the oldest data to retrieve. Leave the field empty to import everything.</li> <li>Default report types: Indicate the report type to be applied to the imported report.</li> <li>Default author: Indicate the default author to be applied to the imported report. Please see the section \"Best practices\" below for more information.</li> <li>Default marking definitions: Indicate the default markings to be applied to the imported reports.</li> </ul> <p></p> <p></p>"},{"location":"usage/import-automated/#best-practices-for-feed-import","title":"Best practices for feed import","text":"<p>Ensuring a secure and well-organized environment is paramount in OpenCTI. Here are two recommended best practices to enhance security, traceability, and overall organizational clarity:</p> <ol> <li>Create a dedicated user for each source: Generate a user specifically for feed import, following the convention <code>[F] Source name</code> for clear identification. Assign the user to the \"Connectors\" group to streamline user management and permission related to data creation. Please see here for more information on this good practice.</li> <li>Establish a dedicated Organization for the source: Create an organization named after the data source for clear identification. Assign the newly created organization to the \"Default author\" field in feed import configuration if available.</li> </ol> <p>By adhering to these best practices, you ensure independence in managing rights for each import source through dedicated user and organization structures. In addition, you enable clear traceability to the entity's creator, facilitating source evaluation, dashboard creation, data filtering and other administrative tasks.</p>"},{"location":"usage/import-automated/#digest","title":"Digest","text":"<p>Users can streamline the data ingestion process using various automated import capabilities. Each method proves beneficial in specific circumstances.</p> <ul> <li>Connectors act as bridges to retrieve data from diverse sources and format it for seamless ingestion into OpenCTI.</li> <li>Live Streams enable collaborative intelligence sharing across OpenCTI instances, fostering real-time updates and efficient data synchronization.</li> <li>TAXII Feeds provide a standardized mechanism for ingesting threat intelligence data from TAXII servers or other OpenCTI instances.</li> <li>RSS Feeds facilitate the import of items in report form from specified RSS feeds, offering a straightforward way to stay updated on relevant intelligence.</li> </ul> <p>By leveraging these automated import functionalities, OpenCTI users can build a comprehensive, up-to-date threat intelligence database. The platform's adaptability and user-friendly configuration options ensure that intelligence workflows remain agile, scalable, and tailored to the unique needs of each organization.</p>"},{"location":"usage/import-files/","title":"Import from files","text":""},{"location":"usage/import-files/#import-mechanisms","title":"Import mechanisms","text":"<p>The platform provides a seamless process for automatically parsing data from various file formats. This capability is facilitated by two distinct mechanisms.</p> <p>File import connectors: Currently, there are two connectors designed for importing files and automatically identifying entities.</p> <ul> <li><code>ImportFileStix</code>: Designed to handle STIX-structured files (json or xml format).</li> <li><code>ImportDocument</code>: Versatile connector supporting an array of file formats, including pdf, text, html, and markdown.</li> </ul> <p>CSV mappers: The CSV mapper is a tailored functionality to facilitate the import of data stored in CSV files. For more in-depth information on using CSV mappers, refer to the CSV Mappers documentation page.</p> <p></p>"},{"location":"usage/import-files/#usage","title":"Usage","text":""},{"location":"usage/import-files/#locations","title":"Locations","text":"<p>Both mechanisms can be employed wherever file uploads are possible. This includes the \"Data\" tabs of all entities and the dedicated panel named \"Data import and analyst workbenches\" located in the top right-hand corner (database logo with a small gear). Importing files from these two locations is not entirely equal; refer to the \"Relationship handling from entity's Data tab\" section below for details on this matter.</p>"},{"location":"usage/import-files/#entity-identification-process","title":"Entity identification process","text":"<p>For <code>ImportDocument</code> connector, the identification process involves searching for existing entities in the platform and scanning the document for relevant information. In additions, the connector use regular expressions (regex) to detect IP addresses and domains within the document.</p> <p>As for the <code>ImportFileStix</code> connector and the CSV mappers, there is no identification mechanism. The imported data will be, respectively, the data defined in the STIX bundle or according to the configuration of the CSV mapper used.</p>"},{"location":"usage/import-files/#workflow-overview","title":"Workflow overview","text":"<ol> <li>Upload file: Navigate to the desired location, such as the \"Data\" tabs of an entity or the \"Data import and analyst workbenches\" panel. Then, upload the file containing the relevant data by clicking on the small cloud with the arrow inside next to \"Uploaded files\".</li> <li>Entity identification: For a CSV file, select the connector and CSV mapper to be used by clicking on the icon with an upward arrow in a circle. If it's not a CSV file, the connector will launch automatically. Then, the file import connectors or CSV mappers will identify entities within the uploaded document.</li> <li>Workbench review and validation: Entities identified by connectors are not immediately integrated into the platform's knowledge base. Instead, they are thoughtfully placed in a workbench, awaiting review and validation by an analyst. Workbenches function as draft spaces, ensuring that no data is officially entered into the platform until the workbench has undergone the necessary validation process. For more information on workbenches, refer to the Analyst workbench documentation page.</li> </ol> <p>Review workbenches</p> <p>Import connectors may introduce errors in identifying object types or add \"unknown\" entities. Workbenches were established with the intent of reviewing the output of connectors before validation. Therefore, it is crucial to be vigilant when examining the workbench to prevent the import of incorrect data into the platform.</p> <p></p>"},{"location":"usage/import-files/#additional-information","title":"Additional information","text":""},{"location":"usage/import-files/#no-workbench-for-csv-mapper","title":"No workbench for CSV mapper","text":"<p>It's essential to note that CSV mappers operate differently from other import mechanisms. Unlike connectors, CSV mappers do not generate workbenches. Instead, the data identified by CSV mappers is imported directly into the platform without an intermediary workbench stage.</p>"},{"location":"usage/import-files/#relationship-handling-from-entitys-data-tab","title":"Relationship handling from entity's \"Data\" tab","text":"<p>When importing a document directly from an entity's \"Data\" tab, there can be an automatic addition of relationships between the objects identified by connectors and the entity in focus. The process differs depending on the type of entity in which the import occurs:</p> <ul> <li>If the entity is a container (e.g., Report, Grouping, and Cases), the identified objects in the imported file will be linked to the entity (upon workbench validation). In the context of a container, the object is said to be \"contained\".</li> <li>For entities that are not containers, a distinct behavior unfolds. In this scenario, the identified objects are not linked to the entity, except for Observables. <code>Related to</code> relationships between the Observables and the entity are automatically added to the workbench and created after validation of this one.</li> </ul>"},{"location":"usage/import-files/#file-import-in-content-tab","title":"File import in Content tab","text":"<p>Expanding the scope of file imports, users can seamlessly add files in the <code>Content</code> tab of Analyses or Cases. In this scenario, the file is directly added as an attachment without utilizing an import mechanism.</p>"},{"location":"usage/import-files/#user-capability-requirement","title":"User capability requirement","text":"<p>In order to initiate file imports, users must possess the requisite capability: \"Upload knowledge files.\" This capability ensures that only authorized users can contribute and manage knowledge files within the OpenCTI platform, maintaining a controlled and secure environment for data uploads.</p> <p>Deprecation warning</p> <p>Using the <code>ImportDocument</code> connector to parse CSV file is now disallowed as it produces inconsistent results. Please configure and use CSV mappers dedicated to your specific CSV content for a reliable parsing. CSV mappers can be created and configured in the administration interface.   </p>"},{"location":"usage/indicators-lifecycle/","title":"Indicators Lifecycle Management","text":""},{"location":"usage/indicators-lifecycle/#introduction","title":"Introduction","text":"<p>OpenCTI enforces strict rules to determine the period during which an indicator is effective for usage. This period is defined by the <code>valid_from</code> and <code>valid_until</code> dates. All along its lifecycle, the indicator <code>score</code> will decrease according to configured decay rules. After the indicator expires, the object is marked as <code>revoked</code> and the <code>detection</code> field is automatically set to <code>false</code>. Here, we outline how these dates are calculated within the OpenCTI platform and how the score is updated with decay rules.</p>"},{"location":"usage/indicators-lifecycle/#setting-validity-dates","title":"Setting validity dates","text":""},{"location":"usage/indicators-lifecycle/#data-source-provided-the-dates","title":"Data source provided the dates","text":"<p>If a data source provides <code>valid_from</code> and <code>valid_until</code> dates when creating an indicator on the platform, these dates are used without modification. But, if the creation is performed from the UI and the indicator is elligible to be manages by a decay rule, the platform will change this valid_until with the one calculated by the Decay rule.</p>"},{"location":"usage/indicators-lifecycle/#fallback-rules-for-unspecified-dates","title":"Fallback rules for unspecified dates","text":"<p>If a data source does not provide validity dates, OpenCTI applies the decay rule matching the indicator to determine these dates. The <code>valid_until</code> date is computed based on the revoke score of the decay rule : it is set at the exact time at which the indicator will reach the revoke score. Past <code>valid_until</code> date, the indicator is marked as revoked.</p>"},{"location":"usage/indicators-lifecycle/#score-decay","title":"Score decay","text":"<p>Indicators have an initial score at creation, either provided by data source, or 50 by default. Over time, this score is going to decrease according to the configured decay rules. Score is updated at each reaction point defined for the decay rule matching the indicator at creation.</p>"},{"location":"usage/indicators-lifecycle/#example","title":"Example","text":"<p>This URL indicator has matched the <code>Built-in IP and URL</code> decay rule. Its initial score at creation is 100. </p> <p></p> <p>Right next to the indicator score, there is a button <code>Lifecycle</code> which enables to open a dialog to see the details of the indicator's lifecyle.</p> <p></p>"},{"location":"usage/indicators-lifecycle/#conclusion","title":"Conclusion","text":"<p>Understanding how OpenCTI calculates validity periods and scores is essential for effective threat intelligence analysis. These rules ensure that your indicators are accurate and up-to-date, providing a reliable foundation for threat intelligence data.</p>"},{"location":"usage/inferences/","title":"Inferences and reasoning","text":""},{"location":"usage/inferences/#overview","title":"Overview","text":"<p>OpenCTI\u2019s inferences and reasoning capability is a robust engine that automates the process of relationship creation within your threat intelligence data. This capability, situated at the core of OpenCTI, allows logical rules to be applied to existing relationships, resulting in the automatic generation of new, pertinent connections.</p>"},{"location":"usage/inferences/#understanding-inferences-and-reasoning","title":"Understanding inferences and reasoning","text":"<p>Inferences and reasoning serve as OpenCTI\u2019s intelligent engine. It interprets your data logically. By activating specific predefined rules (of which there are around twenty), OpenCTI can deduce new relationships from the existing ones. For instance, if there's a connection indicating an Intrusion Set targets a specific country, and another relationship stating that this country is part of a larger region, OpenCTI can automatically infer that the Intrusion Set also targets the broader region.</p>"},{"location":"usage/inferences/#key-benefits","title":"Key benefits","text":"<ul> <li>Efficiency: Reduces manual workload by automating relationship creation, saving valuable analyst time.</li> <li>Completeness: Fills relationship gaps, ensuring a comprehensive and interconnected threat intelligence database.</li> <li>Accuracy: Minimizes manual input errors by deriving relationships from predefined, accurate logic.</li> </ul>"},{"location":"usage/inferences/#how-it-operates","title":"How it operates","text":"<p>When you activate an inference rule, OpenCTI continuously analyzes your existing relationships and applies the defined logical rules. These rules are logical statements that define conditions for new relationships. When the set of conditions is met, the OpenCTI creates the corresponding relationship automatically.</p> <p>For example, if you activate a rule as follows:</p> <p>IF [Entity A targets Identity B] AND [Identity B is part of Identity C] THEN [Entity A targets Identity C]</p> <p>OpenCTI will apply this rule to existing data. If it finds an Intrusion Set (\"Entity A\") targeting a specific country (\"Identity B\") and that country is part of a larger region (\"Identity C\"), the platform will automatically establish a relationship between the Intrusion Set and the region.</p>"},{"location":"usage/inferences/#identifying-inferred-relationships","title":"Identifying inferred relationships","text":"<p>In the knowledge graphs: Inferred relationships are represented by dotted lines of a different color, distinguishing them from non-inferred relations.</p> <p></p> <p>In the lists: In a relationship list, a magic wand icon at the end of the line indicates relationship created by inference.</p> <p></p>"},{"location":"usage/inferences/#additional-resources","title":"Additional resources","text":"<ul> <li>Administration: To find out about existing inference rules and enable/disable them, refer to the Rules engine page in the Administration section of the documentation.</li> <li>Playbooks: OpenCTI playbooks are highly customizable automation scenarios. This seamless integration allows for further automation, making your threat intelligence processes even more efficient and tailored to your specific needs. More information in our blog post</li> </ul>"},{"location":"usage/manual-creation/","title":"Manual creations","text":"<p>Manual data creation in OpenCTI is an intuitive process that occurs throughout the platform. This page provides guidance on two key aspects of manual creation: Entity creation and Relationship creation.</p>"},{"location":"usage/manual-creation/#entity-creation","title":"Entity creation","text":"<p>To create an entity:</p> <ol> <li>Navigate to the relevant section: Be on the section of the platform related to the object type you want to create.</li> <li>Click on the \"+\" icon: Locate the \"+\" icon located at the bottom right of the window. </li> <li>Fill in entity-specific fields: A form on the right side of the window will appear, allowing to fill in specific fields of the entity. Certain fields are inherently obligatory, and administrators have the option to designate additional mandatory fields (See here for more information). </li> <li>Click on \"Create\": Once you've filled in the desired fields, click on \"create\" to initiate the entity creation process.</li> </ol> <p></p>"},{"location":"usage/manual-creation/#relationship-creation","title":"Relationship creation","text":"<p>Before delving into the creation of relationships between objects in OpenCTI, it's crucial to grasp some foundational concepts. Here are key points to understand:</p> <ul> <li>On several aspects, including relationships, two categories of objects must be differentiated: containers (e.g., Reports, Groupings, and Cases) and others. Containers aren't related to but contains objects.</li> <li>Relationships, like all other entities, are objects. They possess fields, can be linked, and share characteristics identical to other entities.</li> <li>Relationships are inherently directional, comprising a \"from\" entity and a \"to\" entity. Understanding this directionality is essential for accurate relationship creation.</li> <li>OpenCTI supports various relationship types, and their usage depends on the entity types being linked. For example, a \"target\" relationship might link malware to an organization, while linking malware to an intrusion set might involve a different relationship type.</li> </ul> <p>Now, let\u2019s explore the process of creating relationships. To do this, we will differentiate the case of containers from the others. </p>"},{"location":"usage/manual-creation/#for-container","title":"For container","text":"<p>When it comes to creating relationships within containers in OpenCTI, the process is straightforward. Follow these steps to attach objects to a container:</p> <ol> <li>Navigate to the container: Go to the specific container to which you want to attach an object. This could be a Report, Grouping, or Cases.</li> <li>Access the \"Entities\" tab: Within the container, locate and access the \"Entities\" tab.</li> <li>Click on the \"+\" icon: Find the \"+\" icon located at the bottom right of the window. </li> <li>Search for entities: A side window will appear. Search for the entities you want to add to the container. </li> <li>Add entities to the container: Click on the desired entities. They will be added directly to the container.</li> </ol>"},{"location":"usage/manual-creation/#for-other","title":"For other","text":"<p>When creating relationships not involving a container, the creation method is distinct. Follow these steps to create relationships between entities:</p> <ol> <li>Navigate to one of the entities: Go to one of the entities you wish to link. Please be aware that the entity from which you create the relationship will be designated as the \"from\" entity for that relationship. So the decision of which entity to choose for creating the relationship should be considered, as it will impact the outcome. </li> <li>Access the \"Knowledge\" tab: Within the entity, go to the \"Knowledge\" tab.</li> <li>Select the relevant categories: In the right banner, navigate to the categories that correspond to the object to be linked. The available categories depend on the type of entity you are currently on. For example, if you are on malware and want to link to a sector, choose \"victimology.\"</li> <li>Click on the \"+\" icon: Find the \"+\" icon located at the bottom right of the window. </li> <li>Search for entities: A side window will appear. Search for the entities you want to link.</li> <li>Add entities and click on \"Continue\": Click on the entities you wish to link. Multiple entities can be selected. Then click on \"Continue\" at the bottom right. </li> <li>Fill in the relationship form: As relationships are objects, a creation form similar to creating an entity will appear. </li> <li>Click on \"Create\": Once you've filled in the desired fields, click on \"create\" to initiate the relationship creation process.</li> </ol> <p></p>"},{"location":"usage/manual-creation/#additional-methods","title":"Additional methods","text":"<p>While the aforementioned methods are primary for creating entities and relationships, OpenCTI offers versatility, allowing users to create objects in various locations within the platform. Here's a non-exhaustive list of additional places that facilitate on-the-fly creation:</p> <ul> <li>Creating entities during relationship creation: During the \"Search for entities\" phase (see above) of the relationship creation process, click on the \"+\" icon to create a new entity directly.</li> <li>Knowledge graph: Within the knowledge graph - found in the knowledge tab of the containers or in the investigation functionality - users can seamlessly create entities or relationships.</li> <li>Inside a workbench: The workbench serves as another interactive space where users can create entities and relationships efficiently.</li> </ul> <p>These supplementary methods offer users flexibility and convenience, allowing them to adapt their workflow to various contexts within the OpenCTI platform. As users explore the platform, they will naturally discover additional means of creating entities and relationships.</p> <p>Max confidence level</p> <p>When creating knowledge in the platform, the maximum confidence level of the users is used. Please navigate to this page to understand this concept and the impact it can have on the knowledge creation.</p>"},{"location":"usage/merging/","title":"Merge objects","text":""},{"location":"usage/merging/#introduction","title":"Introduction","text":"<p>OpenCTI\u2019s merge capability stands as a pivotal tool for optimizing threat intelligence data, allowing to consolidate multiple entities of the same type. This mechanism serves as a powerful cleanup tool, harmonizing the platform and unifying scattered information. In this section, we explore the significance of this feature, the process of merging entities, and the strategic considerations involved.</p>"},{"location":"usage/merging/#data-streamlining","title":"Data streamlining","text":"<p>In the ever-expanding landscape of threat intelligence and the multitude of names chosen by different data sources, data cleanliness is essential. Duplicates and fragmented information hinder efficient analysis. The merge capability is a strategic solution for amalgamating related entities into a cohesive unit. Central to the merging process is the selection of a main entity. This primary entity becomes the anchor, retaining crucial attributes such as name and description. Other entities, while losing specific fields like descriptions, are aliased under the primary entity. This strategic decision preserves vital data while eliminating redundancy.</p>"},{"location":"usage/merging/#preserving-entity-relationships","title":"Preserving entity relationships","text":"<p>One of the key feature of the merge capability is its ability to preserve relationships. While merging entities, their interconnected relationships are not lost. Instead, they seamlessly integrate into the new, merged entity. This ensures that the intricate web of relationships within the data remains intact, fostering a comprehensive understanding of the threat landscape.</p>"},{"location":"usage/merging/#conclusion","title":"Conclusion","text":"<p>OpenCTI\u2019s merge capability helps improve the quality of threat intelligence data. By consolidating entities and centralizing relationships, OpenCTI empowers analysts to focus on insights and strategies, unburdened by data silos or fragmentation. However, exercising caution and foresight in the merging process is essential, ensuring a robust and streamlined knowledge basis.</p>"},{"location":"usage/merging/#additional-resources","title":"Additional resources","text":"<ul> <li>Administration: To understand how to merge entities and the consideration to take into account, refer to the Merging page in the Administration section of the documentation.</li> <li>Deduplication mechanism: the platform is equipped with deduplication processes that automatically merge data at creation (either manually or by importing data from different sources) if it meets certain conditions.</li> </ul>"},{"location":"usage/nested/","title":"Nested references and objects","text":""},{"location":"usage/nested/#stix-standard","title":"STIX standard","text":""},{"location":"usage/nested/#definition","title":"Definition","text":"<p>In the STIX 2.1 standard, objects can:</p> <ol> <li>Refer to other objects in directly in their <code>attributes</code>, by referencing one or multiple IDs.</li> <li>Have other objects directly embedded in the entity.</li> </ol>"},{"location":"usage/nested/#example","title":"Example","text":"<pre><code>{\n   \"type\": \"intrusion-set\",\n   \"spec_version\": \"2.1\",\n   \"id\": \"intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29\",\n   \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\", // nested reference to an identity\n   \"object_marking_refs\": [\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"], // nested reference to multiple marking defintions\n   \"external_references\": [\n      {\n         \"source_name\": \"veris\",\n         \"external_id\": \"0001AA7F-C601-424A-B2B8-BE6C9F5164E7\",\n         \"url\": \"https://github.com/vz-risk/VCDB/blob/125307638178efddd3ecfe2c267ea434667a4eea/data/json/validated/0001AA7F-C601-424A-B2B8-BE6C9F5164E7.json\",    \n      }\n   ],\n   \"created\": \"2016-04-06T20:03:48.000Z\",\n   \"modified\": \"2016-04-06T20:03:48.000Z\",\n   \"name\": \"Bobcat Breakin\",\n   \"description\": \"Incidents usually feature a shared TTP of a bobcat being released within the building containing network access...\",\n   \"aliases\": [\"Zookeeper\"],\n   \"goals\": [\"acquisition-theft\", \"harassment\", \"damage\"]\n}\n</code></pre> <p>In the previous example, we have 2 nested references to other objects in:</p> <pre><code>\"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\", // nested reference to an identity\n\"object_marking_refs\": [\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"], // nested reference to multiple marking defintions\n</code></pre> <p>But we also have a nested object within the entity (an <code>External Reference</code>):</p> <pre><code>\"external_references\": [\n   {\n      \"source_name\": \"veris\",\n      \"external_id\": \"0001AA7F-C601-424A-B2B8-BE6C9F5164E7\",\n      \"url\": \"https://github.com/vz-risk/VCDB/blob/125307638178efddd3ecfe2c267ea434667a4eea/data/json/validated/0001AA7F-C601-424A-B2B8-BE6C9F5164E7.json\",    \n   }\n]\n</code></pre>"},{"location":"usage/nested/#implementation","title":"Implementation","text":""},{"location":"usage/nested/#modelization","title":"Modelization","text":"<p>In OpenCTI, all nested references and objects are modelized as relationships, to be able to pivot more easily on labels, external references, kill chain phases, marking definitions, etc.</p> <p></p>"},{"location":"usage/nested/#import-export","title":"Import &amp; export","text":"<p>When importing and exporting data to/from OpenCTI, the translation between nested references and objects to full-fledged nodes and edges is automated and therefore transparent for the users. Here is an example with the object in the graph above:</p> <pre><code>{\n   \"id\": \"file--b6be3f04-e50f-5220-af3a-86c2ca66b719\",\n   \"spec_version\": \"2.1\",\n   \"x_opencti_description\": \"...\",\n   \"x_opencti_score\": 50,\n   \"hashes\": {\n       \"MD5\": \"b502233b34256285140676109dcadde7\"\n   },\n   \"labels\": [\n       \"cookiecutter\",\n       \"clouddata-networks-1\"\n   ],\n   \"external_references\": [\n       {\n           \"source_name\": \"Sekoia.io\",\n           \"url\": \"https://app.sekoia.io/intelligence/objects/indicator--3e6d61b4-d5f0-48e0-b934-fdbe0d87ab0c\"\n       }\n   ],\n   \"x_opencti_id\": \"8a3d108f-908c-4833-8ff4-4d6fc996ce39\",\n   \"type\": \"file\",\n   \"created_by_ref\": \"identity--b5b8f9fc-d8bf-5f85-974e-66a7d6f8d4cb\",\n   \"object_marking_refs\": [\n       \"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9\"\n   ]\n}\n</code></pre>"},{"location":"usage/notifications/","title":"Notifications and alerting","text":"<p>In the evolving landscape of cybersecurity, timely awareness is crucial. OpenCTI empowers users to stay informed and act swiftly through its robust notifications and alerting system. This feature allows users to create personalized triggers that actively monitor the platform for specific events and notify them promptly when these conditions are met.</p> <p>From individual users tailoring their alert preferences to administrators orchestrating collaborative triggers for Groups or Organizations, OpenCTI's notification system is a versatile tool for keeping cybersecurity stakeholders in the loop.</p> <p>The main menu \"Notifications and triggers\" for creating and managing notifications is located in the top right-hand corner with the bell icon.</p> <p> </p>"},{"location":"usage/notifications/#triggers","title":"Triggers","text":"<p>In OpenCTI, triggers serve as personalized mechanisms for users to stay informed about specific events that align with their cybersecurity priorities. Users can create and manage triggers to tailor their notification experience. Each trigger operates by actively listening to events based on predefined filters and event types, promptly notifying users via chosen notifiers when conditions are met.</p> <p></p>"},{"location":"usage/notifications/#trigger-management","title":"Trigger management","text":"<p>Individual user triggers: Each user possesses the autonomy to craft their own triggers, finely tuned to their unique preferences and responsibilities. By setting up personalized filters and selecting preferred notifiers, users ensure that they receive timely and relevant notifications aligned with their specific focus areas.</p> <p>Administrative control: Platform administrators have the capability to create and manage triggers for Users, Groups and Organizations. This provides centralized control and the ability to configure triggers that address collective cybersecurity objectives. Users within the designated Group or Organization will benefit from triggers with read-only access rights. These triggers are to be created directly on the User|Group|Organization with whom to share them in \"Settings &gt; Security &gt; Users|Groups|Organizations\".</p> <p></p>"},{"location":"usage/notifications/#trigger-filters","title":"Trigger filters","text":"<p>Leveraging the filters, users can meticulously define the criteria that activate their triggers. This level of granularity ensures that triggers are accurate, responding precisely to events that matter most. Users can tailor filters to consider various parameters such as object types, markings, sources, or other contextual details. They can also allow notifications for the assignment of a Task, a Case, etc.</p> <p>Beyond filters, a trigger can be configured to respond to three event types: creation, modification, and deletion.</p> <p></p>"},{"location":"usage/notifications/#instance-triggers","title":"Instance triggers","text":"<p>Instance triggers offer a targeted approach to live monitoring by allowing users to set up triggers specific to one or several entities. These triggers, when activated, keep a vigilant eye on a predefined set of events related to the selected entities, ensuring that you stay instantly informed about crucial changes.</p>"},{"location":"usage/notifications/#creating-instance-triggers","title":"Creating instance triggers","text":"<p>Method 1: Using the general trigger creation form</p> <ol> <li>Go on the \"Notifications and triggers\" window.</li> <li>Navigate to the \"Triggers and digests\" tab.</li> <li>Access the general trigger creation form.</li> <li>Toggle the switch \"Instance trigger\".</li> <li>Choose the entities to monitor.</li> </ol> <p></p> <p>Method 2: Quick subscription</p> <ol> <li>On an entity's overview, locate the \"Instance trigger quick subscription\" button with the bell icon at the top right.</li> <li>Click on the button to create the instance trigger.</li> <li>(Optional) Click on it again to modify the instance trigger created.</li> </ol> <p></p>"},{"location":"usage/notifications/#events-monitored-by-instance-triggers","title":"Events monitored by instance triggers","text":"<p>An instance trigger set on an entity X actively monitors the following events:</p> <ul> <li>Update/Deletion of X: Stay informed when the selected entity undergoes changes or is deleted.</li> <li>Creation/Deletion of relationships: Receive notifications about relationships being added or removed from/to X.</li> <li>Creation/Deletion of related entities: Be alerted when entities that have X in its refs - i.e. contains X, is shared with X, is created by X, etc. - are created or deleted.</li> <li>Adding/Removing X in ref: Stay in the loop when X is included or excluded from the ref of other entities - i.e. adding X in the author of an entity, adding X in a report, etc.).</li> </ul> <p>Entity deletion notification</p> <p>It's important to note that the notification of entity deletion can occur in two scenarios:     - Real entity deletion: When the entity is genuinely deleted from the platform.     - Visibility loss: When a modification to the entity results in the user losing visibility for that entity.</p>"},{"location":"usage/notifications/#digest","title":"Digest","text":"<p>Digests provide an efficient way to streamline and organize your notifications. By grouping notifications based on selected triggers and specifying the delivery period (daily, weekly, monthly), you gain the flexibility to receive consolidated updates at your preferred time, as opposed to immediate notifications triggered by individual events.</p>"},{"location":"usage/notifications/#creating-digests","title":"Creating digests","text":"<ol> <li>Go on the \"Notifications and triggers\" window.</li> <li>Navigate to the \"Triggers and digests\" tab.</li> <li>Create a new digest.</li> <li>Configure digest: Set the parameters, including triggers to be included and the frequency of notifications (daily, weekly, monthly). </li> <li>Choose the notifier(s): Select the notification method(s) (e.g. within the OpenCTI interface, via email, etc.).</li> </ol>"},{"location":"usage/notifications/#benefits-of-digests","title":"Benefits of digests","text":"<ul> <li>Organized notifications: Digests enable you to organize and categorize notifications, preventing a flood of individual alerts.</li> <li>Customized delivery: Choose the frequency of digest delivery based on your preferences, whether it's a daily overview, a weekly summary, or a monthly roundup.</li> <li>Reduced distractions: Receive notifications at a scheduled time, minimizing interruptions and allowing you to focus on critical tasks.</li> </ul> <p>Digests enhance your control over notification management, ensuring a more structured and convenient approach to staying informed about important events.</p>"},{"location":"usage/notifications/#notifiers","title":"Notifiers","text":"<p>In OpenCTI, notifiers serve as the channels for delivering notifications, allowing users to stay informed about critical events. The platform offers two built-in notifiers, \"Default mailer\" for email notifications and \"User interface\" for in-platform alerts.</p> <p></p>"},{"location":"usage/notifications/#notifier-connectors","title":"Notifier connectors","text":"<p>OpenCTI features built-in notifier connectors that empower users to create personalized notifiers for notification and activity alerting. Three essential connectors are available:</p> <ul> <li>Platform mailer connector: Enables sending notifications directly within the OpenCTI platform.</li> <li>Simple mailer connector: Offers a straightforward approach to email notifications with simplified configuration options.</li> <li>Generic webhook connector: Facilitates communication through webhooks.</li> </ul> <p>OpenCTI provides two samples of webhook notifiers designed for Teams integration.</p> <p></p>"},{"location":"usage/notifications/#configuration-and-access","title":"Configuration and Access","text":"<p>Notifiers are manageable in the \"Settings &gt; Customization &gt; Notifiers\" window and can be restricted through Role-Based Access Control (RBAC). Administrators can restrict access to specific Users, Groups, or Organizations, ensuring controlled usage.</p> <p>For guidance on configuring custom notifiers and explore detailed setup instructions, refer to the dedicated documentation page.</p>"},{"location":"usage/overview/","title":"Overview","text":""},{"location":"usage/overview/#introduction","title":"Introduction","text":"<p>The following chapter aims at giving the reader a step-by-step description of what is available on the platform and the meaning of the different tabs and entries.</p> <p>When the user connects to the platform, the home page is the <code>Dashboard</code>. This <code>Dashboard</code> contains several visuals summarizing the types and quantity of data recently imported into the platform.</p> <p>Dashboard</p> <p>To get more information about the components of the default dashboard, you can consult the Getting started.</p> <p>The left side panel allows the user to navigate through different windows and access different views and categories of knowledge.</p> <p></p>"},{"location":"usage/overview/#structure","title":"Structure","text":""},{"location":"usage/overview/#the-hot-knowledge","title":"The \"hot knowledge\"","text":"<p>The first part of the platform in the left menu is dedicated to what we call the \"hot knowledge\", which means this is the entities and relationships which are added on a daily basis in the platform and which generally require work / analysis from the users.</p> <ul> <li><code>Analyses</code>: all containers which convey relevant knowledge such as reports, groupings and malware analyses.</li> <li><code>Cases</code>: all types of case like incident responses, requests for information, for takedown, etc.</li> <li><code>Events</code>: all incidents &amp; alerts coming from operational systems as well as sightings.</li> <li><code>Observations</code>: all technical data in the platform such as observables, artifacts and indicators.</li> </ul>"},{"location":"usage/overview/#the-cold-knowledge","title":"The \"cold knowledge\"","text":"<p>The second part of the platform in the left menu is dedicated to the \"cold knowledge\", which means this is the entities and relationships used in the hot knowledge. You can see this as the \"encyclopedia\" of all pieces of knowledge you need to get context: threats, countries, sectors, etc.</p> <ul> <li><code>Threats</code>: all threats entities from campaigns to threat actors, including intrusion sets.</li> <li><code>Arsenal</code>: all tools and pieces of malware used and/or targeted by threats, including vulnerabilities.</li> <li><code>Techniques</code>: all objects related to tactics and techniques used by threats (TTPs, etc.).</li> <li><code>Entities</code>: all non-geographical contextual information such as sectors, events, organizations, etc.</li> <li><code>Locations</code>: all geographical contextual information, from cities to regions, including precise positions.</li> </ul>"},{"location":"usage/overview/#hide-categories","title":"Hide categories","text":"<p>You can customize the experience in the platform by hiding some categories in the left menu, whether globally or for a specific role.</p>"},{"location":"usage/overview/#hide-categories-globally","title":"Hide categories globally","text":"<p>In the <code>Settings &gt; Parameters</code>, it is possible for the platform administrator to hide categories in the platform for all users.</p> <p></p>"},{"location":"usage/overview/#hide-categories-in-roles","title":"Hide categories in roles","text":"<p>In OpenCTI, the different roles are highly customizable. It is possible to defined default dashboards, triggers, etc. but also be able to hide categories in the roles:</p> <p></p>"},{"location":"usage/overview/#presentation-of-a-typical-page-in-opencti","title":"Presentation of a typical page in OpenCTI","text":"<p>While OpenCTI features numerous entities and tabs, many of them share similarities, with only minor differences arising from specific characteristics. These differences may involve the inclusion or exclusion of certain fields, depending on the nature of the entity.</p> <p>In this part will only be detailed a general outline of a \"typical\" OpenCTI page. The specifies of the different entities will be detailed in the corresponding pages below (Activities and Knowledge).</p> <p></p> <p></p>"},{"location":"usage/overview/#overview_1","title":"Overview","text":"<p>In the <code>Overview</code> tab on the entity, you will find all properties of the entity as well as the recent activities.</p> <p>First, you will find the <code>Details</code> section, where are displayed all properties specific to the type of entity you are looking at, an example below with a piece of malware:</p> <p></p> <p>Thus, in the <code>Basic information</code> section, are displayed all common properties to all objects in OpenCTI, such as the marking definition, the author, the labels (i.e. tags), etc.</p> <p></p> <p>Below these two sections, you will find latest modifications in the Knowledge base related to the Entity:</p> <ul> <li><code>Latest created relationships</code>: display the latest relationships that have been created from or to this Entity. For example, latest Indicators of Compromise and associated Threat Actor of a Malware.</li> <li><code>latest containers about the object</code>: display all the Cases and Analyses that contains this Entity. For example, the latest Reports about a Malware.</li> <li><code>External references</code>: display all the external sources associated with the Entity. You will often find here links to external reports or webpages from where Entity's information came from.</li> <li><code>History</code>: display the latest chronological modifications of the Entity and its relationships that occurred in the platform, in order to traceback any alteration.</li> </ul> <p> </p> <p>Last, all Notes written by users of the platform about this Entity are displayed in order to access unstructured analysis comments.</p> <p></p>"},{"location":"usage/overview/#knowledge","title":"Knowledge","text":"<p>In the <code>Knowledge</code> tab, which is the central part of the entity, you will find all the Knowledge related to the current entity. The <code>Knowledge</code> tab is different for Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) entities than for all the other entity types.</p> <ul> <li>The <code>Knowledge</code> tab of those entities (who represents Analyses or Cases that can contains a collection of Objects) is the place to integrate and link together entities. For more information on how to integrate information in OpenCTI using the knowledge tab of a report, please refer to the part Manual creation.</li> <li>The <code>Knowledge</code> tabs of any other entity (that does not aim to contain a collection of Objects) gather all the entities which have been at some point linked to the entity the user is looking at. For instance, as shown in the following capture, the <code>Knowledge</code> tab of Intrusion set APT29, gives access to the list of all entities APT29 is attributed to, all victims the intrusion set has targeted, all its campaigns, TTPs, malware etc. For entities to appear in these tabs under <code>Knowledge</code>, they need to have been linked to the entity directly or have been computed with the inference engine.</li> </ul> <p></p>"},{"location":"usage/overview/#focus-on-indicators-and-observables","title":"Focus on Indicators and Observables","text":"<p>The <code>Indicators</code> and <code>Observables</code> section offers 3 display modes: - The <code>entities view</code>, which displays the indicators/observables linked to the entity. - The <code>relationship view</code>, which displays the various relationships between the indicators/observables linked to the entity and the entity itself. - The <code>contextual view</code>, which displays the indicators/observables contained in the cases and analyses that contain the entity.</p> <p></p> <p></p>"},{"location":"usage/overview/#content","title":"Content","text":"<p>The <code>Content</code> tab allows for uploading and creating outcomes documents related to the content of the current entity (in PDF, text, HTML or markdown files). This specific tab enable to previzualize, manage and write deliverable associated with the entity. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc.</p> <p>The <code>Content</code> tab is available for a subset of entities: <code>Report</code>, <code>Incident</code>, <code>Incident response</code>, <code>Request for Information</code>, and <code>Request for Takedown</code>.</p> <p></p> <p></p>"},{"location":"usage/overview/#analyses","title":"Analyses","text":"<p>The <code>Analyses</code> tab contains the list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) in which the entity has been identified.</p> <p></p> <p>By default, this tab display the list, but you can also display the content of all the listed Analyses on a graph, allowing you to explore all their Knowledge and have a glance of the context around the Entity.</p> <p></p> <p></p>"},{"location":"usage/overview/#data","title":"Data","text":"<p>The <code>Data</code> tab contains documents that are associated to the object and were either:</p> <ul> <li>Uploaded to the platform : for instance the PDF document containing the text of the report</li> <li>Generated from the platform to be downloaded : a JSON or CSV file containing information on the object and generated by the user.</li> <li>associated to an external reference</li> </ul> <p>Analyst Workbench can also be created from here. They will contain the entity by default.</p> <p></p> <p>In addition, the <code>Data</code> tab of <code>Threat actors (group)</code>, <code>Threat actors (individual)</code>, <code>Intrusions sets</code>, <code>Organizations</code>, <code>Individuals</code> have an extra panel:</p> <ul> <li>Pictures Management: allows to manage the profile pictures attached to the entity.</li> </ul> <p> </p> <p></p>"},{"location":"usage/overview/#history","title":"History","text":"<p>The <code>History</code> tab displays the history of change of the Entity, update of attributes, creation of relations, ...</p> <p>Because of the volumes of information the history is written in a specific index that consume the redis stream to rebuild the history for the UI. </p>"},{"location":"usage/overview/#less-frequent-tabs","title":"Less frequent tabs","text":"<ul> <li>The <code>Observables</code> tab (for Reports and Observed data): A table containing all SCO (Stix Cyber Observable) contained in the Report or the Observed data, with search and filters available. It also displays if the SCO has been added directly or through inferences with the reasoning engine</li> <li>the <code>Entities</code> tab (for Reports and Observed data): A table containing all SDO (Stix Domain Objects) contained in the Report or the Observed data, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Observables:</li> <li>the <code>Sightings</code> tab (for Indicators and Observables): A table containing all <code>Sightings</code> relationships corresponding to events in which <code>Indicators</code> (IP, domain name, URL, etc.) are detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or EDR.</li> </ul>"},{"location":"usage/pivoting/","title":"Pivot and investigate","text":"<p>In OpenCTI, all data are structured as an extensive knowledge graph, where every element is interconnected. The investigation functionality provides a powerful tool for pivoting on any entity or relationship within the platform. Pivoting enables users to explore and analyze connections between entities and relationships, facilitating a comprehensive understanding of the data.</p> <p>To access investigations, navigate to the top right corner of the toolbar:</p> <p></p> <p>Access restriction</p> <p>When an investigation is created, it is initially visible only to the creator, allowing them to work on the investigation before deciding to share it. The sharing mechanism is akin to that of dashboards. For further details, refer to the Access control section in the dashboard documentation page.</p>"},{"location":"usage/pivoting/#perform-investigation","title":"Perform investigation","text":""},{"location":"usage/pivoting/#manipulate-entity","title":"Manipulate entity","text":"<p>We can add any existing entity of the platform to your investigation.</p> <p></p> <p>After adding an entity, we can choose the entity and view its details in the panel that appears on the right of the screen.</p> <p>On each node, we'll notice a bullet with a number inside, serving as a visual indication of how many entities are linked to it but not currently displayed in the graph. Keep in mind that this number is an approximation, which is why there's a \"+\" next to it. If there's no bullet displayed, it means there's nothing to expand from this node.</p> <p></p> <p>To incorporate these linked entities into the graph, we just have to expand the nodes. Utilize the button with a 4-arrows logo in the mentioned menu, or double-click on the entity directly. This action opens a new window where we can choose the types of entities and relationships we wish to expand.</p> <p></p> <p>For instance, in the image above, selecting the target Malware and the relationship Uses implies expanding in my investigation graph all Malware linked to this node with a relationship of type Uses.</p>"},{"location":"usage/pivoting/#manipulate-relationship","title":"Manipulate relationship","text":"<p>We can create a relationship between entities directly within our investigation. To achieve this, select multiple entities by clicking on them while holding down the shift key. Subsequently, a button appears at the bottom right to create one (or more, depending on the number of entities selected) relationships.</p> <p></p> <p>Relationship creation</p> <p>Creating a relationship in the investigation graph will generate the relationship in your knowledge base.</p>"},{"location":"usage/pivoting/#capitalize-on-an-investigation","title":"Capitalize on an investigation","text":""},{"location":"usage/pivoting/#export-investigation","title":"Export investigation","text":"<p>Users have the capability to export investigations, providing a way to share, document, or archive their findings.</p> <ul> <li>PDF and image formats: Users can export investigations in either PDF or image format, offering flexibility in sharing and documentation.</li> <li>STIX bundle: The platform allows the export of the entire content of an investigation graph as a STIX bundle. In the STIX format, all objects within the investigation graph are automatically aggregated into a Report object.</li> </ul> <p></p>"},{"location":"usage/pivoting/#turn-investigation-into-a-container","title":"Turn investigation into a container","text":"<p>Users can efficiently collect and consolidate the findings of an investigation by adding the content into dedicated containers. The contents of an investigation can be imported into various types of containers, including:</p> <ul> <li>Grouping</li> <li>Incident Response</li> <li>Report</li> <li>Request for Information</li> <li>Request for Takedown</li> </ul> <p></p> <p>We have the flexibility to choose between creating a new container on the fly or adding investigation content to an existing container. </p> <p></p> <p></p> <p>After clicking on the <code>ADD</code> button, the browser will redirect to the Knowledge tab of the container where we added the content of our investigation. If we added it to multiple containers, the redirection will be to the first of the list.</p> <p></p>"},{"location":"usage/reliability-confidence/","title":"Reliability and Confidence","text":""},{"location":"usage/reliability-confidence/#generalities","title":"Generalities","text":"<p>In (Cyber) Threat Intelligence, evaluation of information sources and of information quality is one of the most important aspect of the work. It is of the utter most importance to assess situations by taking into account reliability of the sources and credibility of the information.</p> <p>This concept is foundational in OpenCTI, and have real impact on:</p> <ul> <li>the data deduplication process</li> <li>the data stream filtering for ingestion and sharing</li> </ul>"},{"location":"usage/reliability-confidence/#what-is-the-reliability-of-a-source","title":"What is the Reliability of a source?","text":"<p>Reliability of a source of information is a measurement of the trust that the analyst can have about the source, based on the technical capabilities or history of the source. Is the source a reliable partner with long sharing history? A competitor? Unknown?</p> <p>Reliability of sources are often stated at organizational level, as it requires an overview of the whole history with it. </p> <p>In the Intelligence field, Reliability is often notated with the NATO Admiralty code.</p>"},{"location":"usage/reliability-confidence/#what-is-confidence-of-an-information","title":"What is Confidence of an information?","text":"<p>Reliability of a source is important but even a trusted source can be wrong. Information in itself has a credibility, based on what is known about the subject and the level of corroboration by other sources.</p> <p>Credibility is often stated at the analyst team level, expert of the subject, able to judge the information with its context.</p> <p>In the Intelligence field, Confidence is often notated with the NATO Admiralty code.</p> <p>Why Confidence instead of Credibility?</p> <p>Using both Reliability and Credibility is an advanced use case for most of CTI teams. It requires a mature organization and a well staffed team. For most of internal CTI team, a simple confidence level is enough to forge assessment, in particular for teams that concentrate on technical CTI. </p> <p>Thus in OpenCTI, we have made the choice to fuse the notion of Credibility with the Confidence level that is commonly used by the majority of users. They have now the liberty to push forward their practice and use both Confidence and Reliability in their daily assessments.</p>"},{"location":"usage/reliability-confidence/#reliability-open-vocabulary","title":"Reliability open vocabulary","text":"<p>Reliability value can be set for every Entity in the platform that can be Author of Knowledge:</p> <ul> <li><code>Organizations</code></li> <li><code>Individuals</code></li> <li><code>Systems</code></li> <li>and also <code>Reports</code></li> </ul> <p>Reliability on <code>Reports</code> allows you to specify the reliability associated to the original author of the report if you received it through a provider.</p> <p>For all Knowledge in the platform, the reliability of the source of the Knowledge (author) is displayed in the Overview. This way, you can always forge your assessment of the provided Knowledge regarding the reliability of the author.</p> <p></p> <p>You can also now filter entities by the reliability of its author.</p> <p>Tip</p> <p>This way, you may choose to feed your work with only Knowledge provided by reliable sources.</p> <p>Reliability is an open vocabulary that can be customized in Settings -&gt; Taxonomies -&gt; Vocabularies : reliability_ov. </p> <p>Info</p> <p>The setting by default is the Reliability scale from NATO Admiralty code. But you can define whatever best fit your organization.</p> <p></p>"},{"location":"usage/reliability-confidence/#confidence-scale","title":"Confidence scale","text":"<p>Confidence level can be set for:</p> <ul> <li>Analyses: <code>Report</code>, <code>Grouping</code>, <code>Malware analysis</code>, <code>Notes</code></li> <li>Cases: <code>Incident Response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>, <code>Feedback</code></li> <li>Events: <code>Incident</code>, <code>Sighting</code>, <code>Observed data</code></li> <li>Observations: <code>Indicator</code>, <code>Infrastructure</code></li> <li>Threats: <code>Threat actor (Group)</code>, <code>Threat actor (Individual)</code>, <code>Intrusion Set</code>, <code>Campaign</code></li> <li>Arsenal: <code>Malware</code>, <code>Channel</code>, <code>Tool</code>, <code>Vulnerability</code></li> </ul> <p>For all of these entities, the Confidence level is displayed in the Overview, along with the Reliability. This way, you can rapidly assess the Knowledge with the Confidence level representing the credibility/quality of the information.</p>"},{"location":"usage/reliability-confidence/#confidence-scale-customization","title":"Confidence scale customization","text":"<p>Confidence level is a numerical value between 0 and 100. But Multiple \"Ticks\" can be defined and labelled to provide a meaningful scale.</p> <p>Confidence level can be customized for each entity type in Settings &gt; Customization &gt; Entity type.</p> <p></p> <p>As such customization can be cumbersome, three confidence level templates are provided in OpenCTI:</p> <ul> <li>Admiralty: corresponding to the Admiralty code's credibility scale</li> <li>Objective: corresponding to a full objective scale, aiming to leave any subjectivity behind. With this scale, an information confidence is:<ul> <li>\"Cannot be judged\": there is no data regarding the credibility of the information</li> <li>\"Told\": the information is known because it has been told to the source. The source doesn't verify it by any means.</li> <li>\"Induced\": the information is the result of an analysis work and is based on other similar information assumed to be true.</li> <li>\"Deduced\": the information is the result of an analysis work, and is a logical conclusion of other information assumed to be true.</li> <li>\"Witnessed\": the source have observed itself the described situation or object.</li> </ul> </li> <li>standard: the historic confidence level scale in OpenCTI defining a Low, Med and High level of confidence.</li> </ul> <p>It is always possible to modify an existing template to define a custom scale adapted to your context.</p> <p>Tip</p> <p>If you use the Admiralty code setting for both reliability and Confidence, you will find yourself with the equivalent of NATO confidence notation in the Overview of your different entities (A1, B2, C3, etc.)</p>"},{"location":"usage/reliability-confidence/#max-confidence-level","title":"Max confidence level","text":""},{"location":"usage/reliability-confidence/#overview","title":"Overview","text":"<p>We know that in organizations, different users do not always have the same expertise or seniority.  As a result, some specific users can be more \"trusted\" when creating or updating knowledge than others. Additionnaly, because connectors, TAXII feeds and streams are all linked to respectively one user, it is important to be able to differentiate which connector, stream or TAXII feed is more trustable than others.</p> <p>This is why we have introduced the concept of max confidence level to tackle this use case.</p> <p>Max confidence level per user allows organizations to fine tune their users to ensure knowledge updated and created stays as consistent as possible.</p>"},{"location":"usage/reliability-confidence/#overall-way-of-working","title":"Overall way of working","text":"<p>The overall idea is that users with a max confidence level lower than a confidence level of an entity cannot update or delete this entity.</p> <p>Also, in a conservative approach, when 2 confidence levels are possible, we would always take the lowest one.</p> <p>To have a detailed understanding of the concept, please browse through this diagram:</p>"},{"location":"usage/reliability-confidence/#how-to-set-a-confidence-level","title":"How to set a confidence level","text":"<p>To see how to set up the confidence level, please go in this page.</p>"},{"location":"usage/reliability-confidence/#usage-in-opencti","title":"Usage in OpenCTI","text":""},{"location":"usage/reliability-confidence/#example-with-the-admiralty-code-template","title":"Example with the admiralty code template","text":"<p>Your organization have received a report from a CTI provider. At your organization level, this provider is considered as reliable most of the time and its reliability level has been set to \"B - Usually Reliable\" (your organization uses the Admiralty code).</p> <p>This report concerns ransomware threat landscape and have been analysed by your CTI analyst specialized in cybercrime. This analyst has granted a confidence level of \"2 - Probably True\" to the information. </p> <p>As a technical analyst, through the cumulated reliability and Confidence notations, you now know that the technical elements of this report are probably worth consideration.</p> <p></p>"},{"location":"usage/reliability-confidence/#example-with-the-objective-template","title":"Example with the Objective template","text":"<p>As a CTI analyst in a governmental CSIRT, you build up Knowledge that will be shared within the platform to beneficiaries. Your CSIRT is considered as a reliable source by your beneficiaries, even if you play a role of a proxy with other sources, but your beneficiaries need some insights about how the Knowledge has been built/gathered. </p> <p>For that, you use the \"Objective\" confidence scale in your platform to provide beneficiaries with that. When the Knowledge is the work of the investigation of your CSIRT, either from incident response or attack infrastructure investigation, you set the confidence level to \"Witnessed\", \"Deduced\" or \"Induced\" (depending on if you observed directly the data, or inferred it during your research). When the information has not been verified by the CSIRT but has value to be shared with beneficiaries, you can use the \"Told\" level to make it clear to them that the information is probably valuable but has not been verified.</p> <p></p>"},{"location":"usage/search/","title":"Search for knowledge","text":"<p>In OpenCTI, you have access to different capabilities to be able to search for knowledge in the platform. In most cases, a search by keyword can be refined with additional filters for instance on the type of object, the author etc.</p>"},{"location":"usage/search/#global-search","title":"Global search","text":"<p>The global search is always available in the top bar of the platform.</p> <p></p> <p>This search covers all STIX Domain Objects (SDOs) and STIX Cyber Observables (SCOs) in the platform. The search results are sorted according to the following behaviour:</p> <ul> <li>Priority 1 for exact matching of the keyword in one attribute of the objects.</li> <li>Priority 2 for partial matching of the keyword in the <code>name</code>, the <code>aliases</code> and the <code>description</code> attributes (full text search).</li> <li>Priority 3 for partial matching of the keyword in all other attributes (full text search).</li> </ul> <p>If you get unexpected result, it is always possible to add some filters after the initial search:</p> <p></p> <p>Also, using the <code>Advanced search</code> button, it is possible to directly put filters in a global search:</p> <p></p> <p>Advanced filters</p> <p>You have access to advanced filters all accross the UI, if you want to know more about how to use these  filters with the API or the Python library, don't hesitate to read the dedicated page</p>"},{"location":"usage/search/#full-text-search-in-files-content","title":"Full text search in files content","text":"<p>Enterprise edition</p> <p>Full text search in files content is available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>It's possible to extend the global search by keywords to the content of documents uploaded to the platform via the Data import tab, or directly linked to an entity via its Data tab.</p> <p>It is particularly useful to enable <code>Full text indexing</code> to avoid missing important information that may not have been structured within the platform. This situation can arise due to a partial automatic import of document content, limitations of a connector, and, of course, errors during manual processing.</p> <p></p> <p>In order to search in files, you need to configure file indexing.</p>"},{"location":"usage/search/#bulk-search","title":"Bulk search","text":"<p>The bulk search capabilities is available in the top bar of the platform and allows you to copy paste a list of keyword or objects (ie. list of domains, list of IP addresses, list of vulnerabilities, etc.) to search in the platform:</p> <p></p> <p>When searching in bulk, OpenCTI is only looking for an exact match in some properties:</p> <ul> <li><code>name</code></li> <li><code>aliases</code></li> <li><code>x_opencti_aliases</code></li> <li><code>x_mitre_id</code></li> <li><code>value</code></li> <li><code>subject</code></li> <li><code>abstract</code></li> <li><code>hashes.MD5</code></li> <li><code>hashes.SHA-1</code></li> <li><code>hashes.SHA-256</code></li> <li><code>hashes.SHA-512</code></li> <li><code>x_opencti_additional_names</code></li> </ul> <p>When something is not found, it appears in the list as <code>Unknown</code> and will be excluded if you choose to export your search result in a JSON STIX bundle or in a CSV file.</p> <p></p>"},{"location":"usage/search/#contextual-search","title":"Contextual search","text":"<p>In most of the screens of knowledge, you always have a contextual search bar allowing you to filter the list you are on:</p> <p></p> <p>The search keyword used here is taken into account if you decide to export the current view in a file such as a JSON STIX bundle or a CSV file.</p>"},{"location":"usage/search/#other-search-bars","title":"Other search bars","text":"<p>Some other screens can contain search bars for specific purposes. For instance, in the graph views to filter the nodes displayed on the graph:</p> <p></p>"},{"location":"usage/tips-widget-creation/","title":"Pro-tips on widget creation","text":"<p>Previously, the creation of widgets has been covered. To help users being more confident in creating widgets, here are some details to master the widget creation.</p> <p></p>"},{"location":"usage/tips-widget-creation/#how-to-choose-the-appropriate-widget-visualization-for-your-use-case","title":"How to choose the appropriate widget visualization for your use case?","text":"<p>We can classify the widgets in 3 different types.</p>"},{"location":"usage/tips-widget-creation/#single-dimension-widgets","title":"Single dimension widgets","text":"<p>Use these widgets when you would like to display information about one single type of object (entity or relation).</p> <ul> <li>Widget visualizations: number, list, list (distribution), timeline, donuts, radar, map, bookmark, tree map.</li> <li>Use case example: view the amount of malware in platform (number widget), view the top 10 threat actor group target a specific country (distribution list widget), etc.</li> </ul>"},{"location":"usage/tips-widget-creation/#multi-dimension-widgets","title":"Multi dimension widgets","text":"<p>Use these widgets if you would like to compare or have some insights about similar types of object (up to 5).</p> <ul> <li>Widget visualizations: line, area, heatmap, vertical bars.</li> <li>Use case example: view the amount of malware, intrusion sets, threat actor groups added in the course of last month in the platform (line or area widget).</li> </ul> <p>Type of object in widget</p> <p>These widgets need to use the same \"type\" of object to work properly. You always need to add relationships in the filter view if you have selected a \"knowledge graph\" perspective. If you have selected the knowledge graph entity, adding \"Entities\" (click on <code>+ entities</code>) will not work, since you are not counting the same things.</p>"},{"location":"usage/tips-widget-creation/#break-down-widgets","title":"Break down widgets","text":"<p>Use this widget if you want to divide your data set into smaller parts to make it clearer and more useful for analysis.</p> <ul> <li>Widget visualization: horizontal bars.</li> <li>Use case example: view the list of malware targeting a country breakdown by the type of malware.</li> </ul> <p></p>"},{"location":"usage/tips-widget-creation/#adding-datasets-to-your-widget","title":"Adding datasets to your widget","text":"<p>Adding datasets can serve two purposes: comparing data or breakdown a view to have deeper understanding on what a specific dataset is composed of. </p>"},{"location":"usage/tips-widget-creation/#use-case-1-compare-several-datasets","title":"Use Case 1: compare several datasets","text":"<p>As mentioned in How to choose the appropriate widget visualization for your use case? section you can add data sets to compare different data. Make sure to add the same type of objects (entities or relations) to be able to compare the same objects, by using access buttons like <code>+</code>, <code>+ Relationships</code>, or <code>+ Entities</code>.</p> <p>You can add up to 5 different data sets.  The <code>Label</code> field allows you to name a data set, and this label can then be shown as a legend in the widget using the <code>Display legend</code> button in the widget parameters (see the next section).</p>"},{"location":"usage/tips-widget-creation/#use-case-2-break-down-your-chart","title":"Use case 2: break down your chart","text":"<p>As mentioned in How to choose the appropriate widget visualization for your use case? section you can add data sets to decompose your graph into smaller meaningful chunks. In the below points, you can find some use cases that will help you understand how to structure your data.</p> <p>You can break down a view either by entity or by relations, depending on what you need to count.</p>"},{"location":"usage/tips-widget-creation/#break-down-by-entity","title":"Break down by entity","text":"<p>Use case example: I need to understand what are the most targeted countries by malware, and have a breakdown for each country by malware type.</p> <p>Process:</p> <ol> <li>To achieve this use case, you first need to select the horizontal bar vizualisation.</li> <li>Then you need to select the knowledge graph perspective.</li> </ol> <p>In the filters view:</p> <ol> <li>Then input your main query <code>Source type = Malware AND Target type = Countries AND Relation type = Targets</code>. Add a label to your dataset. </li> <li>Add an entity data set by using access button <code>+ Entities</code>.</li> <li>Add the following filters <code>Entity type = Malware AND In regards of = targets</code>. Add a label to your dataset.</li> </ol> <p></p> <p>In the parameter view:</p> <ol> <li>Attribute (of your relation) = entity (so that you display the different entities values)</li> <li>Display the source toggle = off</li> <li>Attribute (of your entity malware) = Malware type (since you want to break down your relations by the malware types)</li> </ol> <p></p> <p>As a result, you get a list of countries broken down by malware types.</p> <p></p>"},{"location":"usage/tips-widget-creation/#break-down-by-relation","title":"Break down by relation","text":"<p>Use case example: I need to understand what are the top targeting malware and have a breakdown of the top targets per malware</p> <p>Process:</p> <ol> <li>To achieve this use case, you first need to select the horizontal bar vizualisation.</li> <li>Then you need to select the knowledge graph perspective.</li> </ol> <p>In the filters view:</p> <ol> <li>Then input your main query <code>Source type = Malware AND Relation type = Targets</code>. Add a label to your dataset. </li> <li>Add a relation data set by using access button  <code>+ Relationships</code></li> <li>Add the following filters <code>Source type = Malware AND Relation type = targets</code>. Add a label to your dataset.</li> </ol> <p></p> <p>In the parameter view:</p> <ol> <li>Attribute (of your relation): entity (so that you display the different entities values)</li> <li>Display the source toggle = on</li> <li>Attribute (of your entity malware) = Malware type (since you want to break down your relations by the malware types)</li> <li>Display the source toggle = off</li> </ol> <p></p> <p>As a result, you get a list of malware with the breakdown of their top targets.</p> <p></p>"},{"location":"usage/tips-widget-creation/#more-use-cases","title":"More use cases","text":"<p>To see more use cases, feel free to have a look at this blog post that will provide you additional information.</p>"},{"location":"usage/widgets/","title":"Widget creation","text":"<p>Creating widgets on the dashboard involves a four-step configuration process. By navigating through these configuration steps, users can design widgets that meet their specific requirements.</p>"},{"location":"usage/widgets/#widget-configuration","title":"Widget configuration","text":""},{"location":"usage/widgets/#1-visualization","title":"1. Visualization","text":"<p>Users can select from 15 diverse visualization options to highlight different aspects of their data. This includes simple views like counters and lists, as well as more intricate views like heatmaps and trees. The chosen visualization impacts the available perspectives and parameters, making it crucial to align the view with the desired data observations. Here are a few insights:</p> <ul> <li>Line and Area views: Ideal for visualizing activity volumes over time.</li> <li>Horizontal bar views: Designed to identify top entities that best satisfy applied filters (e.g., top malware targeting the Finance sector).</li> <li>Tree views: Useful for comparing activity volumes.</li> <li>...</li> </ul> <p></p>"},{"location":"usage/widgets/#2-perspective","title":"2. Perspective","text":"<p>A perspective is the way the platform will count the data to display in your widgets:</p> <ul> <li>Entities Perspective: Focuses on entities, allowing observation of simple knowledge based on defined filters and criteria. The count will be based on entities only.</li> <li>Knowledge Graph Perspective: Concentrates on relationships, displaying intricate knowledge derived from relationships between entities and specified filters.  The count will be based on relations only.</li> <li>Activity &amp; History Perspective: Centers on activities within the platform, not the knowledge content. This perspective is valuable for monitoring user and connector activities, evaluating data sources, and more.</li> </ul> <p></p>"},{"location":"usage/widgets/#3-filters","title":"3. Filters","text":""},{"location":"usage/widgets/#generic-knowledge","title":"Generic knowledge","text":"<p>Filters vary based on the selected perspective, defining the dataset to be utilized in the widget. Filters are instrumental in narrowing down the scope of data for a more focused analysis.</p> <p>While filters in the \"Entities\" and \"Activity &amp; History\" perspectives align with the platform's familiar search and feed creation filters, the \"Knowledge Graph\" perspective introduces a more intricate filter configuration.Therefore, they need to be addressed in more detail.</p>"},{"location":"usage/widgets/#filter-in-the-context-of-knowledge-graph","title":"Filter in the context of Knowledge Graph","text":"<p>Two types of filters are available in the Knowledge Graph perspective:</p> <ul> <li> <p>Main query filter</p> <ul> <li>Classic filters (gray): Define the relationships to be retrieved, forming the basis on which the widget displays data. Remember, statistics in the Knowledge Graph perspective are based on relationships.</li> </ul> </li> <li> <p>Pre-query filters</p> <ul> <li>Pre-query filters are used to provide to your main query a specific dataset. In other words, instead of making a query on the whole data set of your platform, you can already target a subset of data that will match certain criteria. They are two types of pre-query filters:<ul> <li>Dynamic filters on the source (orange): Refine data by filtering on entities positioned as the source (in the \"from\" position) of the relationship.</li> <li>Dynamic filters on the target (green): Refine data by filtering on entities positioned as the target (in the \"to\" position) of the relationship.</li> </ul> </li> </ul> </li> </ul> <p>Pre-query limitation</p> <p>The pre-query is limited to 5000 results. If your pre-query results in having more than 5000 results, your widget will only display statistics based on these 5000 results matching your pre-query, resulting in a wrong view. To avoid this issue, be specific in your pre-query filters.</p> <p>Example scenario:</p> <p>Let's consider an example scenario: Analyzing the initial access attack patterns used by intrusion sets targeting the finance sector.</p> <ol> <li>Classic filters: Define the relationships associated with the use of attack patterns by intrusion sets</li> <li>Dynamic filters on the source (Orange): Narrow down the data by filtering on intrusion sets targeting the finance sector.</li> <li>Dynamic filters on the target (Green): Narrow down the data by filtering on attack patterns associated with the kill chain's initial access phase.</li> </ol> <p>By leveraging these advanced filters, users can conduct detailed analyses within the Knowledge Graph perspective, unlocking insights that are crucial for understanding intricate relationships and statistics.</p> <p></p> <p>In certain views, you can access buttons like <code>+</code>, <code>+ Relationships,</code> or <code>+ Entities</code>. These buttons enable you to incorporate different data into the same widget for comparative analysis. For instance, in a Line view, adding a second set of filters will display two curves in the widget, each corresponding to one of the filtered data sets. Depending on the view, you can work with 1 to 5 sets of filters. The <code>Label</code> field allows you to name a data set, and this label can then be shown as a legend in the widget using the <code>Display legend</code> button in the widget parameters (see the next section).</p> <p></p>"},{"location":"usage/widgets/#4-parameters","title":"4. Parameters","text":"<p>Parameters depend on the chosen visualization and allow users to define widget titles, choose displayed elements from the filtered data, select data reference date, and configure various other parameters specific to each visualization.</p> <p>For the \"Knowledge Graph\" perspective, a critical parameter is the <code>Display the source</code> toggle. This feature empowers users to choose whether the widget displays entities from the source side or the target side of the relationships.</p> <ul> <li>Toggle ON (\"Display the source\"): The widget focuses on entities positioned as the source of the relationships (in the \"from\" position).</li> <li>Toggle OFF (\"Display the target\"): The widget shifts its focus to entities positioned as the target of the relationships (in the \"to\" position).</li> </ul> <p>This level of control ensures that your dashboard aligns precisely with your analytical objectives, offering a tailored perspective based on your data and relationship.</p> <p></p>"},{"location":"usage/widgets/#prerequisite-knowledge","title":"Prerequisite knowledge","text":"<p>To successfully configure widgets in OpenCTI, having a solid understanding of the platform's data modeling is essential. Knowing specific relationships, entities, and their attributes helps refine filters accurately. Let's explore two examples.</p> <p>Scenarios 1:</p> <p>Consider the scenario where you aim to visualize relationships between intrusion sets and attack patterns. In this case, the relevant relationship type connecting intrusion sets to attack patterns is labeled as \"Uses\" (as illustrated in the \"Filters\" section).</p> <p>Scenarios 2:</p> <p>Suppose your goal is to retrieve all reports associated with the finance sector. In this case, it's essential to use the correct filter for the finance sector. Instead of placing the finance sector in the \"Related entity\" filter, it should be placed in the \"Contains\" filter. Since a Report is a container object (like Cases and Groupings), it contains entities within it and is not related to entities.</p>"},{"location":"usage/widgets/#key-data-modeling-aspects","title":"Key data modeling aspects","text":"<ul> <li>Entities: Recognizing container (e.g. Reports, Cases and Groupings) and understanding the difference with non-container.</li> <li>Relationships: Identifying the relationship types connecting entities.</li> <li>Attributes: Understanding entities and relationships attributes for effective filtering.</li> </ul> <p>Having this prerequisite knowledge allows you to navigate the widget configuration process seamlessly, ensuring accurate and insightful visualizations based on your specific data requirements.</p>"},{"location":"usage/workbench/","title":"Analyst workbench","text":"<p>Workbenches serve as dedicated workspaces for manipulating data before it is officially imported into the platform. </p>"},{"location":"usage/workbench/#location-of-use","title":"Location of use","text":"<p>The workbenches are located at various places within the platform:</p>"},{"location":"usage/workbench/#data-import-and-analyst-workbenches-window","title":"Data import and analyst workbenches window","text":"<p>This window encompasses all the necessary tools for importing a file. Files imported through this interface will subsequently be processed by the import connectors, resulting in the creation of workbenches. Additionally, analysts can manually create a workbench by clicking on the \"+\" icon at the bottom right of the window.</p> <p></p>"},{"location":"usage/workbench/#data-tabs-of-all-entities","title":"Data tabs of all entities","text":"<p>Workbenches are also accessible through the \"Data\" tabs of entities, providing convenient access to import data associated with the entity.</p> <p></p>"},{"location":"usage/workbench/#operation","title":"Operation","text":"<p>Workbenches are automatically generated upon the import of a file through an import connector. When an import connector is initiated, it scans files for recognizable entities and subsequently creates a workbench. All identified entities are placed within this workbench for analyst reviews. Alternatively, analysts have the option to manually create a workbench by clicking on the \"+\" icon at the bottom right of the \"Data import and analyst workbenches\" window.</p> <p></p> <p>The workbench being a draft space, the analysts use it to review connector proposals before finalizing them for import. Within the workbench, analysts have the flexibility to add, delete, or modify entities to meet specific requirements.</p> <p></p> <p>Once the content within the workbench is deemed acceptable, the analyst must initiate the ingestion process by clicking on <code>Validate this workbench</code>. This action signifies writing the data in the knowledge base.</p> <p>Workbenches are drafting spaces</p> <p>Until the workbench is validated, the contained data remains in draft form and is not recorded in the knowledge base. This ensures that only reviewed and approved data is officially integrated into the platform.</p> <p>For more information on importing files, refer to the Import from files documentation page.</p> <p>Confidence level of created knowledge through workbench</p> <p>The confidence level of knowledge created through workbench is affected by the confidence level of the user. Please navigate to this page to understand in more details.</p>"},{"location":"usage/workflows/","title":"Workflows and assignation","text":"<p>Efficiently manage and organize your work within the OpenCTI platform by leveraging workflows and assignment. These capabilities provide a structured approach to tracking the status of objects and assigning responsibilities to users.</p>"},{"location":"usage/workflows/#workflows","title":"Workflows","text":"<p>Workflows are designed to trace the status of objects in the system. They are represented by the \"Processing status\" field embedded in each object. By default, this field is disabled for most objects but can be activated through the platform settings. For details on activating and configuring workflows, refer to the dedicated documentation page.</p> <p>Enabling workflows enhances visibility into the progress and status of different objects, providing a comprehensive view for effective management.</p> <p></p>"},{"location":"usage/workflows/#assignment-attributes","title":"Assignment attributes","text":"<p>Certain objects, including Reports, Cases, and Tasks, come equipped with \"Assignees\" and \"Participants\" attributes. These attributes serve the purpose of designating individuals responsible for the object and those who actively participate in it.</p> <p>Attributes can be set as mandatory or with default values, streamlining the assignment process. Users can also be assigned or designated as participants manually, contributing to a collaborative and organized workflow. For details on configuring attributes, refer to the dedicated documentation page.</p> <p></p> <p>Users can stay informed about assignments through notification triggers. By setting up notification triggers, users receive alerts when an object is assigned to them. This ensures timely communication and proactive engagement with assigned tasks or responsibilities.</p>"}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"],"fields":{"title":{"boost":1000.0},"text":{"boost":1.0},"tags":{"boost":1000000.0}}},"docs":[{"location":"","title":"OpenCTI Documentation Space","text":"<p>Welcome to the OpenCTI Documentation space. Here you will be able to find all documents, meeting notes and presentations about the platform.</p> <p>Release notes</p> <p>Please, be sure to also take a look at the OpenCTI releases notes, they may contain important information about releases and deployments.</p>"},{"location":"#introduction","title":"Introduction","text":"<p>OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.</p>"},{"location":"#getting-started","title":"Getting started","text":"<ul> <li> <p> Deployment &amp; Setup</p> <p>Learn how to deploy and configure the platform as well as launch connectors to get the first data in OpenCTI.</p> <p> Deploy now</p> </li> <li> <p> User Guide</p> <p>Understand how to use the platform, explore the knowledge, import and export information, create dashboard, etc.</p> <p> Explore</p> </li> <li> <p> Administration</p> <p>Know how to administrate OpenCTI, create users and groups using RBAC / segregation, put retention policies and custom taxonomies.</p> <p> Customize</p> </li> </ul> <p>Need more help?</p> <p>We are doing our best to keep this documentation complete, accurate and up to date. </p> <p>If you still have questions or you find something which is not sufficiently explained, join the Filigran Community on Slack.</p>"},{"location":"#latest-blog-posts","title":"Latest blog posts","text":"<p>All tutorials are published directly on the Medium blog, this section provides a comprehensive list of the most important ones.</p> <ul> <li> <p>Introducing malware analysis: enhance your cybersecurity triage with OpenCTI <sub><sup>Jul 22, 2023</sup></sub></p> <p>As a cybersecurity analyst, you understand the importance of quickly identifying and analyzing suspicious or malicious files, URLs, and network traffic...</p> <p> Read</p> </li> <li> <p>OpenCTI case management is ready for takeoff: what is available and what\u2019s next <sub><sup>Jul 3, 2023</sup></sub></p> <p>As part of our 2023 strategic roadmap, we\u2019ve worked since January on the case management system within the OpenCTI platform. This initiative comes from 2 simple statements...</p> <p> Read</p> </li> <li> <p>Progressive rollout of the OpenCTI Enterprise Edition: why, what and how? <sub><sup>June 10, 2023</sup></sub></p> <p>We are thrilled to announce that, from OpenCTI 5.8, Filigran is now providing some customers with an Enterprise Edition of the platform, whether on-premise...</p> <p> Read</p> </li> </ul>"},{"location":"#additional-resources","title":"Additional resources","text":"<p>Below, you will find external resources which may be useful along your OpenCTI journey.</p> <p> OpenCTI Ecosystem List of available connectors and integrations to expand platform usage.</p> <p> Training Courses Training courses for analysts and administrators in the Filigran training center.</p> <p> Performances tests &amp; metrics Regular performance tests based on default configuration and datasets.</p> <p></p>"},{"location":"administration/csv-mappers/","title":"CSV Mappers","text":"<p>In OpenCTI, CSV Mappers allow to parse CSV files in a STIX 2.1 Objects. The mappers are created and configured by users with the Manage CSV mappers capability. Then, they are available to users who import CSV files, for instance inside a report or in the global import view.</p>"},{"location":"administration/csv-mappers/#principles","title":"Principles","text":"<p>The mapper contains representations of STIX 2.1 entities and relationships, in order for the parser to properly extract them. One mapper is dedicated to parsing a specific CSV file structure, and thus dedicated mappers should be created for every specific CSV structure you might need to ingest in the platform.</p>"},{"location":"administration/csv-mappers/#create-a-new-csv-mapper","title":"Create a new CSV Mapper","text":"<p>In menu Data, select the submenu Processing, and on the right menu select CSV Mappers. You are presented with a list of all the mappers set in the platform. Note that you can delete or update any mapper from the context menu via the burger button beside each mapper.</p> <p>Click on the button + in the bottom-right corner to add a new Mapper.</p> <p>Enter a name for your mapper and some basic information about your CSV files: </p> <ul> <li>The line separator used (defaults to the standard comma character)</li> <li>The presence of a header on the first line</li> </ul> <p>header management</p> <p>The parser will not extract any information from the CSV header if any ; it will just skip the first line during parsing.</p> <p></p> <p>Then, you need to create every representation, one per entity and relationship type represented in the CSV file. Click on the + button to add an empty representation in the list, and click on the chevron to expand the section and configure the representation.</p> <p>Depending on the entity type, the form contains the fields that are either required (input outlined in red) or optional. For each field, set the corresponding columns mapping (the letter-based index of the column in the CSV table, as presented in common spreadsheet tools). </p> <p>References to other entities should be picked from the list of all the other representations already defined earlier in the mapper.</p> <p>You can do the same for all the relationships between entities that might be defined in this particular CSV file structure.</p> <p></p> <p>Fields might have options besides the mandatory column index, to help extract relevant data:</p> <ul> <li>Date values are expected in ISO 8601 format, but you can set your own format to the time parser</li> <li>Multiple values can be extracted by specifying the separator used inside the cell (e.g. <code>+</code> or <code>|</code>)</li> </ul> <p>Or to set default values in case some data is missing in the imported file.</p> <p></p>"},{"location":"administration/csv-mappers/#csv-mapper-validity","title":"CSV Mapper validity","text":"<p>The only parameter required to save a CSV Mapper is a name ; creating and refining its representations can be done iteratively.</p> <p>Nonetheless, all CSV Mappers go through a quick validation that checks if all the representations have all their mandatory fields set.  Only valid mappers can be run by the users on their CSV files.</p> <p>Mapper validity is visible in the list of CSV Mappers as shown below.</p> <p></p>"},{"location":"administration/csv-mappers/#test-your-csv-mapper","title":"Test your CSV mapper","text":"<p>In the creation or edition form, hit the button Test to open a dialog. Select a sample CSV file and hit the Test button.</p> <p>The code block contains the raw result of the parsing attempt, in the form of a STIX 2.1 bundle in JSON format.</p> <p>You can then check if the extracted values match the expected entities and relationships.</p> <p></p>"},{"location":"administration/csv-mappers/#use-a-mapper-for-importing-a-csv-file","title":"Use a mapper for importing a CSV file","text":"<p>You can change the default configuration of the import csv connector in your configuration file. <pre><code>\"import_csv_built_in_connector\": {\n  \"enabled\": true, \n  \"interval\": 10000, \n  \"validate_before_import\": false\n},\n</code></pre></p> <p>In Data import section, or Data tab of an entity, when you upload a CSV, you can select a mapper to apply to the file.  The file will then be parsed following the representation rules set in the mapper.</p> <p>By default, the imported elements will be added in a new Analyst Workbench where you will be able to check the result of the import.</p>"},{"location":"administration/csv-mappers/#default-values-for-attributes","title":"Default values for attributes","text":"<p>In the case of the CSV file misses some data, you can complete it with default values. To achieve this you have two possibilities:</p> <ul> <li>Set default values in the settings of the entities,</li> <li>Set specific default values directly in the CSV mapper.</li> </ul>"},{"location":"administration/csv-mappers/#set-default-values-in-the-settings-of-the-entities","title":"Set default values in the settings of the entities","text":"<p>Default value mechanisms</p> <p>Note that adding default values in settings have an impact at entity creation globally on the platform, not only on CSV mappers. If you want to apply those default values only at CSV mapper level, please use the second option.</p> <p>In settings &gt; Customization, you can select an entity type and then set default values for its attributes.</p> <p></p> <p>In the configuration of the entity, you have access to the entity's attributes that can be managed.</p> <p>Click on the attribute to add a default value information.</p> <p></p> <p>Enter the default value in the input and save the update.</p> <p></p> <p>The value filled will be used in the case where the CSV file lacks data for this attribute.</p>"},{"location":"administration/csv-mappers/#set-specific-default-values-directly-in-the-csv-mapper","title":"Set specific default values directly in the CSV mapper","text":"<p>Information retained in case of default value</p> <p>If you fill a default value in entity settings and the CSV mapper, the one from CSV mapper will be used.</p> <p>In the mapper form, you will see next to the column index input a gear icon to add extra information for the attribute. If the attribute can have a customizable default value, then you will be able to set one here.</p> <p></p> <p>The example above shows the case of the attribute <code>architecture implementation</code> of a malware. You have some information here. First, it seems we have a default value already set in entity settings for this attribute with the value <code>[powerpc, x86]</code>. However, we want to override this value with another one for our case: <code>[alpha]</code>.</p>"},{"location":"administration/csv-mappers/#specific-case-of-marking-definitions","title":"Specific case of marking definitions","text":"<p>For marking definitions, setting a default value is different from other attributes. We are not choosing a particular marking definition to use if none is specified in the CSV file. Instead, we will choose a default policy and we have two:</p> <p></p> <ul> <li>Use the default marking definitions of the user. In this case the default marking definitions of the connected user importing the CSV file will be used,</li> <li>Let the user choose marking definitions. Here the user importing the CSV file will choose marking definitions (among the ones they can see) when selecting the CSV mapper.</li> </ul>"},{"location":"administration/csv-mappers/#additional-resources","title":"Additional resources","text":"<ul> <li>Usefulness: To additional content on entity customization, refers to the Customize entities page in the Administration section of the documentation.</li> </ul>"},{"location":"administration/decay-rules/","title":"Decay rules","text":"<p>Decay rules are used to update automatically indicators score in order to represent their lifecycle.</p>"},{"location":"administration/decay-rules/#configuration","title":"Configuration","text":"<p>Decay rules can be configured in the \"Settings &gt; Customization &gt; Decay rule\" menu.</p> <p></p> <p>There are built-in decay rules that can't be modified and are applied by default to indicators depending on their main observable type. Decay rules are applied following their order : from highest to lowest (lowest being 0).</p> <p>You can create new decay rules with higher order to apply them along with (or instead of) the built-in rules.</p> <p></p> <p>When you create a decay rule, you can specify on which indicators' main observable types it will apply. If you don't enter any, it will apply to all indicators.</p> <p>You can also add reaction points which represent the scores at which indicators are updated. For example if you add one reaction point at 60 and another one at 40, indicators that have an initial score of 80 will be updated with a score of 60, then 40, depending on the decay curve.</p> <p>The decay curve is based on two parameters : lifetime and decay factor. Decay factor represent the speed at which the score drops, and lifetime is how long (in days) it will drop until reaching 0.</p> <p>Finally, the revoke score is the score at which the indicator can be revoked automatically.</p> <p></p> <p>Once you have created a new decay rule, you will be able to view its details, along with a life curve graph showing the score evolution over time.</p> <p>You will also be able to edit your rule, change all its parameters and order, activate or deactivate it (only activated rules are applied), or delete it.</p> <p></p> <p>Indicator decay manager</p> <p>Decay rules are only applied, and indicators score updated, if indicator decay manager is enabled (enabled by default). </p> <p>Please read the dedicated page to have all information</p>"},{"location":"administration/enterprise/","title":"Enterprise edition","text":"<p>Filigran</p> <p>Filigran is providing an Enterprise Edition of the platform, whether on-premise or in the SaaS.</p>"},{"location":"administration/enterprise/#what-is-opencti-ee","title":"What is OpenCTI EE?","text":"<p>OpenCTI Enterprise Edition is based on the open core concept. This means that the source code of OCTI EE remains open source and included in the main GitHub repository of the platform but is published under a specific license. As specified in the GitHub license file:</p> <p>The OpenCTI Community Edition is licensed under the Apache License, Version 2.0 (the \u201cApache License\u201d). The OpenCTI Enterprise Edition is licensed under the OpenCTI Non-Commercial License (the \u201cNon-Commercial License\u201d). The source files in this repository have a header indicating which license they are under. If no such header is provided, this means that the file is belonging to the Community Edition under the Apache License, Version 2.0.</p> <p>We wrote a complete article to explain the enterprise edition, feel free to read it to have more information</p>"},{"location":"administration/enterprise/#ee-activation","title":"EE Activation","text":"<p>Enterprise edition is easy to activate. You need to go the platform settings and click on the Activate button.</p> <p></p> <p>Then you will need to agree to the Filigran EULA. </p> <p></p> <p>As a reminder:</p> <ul> <li>OpenCTI EE is free-to-use for development, testing and research purposes as well as for non-profit organizations.</li> <li>OpenCTI EE is included for all Filigran SaaS customers without additional fee.</li> <li>For all other usages, OpenCTI EE is reserved to organizations that have signed a Filigran Enterprise agreement.</li> </ul>"},{"location":"administration/enterprise/#available-features","title":"Available features","text":""},{"location":"administration/enterprise/#activity-monitoring","title":"Activity monitoring","text":"<p>Audit logs help you answer \"who did what, where, and when?\" within your data with the maximum level of transparency. Please read Activity monitoring page to get all information.</p>"},{"location":"administration/enterprise/#playbooks-and-automation","title":"Playbooks and automation","text":"<p>OpenCTI playbooks are flexible automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform. Please read Playbook automation page to get all information.</p>"},{"location":"administration/enterprise/#organizations-management-and-segregation","title":"Organizations management and segregation","text":"<p>Organizations segregation is a way to segregate your data considering the organization associated to the users. Useful when your platform aims to share data to multiple organizations that have access to the same OpenCTI platform. Please read Organizations RBAC to get more information.</p>"},{"location":"administration/enterprise/#full-text-indexing","title":"Full text indexing","text":"<p>Full text indexing grants improved searches across structured and unstructured data. OpenCTI classic searches are based on metadata fields (e.g. title, description, type) while advanced indexing capability  enables  searches  to  be  extended  to  the document\u2019s contents. Please read File indexing to get all information.</p>"},{"location":"administration/enterprise/#more-to-come","title":"More to come","text":"<p>More features will be available in OpenCTI in the future. Features like:</p> <ul> <li>Generative AI for correlation and content generation.</li> <li>Supervised machine learning for natural language processing.</li> </ul>"},{"location":"administration/entities/","title":"Customize entities","text":""},{"location":"administration/entities/#introduction","title":"Introduction","text":"<p>A variety of entity customization options are available to optimize data representation, workflow management, and enhance overall user experience. Whether you're fine-tuning processing statuses, configuring entities' attributes, or hiding entities, OpenCTI's customization capabilities provide the flexibility you need to create a tailored environment for your threat intelligence and cybersecurity workflows.</p> <p>The following chapter aims to provide readers with an understanding of the available customization options by entity type. Customize entities can be done in \"Settings &gt; Customization\".</p> <p></p>"},{"location":"administration/entities/#hidden-in-interface","title":"Hidden in interface","text":"<p>This configuration allows to hide a specific entity type throughout the entire platform. It provides a potent means to simplify the interface and tailor it to your domain expertise. For instance, if you have no interest in disinformation campaigns, you can conceal related entities such as Narratives and Channels from the menus.</p> <p>You can specify which entities to hide on a platform-wide basis from \"Settings &gt; Customization\" and from \"Settings &gt; Parameters\", providing you with a list of hidden entities. Furthermore, you can designate hidden entities for specific Groups and Organizations from \"Settings &gt; Security &gt; Groups/Organizations\" by editing a Group/Organization.</p> <p>An overview of hidden entity types is available in the \"Hidden entity types\" field in \"Settings &gt; Parameters.\"</p>"},{"location":"administration/entities/#automatic-references-at-file-upload","title":"Automatic references at file upload","text":"<p>This configuration enables an entity to automatically construct an external reference from the uploaded file.</p>"},{"location":"administration/entities/#enforce-references","title":"Enforce references","text":"<p>This configuration enables the requirement of a reference message on an entity creation or modification. This option is helpful if you want to keep a strong consistency and traceability of your Knowledge and is well suited for manual creation and update.</p> <p></p> <p></p>"},{"location":"administration/entities/#workflow","title":"Workflow","text":"<p>For now, OpenCTI has a simple workflow approach. They're represented by the \"Processing status\" field embedded in each object. By default, this field is disabled for most objects but can be activated through the platform settings:</p> <ol> <li>Navigate to \"Settings &gt; Customization &gt; Entity types &gt; [Desired object type].\"</li> <li>Click on the small pink pen icon next to \"Workflow\" to access the object customization window.</li> <li>Add and configure the desired statuses, defining their order within the workflow.</li> </ol> <p></p> <p>In addition, the available statuses are defined by a collection of status templates visible in \"Settings &gt; Taxonomies &gt; Status templates\". This collection can be customized.</p> <p></p>"},{"location":"administration/entities/#attributes","title":"Attributes","text":"<p>Each attribute in an Entity offers several customization options:</p> <ul> <li>It can be set as mandatory if not already defined as such in the STIX standard.</li> <li>A default value can be established to streamline entity creation through the creation forms.</li> <li>Different thresholds and their corresponding labels for scalable attributes can be defined.</li> </ul> <p></p>"},{"location":"administration/entities/#confidence-scale-configuration","title":"Confidence scale configuration","text":"<p>Confidence scale can be customized for each entity type by selecting another scale template or by editing directly the scale values. Once you have customized your scale, click on \"Update\" to save your configuration.</p> <p></p> <p>Max confidence level</p> <p>The above scale also needs to take into account the confidence level per user. To understand the concept, please navigate to this page</p>"},{"location":"administration/file-indexing/","title":"File indexing","text":""},{"location":"administration/file-indexing/#files-search-requirements","title":"Files search requirements","text":"<p>In order to search in files, we need to extract and index files text content, which requires to have one of these database configurations :</p> <ul> <li>Elasticsearch &gt;= 8.4</li> <li>Elasticsearch &lt; 8.4 with ingest-attachment plugin</li> <li>OpenSearch with ingest-attachment plugin</li> </ul>"},{"location":"administration/file-indexing/#file-indexing-configuration","title":"File indexing configuration","text":"<p>File indexing can be configured via the <code>File indexing</code> tab in the <code>Settings</code> menu.</p> <p>The configuration and impact panel shows all file types that can be indexed, as well as the volume of storage used.</p> <p>It is also possible to include or exclude files uploaded from the global Data import panel and that are not associated with a specific entity in the platform.</p> <p>Finally, it is possible to set a maximum file size for indexing (5 Mb by default).</p> <p>Currently supported content types : <code>application/pdf</code>, <code>text/plain</code>, <code>text/csv</code>, <code>text/html</code>, <code>application/vnd.ms-excel</code>, <code>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</code> (excel sheets).</p> <p></p> <p>Once indexing has been launched by pressing the <code>Start</code> button, you can follow its progress. </p> <p>You will also be able to <code>Pause</code> it and restart from the beginning by pressing <code>Reset</code> button which deletes all indexed files from the database.</p> <p>If you change the configuration while file indexing is running, you might need to reset in order to include newly impacted files.</p> <p>File indexing runs every 5 minutes to index last uploaded files.</p> <p></p>"},{"location":"administration/introduction/","title":"Introduction","text":"<p>This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threats management use cases from a technical to a more strategic level.</p>"},{"location":"administration/introduction/#administrative-settings","title":"Administrative Settings","text":"<p>The OpenCTI Administrative settings console allows administrators to configure many options dynamically within the system. As an Administrator, you can access this settings console, by clicking the settings link. </p> <p>The Settings Console allows for configuration of various aspects of the system.</p>"},{"location":"administration/introduction/#general-configuration","title":"General Configuration","text":"<ul> <li>Platform Title (Default: OpenCTI - Cyber Threat Intelligence Platform)</li> <li>Platform Favicon</li> <li>Platform General Sender email (Default: admin@opencti.io) </li> <li>Platform Default Theme (Default: Dark)</li> <li>Language (Default: Automatic Detection)</li> <li>Hidden Entity Types (Default: None)</li> </ul>"},{"location":"administration/introduction/#authentication-strategies-display","title":"Authentication Strategies Display","text":"<ul> <li>This section will show configured and enabled/disabled strategies. The configuration is done in the config/default.json file or via ENV variables detected at launch.</li> </ul>"},{"location":"administration/introduction/#platform-messages","title":"Platform Messages","text":"<ul> <li>Platform Login Message (optional) - if configured this will be displayed on the login page. This is usually used to have a welcome type message for users before login.</li> <li>Platform Consent Message (optional) - if configured this will be displayed on the login page. This is usually used to display some type of consent message for users to agree to before login. If enabled, a user must check the checkbox displayed to allow login.</li> <li>Platform Consent Confirm Text (optional) - This is displayed next to the platform consent checkbox, if Platform Consent Message is configured. Users must agree to the checkbox before the login prompt will be displayed. This message can be configured, but by default reads: I have read and comply with the above statement</li> </ul>"},{"location":"administration/introduction/#dark-theme-color-scheme","title":"Dark Theme Color Scheme","text":"<p>Various aspects of the Dark Theme can be dynamically configured in this section.</p>"},{"location":"administration/introduction/#light-theme-color-scheme","title":"Light Theme Color Scheme","text":"<p>Various aspects of the Light Theme can be dynamically configured in this section.</p>"},{"location":"administration/introduction/#tools-configuration-display","title":"Tools Configuration Display","text":"<p>This section will give general status on the various tools and enabled components of the currently configured OpenCTI deployment.</p>"},{"location":"administration/merging/","title":"Merging","text":""},{"location":"administration/merging/#data-merging","title":"Data merging","text":"<p>Within the OpenCTI platform, the merge capability is present into the \"Data &gt; Entities\" tab, and is fairly straightforward to use. To execute a merge, select the set of entities to be merged, then click on the Merge icon. NB: it is not possible to merge entities of different types, nor is it possible to merge more than 4 entities at a time (it will have to be done in several stages).</p> <p></p> <p>Central to the merging process is the selection of a main entity. This primary entity becomes the anchor, retaining crucial attributes such as name and description. Other entities, while losing specific fields like descriptions, are aliased under the primary entity. This strategic decision preserves vital data while eliminating redundancy.</p> <p></p> <p>Once the choice has been made, simply validate to run the task in the background. Depending on the number of entity relationships, and the current workload on the platform, the merge may take more or less time. In the case of a healthy platform and around a hundred relationships per entity, merge is almost instantaneous.</p>"},{"location":"administration/merging/#data-preservation-and-relationship-continuity","title":"Data preservation and relationship continuity","text":"<p>A common concern when merging entities lies in the potential loss of information. In the context of OpenCTI, this worry is alleviated. Even if the merged entities were initially created by distinct sources, the platform ensures that data is not lost. Upon merging, the platform automatically generates relationships directly on the merged entity. This strategic approach ensures that all connections, regardless of their origin, are anchored to the consolidated entity. Post-merge, OpenCTI treats these once-separate entities as a singular, unified entity. Subsequent information from varied sources is channeled directly into the entity resulting from the merger. This unified entity becomes the focal point for all future relationships, ensuring the continuity of data and relationships without any loss or fragmentation.</p>"},{"location":"administration/merging/#important-considerations","title":"Important considerations","text":"<ul> <li>Irreversible process: It's essential to know that a merge operation is irreversible. Once completed, the merged entities cannot be reverted to their original state. Consequently, careful consideration and validation are crucial before initiating the merge process.</li> <li>Loss of fields in aliased entities: Fields, such as descriptions, in aliased entities - entities that have not been chosen as the main - will be lost during the merge. Ensuring that essential information is captured in the primary entity is crucial to prevent data loss.</li> </ul>"},{"location":"administration/merging/#additional-resources","title":"Additional resources","text":"<ul> <li>Usefulness: To understand the benefits of entity merger, refer to the Merge objects page in the User Guide section of the documentation.</li> <li>Deduplication mechanism: the platform is equipped with deduplication processes that automatically merge data at creation (either manually or by importing data from different sources) if it meets certain conditions.</li> </ul>"},{"location":"administration/notifier-samples/","title":"Notifier samples","text":""},{"location":"administration/notifier-samples/#configure-teams-webhook","title":"Configure Teams webhook","text":"<p>To configure a notifier for Teams, allowing to send notifications via Teams messages, we followed the guidelines outlined in the Microsoft documentation.</p> <p></p>"},{"location":"administration/notifier-samples/#template-message-for-live-trigger","title":"Template message for live trigger","text":"<p>The Teams template message sent through webhook for a live notification is:</p> <pre><code>{\n        \"type\": \"message\",\n        \"attachments\": [\n            {\n                \"contentType\": \"application/vnd.microsoft.card.thumbnail\",\n                \"content\": {\n                    \"subtitle\": \"Operation : &lt;%=content[0].events[0].operation%&gt;\",\n                    \"text\": \"&lt;%=(new Date(notification.created)).toLocaleString()%&gt;\",\n                    \"title\": \"&lt;%=content[0].events[0].message%&gt;\",\n                    \"buttons\": [\n                        {\n                            \"type\": \"openUrl\",\n                            \"title\": \"See in OpenCTI\",\n                            \"value\": \"https://YOUR_OPENCTI_URL/dashboard/id/&lt;%=content[0].events[0].instance_id%&gt;\"\n                        }\n                    ]\n                }\n            }\n        ]\n    }\n</code></pre>"},{"location":"administration/notifier-samples/#template-message-for-digest","title":"Template message for digest","text":"<p>The Teams template message sent through webhook for a digest notification is:</p> <pre><code>{\n    \"type\": \"message\",\n    \"attachments\": [\n        {\n            \"contentType\": \"application/vnd.microsoft.card.adaptive\",\n            \"content\": {\n                \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n                \"type\": \"AdaptiveCard\",\n                \"version\": \"1.0\",\n                \"body\": [\n                    {\n                        \"type\": \"Container\",\n                        \"items\": [\n                            {\n                                \"type\": \"TextBlock\",\n                                \"text\": \"&lt;%=notification.name%&gt;\",\n                                \"weight\": \"bolder\",\n                                \"size\": \"extraLarge\"\n                            }, {\n                                \"type\": \"TextBlock\",\n                                \"text\": \"&lt;%=(new Date(notification.created)).toLocaleString()%&gt;\",\n                                \"size\": \"medium\"\n                            }\n                        ]\n                    },\n                    &lt;% for(var i=0; i&lt;content.length; i++) { %&gt;\n                    {\n                        \"type\": \"Container\",\n                        \"items\": [&lt;% for(var j=0; j&lt;content[i].events.length; j++) { %&gt;\n                            {\n                                \"type\" : \"TextBlock\",\n                                \"text\" : \"[&lt;%=content[i].events[j].message%&gt;](https://YOUR_OPENCTI_URL/dashboard/id/&lt;%=content[i].events[j].instance_id%&gt;)\"\n                            }&lt;% if(j&lt;(content[i].events.length - 1)) {%&gt;,&lt;% } %&gt;\n                        &lt;% } %&gt;]\n           }&lt;% if(i&lt;(content.length - 1)) {%&gt;,&lt;% } %&gt;\n                    &lt;% } %&gt;\n                ]\n            }\n        }\n    ],\n   \"dataString\": &lt;%-JSON.stringify(notification)%&gt;\n}\n</code></pre>"},{"location":"administration/notifiers/","title":"Custom notifiers","text":"<p>Leveraging the platform's built-in connectors, users can create custom notifiers tailored to their unique needs. OpenCTI features three built-in connectors: a webhook connector, a simple mailer connector, and a platform mailer connector. These connectors operate based on registered schemas that describe their interaction methods.</p> <p></p>"},{"location":"administration/notifiers/#built-in-notifier-connectors","title":"Built-In notifier connectors","text":""},{"location":"administration/notifiers/#platform-mailer","title":"Platform mailer","text":"<p>This notifier connector enables customization of notifications raised within the platform. It's simple to configure, requiring only:</p> <ul> <li>Title: The title for the platform notification.</li> <li>Template: Specifies the message template for the notification.</li> </ul>"},{"location":"administration/notifiers/#simple-mailer","title":"Simple mailer","text":"<p>This notifier connector offers a straightforward approach to email notifications with simplified configuration options. Users can set:</p> <ul> <li>Title: The title for the email notification.</li> <li>Header: Additional content to include at the beginning of the email.</li> <li>Footer: Additional content to include at the end of the email.</li> <li>Logo: The option to add a logo to the email.</li> <li>Background Color: Customize the background color of the email.</li> </ul> <p></p>"},{"location":"administration/notifiers/#webhook","title":"Webhook","text":"<p>This notifier connector enables users to send notifications to external applications or services through HTTP requests. Users can specify:</p> <ul> <li>Verb: Specifies the HTTP method (GET, POST, PUT, DELETE).</li> <li>URL: Defines the destination URL for the webhook.</li> <li>Template: Specifies the message template for the notification.</li> <li>Parameters and Headers: Customizable parameters and headers sent through the webhook request.</li> </ul> <p>OpenCTI provides two notifier samples by default, designed to communicate with Microsoft Teams through a webhook. A documentation page providing details on these samples is available.</p>"},{"location":"administration/notifiers/#configuration-and-access","title":"Configuration and access","text":"<p>Custom notifiers are manageable in the \"Settings &gt; Customization &gt; Notifiers\" window and can be restricted through Role-Based Access Control (RBAC). Administrators can control access, limiting usage to specific Users, Groups, or Organizations.</p> <p>For guidance on configuring notification triggers and exploring the usages of notifiers, refer to the dedicated documentation page.</p>"},{"location":"administration/ontologies/","title":"Taxonomies","text":"<p>Taxonomies in OpenCTI refer to the structured classification systems that help in organizing and categorizing cyber threat intelligence data. They play a crucial role in the platform by allowing analysts to systematically tag and retrieve information based on predefined categories and terms.</p> <p>Along with the Customization page, these pages allow the administrator to customize the platform.</p>"},{"location":"administration/ontologies/#labels","title":"Labels","text":"<p>Labels in OpenCTI serve as a powerful tool for organizing, categorizing, and prioritizing data. Here\u2019s how they can be used effectively:</p> <ol> <li>Tagging and Categorization: Labels can be used to tag malware, incidents, or indicators (IOCs) with specific categories, making it easier to filter and search through large datasets.</li> <li>Prioritization: By labeling threats based on their severity or impact, security analysts can prioritize their response efforts accordingly.</li> <li>Correlation and Analysis: Labels help in correlating different pieces of intelligence. For example, if multiple indicators are tagged with the same label, it might indicate a larger campaign or a common adversary.</li> <li>Automation and Integration: Labels can trigger automated workflows (also called playbooks) within OpenCTI. For instance, a label might automatically initiate further investigation or escalate an incident.</li> <li>Reporting and Metrics: Labels facilitate the generation of reports and metrics, allowing organizations to track trends through dashboards, measure response effectiveness, and make data-driven decisions.</li> <li>Sharing and Collaboration: When sharing intelligence with other organizations or platforms, labels provide a common language that helps in understanding the context and relevance of the shared data.</li> </ol> <p>Tip</p> <p>In order to achieve effective data labeling methods, it is recommended to establish a clear and consistent criteria for your labeling and document them in a policy or guideline.</p>"},{"location":"administration/ontologies/#kill-chain-phases","title":"Kill chain phases","text":"<p>Kill chain phases are used in OpenCTI to structure and analyze the data related to cyber threats and attacks. They describe the stages of an attack from the perspective of the attacker and provide a framework for identifying, analysing and responding to threats.</p> <p>OpenCTI supports the following kill chain models:</p> <ul> <li>Lockheed Martin Cyber Kill Chain</li> <li>MITRE ATT&amp;CK Framework (Entreprise, PRE, Mobile and ICS)</li> <li>DISARM framework</li> </ul> <p>You can add, edit, or delete kill chain phases in the settings page, and assign them to indicators, attack patterns, incidents, or courses of action in the platform. You can also filter the data by kill chain phase, and view the kill chain phases in a timeline or as a matrix.</p> <p></p>"},{"location":"administration/ontologies/#vocabularies","title":"Vocabularies","text":"<p>Open vocabularies are sets of terms and definitions that are agreed upon by the CTI community. They help to standardize the communication documentation of cyber threat information. This section allows you to customize a set of available fields by adding vocabulary. Almost all of the drop-down menus available in the entities can be modified from this panel.</p> <p>Open vocabularies in OpenCTI are mainly based on the STIX standard.</p> <p></p>"},{"location":"administration/ontologies/#status-templates","title":"Status templates","text":"<p>Status templates are predefined statuses that can be assigned to different entities in OpenCTI, such as reports, incidents, or cases (incident responses, requests for information and requests for takedown).</p> <p>They help to track the progress of the analysis and response activities by defining statuses that are used in the workflows.</p> <p></p>"},{"location":"administration/ontologies/#case-templates","title":"Case templates","text":"<p>Customizable case templates help to streamline the process of creating cases with predefined lists of tasks.</p> <p></p>"},{"location":"administration/parameters/","title":"Parameters","text":""},{"location":"administration/parameters/#description","title":"Description","text":"<p>This part of the interface wil let you configure global platform settings, like title, favicon, etc.</p> <p>It will also give you important information about the platform.</p>"},{"location":"administration/parameters/#the-configuration-section","title":"The \"Configuration\" section","text":"<p>This section allows the administrator to edit the following settings:</p> <ul> <li>Platform title</li> <li>Platform favicon URL</li> <li>Sender email address: email address displayed as sender when sending notifications. The technical sender is defined in the SMTP configuration.</li> <li>Theme</li> <li>Language</li> <li>Hidden entity types: allows you to customize which types of entities you want to see or hide in the platform. This can help you focus on the relevant information and avoid cluttering the platform with unnecessary data.</li> </ul>"},{"location":"administration/parameters/#opencti-platform","title":"OpenCTI Platform","text":"<p>This is where the Enterprise edition can be enabled.</p> <p>This section gives important information about the platform like the used version, the edition, the architecture mode (can be Standalone or Cluster) and the number used nodes.</p> <p>Through the \"Remove Filigran logos\" toggle, the administrator has the option to hide the Filigran logo on the login page and the sidebar.</p>"},{"location":"administration/parameters/#platform-announcement","title":"Platform Announcement","text":"<p>This section gives you the possibility to set and display Announcements in the platform. Those announcements will be visible to every user in the platform, on top of the interface.</p> <p>They can be used to inform some of your users or all of important information, like a scheduled downtime, an incoming upgrade, or even to share important tips regarding the usage of the platform.</p> <p>An Announcement can be accompanied by a \"Dismiss\u201d button. When clicked by a user, it makes the message disappear for this user.</p> <p></p> <p>This option can be deactivated to have a permanent announcement.</p> <p> \u26a0\ufe0f Only one announcement is shown at a time, with priority given to dismissible ones. If there are no dismissible announcements, the most recent non-dismissible one is shown.</p>"},{"location":"administration/parameters/#third-party-analytics","title":"Third-party Analytics","text":"<p>Enterprise edition</p> <p>Analytics is available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have more information</p> <p>This is where you can configure analytics providers. At the moment only Google Analytics v4 is supported.</p>"},{"location":"administration/parameters/#theme-customization","title":"Theme customization","text":"<p>In this section, the administrator can customize the two OpenCTI themes </p>"},{"location":"administration/parameters/#tools","title":"Tools","text":"<p>This section informs the administrator of the statuses of the different managers used in the Platform. More information about the managers can be found here. It shows also the used versions of the search engine database, RabbitMQ and Redis.</p> <p>In cluster mode, the fact that a manager appears as enabled means that it is active in at least one node. </p> <p></p>"},{"location":"administration/policies/","title":"Policies","text":"<p>The Policies configuration window (in \"Settings &gt; Security &gt; Policies\") encompasses essential settings that govern the organizational sharing, authentication strategies, password policies, login messages, and banner appearance within the OpenCTI platform.</p>"},{"location":"administration/policies/#platform-main-organization","title":"Platform main organization","text":"<p>Allow to set a main organization for the entire platform. Users belonging to the main organization enjoy unrestricted access to all data stored in the platform. In contrast, users affiliated with other organizations will only have visibility into data explicitly shared with them.</p> <p></p>"},{"location":"administration/policies/#authentication-strategies","title":"Authentication strategies","text":"<p>The authentication strategies section provides insights into the configured authentication methods. Additionally, an \"Enforce Two-Factor Authentication\" button is available, allowing administrators to mandate 2FA activation for users, enhancing overall account security.</p> <p>Please see the Authentication section for further details on available authentication strategies.</p> <p></p>"},{"location":"administration/policies/#local-password-policies","title":"Local password policies","text":"<p>This section encompasses a comprehensive set of parameters defining the local password policy. Administrators can specify requirements such as minimum/maximum number of characters, symbols, digits, and more to ensure robust password security across the platform. Here are all the parameters available:</p> Parameter Description <code>Number of chars must be greater than or equals to</code> Define the minimum length required for passwords. <code>Number of chars must be lower or equals to (0 equals no maximum)</code> Set an upper limit for password length. <code>Number of symbols must be greater or equals to</code> Specify the minimum number of symbols required in a password. <code>Number of digits must be greater or equals to</code> Set the minimum number of numeric characters in a password. <code>Number of words (split on hyphen, space) must be greater or equals to</code> Enforce a minimum count of words in a password. <code>Number of lowercase chars must be greater or equals to</code> Specify the minimum number of lowercase characters. <code>Number of uppercase chars must be greater or equals to</code> Specify the minimum number of uppercase characters. <p></p>"},{"location":"administration/policies/#login-messages","title":"Login messages","text":"<p>Allow to define messages on the login page to customize and highlight your platform's security policy. Three distinct messages can be customized:</p> <ul> <li>Platform login message: Appears above the login form to convey important information or announcements.</li> <li>Platform consent message: A consent message that obscures the login form until users check the approval box, ensuring informed user consent.</li> <li>Platform consent confirm text: A message accompanying the consent box, providing clarity on the consent confirmation process.</li> </ul> <p></p> <p></p>"},{"location":"administration/policies/#platform-banner-configuration","title":"Platform banner configuration","text":"<p>The platform banner configuration section allows administrators to display a custom banner message at the top and bottom of the screen. This feature enables customization for enhanced visual communication and branding within the OpenCTI platform. It can be used to add a disclaimer or system purpose.</p> <p>This configuration has two parameters:</p> <ul> <li>Platform banner level: Options defining the banner background color (Green, Red, or Yellow).</li> <li>Platform banner text: Field referencing the message to be displayed within the banner.</li> </ul> <p></p>"},{"location":"administration/reasoning/","title":"Rules engine","text":""},{"location":"administration/reasoning/#inference-rules","title":"Inference rules","text":"<p>The rules engine comprises a set of predefined rules (named inference rules) that govern how new relationships are inferred based on existing data. These rules are carefully crafted to ensure logical and accurate relationship creation. Here is the list of existing inference rules:</p>"},{"location":"administration/reasoning/#raise-incident-based-on-sighting","title":"Raise incident based on sighting","text":"Conditions Creations A non-revoked Indicator is sighted in an Entity Creation of an Incident linked to the sighted Indicator and the targeted Entity"},{"location":"administration/reasoning/#sightings-of-observables-via-observed-data","title":"Sightings of observables via observed data","text":"Conditions Creations An Indicator is based on an Observable contained in an Observed Data Creation of a sighting between the Indicator and the creating Identity of the Observed Data"},{"location":"administration/reasoning/#sightings-propagation-from-indicator","title":"Sightings propagation from indicator","text":"Conditions Creations An Indicator based on an Observable is sighted in an Entity The Observable is sighted in the Entity"},{"location":"administration/reasoning/#sightings-propagation-from-observable","title":"Sightings propagation from observable","text":"Conditions Creations An Indicator is based on an Observable sighted in an Entity The Indicator is sighted in the Entity"},{"location":"administration/reasoning/#relation-propagation-via-an-observable","title":"Relation propagation via an observable","text":"Conditions Creations An observable is related to two Entities Create a related to relationship between the two Entities"},{"location":"administration/reasoning/#attribution-propagation","title":"Attribution propagation","text":"Conditions Creations An Entity A is attributed to an Entity B and this Entity B is itself attributed to an Entity C The Entity A is attributed to Entity C"},{"location":"administration/reasoning/#belonging-propagation","title":"Belonging propagation","text":"Conditions Creations An Entity A is part of an Entity B and this Entity B is itself part of an Entity C The Entity A is part of Entity C"},{"location":"administration/reasoning/#location-propagation","title":"Location propagation","text":"Conditions Creations A Location A is located at a Location B and this Location B is itself located at a Location C The Location A is located at Location C"},{"location":"administration/reasoning/#organization-propagation-via-participation","title":"Organization propagation via participation","text":"Conditions Creations A User is affiliated with an Organization B, which is part of an Organization C The User is affiliated to the Organization C"},{"location":"administration/reasoning/#identities-propagation-in-reports","title":"Identities propagation in reports","text":"Conditions Creations A Report contains an Identity B and this Identity B is part of an Identity C The Report contains Identity C, as well as the Relationship between Identity B and Identity C"},{"location":"administration/reasoning/#locations-propagation-in-reports","title":"Locations propagation in reports","text":"Conditions Creations A Report contains a Location B and this Location B is located at a Location C The Report contains Location B, as well as the Relationship between Location B and Location C"},{"location":"administration/reasoning/#observables-propagation-in-reports","title":"Observables propagation in reports","text":"Conditions Creations A Report contains an Indicator and this Indicator is based on an Observable The Report contains the Observable, as well as the Relationship between the Indicator and the Observable"},{"location":"administration/reasoning/#usage-propagation-via-attribution","title":"Usage propagation via attribution","text":"Conditions Creations An Entity A, attributed to an Entity C, uses an Entity B The Entity C uses the Entity B"},{"location":"administration/reasoning/#inference-of-targeting-via-a-sighting","title":"Inference of targeting via a sighting","text":"Conditions Creations An Indicator, sighted at an Entity C, indicates an Entity B The Entity B targets the Entity C"},{"location":"administration/reasoning/#targeting-propagation-via-attribution","title":"Targeting propagation via attribution","text":"Conditions Creations An Entity A, attributed to an Entity C, targets an Entity B The Entity C targets the Entity B"},{"location":"administration/reasoning/#targeting-propagation-via-belonging","title":"Targeting propagation via belonging","text":"Conditions Creations An Entity A targets an Identity B, part of an Identity C The Entity A targets the Identity C"},{"location":"administration/reasoning/#targeting-propagation-via-location","title":"Targeting propagation via location","text":"Conditions Creations An Entity targets a Location B and this Location B is located at a Location C The Entity targets the Location C"},{"location":"administration/reasoning/#targeting-propagation-when-located","title":"Targeting propagation when located","text":"Conditions Creations An Entity A targets an Entity B and this target is located at Location D. The Entity A targets the Location D"},{"location":"administration/reasoning/#rule-execution","title":"Rule execution","text":""},{"location":"administration/reasoning/#rule-activation","title":"Rule activation","text":"<p>When a rule is activated, a background task is initiated. This task scans all platform data, identifying existing relationships that meet the conditions defined by the rule. Subsequently, it creates new objects (entities and/or relationships), expanding the network of insights within your threat intelligence environment. Then, activated rules operate continuously. Whenever a relationship is created or modified, and this change aligns with the conditions specified in an active rule, the reasoning mechanism is triggered. This ensures real-time relationship inference.</p>"},{"location":"administration/reasoning/#rule-deactivation","title":"Rule deactivation","text":"<p>Deactivating a rule leads to the deletion of all objects and relationships created by it. This cleanup process maintains the accuracy and reliability of your threat intelligence database.</p>"},{"location":"administration/reasoning/#access-restrictions-and-data-impact","title":"Access restrictions and data impact","text":"<p>Access to the rule engine panel is restricted to administrators only. Regular users do not have visibility into this section of the platform. Administrators possess the authority to activate or deactivate rules.</p> <p>The rules engine empowers OpenCTI with the capability to automatically establish intricate relationships within your data. However, these rules can lead to a very large number of objects created. Even if the operation is reversible, an administrator should consider the impact of activating a rule.</p>"},{"location":"administration/reasoning/#additional-resources","title":"Additional resources","text":"<ul> <li>Usefulness: To understand the benefits and results of these rules, refer to the Inferences and reasoning page in the User Guide section of the documentation.</li> <li>New inference rule: Given the potential impact of a rule on your data, users are not allowed to add new rules. However, users can submit rule suggestions via a GitHub issue for evaluation. These suggestions are carefully evaluated by our team, ensuring continuous improvement and innovation.</li> </ul>"},{"location":"administration/retentions/","title":"Retention policies","text":"<p>Retention rules serve the purpose of establishing data retention times, specifying when data should be automatically deleted from the platform. Users can define filters to target specific objects. Any object meeting these criteria that haven't been updated within the designated time frame will be deleted.</p>"},{"location":"administration/retentions/#configuration","title":"Configuration","text":"<p>Retention rules can be configured in the \"Settings &gt; Customization &gt; Retention policies\" window. A set of parameters must be configured:</p> <ul> <li>Maximum retention days: Set the maximum number of days an object can remain unchanged before being eligible for deletion.</li> <li>Filters: Define filters based on specific criteria to select the types of objects subject to retention rules.</li> </ul> <p>An object will be removed if it meets the specified filters and hasn't been updated for the duration set in the \"Maximum retention days\" field.</p> <p></p>"},{"location":"administration/retentions/#verification-process","title":"Verification process","text":"<p>Before activating a retention rule, users have the option to verify its impact using the \"Verify\" button. This action provides insight into the number of objects that currently match the rule's criteria and would be deleted if the rule is activated.</p> <p></p> <p>Verify before activation</p> <p>Always use the \"Verify\" feature to assess the potential impact of a retention rule before activating it. Once the rule is activated, data deletion will begin, and retrieval of the deleted data will not be possible.</p> <p>Retention rules contribute to maintaining a streamlined and efficient data lifecycle within OpenCTI, ensuring that outdated or irrelevant information is systematically removed from the platform, thereby optimizing disk space usage.</p>"},{"location":"administration/segregation/","title":"Data segregation","text":""},{"location":"administration/segregation/#introduction","title":"Introduction","text":"<p>Data segregation in the context of Cyber Threat Intelligence refers to the practice of categorizing and separating different types of data or information related to cybersecurity threats based on specific criteria.</p> <p>This separation helps organizations manage and analyze threat intelligence more effectively and securely and the goal of data segregation is to ensure that only those individuals who are authorized to view a particular set of data have access to that set of data.</p> <p>Practically, \"Need-to-know basis\" and \"classification level\" are data segregation measures.</p>"},{"location":"administration/segregation/#marking-definitions","title":"Marking Definitions","text":""},{"location":"administration/segregation/#description","title":"Description","text":"<p>Marking definitions are essential in the context of data segregation to ensure that data is appropriately categorized and protected based on its sensitivity or classification level. Marking definitions establish a standardized framework for classifying data.</p> <p>Marking Definition objects are unique among STIX objects in the STIX 2.1 standard in that they cannot be versioned.  This restriction is in place to prevent the possibility of indirect alterations to the markings associated with a STIX Object.</p> <p>Multiple markings can be added to the same object. Certain categories of marking definitions or trust groups may enforce rules that specify which markings take precedence over others or how some markings can be added to complement existing ones.</p> <p>In OpenCTI, data is segregated based on knowledge marking. The diagram provided below illustrates the manner in which OpenCTI establishes connections between pieces of information to authorize data access for a user:</p> <p></p>"},{"location":"administration/segregation/#traffic-light-protocol","title":"Traffic Light Protocol","text":"<p>The Traffic Light Protocol is implemented by default as marking definitions in OpenCTI. It allows you to segregate information by TLP level in your platform and restrict access to marked data if users are not authorized to see the corresponding marking.</p> <p>The Traffic Light Protocol (TLP) was designed by the Forum of Incidence Response and Security Teams (FIRST) to provide a standardized method for classifying and handling sensitive information, based on four categories of sensitivity.</p> <p>For more details, the diagram provided below illustrates how are categorized the marking definitions:</p> <p></p>"},{"location":"administration/segregation/#create-new-markings","title":"Create new markings","text":"<p>In order to create a marking, you must first have the ability to access the Settings tab. For example, a user who is in a group with the role of Administrator can bypass all capabilities or a user who is in a group with the role that has <code>Access administration</code> checked can access the Settings tab. For more details about user administration here: Users and Role Based Access Control</p> <p></p> <p>Once you have access to the settings, you can create your new marking in <code>Security</code> -&gt; <code>Marking Definitions</code></p> <p>A marking has:</p> <ul> <li>a type</li> <li>a definition</li> <li>a color</li> <li>an order</li> </ul> <p></p>"},{"location":"administration/segregation/#allowed-marking-definitions","title":"Allowed marking definitions","text":"<p>In order for all users in a group to be able to see entities and relationships that have specific markings on them, allowed markings can be checked when updating a group:</p> <p></p>"},{"location":"administration/segregation/#default-marking-definitions","title":"Default marking definitions","text":"<p>To apply a default marking when creating a new entity or relationship, you can choose which marking to add by default from the list of allowed markings. You can add only one marking per type, but you can have multiple types.</p> <p></p> <p>Be careful, add markings as default markings is not enough to see the markings when you create an entity or relationship, you need to enable default markings in an entity or relationship customization.</p> <p>For example, if you create a new report, got to <code>Settings</code> -&gt; <code>Customization</code> -&gt; <code>Report</code> -&gt; <code>Markings</code> and click on <code>Activate/Desactivate default values</code></p> <p></p>"},{"location":"administration/segregation/#authorize-a-group-to-new-marking-definition","title":"Authorize a group to new marking definition","text":"<p>To authorize a group to automatically have access to a newly created marking definition in allowed marking definitions, you can check <code>Automatically authorize this group to new marking definition</code> when update a group:</p> <p></p>"},{"location":"administration/segregation/#behavior-on-the-opencti-platform","title":"Behavior on the OpenCTI Platform","text":""},{"location":"administration/segregation/#create-a-new-entity-or-relationship","title":"Create a new entity or relationship","text":"<p>When a new entity or a new relationship is created, if multiple markings of the same type and different order are added, the platform will only keep the highest order for each type.</p> <p>For example:</p> <p>Create a new report and add markings <code>PAP:AMBER</code>,<code>PAP:RED</code>,<code>TLP:AMBER+STRICT</code>,<code>TLP:CLEAR</code> and a statement <code>CC-BY-SA-4.0 DISARM Foundation</code></p> <p></p> <p>The final markings kept are: <code>PAP:RED</code>, <code>TLP:AMBER+STRICT</code> and <code>CC-BY-SA-4.0 DISARM Foundation</code></p> <p></p>"},{"location":"administration/segregation/#update-an-entity-or-a-relationship","title":"Update an entity or a relationship","text":"<p>When update an entity or a relationship:</p> <ul> <li>add a marking with same type and different order, a pop-up will be displayed to confirm the choice</li> <li>add a marking with same type and same order, the marking will be added</li> <li>add a marking with different type, the marking will be added</li> </ul> <p></p>"},{"location":"administration/segregation/#merge-entities","title":"Merge entities","text":"<p>When you merge multiple entities, the platform will keep the highest order for each type of markings when the merge is complete:</p> <p>For example, merging 2 observables, one with <code>TLP:CLEAR</code> and <code>PAP:CLEAR</code> and the other one with <code>PAP:RED</code> and <code>TLP:GREEN</code> from 198.250.250.11 to 197.250.251.12.</p> <p></p> <p>As final result, you will have the observable with the value 197.250.251.12 with <code>PAP:RED</code> and <code>TLP:GREEN</code></p> <p></p>"},{"location":"administration/segregation/#import-data-from-a-connector","title":"Import data from a connector","text":"<p>When you import data from a connector, the connector cannot downgrade a marking for the same entity, if a same type of marking is set on it.</p> <p>For example, if you create a new observable with same values as Alien Vault data and change marking in the platform as <code>TLP:AMBER</code>, when importing data, the platform will keep the highest rank for the same type of markings.</p>"},{"location":"administration/users/","title":"Users and Role Based Access Control","text":""},{"location":"administration/users/#introduction","title":"Introduction","text":"<p>In OpenCTI, the RBAC system not only related to what users can do or cannot do in the platform (aka. <code>Capabilities</code>) but also to the system of data segregation. Also, platform behaviour such as default home dashboards, default triggers and digests as well as default hidden menus or entities can be defined across groups and organizations.</p>"},{"location":"administration/users/#high-level-design","title":"High level design","text":""},{"location":"administration/users/#roles","title":"Roles","text":"<p>Roles are used in the platform to grant the given groups with some capabilities to define what users in those groupes can do or cannot do.</p>"},{"location":"administration/users/#list-of-capabilities","title":"List of capabilities","text":"Capability Description <code>Bypass all capabilities</code> Just bypass everything including data segregation and enforcements. <code>Access knowledge</code> Access in read-only to all the knowledge in the platform. <code>Access to collaborative creation</code> Create notes and opinions (and modify its own) on entities and relations. <code>Create / Update knowledge</code> Create and update existing entities and relationships. <code>Restrict organization access</code> Share entities and relationships with other organizations. <code>Delete knowledge</code> Delete entities and relationships. <code>Upload knowledge files</code> Upload files in the <code>Data</code> and <code>Content</code> section of entities. <code>Download knowledge export</code> Download the exports generated in the entities (in the <code>Data</code> section). <code>Ask for knowledge enrichment</code> Trigger an enrichment for a given entity. <code>Access exploration</code> Access to workspaces whether custom dashboards or investigations. <code>Create / Update exploration</code> Create and update existing workspaces whether custom dashboards or investigations. <code>Delete exploration</code> Delete workspaces whether custom dashboards or investigations. <code>Access connectors</code> Read information in the <code>Data &gt; Connectors</code> section. <code>Manage connector state</code> Reset the connector state to restart ingestion from the beginning. <code>Access data sharing &amp; ingestion</code> Access and consume data such as TAXII collections. <code>Manage data sharing &amp; ingestion</code> Create, update and delete data such as TAXII collections. <code>Manage CSV mappers</code> Create, update and delete CSV mappers. <code>Access administration</code> Access and manage overall parameters of the platform in <code>Settings &gt; Parameters</code>. <code>Manage credentials</code> Access and manage roles, groups, users, organizations and security policies. <code>Manage marking definitions</code> Update and delete marking definitions. <code>Manage labels &amp; Attributes</code> Update and delete labels, custom taxonomies, workflow and case templates. <code>Connectors API usage: register, ping, export push ...</code> Connectors specific permissions for register, ping, push export files, etc. <code>Connect and consume the platform streams (/stream, /stream/live)</code> List and consume the OpenCTI live streams. <code>Bypass mandatory references if any</code> If external references enforced in a type of entity, be able to bypass the enforcement."},{"location":"administration/users/#manage-roles","title":"Manage roles","text":"<p>You can manage the roles in <code>Settings &gt; Security &gt; Roles</code>.</p> <p>To create a role, just click on the <code>+</code> button:</p> <p></p> <p>Then you will be able to define the capabilities of the role:</p> <p></p>"},{"location":"administration/users/#users","title":"Users","text":"<p>You can manage the users in <code>Settings &gt; Security &gt; Users</code>. If you are using Single-Sign-On (SSO), the users in OpenCTI are automatically created upon login.</p> <p>To create a user, just click on the <code>+</code> button:</p> <p></p>"},{"location":"administration/users/#manage-a-user","title":"Manage a user","text":"<p>When access to a user, it is possible to:</p> <ul> <li>Visualize information including the token</li> <li>Modify it, reset 2FA if necessary</li> <li>Manage its sessions</li> <li>Manage its triggers and digests</li> <li>Visualize the history and operations</li> <li>Manage its max confidence level (override the value inherited from the group)</li> </ul> <p></p> <p>In the below image, you can see how to override the value inherited from the group.</p> <p></p> <p>Mandatory max confidence level</p> <p>A user without Max confidence level won't have the ability to create, delete or update any data in our platform. Please be sure that your users are always either assigned to group that have a confidence level defined or that have an override of this group confidence level.</p>"},{"location":"administration/users/#groups","title":"Groups","text":"<p>Groups is the main vehicule to manage permissions and data segregation as well as platform customization for the given users part of this group. You can manage the groups in <code>Settings &gt; Security &gt; Groups</code>.</p> <p>Here is the description of the group available parameters.</p> Parameter Description <code>Auto new markings</code> If a new marking definition is created, this group will automatically be granted to it. <code>Default membership</code> If a new user is created (manually or upon SSO), it will be added to this group. <code>Roles</code> Roles and capabilities granted to the users belonging to this group. <code>Default dashboard</code> Customize the home dashboard for the users belonging to this group. <code>Default markings</code> In <code>Settings &gt; Customization &gt; Entity types</code>, if default marking definitions is enabled, default markings of the group is used. <code>Allowed markings</code> Grant access to the group to the defined marking definitions, more details in data segregation. <code>Triggers and digests</code> Define defaults triggers and digests for the users belonging to this group. <code>Max confidence level</code> Define the maximum confidence level for the group: it will impact the capacity to update entities, the confidence level of a newly created entity by a user of the group <p></p> <p>Max confidence level when a user has multiple groups</p> <p>A user with multiple groups will have the the highest confidence level of all its groups.  For instance, if a user is part of group A (max confidence level = 100) and group B (max confidence level = 50), then the user max confidence level will be 100.</p>"},{"location":"administration/users/#manage-a-group","title":"Manage a group","text":"<p>When managing a group, you can define the members and all above configurations.</p> <p></p> <p></p>"},{"location":"administration/users/#organizations","title":"Organizations","text":"<p>Users can belong to organizations, which is an additional layer of data segregation and customization.</p>"},{"location":"administration/users/#organization-administration","title":"Organization administration","text":"<p>Platform administrators can promote members of an organization as \"Organization administrator\". This elevated role grants them the necessary capabilities to create, edit and delete users from the corresponding Organization. Additionally, administrators have the flexibility to define a list of groups that can be granted to newly created members by the organization administrators. This feature simplifies the process of granting appropriate access and privileges to individuals joining the organization.</p> <p></p> <p>The platform administrator can promote/demote an organization admin through its user edition form.</p> <p></p> <p>The \"Organization admin\" has restricted access to Settings. They can only manage the members of the organizations for which they have been promoted as \"admins\".</p>"},{"location":"administration/audit/configuration/","title":"Configuration","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>As explained in overview page, all administration actions are listen by default.  However, all knowledge are not listened by default due to performance impact on the platform. </p> <p>For this reason you need to explicitly activate extended listening on user / group or organization.</p> <p></p> <p>Listening will start just after the configuration. Every past events will not be taken into account.</p>"},{"location":"administration/audit/events/","title":"Events","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p>"},{"location":"administration/audit/events/#description","title":"Description","text":"<p>OpenCTI activity capability is the way to unified whats really happen in the platform. In events section you will have access to the UI that will answer to \"who did what, where, and when?\" within your data with the maximum level of transparency. </p> <p></p>"},{"location":"administration/audit/events/#include-knowledge","title":"Include knowledge","text":"<p>By default, the events screen only show you the administration actions done by the users.</p> <p>If you want to see also the information about the knowledge, you can simply activate the filter in the bar to get the complete overview of all user actions.</p> <p>Don't hesitate to read again the overview page to have a better understanding of the difference between Audit, Basic/Extended knowledge.</p>"},{"location":"administration/audit/overview/","title":"Overview","text":""},{"location":"administration/audit/overview/#overview","title":"Overview","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>OpenCTI activity capability is the way to unified whats really happen in the platform. With this feature you will be able to answer \"who did what, where, and when?\" within your data with the maximum level of transparency.  Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.</p>"},{"location":"administration/audit/overview/#categories","title":"Categories","text":"<p>The activity groups 3 different concepts that need to be explained.</p>"},{"location":"administration/audit/overview/#basic-knowledge","title":"Basic knowledge","text":"<p>The basic knowledge refers to all STIX data knowledge inside OpenCTI. Every create/update/delete actions on that knowledge is accessible through the history. That basic activity is handled by the history manager and can be also found directly on each entity.</p>"},{"location":"administration/audit/overview/#extended-knowledge","title":"Extended knowledge","text":"<p>The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific user/group/organization explicitly configured.</p>"},{"location":"administration/audit/overview/#audit-knowledge","title":"Audit knowledge","text":"<p>Audit is focusing on user administration or security actions. Audit will produce console/logs files along with user interface elements.</p> <pre><code>{\n  \"auth\": \"&lt;User information&gt;\",\n  \"category\": \"AUDIT\",\n  \"level\": \"&lt;info | error&gt;\",\n  \"message\": \"&lt;human readable explanation&gt;\",\n  \"resource\": {\n    \"type\": \"&lt;authentication | mutation&gt;\",\n    \"event_scope\": \"&lt;depends on type&gt;\",\n    \"event_access\": \"&lt;administration&gt;\",\n    \"data\": \"&lt;contextual data linked to the event type&gt;\",\n    \"version\": \"&lt;version of audit log format&gt;\"\n  },\n  \"timestamp\": \"&lt;event date&gt;\",\n  \"version\": \"&lt;platform version&gt;\"\n}\n</code></pre>"},{"location":"administration/audit/overview/#architecture","title":"Architecture","text":"<p>OpenCTI uses different mechanisms to be able to publish actions (audit) or data modification (history)</p>"},{"location":"administration/audit/overview/#audit-knowledge_1","title":"Audit knowledge","text":"<p>Administration or security actions</p> <p>With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them</p> <p> Supported</p> <p> Not supported for now</p> <p> Not applicable</p>"},{"location":"administration/audit/overview/#ingestion","title":"Ingestion","text":"Create Delete Edit Remote OCTI Streams"},{"location":"administration/audit/overview/#data-sharing","title":"Data sharing","text":"Create Delete Edit CSV Feeds TAXII Feeds Stream Feeds"},{"location":"administration/audit/overview/#connectors","title":"Connectors","text":"Create Delete Edit Connectors  State reset Works"},{"location":"administration/audit/overview/#parameters","title":"Parameters","text":"Create Delete Edit Platform parameters"},{"location":"administration/audit/overview/#security","title":"Security","text":"Create Delete Edit Roles Groups Users Sessions Policies"},{"location":"administration/audit/overview/#customization","title":"Customization","text":"Create Delete Edit Entity types Rules engine Retention policies"},{"location":"administration/audit/overview/#taxonomies","title":"Taxonomies","text":"Create Delete Edit Status templates Case templates + tasks"},{"location":"administration/audit/overview/#accesses","title":"Accesses","text":"Listen Login (success or fail) Logout Unauthorized access"},{"location":"administration/audit/overview/#extended-knowledge_1","title":"Extended knowledge","text":"<p>Extended knowledge</p> <p>Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations</p>"},{"location":"administration/audit/overview/#data-management","title":"Data management","text":"<p>Some history actions are already included in the \"basic knowledge\". (basic marker) </p> Read Create Delete Edit Platform knowledge basic basic basic Background tasks Knowledge Knowledge files basic basic Global data import files Analyst workbenches files Triggers Workspaces Investigations User profile"},{"location":"administration/audit/overview/#user-actions","title":"User actions","text":"Supported Ask for file import Ask for data enrichment Ask for export generation Execute global search"},{"location":"administration/audit/triggers/","title":"Activity triggers","text":"<p>Enterprise edition</p> <p>Activity unified interface and logging are available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p>"},{"location":"administration/audit/triggers/#description","title":"Description","text":"<p>Having all the history in the user interface (events) its sometimes not enough to have a proactive monitoring. For this reason you can configure some specific triggers to receive notifications on audit events. You can configure like personal triggers, lives one that will be sent directly or digest depending on your needs. </p>"},{"location":"administration/audit/triggers/#configuration","title":"Configuration","text":"<p>In this kind of trigger you will have to configure different options: - Notification target: User interface or email - Recipients: who will receive the notification - Filters: a set of filters to get only events that really interested you. (who is responsible for this event, kind of events, ...)</p>"},{"location":"administration/audit/triggers/#event-structure","title":"Event structure","text":"<p>In order to correctly configure the filters, here's a definition of the event structure</p> <ul> <li>Event type: <code>authentication</code></li> <li> <p>Event scopes: <code>login</code> and <code>logout</code> </p> </li> <li> <p>Event type: <code>read</code></p> <ul> <li>Event scopes: <code>read</code> and <code>unauthorized</code> </li> </ul> </li> <li> <p>Event type: <code>file</code></p> <ul> <li>Event scopes: <code>read</code>, <code>create</code> and <code>delete</code></li> </ul> </li> <li> <p>Event type: <code>mutation</code></p> <ul> <li>Event scopes: <code>unauthorized</code>, <code>update</code>, <code>create</code> and <code>delete</code></li> </ul> </li> <li> <p>Event type: <code>command</code></p> <ul> <li>Event scopes: <code>search</code>, <code>enrich</code>, <code>import</code> and <code>export</code></li> </ul> </li> </ul>"},{"location":"deployment/authentication/","title":"Authentication","text":""},{"location":"deployment/authentication/#introduction","title":"Introduction","text":"<p>OpenCTI supports several authentication providers. If you configure multiple strategies, they will be tested in the order you declared them.</p> <p>Activation</p> <p>You need to configure/activate only the strategy that you really want to propose to your users in term of authentication</p> <p>The product proposes two kinds of authentication strategies:</p> <ul> <li>Form (asking user for a user/password)</li> <li>Buttons (click with authentication on an external system)</li> </ul>"},{"location":"deployment/authentication/#supported-strategies","title":"Supported Strategies","text":"<p>Under the hood we technically use the strategies provided by PassportJS. We integrate a subset of the strategies available with passport. If you need more, we can integrate other strategies.</p>"},{"location":"deployment/authentication/#local-users-form","title":"Local users (form)","text":"<p>This strategy uses the OpenCTI database as a user management.</p> <p>OpenCTI use this strategy as the default but its not the one we recommend for security reasons.</p> <pre><code>\"local\": {\n    \"strategy\": \"LocalStrategy\",\n    \"config\": {\n        \"disabled\": false\n    }\n}\n</code></pre> <p>Production deployment</p> <p>Please use the LDAP/Auth0/OpenID/SAML strategy for production deployment.</p>"},{"location":"deployment/authentication/#ldap-form","title":"LDAP (form)","text":"<p>This strategy can be used to authenticate your user with your company LDAP and is based on Passport - LDAPAuth.</p> <pre><code>\"ldap\": {\n    \"strategy\": \"LdapStrategy\",\n    \"config\": {\n        \"url\": \"ldaps://mydc.domain.com:686\",\n        \"bind_dn\": \"cn=Administrator,cn=Users,dc=mydomain,dc=com\",\n        \"bind_credentials\": \"MY_STRONG_PASSWORD\",\n        \"search_base\": \"cn=Users,dc=mydomain,dc=com\",\n        \"search_filter\": \"(cn={{username}})\",\n        \"mail_attribute\": \"mail\",\n        // \"account_attribute\": \"givenName\",\n        // \"firstname_attribute\": \"cn\",\n        // \"lastname_attribute\": \"cn\",\n        \"account_attrgroup_search_filteribute\": \"givenName\",\n        \"allow_self_signed\": true\n    }\n}\n</code></pre> <p>If you would like to use LDAP groups to automatically associate LDAP groups and OpenCTI groups/organizations:</p> <pre><code>\"ldap\": {\n    \"config\": {\n        ...\n        \"group_search_base\": \"cn=Groups,dc=mydomain,dc=com\",\n        \"group_search_filter\": \"(member={{dn}})\",\n        \"groups_management\": { // To map LDAP Groups to OpenCTI Groups\n            \"group_attribute\": \"cn\",\n            \"groups_mapping\": [\"LDAP_Group_1:OpenCTI_Group_1\", \"LDAP_Group_2:OpenCTI_Group_2\", ...]\n        },\n        \"organizations_management\": { // To map LDAP Groups to OpenCTI Organizations\n            \"organizations_path\": \"cn\",\n            \"organizations_mapping\": [\"LDAP_Group_1:OpenCTI_Organization_1\", \"LDAP_Group_2:OpenCTI_Organization_2\", ...]\n        }\n    }\n}\n</code></pre>"},{"location":"deployment/authentication/#saml-button","title":"SAML (button)","text":"<p>This strategy can be used to authenticate your user with your company SAML and is based on Passport - SAML.</p> <pre><code>\"saml\": {\n    \"identifier\": \"saml\",\n    \"strategy\": \"SamlStrategy\",\n    \"config\": {\n        \"issuer\": \"mytestsaml\",\n        // \"account_attribute\": \"nameID\",\n        // \"firstname_attribute\": \"nameID\",\n        // \"lastname_attribute\": \"nameID\",\n        \"entry_point\": \"https://auth.mydomain.com/auth/realms/mydomain/protocol/saml\",\n        \"saml_callback_url\": \"http://localhost:4000/auth/saml/callback\",\n        // \"private_key\": \"MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...\",\n        \"cert\": \"MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...\",\n        \"logout_remote\": false\n    }\n}\n</code></pre> <p>For the SAML strategy to work:</p> <ul> <li>The <code>cert</code> parameter is mandatory (PEM format) because it is used to validate the SAML response.</li> <li>The <code>private_key</code> (PEM format) is optional and is only required if you want to sign the SAML client request.</li> </ul> <p>Certificates</p> <p>Be careful to put the <code>cert</code> / <code>private_key</code>  key in PEM format. Indeed, a lot of systems generally export the keys in X509 / PCKS12 formats and so you will need to convert them.  Here is an example to extract PEM from PCKS12: <pre><code>openssl pkcs12 -in keystore.p12 -out newfile.pem -nodes\n</code></pre></p> <p>Here is an example of SAML configuration using environment variables:</p> <pre><code>- PROVIDERS__SAML__STRATEGY=SamlStrategy \n- \"PROVIDERS__SAML__CONFIG__LABEL=Login with SAML\"\n- PROVIDERS__SAML__CONFIG__ISSUER=mydomain\n- PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://auth.mydomain.com/auth/realms/mydomain/protocol/saml\n- PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=http://opencti.mydomain.com/auth/saml/callback\n- PROVIDERS__SAML__CONFIG__CERT=MIICmzCCAYMCBgF3Rt3X1zANBgkqhkiG9w0BAQsFADARMQ8w\n- PROVIDERS__SAML__CONFIG__LOGOUT_REMOTE=false\n</code></pre> <p>OpenCTI supports mapping SAML Roles/Groups on OpenCTI Groups. Here is an example:</p> <pre><code>\"saml\": {\n    \"config\": {\n        ...,\n        // Groups mapping\n        \"groups_management\": { // To map SAML Groups to OpenCTI Groups\n            \"group_attributes\": [\"Group\"],\n            \"groups_mapping\": [\"SAML_Group_1:OpenCTI_Group_1\", \"SAML_Group_2:OpenCTI_Group_2\", ...]\n        },\n        \"groups_management\": { // To map SAML Roles to OpenCTI Groups\n            \"group_attributes\": [\"Role\"],\n            \"groups_mapping\": [\"SAML_Role_1:OpenCTI_Group_1\", \"SAML_Role_2:OpenCTI_Group_2\", ...]\n        },\n        // Organizations mapping\n        \"organizations_management\": { // To map SAML Groups to OpenCTI Organizations\n            \"organizations_path\": [\"Group\"],\n            \"organizations_mapping\": [\"SAML_Group_1:OpenCTI_Organization_1\", \"SAML_Group_2:OpenCTI_Organization_2\", ...]\n        },\n        \"organizations_management\": { // To map SAML Roles to OpenCTI Organizations\n            \"organizations_path\": [\"Role\"],\n            \"organizations_mapping\": [\"SAML_Role_1:OpenCTI_Organization_1\", \"SAML_Role_2:OpenCTI_Organization_2\", ...]\n        }\n    }\n}\n</code></pre> <p>Here is an example of SAML Groups mapping configuration using environment variables:</p> <pre><code>- \"PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUP_ATTRIBUTES=[\\\"Group\\\"]\"\n- \"PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\\\"SAML_Group_1:OpenCTI_Group_1\\\", \\\"SAML_Group_2:OpenCTI_Group_2\\\", ...]\"\n</code></pre>"},{"location":"deployment/authentication/#auth0-button","title":"Auth0 (button)","text":"<p>This strategy allows to use Auth0 Service to handle the authentication and is based on Passport - Auth0.</p> <pre><code>\"authzero\": {\n    \"identifier\": \"auth0\",\n    \"strategy\": \"Auth0Strategy\",\n    \"config\": {\n        \"clientID\": \"XXXXXXXXXXXXXXXXXX\",\n        \"baseURL\": \"https://opencti.mydomain.com\",\n        \"clientSecret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/auth0/callback\",\n        \"domain\": \"mycompany.eu.auth0.com\",\n        \"audience\": \"XXXXXXXXXXXXXXX\",\n        \"scope\": \"openid email profile XXXXXXXXXXXXXXX\",\n        \"logout_remote\": false\n    }\n}\n</code></pre> <p>Here is an example of Auth0 configuration using environment variables:</p> <pre><code>- PROVIDERS__AUTHZERO__STRATEGY=Auth0Strategy\n- PROVIDERS__AUTHZERO__CONFIG__CLIENT_ID=${AUTH0_CLIENT_ID}\n- PROVIDERS__AUTHZERO__CONFIG__BASEURL=${AUTH0_BASE_URL}\n- PROVIDERS__AUTHZERO__CONFIG__CLIENT_SECRET=${AUTH0_CLIENT_SECRET}\n- PROVIDERS__AUTHZERO__CONFIG__CALLBACK_URL=${AUTH0_CALLBACK_URL}\n- PROVIDERS__AUTHZERO__CONFIG__DOMAIN=${AUTH0_DOMAIN}\n- \"PROVIDERS__AUTHZERO__CONFIG__SCOPE=openid email profile\"\n- PROVIDERS__AUTHZERO__CONFIG__LOGOUT_REMOTE=false\n</code></pre>"},{"location":"deployment/authentication/#openid-connect-button","title":"OpenID Connect (button)","text":"<p>This strategy allows to use the OpenID Connect Protocol to handle the authentication and is based on Node OpenID Client which is more powerful than the passport one.</p> <pre><code>\"oic\": {\n    \"identifier\": \"oic\",\n    \"strategy\": \"OpenIDConnectStrategy\",\n    \"config\": {\n        \"label\": \"Login with OpenID\",\n        \"issuer\": \"https://auth.mydomain.com/auth/realms/mydomain\",\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"redirect_uris\": [\"https://opencti.mydomain.com/auth/oic/callback\"],\n        \"logout_remote\": false\n    }\n}\n</code></pre> <p>Here is an example of OpenID configuration using environment variables:</p> <pre><code>- PROVIDERS__OPENID__STRATEGY=OpenIDConnectStrategy \n- \"PROVIDERS__OPENID__CONFIG__LABEL=Login with OpenID\"\n- PROVIDERS__OPENID__CONFIG__ISSUER=https://auth.mydomain.com/auth/realms/xxxx\n- PROVIDERS__OPENID__CONFIG__CLIENT_ID=XXXXXXXXXXXXXXXXXX\n- PROVIDERS__OPENID__CONFIG__CLIENT_SECRET=XXXXXXXXXXXXXXXXXX\n- \"PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\\\"https://opencti.mydomain.com/auth/oic/callback\\\"]\"\n- PROVIDERS__OPENID__CONFIG__LOGOUT_REMOTE=false\n</code></pre> <p>OpenCTI support mapping OpenID Claims on OpenCTI Groups (everything is tied to a group in the platform). Here is an example:</p> <pre><code>\"oic\": {\n    \"config\": {\n        ...,\n        // Groups mapping\n        \"groups_management\": { // To map OpenID Claims to OpenCTI Groups\n            \"groups_scope\": \"groups\",\n            \"groups_path\": [\"groups\", \"realm_access.groups\", \"resource_access.account.groups\"],\n            \"groups_mapping\": [\"OpenID_Group_1:OpenCTI_Group_1\", \"OpenID_Group_2:OpenCTI_Group_2\", ...]\n        },\n        // Organizations mapping  \n        \"organizations_management\": { // To map OpenID Claims to OpenCTI Organizations\n            \"organizations_scope\": \"groups\",\n            \"organizations_path\": [\"groups\", \"realm_access.groups\", \"resource_access.account.groups\"],\n            \"organizations_mapping\": [\"OpenID_Group_1:OpenCTI_Group_1\", \"OpenID_Group_2:OpenCTI_Group_2\", ...]\n        },\n    }\n}\n</code></pre> <p>Here is an example of OpenID Groups mapping configuration using environment variables:</p> <pre><code>- PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_SCOPE=groups\n- \"PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_PATH=[\\\"groups\\\", \\\"realm_access.groups\\\", \\\"resource_access.account.groups\\\"]\"\n- \"PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\\\"OpenID_Group_1:OpenCTI_Group_1\\\", \\\"OpenID_Group_2:OpenCTI_Group_2\\\", ...]\"\n</code></pre> <p>By default, the claims are mapped based on the content of the JWT <code>access_token</code>. If you want to map claims which are in other JWT (such as <code>id_token</code>), you can define the following environment variables:</p> <pre><code>- PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__TOKEN_REFERENCE=id_token\n- PROVIDERS__OPENID__CONFIG__ORGANISATIONS_MANAGEMENT__TOKEN_REFERENCE=id_token\n</code></pre> <p>Alternatively, you can request OpenCTI to use claims from the <code>userinfo</code> endpoint instead of a JWT. <pre><code>- PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__READ_USERINFO=true\n- PROVIDERS__OPENID__CONFIG__ORGANISATIONS_MANAGEMENT__READ_USERINFO=true\n</code></pre></p>"},{"location":"deployment/authentication/#facebook-button","title":"Facebook (button)","text":"<p>This strategy can authenticate your users with Facebook and is based on Passport - Facebook</p> <pre><code>\"facebook\": {\n    \"identifier\": \"facebook\",\n    \"strategy\": \"FacebookStrategy\",\n    \"config\": {\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/facebook/callback\",\n        \"logout_remote\": false\n    }\n}\n</code></pre>"},{"location":"deployment/authentication/#google-button","title":"Google (button)","text":"<p>This strategy can authenticate your users with Google and is based on Passport - Google</p> <pre><code>\"google\": {\n    \"identifier\": \"google\",\n    \"strategy\": \"GoogleStrategy\",\n    \"config\": {\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/google/callback\",\n        \"logout_remote\": false\n    }\n}\n</code></pre>"},{"location":"deployment/authentication/#github-button","title":"GitHub (button)","text":"<p>This strategy can authenticate your users with GitHub and is based on Passport - GitHub</p> <pre><code>\"github\": {\n    \"identifier\": \"github\",\n    \"strategy\": \"GithubStrategy\",\n    \"config\": {\n        \"client_id\": \"XXXXXXXXXXXXXXXXXX\",\n        \"client_secret\": \"XXXXXXXXXXXXXXXXXX\",\n        \"callback_url\": \"https://opencti.mydomain.com/auth/github/callback\",\n        \"logout_remote\": false\n  }\n}\n</code></pre>"},{"location":"deployment/authentication/#client-certificate-button","title":"Client certificate (button)","text":"<p>This strategy can authenticate a user based on SSL client certificates. For this you need to configure your OCTI to start in HTTPS, for example:</p> <pre><code>\"port\": 443,\n\"https_cert\": {\n    \"key\": \"/cert/server_key.pem\",\n    \"crt\": \"/cert/server_cert.pem\",\n    \"reject_unauthorized\": true\n}\n</code></pre> <p>And then add the <code>ClientCertStrategy</code>:</p> <pre><code>\"cert\": {\n    \"strategy\":\"ClientCertStrategy\",\n    \"config\": {\n        \"label\":\"CLIENT CERT\"\n    }\n}\n</code></pre> <p>Then when accessing for the first time OCTI, the browser will ask for the certificate you want to use.</p>"},{"location":"deployment/authentication/#proxy-headers-automatic","title":"Proxy headers (automatic)","text":"<p>This strategy can authenticate your users with directly from trusted headers</p> <pre><code>{\n  \"header\": {\n    \"strategy\": \"HeaderStrategy\",\n    \"config\": {\n      \"disabled\": false,\n      \"header_email\": \"auth_email_address\",\n      \"header_name\": \"auth_name\",\n      \"header_firstname\": \"auth_firstname\",\n      \"header_lastname\": \"auth_lastname\",\n      \"logout_uri\": \"https://www.filigran.io\",\n      \"groups_management\": {\n        \"groups_header\": \"auth_groups\",\n        \"groups_splitter\": \",\",\n        \"groups_mapping\": [\"admin:admin\", \"root:root\"]\n      },\n      \"organizations_management\": {\n        \"organizations_header\": \"auth_institution\",\n        \"organizations_splitter\": \",\",\n        \"organizations_mapping\": [\"test:test\"]\n      }\n    }\n  }\n}\n</code></pre> <p>If this mode is activated and the headers are available the user will be automatically logged without any action or notice. The logout uri will remove the session and redirect the configured uri. If not specified the redirect will be done to the request referer and so the header authentication will be done again.</p>"},{"location":"deployment/authentication/#automatically-create-group-on-sso","title":"Automatically create group on SSO","text":"<p>The variable auto_create_group can be added in the options of some strategies (LDAP, SAML and OpenID). If this variable is true, the groups of a user that logins will automatically be created if they don\u2019t exist.</p> <p>More precisely, if the user that tries to authenticate has groups that don\u2019t exist in OpenCTI but exist in the SSO configuration, there are two cases:</p> <ul> <li>if auto_create_group= true in the SSO configuration: the groups are created at the platform initialization and the user will be mapped on them.</li> <li>else: an error is raised.</li> </ul>"},{"location":"deployment/authentication/#example","title":"Example","text":"<p>We assum that Group1 exists in the platform, and newGroup doesn\u2019t exist. The user that tries to log in has the group newGroup. If auto_create_group = true in the SSO configuration, the group named newGroup will be created at the platform initialization and the user will be mapped on it. If auto_create_group = false or is undefined, the user can\u2019t login and an error is raised.</p> <pre><code>\"groups_management\": {\n  \"group_attribute\": \"cn\",\n  \"groups_mapping\": [\"SSO_GROUP_NAME1:group1\", \"SSO_GROUP_NAME_2:newGroup\", ...]\n},\n\"auto_create_group\": true\n</code></pre>"},{"location":"deployment/authentication/#examples","title":"Examples","text":""},{"location":"deployment/authentication/#ldap-then-fallback-to-local","title":"LDAP then fallback to local","text":"<p>In this example the users have a login form and need to enter login and password. The authentication is done on LDAP first, then locally if user failed to authenticate and finally fail if none of them succeded. Here is an example for the <code>production.json</code> file:</p> <pre><code>\"providers\": {\n    \"ldap\": {\n        \"strategy\": \"LdapStrategy\",\n        \"config\": {\n            \"url\": \"ldaps://mydc.mydomain.com:636\",\n            \"bind_dn\": \"cn=Administrator,cn=Users,dc=mydomain,dc=com\",\n            \"bind_credentials\": \"MY_STRONG_PASSWORD\",\n            \"search_base\": \"cn=Users,dc=mydomain,dc=com\",\n            \"search_filter\": \"(cn={{username}})\",\n            \"mail_attribute\": \"mail\",\n            \"account_attribute\": \"givenName\"\n        }\n    },\n    \"local\": {\n        \"strategy\": \"LocalStrategy\",\n        \"config\": {\n            \"disabled\": false\n        }\n    }\n}\n</code></pre> <p>If you use a container deployment, here is an example using environment variables:</p> <pre><code>- PROVIDERS__LDAP__STRATEGY=LdapStrategy\n- PROVIDERS__LDAP__CONFIG__URL=ldaps://mydc.mydomain.org:636\n- PROVIDERS__LDAP__CONFIG__BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=com\n- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=XXXXXXXXXX\n- PROVIDERS__LDAP__CONFIG__SEARCH_BASE=cn=Users,dc=mydomain,dc=com\n- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER=(cn={{username}})\n- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail\n- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=givenName\n- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true\n- PROVIDERS__LOCAL__STRATEGY=LocalStrategy\n</code></pre>"},{"location":"deployment/clustering/","title":"Clustering","text":""},{"location":"deployment/clustering/#introduction","title":"Introduction","text":"<p>The OpenCTI platform technological stack has been designed to be able to scale horizontally. All dependencies such as Elastic or Redis can be deployed in cluster mode and performances can be drastically increased by deploying multiple platform and worker instances.</p>"},{"location":"deployment/clustering/#high-level-architecture","title":"High level architecture","text":"<p>Here is the high level architecture for customers and Filigran cloud platform to ensure both high availability and throughput.</p> <p></p>"},{"location":"deployment/clustering/#configuration","title":"Configuration","text":""},{"location":"deployment/clustering/#dependencies","title":"Dependencies","text":""},{"location":"deployment/clustering/#elasticsearch","title":"ElasticSearch","text":"<p>In the ElasticSearch configuration of OpenCTI, it is possible to declare all nodes.</p> <pre><code>- \"ELASTICSEARCH__URL=[\\\"https://user:pass@node1:9200\\\", \\\"https://user:pass@node2:9200\\\", ...]\"\n</code></pre> <p>Compatibility</p> <p>OpenCTI is also compatible with OpenSearch and AWS / GCP / Azure native search services based on the ElasticSearch query language.</p>"},{"location":"deployment/clustering/#redis","title":"Redis","text":"<p>Redis should be turned to cluster mode:</p> <pre><code>- REDIS__MODE=cluster\n- \"REDIS__HOSTNAMES=[\\\"node1:6379\\\", \\\"node2:6379\\\", ...]\"\n</code></pre> <p>Compatibility</p> <p>OpenCTI is also compatible with ElastiCache, MemoryStore and AWS / GCP / Azure native services based on the Redis protocol.</p>"},{"location":"deployment/clustering/#rabbitmq","title":"RabbitMQ","text":"<p>For the RabbitMQ cluster, you will need a TCP load balancer on top of the nodes since the configuration does not support multi-nodes for now:</p> <pre><code>- RABBITMQ__HOSTNAME=load-balancer-rabbitmq\n</code></pre> <p>Compatibility</p> <p>OpenCTI is also compatible with Amazon MQ, CloudAMQP and AWS / GCP / Azure native services based on the AMQP protocol.</p>"},{"location":"deployment/clustering/#s3-bucket-minio","title":"S3 bucket / MinIO","text":"<p>MinIO is an open source server able to serve S3 buckets. It can be deployed in cluster mode and is compatible with several storage backend. OpenCTI is compatible with any tool following the S3 standard.</p>"},{"location":"deployment/clustering/#platform","title":"Platform","text":"<p>As showed on the schema, best practices for cluster mode and to avoid any congestion in the technological stack are:</p> <ul> <li>Deploy platform(s) dedicated to end users and connectors registration</li> <li>Deploy platform(s) dedicated to workers / ingestion process<ul> <li>We recommend 3 to 4 workers maxiumum by OpenCTI instance.</li> <li>The ingestion platforms will never be accessed directly by end users.</li> </ul> </li> </ul> <p>When enabling clustering, the number of nodes is displayed in Settings &gt; Parameters.</p> <p></p>"},{"location":"deployment/clustering/#managers-and-schedulers","title":"Managers and schedulers","text":"<p>Also, since some managers like the rule engine, the task manager and the notification manager can take some resources in the OpenCTI NodeJS process, it is highly recommended to disable them in the frontend cluster. OpenCTI automatically handle the distribution and the launching of the engines across all nodes in the cluster except where they are explicitely disabled in the configuration.</p>"},{"location":"deployment/configuration/","title":"Configuration","text":"<p>The purpose of this section is to learn how to configure OpenCTI to have it tailored for your production and development needs. It is possible to check all default parameters implemented in the platform in the <code>default.json</code> file.</p> <p>Here are the configuration keys, for both containers (environment variables) and manual deployment.</p> <p>Parameters equivalence</p> <p>The equivalent of a config variable in environment variables is the usage of a double underscores (<code>__</code>) for a level of config.</p> <p>For example: <pre><code>\"providers\": {\n  \"ldap\": {\n    \"strategy\": \"LdapStrategy\"\n  }\n}\n</code></pre></p> <p>will become: <pre><code>PROVIDERS__LDAP__STRATEGY=LdapStrategy\n</code></pre></p> <p>If you need to put a list of elements for the key, it must have a special formatting. Here is an example for redirect URIs for OpenID config: <pre><code>\"PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\\\"https://demo.opencti.io/auth/oic/callback\\\"]\"\n</code></pre></p>"},{"location":"deployment/configuration/#platform","title":"Platform","text":""},{"location":"deployment/configuration/#api-frontend","title":"API &amp; Frontend","text":""},{"location":"deployment/configuration/#basic-parameters","title":"Basic parameters","text":"Parameter Environment variable Default value Description app:port APP__PORT 4000 Listen port of the application app:base_path APP__BASE_PATH Specific URI (ie. /opencti) app:base_url APP__BASE_URL http://localhost:4000 Full URL of the platform (should include the <code>base_path</code> if any) app:request_timeout APP__REQUEST_TIMEOUT 1200000 Request timeout, in ms (default 20 minutes) app:session_timeout APP__SESSION_TIMEOUT 1200000 Session timeout, in ms (default 20 minutes) app:session_idle_timeout APP__SESSION_IDLE_TIMEOUT 0 Idle timeout (locking the screen), in ms (default 0 minute - disabled) app:session_cookie APP__SESSION_COOKIE false Use memory/session cookie instead of persistent one app:admin:email APP__ADMIN__EMAIL admin@opencti.io Default login email of the admin user app:admin:password APP__ADMIN__PASSWORD ChangeMe Default password of the admin user app:admin:token APP__ADMIN__TOKEN ChangeMe Default token (must be a valid UUIDv4) app:health_access_key APP__HEALTH_ACCESS_KEY ChangeMe Access key that enables access to the <code>/health</code> endpoint. Must be changed - will not respond to default value. Access with <code>/health?health_access_key=ChangeMe</code>"},{"location":"deployment/configuration/#network-and-security","title":"Network and security","text":"Parameter Environment variable Default value Description http_proxy HTTP_PROXY Proxy URL for HTTP connection (example: http://proxy:80080) https_proxy HTTPS_PROXY Proxy URL for HTTPS connection (example: http://proxy:80080) no_proxy NO_PROXY Comma separated list of hostnames for proxy exception (example: localhost,127.0.0.0/8,internal.opencti.io) app:https_cert:cookie_secure APP__HTTPS_CERT__COOKIE_SECURE false Set the flag \"secure\" for session cookies. app:https_cert:ca APP__HTTPS_CERT__CA Empty list [] Certificate authority paths or content, only if the client uses a self-signed certificate. app:https_cert:key APP__HTTPS_CERT__KEY Certificate key path or content app:https_cert:crt APP__HTTPS_CERT__CRT Certificate crt path or content app:https_cert:reject_unauthorized APP__HTTPS_CERT__REJECT_UNAUTHORIZED If not false, the server certificate is verified against the list of supplied CAs"},{"location":"deployment/configuration/#logging","title":"Logging","text":""},{"location":"deployment/configuration/#errors","title":"Errors","text":"Parameter Environment variable Default value Description app:app_logs:logs_level APP__APP_LOGS__LOGS_LEVEL info The application log level app:app_logs:logs_files APP__APP_LOGS__LOGS_FILES <code>true</code> If application logs is logged into files app:app_logs:logs_console APP__APP_LOGS__LOGS_CONSOLE <code>true</code> If application logs is logged to console (useful for containers) app:app_logs:logs_max_files APP__APP_LOGS__LOGS_MAX_FILES 7 Maximum number of daily files in logs app:app_logs:logs_directory APP__APP_LOGS__LOGS_DIRECTORY ./logs File logs directory"},{"location":"deployment/configuration/#audit","title":"Audit","text":"Parameter Environment variable Default value Description app:audit_logs:logs_files APP__AUDIT_LOGS__LOGS_FILES <code>true</code> If audit logs is logged into files app:audit_logs:logs_console APP__AUDIT_LOGS__LOGS_CONSOLE <code>true</code> If audit logs is logged to console (useful for containers) app:audit_logs:logs_max_files APP__AUDIT_LOGS__LOGS_MAX_FILES 7 Maximum number of daily files in logs app:audit_logs:logs_directory APP__AUDIT_LOGS__LOGS_DIRECTORY ./logs Audit logs directory"},{"location":"deployment/configuration/#telemetry","title":"Telemetry","text":"Parameter Environment variable Default value Description app:telemetry:metrics:enabled APP__TELEMETRY__METRICS__ENABLED <code>false</code> Enable the metrics collection. app:telemetry:metrics:exporter_otlp APP__TELEMETRY__METRICS__EXPORTER_OTLP Port to expose the OTLP endpoint. app:telemetry:metrics:exporter_prometheus APP__TELEMETRY__METRICS__EXPORTER_PROMETHEUS 14269 Port to expose the Prometheus endpoint. app:health_access_key APP__HEALTH_ACCESS_KEY ChangeMe Access key for the <code>/health</code> endpoint."},{"location":"deployment/configuration/#maps-references","title":"Maps &amp; references","text":"Parameter Environment variable Default value Description app:map_tile_server_dark APP__MAP_TILE_SERVER_DARK https://map.opencti.io/styles/luatix-dark/{z}/{x}/{y}.png The address of the OpenStreetMap provider with dark theme style app:map_tile_server_light APP__MAP_TILE_SERVER_LIGHT https://map.opencti.io/styles/luatix-light/{z}/{x}/{y}.png The address of the OpenStreetMap provider with light theme style app:reference_attachment APP__REFERENCE_ATTACHMENT <code>false</code> External reference mandatory attachment"},{"location":"deployment/configuration/#functional-customization","title":"Functional customization","text":"Parameter Environment variable Default value Description relations_deduplication:past_days RELATIONS_DEDUPLICATION__PAST_DAYS 30 De-duplicate relations based on <code>start_time</code> and <code>stop_time</code> - n days relations_deduplication:next_days RELATIONS_DEDUPLICATION__NEXT_DAYS 30 De-duplicate relations based on <code>start_time</code> and <code>stop_time</code> + n days relations_deduplication:created_by_based RELATIONS_DEDUPLICATION__CREATED_BY_BASED <code>false</code> Take into account the author to duplicate even if <code>stat_time</code> / <code>stop_time</code> are matching relations_deduplication:types_overrides:relationship_type:past_days RELATIONS_DEDUPLICATION__RELATIONSHIP_TYPE__PAST_DAYS Override the past days for a specific type of relationship (ex. targets) relations_deduplication:types_overrides:relationship_type:next_days RELATIONS_DEDUPLICATION__RELATIONSHIP_TYPE__NEXT_DAYS Override the next days for a specific type of relationship (ex. targets) relations_deduplication:types_overrides:relationship_type:created_by_based RELATIONS_DEDUPLICATION__RELATIONSHIP_TYPE__CREATED_BY_BASED Override the author duplication for a specific type of relationship (ex. targets) Parameter Environment variable Default value Description app:graphql:playground:enabled APP__GRAPHQL__PLAYGROUND__ENABLED <code>true</code> Enable the playground on /graphql app:graphql:playground:force_disabled_introspection APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION <code>false</code> Introspection is allowed to auth users but can be disabled in needed app:concurrency:retry_count APP__CONCURRENCY__RETRY_COUNT 200 Number of try to get the lock to work an element (create/update/merge, ...) app:concurrency:retry_delay APP__CONCURRENCY__RETRY_DELAY 100 Delay between 2 lock retry (in milliseconds) app:concurrency:retry_jitter APP__CONCURRENCY__RETRY_JITTER 50 Random jitter to prevent concurrent retry  (in milliseconds) app:concurrency:max_ttl APP__CONCURRENCY__MAX_TTL 30000 Global maximum time for lock retry (in milliseconds)"},{"location":"deployment/configuration/#technical-customization","title":"Technical customization","text":"Parameter Environment variable Default value Description app:graphql:playground:enabled APP__GRAPHQL__PLAYGROUND__ENABLED <code>true</code> Enable the playground on /graphql app:graphql:playground:force_disabled_introspection APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION <code>false</code> Introspection is allowed to auth users but can be disabled in needed app:concurrency:retry_count APP__CONCURRENCY__RETRY_COUNT 200 Number of try to get the lock to work an element (create/update/merge, ...) app:concurrency:retry_delay APP__CONCURRENCY__RETRY_DELAY 100 Delay between 2 lock retry (in milliseconds) app:concurrency:retry_jitter APP__CONCURRENCY__RETRY_JITTER 50 Random jitter to prevent concurrent retry  (in milliseconds) app:concurrency:max_ttl APP__CONCURRENCY__MAX_TTL 30000 Global maximum time for lock retry (in milliseconds)"},{"location":"deployment/configuration/#dependencies","title":"Dependencies","text":""},{"location":"deployment/configuration/#elasticsearch","title":"ElasticSearch","text":"Parameter Environment variable Default value Description elasticsearch:engine_selector ELASTICSEARCH__ENGINE_SELECTOR auto <code>elk</code> or <code>opensearch</code>, default is <code>auto</code>, please put <code>elk</code> if you use token auth. elasticsearch:engine_check ELASTICSEARCH__ENGINE_CHECK false Disable Search Engine compatibility matrix verification.  Caution: OpenCTI was developed in compliance with the compatibility matrix. Setting the parameter to <code>true</code> may result in negative impacts. elasticsearch:url ELASTICSEARCH__URL http://localhost:9200 URL(s) of the ElasticSearch (supports http://user:pass@localhost:9200 and list of URLs) elasticsearch:username ELASTICSEARCH__USERNAME Username can be put in the URL or with this parameter elasticsearch:password ELASTICSEARCH__PASSWORD Password can be put in the URL or with this parameter elasticsearch:api_key ELASTICSEARCH__API_KEY API key for ElasticSearch token auth. Please set also <code>engine_selector</code> to <code>elk</code> elasticsearch:index_prefix ELASTICSEARCH__INDEX_PREFIX opencti Prefix for the indices elasticsearch:ssl:reject_unauthorized ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED <code>true</code> Enable TLS certificate check elasticsearch:ssl:ca ELASTICSEARCH__SSL__CA Custom certificate path or content elasticsearch:search_wildcard_prefix ELASTICSEARCH__SEARCH_WILDCARD_PREFIX <code>false</code> Search includes words with automatic fuzzy comparison elasticsearch:search_fuzzy ELASTICSEARCH__SEARCH_FUZZY <code>false</code> Search will include words not starting with the search keyword"},{"location":"deployment/configuration/#redis","title":"Redis","text":"Parameter Environment variable Default value Description redis:mode REDIS__MODE single Connect to redis \"single\" or \"cluster\" redis:namespace REDIS__NAMESPACE Namespace (to use as prefix) redis:hostname REDIS__HOSTNAME localhost Hostname of the Redis Server redis:hostnames REDIS__HOSTNAMES Hostnames definition for Redis cluster mode: a list of host/port objects. redis:port REDIS__PORT 6379 Port of the Redis Server redis:use_ssl REDIS__USE_SSL <code>false</code> Is the Redis Server has TLS enabled redis:username REDIS__USERNAME Username of the Redis Server redis:password REDIS__PASSWORD Password of the Redis Server redis:ca REDIS__CA [] List of path(s) of the CA certificate(s) redis:trimming REDIS__TRIMMING 2000000 Number of elements to maintain in the stream. (0 = unlimited)"},{"location":"deployment/configuration/#rabbitmq","title":"RabbitMQ","text":"Parameter Environment variable Default value Description rabbitmq:hostname RABBITMQ__HOSTNAME localhost Hostname of the RabbitMQ server rabbitmq:port RABBITMQ__PORT 5672 Port of the RabbitMQ server rabbitmq:port_management RABBITMQ__PORT_MANAGEMENT 15672 Port of the RabbitMQ Management Plugin rabbitmq:username RABBITMQ__USERNAME guest RabbitMQ user rabbitmq:password RABBITMQ__PASSWORD guest RabbitMQ password rabbitmq:queue_type RABBITMQ__QUEUE_TYPE \"classic\" RabbitMQ Queue Type (\"classic\" or \"quorum\") - - - - rabbitmq:use_ssl RABBITMQ__USE_SSL <code>false</code> Use TLS connection rabbitmq:use_ssl_cert RABBITMQ__USE_SSL_CERT Path or cert content rabbitmq:use_ssl_key RABBITMQ__USE_SSL_KEY Path or key content rabbitmq:use_ssl_pfx RABBITMQ__USE_SSL_PFX Path or pfx content rabbitmq:use_ssl_ca RABBITMQ__USE_SSL_CA [] List of path(s) of the CA certificate(s) rabbitmq:use_ssl_passphrase RABBITMQ__SSL_PASSPHRASE Passphrase for the key certificate rabbitmq:use_ssl_reject_unauthorized RABBITMQ__SSL_REJECT_UNAUTHORIZED <code>false</code> Reject rabbit self signed certificate - - - - rabbitmq:management_ssl RABBITMQ__MANAGEMENT_SSL <code>false</code> Is the Management Plugin has TLS enabled rabbitmq:management_ssl_reject_unauthorized RABBITMQ__SSL_REJECT_UNAUTHORIZED <code>true</code> Reject management self signed certificate"},{"location":"deployment/configuration/#s3-bucket","title":"S3 Bucket","text":"Parameter Environment variable Default value Description minio:endpoint MINIO__ENDPOINT localhost Hostname of the S3 Service. Example if you use AWS Bucket S3: s3.us-east-1.amazonaws.com (if <code>minio:bucket_region</code> value is us-east-1). This parameter value can be omitted if you use Minio as an S3 Bucket Service. minio:port MINIO__PORT 9000 Port of the S3 Service. For AWS Bucket S3 over HTTPS, this value can be changed (usually 443). minio:use_ssl MINIO__USE_SSL <code>false</code> Indicates whether the S3 Service has TLS enabled. For AWS Bucket S3 over HTTPS, this value could be <code>true</code>. minio:access_key MINIO__ACCESS_KEY ChangeMe Access key for the S3 Service. minio:secret_key MINIO__SECRET_KEY ChangeMe Secret key for the S3 Service. minio:bucket_name MINIO__BUCKET_NAME opencti-bucket S3 bucket name. Useful to change if you use AWS. minio:bucket_region MINIO__BUCKET_REGION us-east-1 Region of the S3 bucket if you are using AWS. This parameter value can be omitted if you use Minio as an S3 Bucket Service. minio:use_aws_role MINIO__USE_AWS_ROLE <code>false</code> Indicates whether to use AWS role auto credentials. When this parameter is configured, the <code>minio:access_key</code> and <code>minio:secret_key</code> parameters are not necessary."},{"location":"deployment/configuration/#smtp-service","title":"SMTP Service","text":"Parameter Environment variable Default value Description smtp:hostname SMTP__HOSTNAME SMTP Server hostname smtp:port SMTP__PORT 9000 SMTP Port (25 or 465 for TLS) smtp:use_ssl SMTP__USE_SSL <code>false</code> SMTP over TLS smtp:reject_unauthorized SMTP__REJECT_UNAUTHORIZED <code>false</code> Enable TLS certificate check smtp:username SMTP__USERNAME SMTP Username if authentication is needed smtp:password SMTP__PASSWORD SMTP Password if authentication is needed"},{"location":"deployment/configuration/#ai-service","title":"AI Service","text":"<p>AI deployment and cloud services</p> <p>There are several possibilities for Enterprise Edition customers to use OpenCTI AI endpoints:</p> <ul> <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li> <li>Use OpenAI or MistralAI cloud endpoints using your own tokens.</li> <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li> </ul> Parameter Environment variable Default value Description ai:enabled AI__ENABLED true Enable AI capabilities ai:type AI__TYPE mistralai AI type (<code>mistralai</code> or <code>openai</code>) ai:endpoint AI__ENDPOINT Endpoint URL (empty means default cloud service) ai:token AI__TOKEN Token for endpoint credentials ai:model AI__MODEL Model to be used for text generation (depending on type) ai:model_images AI__MODEL_IMAGES Model to be used for image generation (depending on type)"},{"location":"deployment/configuration/#engines-schedules-and-managers","title":"Engines, Schedules and Managers","text":"Parameter Environment variable Default value Description rule_engine:enabled RULE_ENGINE__ENABLED <code>true</code> Enable/disable the rule engine rule_engine:lock_key RULE_ENGINE__LOCK_KEY rule_engine_lock Lock key of the engine in Redis - - - - history_manager:enabled HISTORY_MANAGER__ENABLED <code>true</code> Enable/disable the history manager history_manager:lock_key HISTORY_MANAGER__LOCK_KEY history_manager_lock Lock key for the manager in Redis - - - - task_scheduler:enabled TASK_SCHEDULER__ENABLED <code>true</code> Enable/disable the task scheduler task_scheduler:lock_key TASK_SCHEDULER__LOCK_KEY task_manager_lock Lock key for the scheduler in Redis task_scheduler:interval TASK_SCHEDULER__INTERVAL 10000 Interval to check new task to do (in ms) - - - - sync_manager:enabled SYNC_MANAGER__ENABLED <code>true</code> Enable/disable the sync manager sync_manager:lock_key SYNC_MANAGER__LOCK_KEY sync_manager_lock Lock key for the manager in Redis sync_manager:interval SYNC_MANAGER__INTERVAL 10000 Interval to check new sync feeds to consume (in ms) - - - - expiration_scheduler:enabled EXPIRATION_SCHEDULER__ENABLED <code>true</code> Enable/disable the scheduler expiration_scheduler:lock_key EXPIRATION_SCHEDULER__LOCK_KEY expired_manager_lock Lock key for the scheduler in Redis expiration_scheduler:interval EXPIRATION_SCHEDULER__INTERVAL 300000 Interval to check expired indicators (in ms) - - - - retention_manager:enabled RETENTION_MANAGER__ENABLED <code>true</code> Enable/disable the retention manager retention_manager:lock_key RETENTION_MANAGER__LOCK_KEY retention_manager_lock Lock key for the manager in Redis retention_manager:interval RETENTION_MANAGER__INTERVAL 60000 Interval to check items to be deleted (in ms) - - - - notification_manager:enabled NOTIFICATION_MANAGER__ENABLED <code>true</code> Enable/disable the notification manager notification_manager:lock_live_key NOTIFICATION_MANAGER__LOCK_LIVE_KEY notification_live_manager_lock Lock live key for the manager in Redis notification_manager:lock_digest_key NOTIFICATION_MANAGER__LOCK_DIGEST_KEY notification_digest_manager_lock Lock digest key for the manager in Redis notification_manager:interval NOTIFICATION_MANAGER__INTERVAL 10000 Interval to push notifications - - - - publisher_manager:enabled PUBLISHER_MANAGER__ENABLED <code>true</code> Enable/disable the publisher manager publisher_manager:lock_key PUBLISHER_MANAGER__LOCK_KEY publisher_manager_lock Lock key for the manager in Redis publisher_manager:interval PUBLISHER_MANAGER__INTERVAL 10000 Interval to send notifications / digests (in ms) - - - - ingestion_manager:enabled INGESTION_MANAGER__ENABLED <code>true</code> Enable/disable the ingestion manager ingestion_manager:lock_key INGESTION_MANAGER__LOCK_KEY ingestion_manager_lock Lock key for the manager in Redis ingestion_manager:interval INGESTION_MANAGER__INTERVAL 300000 Interval to check for new data in remote feeds - - - - playbook_manager:enabled PLAYBOOK_MANAGER__ENABLED <code>true</code> Enable/disable the playbook manager playbook_manager:lock_key PLAYBOOK_MANAGER__LOCK_KEY publisher_manager_lock Lock key for the manager in Redis playbook_manager:interval PLAYBOOK_MANAGER__INTERVAL 60000 Interval to check new playbooks - - - - activity_manager:enabled ACTIVITY_MANAGER__ENABLED <code>true</code> Enable/disable the activity manager activity_manager:lock_key ACTIVITY_MANAGER__LOCK_KEY activity_manager_lock Lock key for the manager in Redis - - - - connector_manager:enabled CONNECTOR_MANAGER__ENABLED <code>true</code> Enable/disable the connector manager connector_manager:lock_key CONNECTOR_MANAGER__LOCK_KEY connector_manager_lock Lock key for the manager in Redis connector_manager:works_day_range CONNECTOR_MANAGER__WORKS_DAY_RANGE 7 Days range before considering the works as too old connector_manager:interval CONNECTOR_MANAGER__INTERVAL 10000 Interval to check the state of the works - - - - import_csv_built_in_connector:enabled IMPORT_CSV_CONNECTOR__ENABLED <code>true</code> Enable/disable the csv import connector import_csv_built_in_connector:validate_before_import IMPORT_CSV_CONNECTOR__VALIDATE_BEFORE_IMPORT <code>false</code> Validates the bundle before importing - - - - file_index_manager:enabled FILE_INDEX_MANAGER__ENABLED <code>true</code> Enable/disable the file indexing manager file_index_manager:stream_lock_key FILE_INDEX_MANAGER__STREAM_LOCK file_index_manager_stream_lock Stream lock key for the manager in Redis file_index_manager:interval FILE_INDEX_MANAGER__INTERVAL 60000 Interval to check for new files - - - - indicator_decay_manager:enabled INDICATOR_DECAY_MANAGER__ENABLED <code>true</code> Enable/disable the file indexing manager indicator_decay_manager:lock_key INDICATOR_DECAY_MANAGER__LOCK_LOCK indicator_decay_manager_lock Lock key for the manager in Redis indicator_decay_manager:interval INDICATOR_DECAY_MANAGER__INTERVAL 60000 Interval to check for indicators to update indicator_decay_manager:batch_size INDICATOR_DECAY_MANAGER__BATCH_SIZE 10000 Number of indicators handled by the manager <p>Manager's duties</p> <p>A description of each manager's duties is available on a dedicated page.</p>"},{"location":"deployment/configuration/#worker-and-connector","title":"Worker and connector","text":"<p>Can be configured manually using the configuration file <code>config.yml</code> or through environment variables.</p> Parameter Environment variable Default value Description opencti:url OPENCTI_URL The URL of the OpenCTI platform opencti:token OPENCTI_TOKEN A token of an administrator account with bypass capability - - - - mq:use_ssl / / Depending of the API configuration (fetch from API) mq:use_ssl_ca MQ_USE_SSL_CA Path or cacert content mq:use_ssl_cert MQ_USE_SSL_CERT Path or cert content mq:use_ssl_key MQ_USE_SSL_KEY Path or key content mq:use_ssl_passphrase MQ_USE_SSL_PASSPHRASE Passphrase for the key certificate mq:use_ssl_reject_unauthorized MQ_USE_SSL_REJECT_UNAUTHORIZED <code>false</code> Reject rabbit self signed certificate"},{"location":"deployment/configuration/#worker-specific-configuration","title":"Worker specific configuration","text":""},{"location":"deployment/configuration/#logging_1","title":"Logging","text":"Parameter Environment variable Default value Description worker:log_level WORKER_LOG_LEVEL info The log level (error, warning, info or debug)"},{"location":"deployment/configuration/#telemetry_1","title":"Telemetry","text":"Parameter Environment variable Default value Description worker:telemetry_enabled WORKER_TELEMETRY_ENABLED false Enable the Prometheus endpoint worker:telemetry_prometheus_port WORKER_PROMETHEUS_TELEMETRY_PORT 14270 Port of the Prometheus endpoint worker:telemetry_prometheus_host WORKER_PROMETHEUS_TELEMETRY_HOST 0.0.0.0 Listen address of the Prometheus endpoint"},{"location":"deployment/configuration/#connector-specific-configuration","title":"Connector specific configuration","text":"<p>For specific connector configuration, you need to check each connector behavior.</p>"},{"location":"deployment/configuration/#elasticsearch_1","title":"ElasticSearch","text":"<p>If you want to adapt the memory consumption of ElasticSearch, you can use these options:</p> <pre><code># Add the following environment variable:\n\"ES_JAVA_OPTS=-Xms8g -Xmx8g\"\n</code></pre> <p>This can be done in configuration file in the <code>jvm.conf</code> file.</p>"},{"location":"deployment/connectors/","title":"Connectors","text":""},{"location":"deployment/connectors/#introduction","title":"Introduction","text":"<p>Connectors list</p> <p>You are looking for the available connectors? The list is in the OpenCTI Ecosystem.</p> <p>Connectors are the cornerstone of the OpenCTI platform and allow organizations to easily ingest, enrich or export data in the platform. According to their functionality and use case, they are categorized in the following classes.</p> <p></p>"},{"location":"deployment/connectors/#import","title":"Import","text":"<p>These connectors automatically retrieve information from an external organization, application or service, convert it to STIX 2.1 bundles and import it into OpenCTI using the workers.</p>"},{"location":"deployment/connectors/#enrichment","title":"Enrichment","text":"<p>When a new object is created in the platform or on the user request, it is possible to trigger the internal enrichment connector to lookup and/or search the object in external organizations, applications or services. If the object is found, the connectors will generate a STIX 2.1 bundle which will increase the level of knowledge about the concerned object.</p> <p></p>"},{"location":"deployment/connectors/#stream","title":"Stream","text":"<p>These connectors connect to a platform data stream and continously do something with the received events. In most cases, they are used to consume OpenCTI data and insert them in third-party platforms such as SIEMs, XDRs, EDRS, etc. In some cases, stream connectors can also query the external system on a regular basis and act as import connector for instance to gather alerts and sightings related to CTI data and push them to OpenCTI (bi-directional).</p>"},{"location":"deployment/connectors/#import-files","title":"Import files","text":"<p>Information from an uploaded file can be extracted and ingested into OpenCTI. Examples are files attached to a report or a STIX 2.1 file.</p>"},{"location":"deployment/connectors/#export-files","title":"Export files","text":"<p>Information stored in OpenCTI can be extracted into different file formats like .csv or .json (STIX 2).</p>"},{"location":"deployment/connectors/#connector-configuration","title":"Connector configuration","text":"<p>All connectors have to be able to access the OpenCTI API. To allow this connection, they have 2 mandatory configuration parameters, the <code>OPENCTI_URL</code> and the <code>OPENCTI_TOKEN</code>. In addition to these 2 parameters, connectors have other mandatory parameters that need to be set in order to get them work.</p> <p>Connectors tokens</p> <p>Be careful, we strongly recommend to use a dedicated token for each connector running in the platform. So you have to create a specific user for each of them.</p> <p>Also, if all connectors users can run in with a user belonging to the <code>Connectors</code> group (with the <code>Connector</code> role), the <code>Internal Export Files</code> should be run with a user who is Administrator (with bypass capability) because they impersonate the user requesting the export to avoid data leak.</p> Type Required role Used permissions EXTERNAL_IMPORT Connector Import data with the connector user. INTERNAL_ENRICHMENT Connector Enrich data with the connector user. INTERNAL_IMPORT_FILE Connector Import data with the connector user. INTERNAL_EXPORT_FILE Administrator Export data with the user who requested the export. STREAM Connector Consume the streams the connector user. <p>Here is an example of a connector <code>docker-compose.yml</code> file: <pre><code>- CONNECTOR_ID=ChangeMe\n- CONNECTOR_TYPE=EXTERNAL_IMPORT\n- CONNECTOR_NAME=MITRE ATT&amp;CK\n- CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report\n- CONNECTOR_CONFIDENCE_LEVEL=3\n- CONNECTOR_UPDATE_EXISTING_DATA=true\n- CONNECTOR_LOG_LEVEL=info\n</code></pre></p> <p>Here is an example in a connector <code>config.yml</code> file:</p> <pre><code>-connector:\n  id: 'ChangeMe'\n  type: 'EXTERNAL_IMPORT'\n  name: 'MITRE ATT&amp;CK'\n  scope: 'identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report'\n  confidence_level: 3\n  update_existing_data: true\n  log_level: 'info'\n</code></pre>"},{"location":"deployment/connectors/#networking","title":"Networking","text":"<p>Be aware that all connectors are reaching RabbitMQ based the RabbitMQ configuration provided by the OpenCTI platform. The connector must be able to reach RabbitMQ on the specified hostname and port. If you have a specific Docker network configuration, please be sure to adapt your <code>docker-compose.yml</code> file in such way that the connector container gets attached to the OpenCTI Network, e.g.:</p> <pre><code>networks:\n  default:\n    external: true\n    name: opencti-docker_default\n</code></pre> <p></p>"},{"location":"deployment/connectors/#connector-token","title":"Connector token","text":""},{"location":"deployment/connectors/#create-the-user","title":"Create the user","text":"<p>As mentioned previously, it is strongly recommended to run each connector with its own user. The <code>Internal Export File</code> connectors should be launched with a user that belongs to a group which has an \u201cAdministrator\u201d role (with bypass all capabilities enabled).</p> <p>By default, in platform, a group named \"Connectors\" already exists. So just create a new user with the name <code>[C] Name of the connector</code> in Settings &gt; Security &gt; Users.</p> <p></p>"},{"location":"deployment/connectors/#put-the-user-in-the-group","title":"Put the user in the group","text":"<p>Just go to the user you have just created and add it to the <code>Connectors</code> group.</p> <p></p> <p>Then just get the token of the user displayed in the interface.</p> <p></p>"},{"location":"deployment/connectors/#docker-activation","title":"Docker activation","text":"<p>You can either directly run the Docker image of connectors or add them to your current <code>docker-compose.yml</code> file.</p>"},{"location":"deployment/connectors/#add-a-connector-to-your-deployment","title":"Add a connector to your deployment","text":"<p>For instance, to enable the MISP connector, you can add a new service to your <code>docker-compose.yml</code> file:</p> <pre><code>  connector-misp:\n    image: opencti/connector-misp:latest\n    environment:\n      - OPENCTI_URL=http://localhost\n      - OPENCTI_TOKEN=ChangeMe\n      - CONNECTOR_ID=ChangeMe\n      - CONNECTOR_TYPE=EXTERNAL_IMPORT\n      - CONNECTOR_NAME=MISP\n      - CONNECTOR_SCOPE=misp\n      - CONNECTOR_CONFIDENCE_LEVEL=3\n      - CONNECTOR_UPDATE_EXISTING_DATA=false\n      - CONNECTOR_LOG_LEVEL=info\n      - MISP_URL=http://localhost # Required\n      - MISP_KEY=ChangeMe # Required\n      - MISP_SSL_VERIFY=False # Required\n      - MISP_CREATE_REPORTS=True # Required, create report for MISP event\n      - MISP_REPORT_CLASS=MISP event # Optional, report_class if creating report for event\n      - MISP_IMPORT_FROM_DATE=2000-01-01 # Optional, import all event from this date\n      - MISP_IMPORT_TAGS=opencti:import,type:osint # Optional, list of tags used for import events\n      - MISP_INTERVAL=1 # Required, in minutes\n    restart: always\n</code></pre>"},{"location":"deployment/connectors/#launch-a-standalone-connector","title":"Launch a standalone connector","text":"<p>To launch standalone connector, you can use the <code>docker-compose.yml</code> file of the connector itself. Just download the latest release and start the connector:</p> <pre><code>$ wget https://github.com/OpenCTI-Platform/connectors/archive/{RELEASE_VERSION}.zip\n$ unzip {RELEASE_VERSION}.zip\n$ cd connectors-{RELEASE_VERSION}/misp/\n</code></pre> <p>Change the configuration in the <code>docker-compose.yml</code> according to the parameters of the platform and of the targeted service. Then launch the connector:</p> <pre><code>$ docker-compose up\n</code></pre>"},{"location":"deployment/connectors/#manual-activation","title":"Manual activation","text":"<p>If you want to manually launch connector, you just have to install Python 3 and pip3 for dependencies:</p> <pre><code>$ apt install python3 python3-pip\n</code></pre> <p>Download the release of the connectors:</p> <pre><code>$ wget &lt;https://github.com/OpenCTI-Platform/connectors/archive/{RELEASE_VERSION}.zip&gt;\n$ unzip {RELEASE_VERSION}.zip\n$ cd connectors-{RELEASE_VERSION}/misp/src/\n</code></pre> <p>Install dependencies and initialize the configuration:</p> <pre><code>$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the <code>config.yml</code> content according to the parameters of the platform and of the targeted service and launch the connector:</p> <pre><code>$ python3 misp.py\n</code></pre>"},{"location":"deployment/connectors/#connectors-status","title":"Connectors status","text":"<p>The connector status can be displayed in the dedicated section of the platform available in Data &gt; Connectors. You will be able to see the statistics of the RabbitMQ queue of the connector:</p> <p></p> <p>Problem</p> <p>If you encounter problems deploying OpenCTI or connectors, you can consult the troubleshooting page page.</p>"},{"location":"deployment/installation/","title":"Installation","text":"<p>All components of OpenCTI are shipped both as Docker images and manual installation packages.</p> <p>Production deployment</p> <p>For production deployment, we recommend to deploy all components in containers, including dependencies, using native cloud services or orchestration systems such as Kubernetes.</p> <p>To have more details about deploying OpenCTI and its dependencies in cluster mode, please read the dedicated section.</p> <ul> <li> <p> Use Docker</p> <p>Deploy OpenCTI using Docker and the default <code>docker-compose.yml</code> provided in the docker.</p> <p> Setup</p> </li> <li> <p> Manual installation</p> <p>Deploy dependencies and launch the platform manually using the packages released in the GitHub releases.</p> <p> Explore</p> </li> </ul>"},{"location":"deployment/installation/#using-docker","title":"Using Docker","text":"<p>Deploy FIPS 140-2 compliant components</p> <p>We are providing FIPS 140-2 compliant images, please read the dedicated documentation to understand how to deploy OpenCTI in FIPS-compliant mode.</p>"},{"location":"deployment/installation/#introduction","title":"Introduction","text":"<p>OpenCTI can be deployed using the docker-compose command.</p>"},{"location":"deployment/installation/#pre-requisites","title":"Pre-requisites","text":"<p> Linux</p> <pre><code>$ sudo apt install docker-compose\n</code></pre> <p> Windows and MacOS</p> <p>Just download the appropriate Docker for Desktop version for your operating system.</p>"},{"location":"deployment/installation/#clone-the-repository","title":"Clone the repository","text":"<p>Docker helpers are available in the Docker GitHub repository.</p> <pre><code>$ mkdir -p /path/to/your/app &amp;&amp; cd /path/to/your/app\n$ git clone https://github.com/OpenCTI-Platform/docker.git\n$ cd docker\n</code></pre>"},{"location":"deployment/installation/#configure-the-environment","title":"Configure the environment","text":"<p>ElasticSearch / OpenSearch configuration</p> <ul> <li>We highly recommend to put the ElasticSearch / OpenSearch following parameter:</li> </ul> <pre><code>thread_pool.search.queue_size=5000\n</code></pre> <ul> <li>Check the OpenCTI Integration User Permissions in OpenSearch/ElasticSearch for detailed information about the necessary user permissions for the OpenSearch/ElasticSearch integration.</li> </ul> <p>Before running the <code>docker-compose</code> command, the <code>docker-compose.yml</code> file should be configured. By default, the <code>docker-compose.yml</code> file is using environment variables available in the file <code>.env.sample</code>.</p> <p>You can either rename the file <code>.env.sample</code> in <code>.env</code> and put the expected values or just fill directly the <code>docker-compose.yml</code> with the values corresponding to your environment.</p> <p>Configuration static parameters</p> <p>The complete list of available static parameters is available in the configuration section.</p> <p>Here is an example to quickly generate the <code>.env</code> file under Linux, especially all the default UUIDv4:</p> <pre><code>$ sudo apt install -y jq\n$ cd ~/docker\n$ (cat &lt;&lt; EOF\nOPENCTI_ADMIN_EMAIL=admin@opencti.io\nOPENCTI_ADMIN_PASSWORD=ChangeMePlease\nOPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)\nOPENCTI_BASE_URL=http://localhost:8080\nMINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)\nMINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)\nRABBITMQ_DEFAULT_USER=guest\nRABBITMQ_DEFAULT_PASS=guest\nELASTIC_MEMORY_SIZE=4G\nCONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)\nCONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)\nSMTP_HOSTNAME=localhost\nEOF\n) &gt; .env\n</code></pre> <p>If your <code>docker-compose</code> deployment does not support <code>.env</code> files, just export all environment variables before launching the platform:</p> <pre><code>$ export $(cat .env | grep -v \"#\" | xargs)\n</code></pre> <p>As OpenCTI has a dependency on ElasticSearch, you have to set the <code>vm.max_map_count</code> before running the containers, as mentioned in the ElasticSearch documentation.</p> <pre><code>$ sudo sysctl -w vm.max_map_count=1048575\n</code></pre> <p>To make this parameter persistent, add the following to the end of your <code>/etc/sysctl.conf</code>:</p> <pre><code>$ vm.max_map_count=1048575\n</code></pre>"},{"location":"deployment/installation/#persist-data","title":"Persist data","text":"<p>The default for OpenCTI data is to be persistent.</p> <p>In the <code>docker-compose.yml</code>, you will find at the end the list of necessary persitent volumes for the dependencies:</p> <pre><code>volumes:\n  esdata:     # ElasticSearch data\n  s3data:     # S3 bucket data\n  redisdata:  # Redis data\n  amqpdata:   # RabbitMQ data\n</code></pre>"},{"location":"deployment/installation/#run-opencti","title":"Run OpenCTI","text":""},{"location":"deployment/installation/#using-single-node-docker","title":"Using single node Docker","text":"<p>After changing your <code>.env</code> file run <code>docker-compose</code> in detached (-d) mode:</p> <pre><code>$ sudo systemctl start docker.service\n# Run docker-compose in detached\n$ docker-compose up -d\n</code></pre>"},{"location":"deployment/installation/#using-docker-swarm","title":"Using Docker swarm","text":"<p>In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.</p> <pre><code># If your virtual machine is not a part of a Swarm cluster, please use:\n$ docker swarm init\n</code></pre> <p>Put your environment variables in <code>/etc/environment</code>:</p> <pre><code># If you already exported your variables to .env from above:\n$ sudo cat .env &gt;&gt; /etc/environment\n$ sudo bash -c 'cat .env &gt;&gt; /etc/environment\u2019\n$ sudo docker stack deploy --compose-file docker-compose.yml opencti\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:8080 and log in with the credentials configured in your environment variables.</p>"},{"location":"deployment/installation/#manual-installation","title":"Manual installation","text":""},{"location":"deployment/installation/#prerequisites","title":"Prerequisites","text":""},{"location":"deployment/installation/#prepare-the-installation","title":"Prepare the installation","text":""},{"location":"deployment/installation/#installation-of-dependencies","title":"Installation of dependencies","text":"<p>You have to install all the needed dependencies for the main application and the workers. The example below is for Debian-based systems:</p> <pre><code>$ sudo apt-get install build-essential nodejs npm python3 python3-pip python3-dev\n</code></pre>"},{"location":"deployment/installation/#download-the-application-files","title":"Download the application files","text":"<p>First, you have to download and extract the latest release file. Then select the version to install depending of your operating system:</p> <p>For Linux:</p> <ul> <li>If your OS supports libc (Ubuntu, Debian, ...) you have to install the <code>opencti-release_{RELEASE_VERSION}.tar.gz</code> version.</li> <li>If your OS uses musl (Alpine, ...) you have to install the <code>opencti-release-{RELEASE_VERSION}_musl.tar.gz</code> version.</li> </ul> <p>For Windows:</p> <p>We don't provide any Windows release for now. However it is still possible to check the code out, manually install the dependencies and build the software.</p> <pre><code>$ mkdir /path/to/your/app &amp;&amp; cd /path/to/your/app\n$ wget &lt;https://github.com/OpenCTI-Platform/opencti/releases/download/{RELEASE_VERSION}/opencti-release-{RELEASE_VERSION}.tar.gz&gt;\n$ tar xvfz opencti-release-{RELEASE_VERSION}.tar.gz\n</code></pre>"},{"location":"deployment/installation/#install-the-main-platform","title":"Install the main platform","text":""},{"location":"deployment/installation/#configure-the-application","title":"Configure the application","text":"<p>The main application has just one JSON configuration file to change and a few Python modules to install</p> <pre><code>$ cd opencti\n$ cp config/default.json config/production.json\n</code></pre> <p>Change the config/production.json file according to your configuration of ElasticSearch, Redis, RabbitMQ and S3 bucket as well as default credentials (the <code>ADMIN_TOKEN</code> must be a valid UUID).</p>"},{"location":"deployment/installation/#install-the-python-modules","title":"Install the Python modules","text":"<pre><code>$ cd src/python\n$ pip3 install -r requirements.txt\n$ cd ../..\n</code></pre>"},{"location":"deployment/installation/#start-the-application","title":"Start the application","text":"<p>The application is just a NodeJS process, the creation of the database schema and the migration will be done at starting.</p> <pre><code>$ yarn install\n$ yarn build\n$ yarn serv\n</code></pre> <p>The default username and password are those you have put in the <code>config/production.json</code> file.</p>"},{"location":"deployment/installation/#install-the-worker","title":"Install the worker","text":"<p>The OpenCTI worker is used to write the data coming from the RabbitMQ messages broker.</p>"},{"location":"deployment/installation/#configure-the-worker","title":"Configure the worker","text":"<pre><code>$ cd worker\n$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the config.yml file according to your OpenCTI token.</p>"},{"location":"deployment/installation/#start-as-many-workers-as-you-need","title":"Start as many workers as you need","text":"<pre><code>$ python3 worker.py &amp;\n$ python3 worker.py &amp;\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:4000 and log in with the credentials configured in your <code>production.json</code> file.</p>"},{"location":"deployment/installation/#appendix","title":"Appendix","text":""},{"location":"deployment/installation/#community-contributions","title":"Community contributions","text":""},{"location":"deployment/installation/#terraform","title":"Terraform","text":"<ul> <li> <p> Multi-clouds Terraform scripts</p> <p>This repository is here to provide you with a quick and easy way to deploy an OpenCTI instance in the cloud (AWS, Azure, or GCP).</p> <p> GitHub Respository</p> </li> <li> <p> AWS Advanced Terraform scripts</p> <p>A Terraform deployment of OpenCTI designed to make use of native AWS Resources (where feasible). This includes AWS ECS Fargate, AWS OpenSearch, etc.</p> <p> GitHub Repository</p> </li> </ul>"},{"location":"deployment/installation/#helm-charts","title":"Helm Charts","text":"<ul> <li> <p> Kubernetes Helm Charts</p> <p>OpenCTI Helm Charts for Kubernetes with a global configuration file. More information how to deploy here on basic installation and examples.</p> <p> GitHub Repository</p> </li> </ul>"},{"location":"deployment/installation/#deploy-behind-a-reverse-proxy","title":"Deploy behind a reverse proxy","text":"<p>If you want to use OpenCTI behind a reverse proxy with a context path, like <code>https://domain.com/opencti</code>, please change the <code>base_path</code> static parameter.</p> <ul> <li><code>APP__BASE_PATH=/opencti</code></li> </ul> <p>By default OpenCTI use websockets so don't forget to configure your proxy for this usage, an example with <code>Nginx</code>:</p> <pre><code>location / {\n    proxy_cache                 off;\n    proxy_buffering             off;\n    proxy_http_version          1.1;\n    proxy_set_header Upgrade    $http_upgrade;\n    proxy_set_header Connection \"upgrade\";\n    proxy_set_header Host       $host;\n    chunked_transfer_encoding   off;\n    proxy_pass                  http://YOUR_UPSTREAM_BACKEND;\n  }\n</code></pre>"},{"location":"deployment/installation/#additional-memory-information","title":"Additional memory information","text":""},{"location":"deployment/installation/#platform","title":"Platform","text":"<p>OpenCTI platform is based on a NodeJS runtime, with a memory limit of 8GB by default. If you encounter <code>OutOfMemory</code> exceptions, this limit could be changed:</p> <pre><code>- NODE_OPTIONS=--max-old-space-size=8096\n</code></pre>"},{"location":"deployment/installation/#workers-and-connectors","title":"Workers and connectors","text":"<p>OpenCTI workers and connectors are Python processes. If you want to limit the memory of the process, we recommend to directly use Docker to do that. You can find more information in the official Docker documentation.</p>"},{"location":"deployment/installation/#elasticsearch","title":"ElasticSearch","text":"<p>ElasticSearch is also a JAVA process. In order to setup the JAVA memory allocation, you can use the environment variable <code>ES_JAVA_OPTS</code>. You can find more information in the official ElasticSearch documentation.</p>"},{"location":"deployment/installation/#redis","title":"Redis","text":"<p>Redis has a very small footprint on keys but will consume memory for the stream. By default the size of the stream is limited to 2 millions which represents a memory footprint around <code>8 GB</code>. You can find more information in the Redis docker hub.</p>"},{"location":"deployment/installation/#minio-s3-bucket","title":"MinIO / S3 Bucket","text":"<p>MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.</p>"},{"location":"deployment/installation/#rabbitmq","title":"RabbitMQ","text":"<p>The RabbitMQ memory configuration can be find in the RabbitMQ official documentation. RabbitMQ will consumed memory until a specific threshold, therefore it should be configure along with the Docker memory limitation.</p>"},{"location":"deployment/integrations/","title":"Integrations","text":""},{"location":"deployment/integrations/#introduction","title":"Introduction","text":"<p>OpenCTI supports multiple ways to integrate with other systems which do not have native connectors or plugins to the platform. Here are the technical features available to ease the connection and the integration of the platform with other applications.</p> <p>Connectors list</p> <p>If you are looking for the list of OpenCTI connectors or native integration, please check the OpenCTI Ecosystem.</p>"},{"location":"deployment/integrations/#native-feeds-and-streams","title":"Native feeds and streams","text":"<p>To ease integrations with other products, OpenCTI has built-in capabilities to deliver the data to third-parties.</p>"},{"location":"deployment/integrations/#csv-feeds","title":"CSV Feeds","text":"<p>It is possible to create as many CSV feeds as needed, based on filters and accessible in HTTP. CSV feeds are available in Data &gt; Data sharing &gt; Feeds (CSV).</p> <p>When creating a CSV feed, you need to select one or multiple types of entities to make available. Then, you must assign a field (of an entity type) to each column in the CSV:</p> <p></p> <p>Details</p> <p>For more information about CSV feeds, filters and configuration, please check the Export in structured format section.</p>"},{"location":"deployment/integrations/#taxii-collections","title":"TAXII collections","text":"<p>Most of the modern cybersecurity systems such as SIEMs, EDRs, XDRs and even firewalls supports the TAXII protocol which is basically a paginated HTTP STIX feed. OpenCTI implements a TAXII 2.1 server with the ability to create as many TAXII collections as needed in Data &gt; Data sharing &gt; TAXII Collections.</p> <p>TAXII collections are a sub-selection of the knowledge available in the platform and rely on filters. For instance, it is possible to create TAXII collections for pieces of malware with a given label, for indicators with a score greater than n, etc.</p> <p></p>"},{"location":"deployment/integrations/#live-streams","title":"Live Streams","text":"<p>After implementing CSV feeds and TAXII collections, we figured out that those 2 stateless APIs are definitely not enough when it comes to tackle advanced information sharing challenges such as:</p> <ul> <li>Real time transmission of the information (i.e. avoid hundreds of systems to pull data every 5 minutes).</li> <li>Dependencies resolution (i.e. an intrusion created by an organization but the organization is not in the TAXII collection).</li> <li>Partial update for huge entities such as report (i.e. just having the update event).</li> <li>Delete events when necessary (i.e. to handle indicators expiration in third party systems for instance).</li> </ul> <p>Live streams are available in Data &gt; Data sharing &gt; Live streams. As TAXII collections, it is possible to create as many streams as needed using filters.</p> <p></p> <p>Streams implement the HTTP SSE (Server-sent events) protocol and give applications the possibility to consume a real time pure STIX 2.1 stream. Stream connectors in the OpenCTI Ecosystem are using live streams to consume data and do something such as create / update / delete information in SIEMs, XDRs, etc.</p>"},{"location":"deployment/integrations/#authentication","title":"Authentication","text":"<p>For all previously explained capabilities, as they are over the HTTP protocol, 3 authentication mechanisms are available to consume them.</p> <ol> <li> <p>Using a bearer header with your OpenCTI API key</p> <pre><code>Authorization: Bearer a17bc103-8420-4208-bd53-e1f80845d15f\n</code></pre> <p>API Key</p> <p>Your API key can be found in your profile available clicking on the top right icon.</p> </li> <li> <p>Using basic authentication</p> <pre><code>Username: Your platform username\nPassword: Your plafrom password\nAuthorization: Basic c2FtdWVsLmhhc3NpbmVBZmlsaWdyYW4uaW86TG91aXNlMTMwNCM=\n</code></pre> </li> <li> <p>Using client certificate authentication</p> <p>To know how to configure the client certificate authentication, please consult the authentication configuration section.</p> </li> </ol>"},{"location":"deployment/integrations/#api-and-libraries","title":"API and libraries","text":""},{"location":"deployment/integrations/#graphql-api","title":"GraphQL API","text":"<p>To allow analysts and developers to implement more custom or complex use cases, a full GraphQL API is available in the application on the <code>/graphql</code> endpoint.</p> <p>The API can be queried using various GraphQL client such as Postman but you can leverage any HTTP client to forge GraphQL queries using <code>POST</code> methods.</p>"},{"location":"deployment/integrations/#authentication_1","title":"Authentication","text":"<p>The API authentication can be performed using the token of a user and a classic Authorization header:</p> <pre><code>Content-Type: application/json\nAuthorization: Bearer 6b6554c4-bb2c-4c80-9cd3-30288c8bf424\n</code></pre>"},{"location":"deployment/integrations/#playground","title":"Playground","text":"<p>The playground is available on the <code>/graphql</code> endpoint. A link button is also available in the profile of your user.</p> <p></p> <p>All the schema documentation is directly available in the playground.</p> <p></p> <p>If you already logged to OpenCTI with the same browser you should be able to directly do some requests. If you are not authenticated or want to authenticate only through the playground you can use a header configuration using your profile token</p> <p>Example of configuration (bottom left of the playground):</p> <p></p>"},{"location":"deployment/integrations/#python-library","title":"Python library","text":"<p>Since not everyone is familiar with GraphQL APIs, we've developed a Python library to ease the interaction with it. The library is pretty easy to use. To initiate the client:</p> <pre><code># coding: utf-8\n\nfrom pycti import OpenCTIApiClient\n\n# Variables\napi_url = \"http://opencti:4000\"\napi_token = \"bfa014e0-e02e-4aa6-a42b-603b19dcf159\"\n\n# OpenCTI initialization\nopencti_api_client = OpenCTIApiClient(api_url, api_token)\n</code></pre> <p>Then just use the available helpers: <pre><code># Search for malware with the keyword \"windows\"\nmalwares = opencti_api_client.malware.list(search=\"windows\")\n\n# Print\nprint(malwares)\n</code></pre></p> <p>Details</p> <p>For more detailed information about the Python library, please read the dedicated section.</p>"},{"location":"deployment/managers/","title":"Platform managers","text":"<p>Platform managers are background components that perform various tasks to support some important functionalities in the platform.</p> <p>Here is a list of all the managers on the platform:</p>"},{"location":"deployment/managers/#rules-engine","title":"Rules engine","text":"<p>Allows users to execute pre-defined actions based on the data and events in the platform.</p> <p>These rules are accessible in Settings &gt; Customization &gt; Rules engine.</p> <p>The rules engine is designed to help users automate and streamline their cyber threat intelligence processes.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#history-manager","title":"History manager","text":"<p>This manager keeps tracks of user/connector interactions on entities in the platform.</p> <p>It is designed to help users audit and understand the evolution of their CTI data.</p>"},{"location":"deployment/managers/#activity-manager","title":"Activity manager","text":"<p>The activity manager in OpenCTI is a component that monitors and logs the user actions in the platform such as login, settings update, and user activities if configured (read, udpate, etc.).</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#background-task-manager","title":"Background task manager","text":"<p>Is a component that handles the execution of tasks, such as importing data, exporting data and mass operations.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#expiration-scheduler","title":"Expiration scheduler","text":"<p>The expiration scheduler is responsible for monitoring expired elements in the platform. It cancels the access rights of expired user accounts and revokes expired indicators from the platform.</p>"},{"location":"deployment/managers/#synchronization-manager","title":"Synchronization manager","text":"<p>The synchronization manager enables the data sharing between multiple OpenCTI platforms.  It allows the user to create and configure synchronizers which are processes that connect to the live streams of remote OpenCTI platforms and import the data into the local platform. </p>"},{"location":"deployment/managers/#retention-manager","title":"Retention manager","text":"<p>The retention manager is a component that allows the user to define rules to help delete data in OpenCTI that is no longer relevant or useful. This helps to optimize the performance and storage of the OpenCTI platform and ensures the quality and accuracy of the data.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#notification-manager","title":"Notification manager","text":"<p>The notification manager is a component that allows the user to customize and receive alerts about events/changes in the platform.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#ingestion-manager","title":"Ingestion manager","text":"<p>The ingestion manager in OpenCTI is a component that manages the ingestion of data from RSS and TAXII feeds.</p>"},{"location":"deployment/managers/#playbook-manager","title":"Playbook manager","text":"<p>The playbook manager handles the automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform.</p> <p>Please read the Playbook automation page to get more information.</p>"},{"location":"deployment/managers/#file-index-manager","title":"File index manager","text":"<p>The file indexing manager extracts and indexes the text content of the files, and stores it in the database. It allows users to search for text content within files uploaded to the platform.</p> <p>More information can be found here.</p>"},{"location":"deployment/managers/#indicator-decay-manager","title":"Indicator decay manager","text":"<p>The indicator decay manager allows to update indicators score automatically based on configured decay rules.</p> <p>More information can be found here.</p>"},{"location":"deployment/overview/","title":"Overview","text":"<p>Before starting the installation, let's discover how OpenCTI is working, which dependencies are needed and what are the minimal requirements to deploy it in production.</p>"},{"location":"deployment/overview/#architecture","title":"Architecture","text":"<p>The OpenCTI platform relies on several external databases and services in order to work.</p> <p></p>"},{"location":"deployment/overview/#platform","title":"Platform","text":"<p>The platform is the central part of the OpenCTI technological stack. It allows users to access to the user interface but also provides the GraphQL API used by connectors and workers to insert data. In the context of a production deployment, you may need to scale horizontally and launch multiple platforms behind a load balancer connected to the same databases (ElasticSearch, Redis, S3, RabbitMQ).</p>"},{"location":"deployment/overview/#workers","title":"Workers","text":"<p>The workers are standalone Python processes consuming messages from the RabbitMQ broker in order to do asynchronous write queries. You can launch as many workers as you need to increase the write performances. At some point, the write performances will be limited by the throughput of the ElasticSearch database cluster.</p> <p>Number of workers</p> <p>If you need to increase performances, it is better to launch more platforms to handle worker queries. The recommended setup is to have at least one platform for 3 workers (ie. 9 workers distributed over 3 platforms).</p>"},{"location":"deployment/overview/#connectors","title":"Connectors","text":"<p>The connectors are third-party pieces of software (Python processes) that can play five different  roles on the platform:</p> Type Description Examples EXTERNAL_IMPORT Pull data from remote sources, convert it to STIX2 and insert it on the OpenCTI platform. MITRE Datasets, MISP, CVE, AlienVault, Mandiant, etc. INTERNAL_ENRICHMENT Listen for new OpenCTI entities or users requests, pull data from remote sources to enrich. Shodan, DomainTools, IpInfo, etc. INTERNAL_IMPORT_FILE Extract data from files uploaded on OpenCTI trough the UI or the API. STIX 2.1, PDF, Text, HTML, etc. INTERNAL_EXPORT_FILE Generate export from OpenCTI data, based on a single object or a list. STIX 2.1, CSV, PDF, etc. STREAM Consume a platform data stream an do something with events. Splunk, Elastic Security, Q-Radar, etc. <p>List of connectors</p> <p>You can find all currently available connector in the OpenCTI Ecosystem.</p>"},{"location":"deployment/overview/#infrastructure-requirements","title":"Infrastructure requirements","text":""},{"location":"deployment/overview/#dependencies","title":"Dependencies","text":"Component Version CPU RAM Disk type Disk space ElasticSearch / OpenSearch &gt;= 8.0 / &gt;= 2.9 2 cores \u2265 8GB SSD \u2265 16GB Redis &gt;= 7.1 1 core \u2265 1GB SSD \u2265 16GB RabbitMQ &gt;= 3.11 1 core \u2265 512MB Standard \u2265 2GB S3 / MinIO &gt;= RELEASE.2023-02 1 core \u2265 128MB SSD \u2265 16GB"},{"location":"deployment/overview/#platform_1","title":"Platform","text":"Component CPU RAM Disk type Disk space OpenCTI Core 2 cores \u2265 8GB None (stateless) - Worker(s) 1 core \u2265 128MB None (stateless) - Connector(s) 1 core \u2265 128MB None (stateless) - <p>Clustering</p> <p>To have more details about deploying OpenCTI and its dependencies in cluster mode, please read the dedicated section.</p>"},{"location":"deployment/resources/","title":"Other resources","text":""},{"location":"deployment/resources/#introduction","title":"Introduction","text":"<p>OpenCTI is an open and modular platform. A lot of connectors, plugins and clients  are created by Filigran and by the community. You can find here other resources available to complete your OpenCTI journey.</p>"},{"location":"deployment/resources/#videos-training","title":"Videos &amp; training","text":"<ul> <li> <p> YouTube channel</p> <p>Watch demonstration videos, use case explanations, customers and community testimonies and past webinars.</p> <p> Watch</p> </li> <li> <p> Training courses</p> <p>Empower your journey with OpenCTI training courses for both analyst and  administrators and get your certifcate.</p> <p> Learn</p> </li> </ul>"},{"location":"deployment/resources/#articles-news","title":"Articles &amp; news","text":"<ul> <li> <p> Blog articles</p> <p>Read posts written by both Filigran teams and community members about OpenCTI features and use cases.</p> <p> Read</p> </li> <li> <p> Newsletters</p> <p>Subscribe to Filigran newsletters to get informed about the latest evolutions of our product ecosystems.</p> <p> Subscribe</p> </li> </ul>"},{"location":"deployment/resources/#analysis","title":"Analysis","text":"<ul> <li> <p> Verticalized threat landcapes</p> <p>Access to monthly sectorial analysis from our experts team based on knowledge and data collected by our partners.</p> <p> Consult</p> </li> <li> <p> Case studies</p> <p>Explore the Filigran case studies about stories and usages of the platform  among our communities and customers.</p> <p> Download</p> </li> </ul>"},{"location":"deployment/rollover/","title":"Indices and rollover policies","text":"<p>Default rollover policies</p> <p>Since OpenCTI 5.9.0, rollover policies are automatically created when the platform is initialized for the first time. If your platform has been initialized using an older version of OpenCTI or if you would like to understand (and customize) rollover policies please read the following documentation.</p>"},{"location":"deployment/rollover/#introduction","title":"Introduction","text":"<p>ElasticSearch and OpenSearch both support rollover on indices. OpenCTI has been designed to be able to use aliases for indices and so support very well index lifeycle policies. Thus, by default OpenCTI initialized indices with a suffix <code>-00001</code> and use wildcard to query indices. When rollover policies are implemented (default starting OCTI 5.9.X if you initialized your platform at this version), indices are splitted to keep a reasonable volume of data in shards.</p> <p></p>"},{"location":"deployment/rollover/#opencti-integration-user-permissions-in-opensearchelasticsearch","title":"OpenCTI Integration User Permissions in OpenSearch/ElasticSearch","text":"<ul> <li> <p>Index Permissions</p> <ul> <li>Patterns: <code>opencti*</code> (Dependent on the parameter elasticsearch:index_prefix value)</li> <li>Permissions: <code>indices_all</code></li> </ul> </li> <li> <p>Cluster Permissions</p> <ul> <li><code>cluster_composite_ops_ro</code></li> <li><code>cluster_manage_index_templates</code></li> <li><code>cluster:admin/ingest/pipeline/put</code></li> <li><code>cluster:admin/opendistro/ism/policy/write</code></li> <li><code>cluster:monitor/health</code></li> <li><code>cluster:monitor/main</code></li> <li><code>cluster:monitor/state</code></li> <li><code>indices:admin/index_template/put</code></li> <li><code>indices:data/read/scroll/clear</code></li> <li><code>indices:data/read/scroll</code></li> <li><code>indices:data/write/bulk</code></li> </ul> </li> </ul> <p>About<code>indices:*</code> in Cluster Permissions</p> <p>It is crucial to include <code>indices:*</code> permissions in Cluster Permissions for the proper functioning of the OpenCTI integration. Removing these, even if already present in Index Permissions, may result in startup issues for the OpenCTI Platform.</p>"},{"location":"deployment/rollover/#elasticsearch-configuration","title":"ElasticSearch configuration","text":""},{"location":"deployment/rollover/#indices","title":"Indices","text":"<p>By default, a rollover policy is applied on all indices used by OpenCTI.</p> <ul> <li><code>opencti_history</code></li> <li><code>opencti_inferred_entities</code></li> <li><code>opencti_inferred_relationships</code></li> <li><code>opencti_internal_objects</code></li> <li><code>opencti_internal_relationships</code></li> <li><code>opencti_stix_core_relationships</code></li> <li><code>opencti_stix_cyber_observable_relationships</code></li> <li><code>opencti_stix_cyber_observables</code></li> <li><code>opencti_stix_domain_objects</code></li> <li><code>opencti_stix_meta_objects</code></li> <li><code>opencti_stix_meta_relationships</code></li> <li><code>opencti_stix_sighting_relationships</code></li> </ul> <p>For your information, the indices which can grow rapidly are:</p> <ul> <li>Index <code>opencti_stix_meta_relationships</code>: it contains all the nested relationships between objects and labels / marking definitions / external references / authors, etc.</li> <li>Index <code>opencti_history</code>: it contains the history log of all objects in the platform.</li> <li>Index <code>opencti_stix_cyber_observables</code>: it contains all observables stored in the platform.</li> <li>Index <code>opencti_stix_core_relationships</code>: it contains all main STIX relationships stored in the platform.</li> </ul>"},{"location":"deployment/rollover/#default-implemented-licecycle-policy","title":"Default implemented licecycle policy","text":"<p>Here is the recommended policy (initialized starting 5.9.X):</p> <ul> <li>Maximum primary shard size: <code>50 GB</code></li> <li>Maximum age: <code>365 days</code></li> <li>Maximum documents: <code>75,000,000</code></li> </ul>"},{"location":"deployment/rollover/#applying-rollover-policies-on-existing-indices","title":"Applying rollover policies on existing indices","text":"<p>Procedure information</p> <p>Please read the following only if your platform has been initialized before 5.9.0, otherwise lifecycle policies has been created (but you can still cutomize them).</p> <p>Unfortunately, to be able to implement rollover policies on ElasticSearch / OpenSearch indices, it will be needed to re-index all the data in new indices using ElasticSearch capabilities.</p>"},{"location":"deployment/rollover/#shutdown","title":"Shutdown","text":"<p>First step is to shutdown your OpenCTI platform.</p>"},{"location":"deployment/rollover/#change-configuration","title":"Change configuration","text":"<p>Then, in the OpenCTI configuration, change the ElasticSearch / OpenSearch default prefix to <code>octi</code> (default is <code>opencti</code>).</p>"},{"location":"deployment/rollover/#create-the-rollover-policy","title":"Create the rollover policy","text":"<p>Create a rollover policy named <code>octi-ilm-policy</code> (in Kibana, <code>Management &gt; Index Lifecycle Policies</code>):</p> <ul> <li>Maximum primary shard size: <code>50 GB</code></li> <li>Maximum age: <code>365 days</code></li> <li>Maximum documents: <code>75,000,000</code></li> </ul> <p></p>"},{"location":"deployment/rollover/#create-index-templates","title":"Create index templates","text":"<p>In Kibana, clone the <code>opencti-index-template</code> to have one index template by OpenCTI index with the appropriate rollover policy, index pattern and rollover alias (in Kibana, <code>Management &gt; Index Management &gt; Index Templates</code>).</p> <p></p> <p>Create the following index templates:</p> <ul> <li><code>octi_history</code></li> <li><code>octi_inferred_entities</code></li> <li><code>octi_inferred_relationships</code></li> <li><code>octi_internal_objects</code></li> <li><code>octi_internal_relationships</code></li> <li><code>octi_stix_core_relationships</code></li> <li><code>octi_stix_cyber_observable_relationships</code></li> <li><code>octi_stix_cyber_observables</code></li> <li><code>octi_stix_domain_objects</code></li> <li><code>octi_stix_meta_objects</code></li> <li><code>octi_stix_meta_relationships</code></li> <li><code>octi_stix_sighting_relationships</code></li> </ul> <p>Here is the overview of all templates (you should have something with <code>octi_</code> instead of <code>opencti_</code>).</p> <p></p>"},{"location":"deployment/rollover/#apply-rollover-policy-on-all-index-templates","title":"Apply rollover policy on all index templates","text":"<p>Then, going back in the index lifecycle policies screen, you can click on the \"+\" button of the <code>octi-ilm-policy</code> to <code>Add the policy to index template</code>, then add the policy to add previously created template with the proper \"Alias for rollover index\".</p> <p></p>"},{"location":"deployment/rollover/#bootstrap-all-new-indices","title":"Bootstrap all new indices","text":"<p>Before we can re-index, we need to create the new indices with aliases.</p> <pre><code>PUT octi_history-000001\n{\n  \"aliases\": {\n    \"octi_history\": {\n      \"is_write_index\": true\n    }\n  }\n}\n</code></pre> <p>Repeat this step for all indices:</p> <ul> <li><code>octi_history</code></li> <li><code>octi_inferred_entities</code></li> <li><code>octi_inferred_relationships</code></li> <li><code>octi_internal_objects</code></li> <li><code>octi_internal_relationships</code></li> <li><code>octi_stix_core_relationships</code></li> <li><code>octi_stix_cyber_observable_relationships</code></li> <li><code>octi_stix_cyber_observables</code></li> <li><code>octi_stix_domain_objects</code></li> <li><code>octi_stix_meta_objects</code></li> <li><code>octi_stix_meta_relationships</code></li> </ul>"},{"location":"deployment/rollover/#re-index-all-indices","title":"Re-index all indices","text":"<p>Using the <code>reindex</code> API, re-index all indices one by one:</p> <pre><code>curl -X POST \"localhost:9200/_reindex?pretty\" -H 'Content-Type: application/json' -d'\n{\n  \"source\": {\n    \"index\": \"opencti_history-000001\"\n  },\n  \"dest\": {\n    \"index\": \"octi_history\"\n  }\n}\n'\n</code></pre> <p>You will see the rollover policy to be applied and the new indices are automatically rolled-over during reindexation.</p>"},{"location":"deployment/rollover/#delete-all-old-indices","title":"Delete all old indices","text":"<p>Then just delete all indices with the prefix <code>opencti_</code>.</p>"},{"location":"deployment/rollover/#start-your-platform","title":"Start your platform","text":"<p>Start your platform, using the new indices.</p> <p>Rollover documentation</p> <p>To have more details about automatic rollover and lifecycle policies, please read the official ElasticSearch documentation.</p>"},{"location":"deployment/troubleshooting/","title":"Troubleshooting","text":"<p>This page aims to explains the typical errors you can have with your OpenCTI platform.</p>"},{"location":"deployment/troubleshooting/#finding-the-relevant-logs","title":"Finding the relevant logs","text":"<p>It is highly recommended to monitor the error logs of the platforms, workers and connectors. All the components have log outputs in an understandable JSON format. It necessary, it is always possible to increase the log level. In production, it is recommended to have the log level set to <code>error</code>.</p>"},{"location":"deployment/troubleshooting/#platform","title":"Platform","text":"<p>Here are some useful parameters for platform logging:</p> <pre><code>- APP__APP_LOGS__LOGS_LEVEL=[error|warning|info|debug]\n- APP__APP_LOGS__LOGS_CONSOLE=true # Output in the container console\n</code></pre>"},{"location":"deployment/troubleshooting/#connectors","title":"Connectors","text":"<p>All connectors support the same set of parameters to manage the log level and outputs:</p> <pre><code>- OPENCTI_JSON_LOGGING=true # Enable / disable JSON logging\n- CONNECTOR_LOG_LEVEL=info=[error|warning|info|debug]\n</code></pre>"},{"location":"deployment/troubleshooting/#workers","title":"Workers","text":"<p>The workers can have more or less verbose outputs:</p> <pre><code>- OPENCTI_JSON_LOGGING=true # Enable / disable JSON logging\n- WORKER_LOG_LEVEL=[error|warning|info|debug]\n</code></pre>"},{"location":"deployment/troubleshooting/#common-errors","title":"Common errors","text":""},{"location":"deployment/troubleshooting/#ingestion-technical-errors","title":"Ingestion technical errors","text":"<p>Missing reference to handle creation</p> <p>After 5 retries, if an element required to create another element is missing, the platform raises an exception. It usually comes from a connector that generates inconsistent STIX 2.1 bundles.</p> <p>Cant upsert entity. Too many entities resolved</p> <p>OpenCTI received an entity which is matching too many other entities in the platform. In this condition we cannot take a decision. We need to dig into the data bundle to identify why he match too much entities and fix the data in the bundle / or the platform according to what you expect.</p> <p>Execution timeout, too many concurrent call on the same entities</p> <p>The platform supports multi workers and multiple parallel creation but different parameters can lead to some locking timeout in the execution. </p> <ul> <li>Throughput capacity of your ElasticSearch</li> <li>Number of workers started at the same time</li> <li>Dependencies between data</li> <li>Merging capacity of OpenCTI</li> </ul> <p>If you have this kind of error, limit the number of workers deployed. Try to find the right balance of the number of workers, connectors and elasticsearch sizing.</p>"},{"location":"deployment/troubleshooting/#ingestion-functional-errors","title":"Ingestion functional errors","text":"<p>Indicator of type yara is not correctly formatted</p> <p>OpenCTI check the validity of the indicator rule.</p> <p>Observable of type IPv4-Addr is not correctly formatted</p> <p>OpenCTI check the validity of the oversable value.</p>"},{"location":"deployment/troubleshooting/#dependencies-errors","title":"Dependencies errors","text":"<p>TOO_MANY_REQUESTS/12/disk usage exceeded flood-stage watermark...</p> <p>Disk full, no space left on the device for ElasticSearch.</p>"},{"location":"deployment/upgrade/","title":"Upgrade","text":"<p>Depending on your installation mode, upgrade path may change.</p> <p>Migrations</p> <p>The platform is taking care of all necessary underlying migrations in the databases if any, you can upgrade OpenCTI from any version to the latest one, including skipping multiple major releases.</p>"},{"location":"deployment/upgrade/#using-docker","title":"Using Docker","text":"<p>Before applying this procedure, please update your <code>docker-compose.yml</code> file with the new version number of container images.</p>"},{"location":"deployment/upgrade/#for-single-node-docker","title":"For single node Docker","text":"<pre><code>$ sudo docker-compose stop\n$ sudo docker-compose pull\n$ sudo docker-compose up -d\n</code></pre>"},{"location":"deployment/upgrade/#for-docker-swarm","title":"For Docker swarm","text":"<p>For each of services, you have to run the following command:</p> <pre><code>$ sudo docker service update --force service_name\n</code></pre>"},{"location":"deployment/upgrade/#manual-installation","title":"Manual installation","text":"<p>When upgrading the platform, you have to replace all files and restart the platform, the database migrations will be done automatically:</p> <pre><code>$ yarn serv\n</code></pre>"},{"location":"development/api-usage/","title":"GraphQL playground","text":"<p>The GraphQL playground is an integrated development environment (IDE) provided by OpenCTI for exploring and testing GraphQL APIs. It offers a user-friendly interface that allows developers to interactively query the GraphQL schema, experiment with different queries, and visualize the responses.</p>"},{"location":"development/api-usage/#key-features","title":"Key features","text":""},{"location":"development/api-usage/#interactive-querying","title":"Interactive querying","text":"<p>The Playground provides a text editor where developers can write GraphQL queries, mutations, and subscriptions. As you type, the Playground offers syntax highlighting, autocompletion, and error checking to aid in query composition.</p> <p></p>"},{"location":"development/api-usage/#documentation","title":"Documentation","text":"<p>Developers can access comprehensive documentation for the GraphQL schema directly within the Playground. This documentation includes descriptions of all available types, fields, and directives, making it easy to understand the data model and construct queries.</p> <p></p>"},{"location":"development/api-usage/#query-history","title":"Query history","text":"<p>The playground keeps track of previously executed queries, allowing developers to revisit and reuse queries from previous sessions. This feature streamlines the development process by eliminating the need to retype complex queries.</p> <p></p>"},{"location":"development/api-usage/#response-visualization","title":"Response visualization","text":"<p>Upon executing a query, the playground displays the response data in a structured and readable format. JSON responses are presented in a collapsible tree view, making it easy to navigate nested data structures and inspect individual fields.</p> <p></p>"},{"location":"development/api-usage/#schema-exploration","title":"Schema exploration","text":"<p>Developers can explore the GraphQL schema using the built-in schema viewer. This feature provides a graphical representation of the schema, showing types, fields, and their relationships. Developers can explore the schema and understand its structure.</p> <p></p>"},{"location":"development/api-usage/#getting-started","title":"Getting started","text":"<p>To access the GraphQL playground, navigate to the GraphQL endpoint of your OpenCTI instance: <code>https://[your-opencti-instance]/graphql</code>. Then, follow these steps to utilize the playground:</p> <ol> <li>Query editor: Write GraphQL queries, mutations, and subscriptions in the text editor. Use syntax highlighting and autocompletion to speed up query composition.</li> <li>Documentation explorer: Access documentation for the GraphQL schema by clicking on the \"Docs\" tab on the right. Browse types, fields, and descriptions to understand the available data and query syntax.</li> <li>Query history: View and execute previously executed queries from the \"History\" tab on the top. Reuse queries and experiment with variations without retyping.</li> <li>Response pane: Visualize query responses in the response pane. Expand and collapse sections to navigate complex data structures and inspect individual fields.</li> <li>Schema viewer: Explore the GraphQL schema interactively using the \"Schema\" tab on the right. Navigate types, fields, and relationships to understand the data model and plan queries.</li> </ol>"},{"location":"development/connectors/","title":"Connector development","text":""},{"location":"development/connectors/#introduction","title":"Introduction","text":"<p>A connector in OpenCTI is a service that runs next to the platform and can be implemented in almost any programming language that has STIX2 support. Connectors are used to extend the functionality of OpenCTI and allow operators to shift some of the processing workload to external services. To use the conveniently provided OpenCTI connector SDK you need to use Python3 at the moment.</p> <p>We choose to have a very decentralized approach on connectors, in order to bring a maximum freedom to developers and vendors. So a connector on OpenCTI can be defined by a standalone Python 3 process that pushes an understandable format of data to an ingestion queue of messages.</p> <p>Each connector must implement a long-running process that can be launched just by executing the main Python file. The only mandatory dependency is the <code>OpenCTIConnectorHelper</code> class that enables the connector to send data to OpenCTI.</p>"},{"location":"development/connectors/#getting-started","title":"Getting started","text":"<p>In the beginning first think about your use-case to choose and appropriate connector type - what do want to achieve with your connector? The following table gives you an overview of the current connector types and some typical use-cases:</p> <p>Connector types</p> Type Typical use cases Example connector EXTERNAL_IMPORT Integrate external TI provider, Integrate external TI platform AlienVault INTERNAL_ENRICHMENT Enhance existing data with additional knowledge AbuseIP INTERNAL_IMPORT_FILE (Bulk) import knowledge from files Import document INTERNAL_EXPORT_FILE (Bulk) export knowledge to files STIX 2.1, CSV. STREAM Integrate external TI provider, Integrate external TI platform Elastic Security <p>After you've selected your connector type make yourself familiar with STIX2 and the supported relationships in OpenCTI. Having some knowledge about the internal data models with help you a lot with the implementation of your idea.</p>"},{"location":"development/connectors/#preparation","title":"Preparation","text":""},{"location":"development/connectors/#environment-setup","title":"Environment Setup","text":"<p>To develop and test your connector, you need a running OpenCTI instance with the frontend and the messaging broker accessible. If you don't plan on developing anything for the OpenCTI platform or the frontend, the easiest setup for the connector development is using the docker setup, For more details see here.</p>"},{"location":"development/connectors/#coding-setup","title":"Coding Setup","text":"<p>To give you an easy starting point we prepared an example connector in the public repository you can use as template to bootstrap your development.</p> <p>Some prerequisites we recommend to follow this tutorial:</p> <ul> <li>Code editor with good Python3 support (e.g. Visual Studio Code with the Python extension pack)</li> <li>Python3 + setuptools is installed and configured</li> <li>Command shell (either Linux/Mac terminal or WSL on Windows)</li> </ul> <p>In the terminal check out the connectors repository and copy the template connector to <code>$myconnector</code> (replace it with your name throughout the following text examples).</p> <pre><code>$ pip3 install black flake8 pycti\n# Fork the current repository, then clone your fork\n$ git clone https://github.com/YOUR-USERNAME/connectors.git\n$ cd connectors\n$ git remote add upstream https://github.com/OpenCTI-Platform/connectors.git\n# Create a branch for your feature/fix\n$ git checkout -b [branch-name]\n# Copy the appropriate template directory for the connector type\n$ cp -r templates/$connector_type $connector_type/$myconnector\n$ cd $connector_type/$myconnector\n$ ls -R\nDockerfile              docker-compose.yml      requirements.txt\nREADME.md               entrypoint.sh           src\n\n./src:\nlib     main.py\n\n./src/lib:\n$connector_type.py\n</code></pre>"},{"location":"development/connectors/#changing-the-template","title":"Changing the template","text":"<p>There are a few files in the template we need to change for our connector to be unique. You can check for all places you need to change you connector name with the following command (the output will look similar):</p> <pre><code>$ grep -Ri template .\n\nREADME.md:# OpenCTI Template Connector\nREADME.md:| `connector_type`                     | `CONNECTOR_TYPE`                    | Yes          | Must be `Template_Type` (this is the connector type).                                                                                                      |\nREADME.md:| `connector_name`                     | `CONNECTOR_NAME`                    | Yes          | Option `Template`                                                                                                                                          |\nREADME.md:| `connector_scope`                    | `CONNECTOR_SCOPE`                   | Yes          | Supported scope: Template Scope (MIME Type or Stix Object)                                                                                                 |\nREADME.md:| `template_attribute`                 | `TEMPLATE_ATTRIBUTE`                | Yes          | Additional setting for the connector itself                                                                                                                |\ndocker-compose.yml:  connector-template:\ndocker-compose.yml:    image: opencti/connector-template:4.5.5\ndocker-compose.yml:      - CONNECTOR_TYPE=Template_Type\ndocker-compose.yml:      - CONNECTOR_NAME=Template\ndocker-compose.yml:      - CONNECTOR_SCOPE=Template_Scope # MIME type or Stix Object\nentrypoint.sh:cd /opt/opencti-connector-template\nDockerfile:COPY src /opt/opencti-template\nDockerfile:    cd /opt/opencti-connector-template &amp;&amp; \\\nsrc/main.py:class Template:\nsrc/main.py:            \"TEMPLATE_ATTRIBUTE\", [\"template\", \"attribute\"], config, True\nsrc/main.py:        connectorTemplate = Template()\nsrc/main.py:        connectorTemplate.run()\nsrc/config.yml.sample:  type: 'Template_Type'\nsrc/config.yml.sample:  name: 'Template'\nsrc/config.yml.sample:  scope: 'Template_Scope' # MIME type or SCO\n</code></pre> <p>Required changes:</p> <ul> <li> Change <code>Template</code> or <code>template</code>mentions to your connector name e.g. <code>ImportCsv</code> or <code>importcsv</code></li> <li> Change <code>TEMPLATE</code> mentions to your connector name e.g. <code>IMPORTCSV</code></li> <li> Change <code>Template_Scope</code> mentions to the required scope of your connector. For processing imported files, that can be the Mime type e.g. <code>application/pdf</code> or for enriching existing information in OpenCTI, define the STIX object's name e.g. <code>Report</code>. Multiple scopes can be separated by a simple <code>,</code></li> <li> Change <code>Template_Type</code> to the connector type you wish to develop. The OpenCTI types (OpenCTI flags) are defined in this table.</li> </ul>"},{"location":"development/connectors/#development","title":"Development","text":""},{"location":"development/connectors/#initialize-the-opencti-connector-helper","title":"Initialize the OpenCTI connector helper","text":"<p>After getting the configuration parameters of your connector, you have to initialize the OpenCTI connector helper by using the <code>pycti</code> Python library. This is shown in the following example:</p> <pre><code>class TemplateConnector:\n    def __init__(self):\n                # Instantiate the connector helper from config\n        config_file_path = os.path.dirname(os.path.abspath(__file__)) + \"/config.yml\"\n        config = (\n            yaml.load(open(config_file_path), Loader=yaml.SafeLoader)\n            if os.path.isfile(config_file_path)\n            else {}\n        )\n        self.helper = OpenCTIConnectorHelper(config)\n                self.custom_attribute = get_config_variable(\n            \"TEMPLATE_ATTRIBUTE\", [\"template\", \"attribute\"], config\n        )\n</code></pre> <p>Since there are some basic differences in the tasks of the different connector classes, the structure is also a bit class dependent. While the external-import and the stream connector run independently in a regular interval or constantly, the other 3 connector classes only run when being requested by the OpenCTI platform.</p> <p>The self-triggered connectors run independently, but the OpenCTI need to define a callback function, which can be executed for the connector to start its work. This is done via         <code>self.helper.listen(self._process_message)</code> . In the appended examples, the difference of the setup can be seen.</p> <p>Self-triggered Connectors</p> <ul> <li>external-import</li> <li>stream</li> </ul> <p>OpenCTI triggered</p> <ul> <li>internal-enrichment</li> <li>internal-import</li> <li>internal-export</li> </ul> <pre><code>from pycti import OpenCTIConnectorHelper, get_config_variable\n\nclass TemplateConnector:\n    def __init__(self) -&gt; None:\n                # Initialization procedures\n                [...]\n        self.template_interval = get_config_variable(\n            \"TEMPLATE_INTERVAL\", [\"template\", \"interval\"], config, True\n        )\n\n    def get_interval(self) -&gt; int:\n        return int(self.template_interval) * 60 * 60 * 24\n\n    def run(self) -&gt; None:\n                # Main procedure\n\nif __name__ == \"__main__\":\n    try:\n        template_connector = TemplateConnector()\n        template_connector.run()\n    except Exception as e:\n        print(e)\n        time.sleep(10)\n        exit(0)\n</code></pre> <pre><code>from pycti import OpenCTIConnectorHelper, get_config_variable\n\nclass TemplateConnector:\n    def __init__(self) -&gt; None:\n                # Initialization procedures\n                [...]\n\n    def _process_message(self, data: dict) -&gt; str:\n                # Main procedure                \n\n    # Start the main loop\n    def start(self) -&gt; None:\n        self.helper.listen(self._process_message)\n\nif __name__ == \"__main__\":\n    try:\n        template_connector = TemplateConnector()\n        template_connector.start()\n    except Exception as e:\n        print(e)\n        time.sleep(10)\n        exit(0)\n</code></pre>"},{"location":"development/connectors/#write-and-read-operations","title":"Write and Read Operations","text":"<p>When using the <code>OpenCTIConnectorHelper</code> class, there are two way for reading from or writing data to the OpenCTI platform.</p> <ol> <li>via the OpenCTI API interface via <code>self.helper.api</code></li> <li>via the OpenCTI worker via <code>self.send_stix2_bundle</code></li> </ol>"},{"location":"development/connectors/#sending-data-to-the-opencti-platform","title":"Sending data to the OpenCTI platform","text":"<p>The recommended way for creating or updating data in the OpenCTI platform is via the OpenCTI worker. This enables the connector to just send and forget about thousands of entities at once to without having to think about the ingestion order, performance or error handling.</p>  \u26a0\ufe0f **Please DO NOT use the api interface to create new objects in connectors.**   <p>The OpenCTI connector helper method <code>send_stix2_bundle</code> must be used to send data to OpenCTI. The <code>send_stix2_bundle</code> function takes 2 arguments.</p> <ol> <li>A serialized STIX2 bundle as a <code>string</code> (mandatory)</li> <li>A <code>list</code> of entities types that should be ingested (optional)</li> </ol> <p>Here is an example using the STIX2 Python library:</p> <pre><code>from stix2 import Bundle, AttackPattern\n\n[...]\n\nattack_pattern = AttackPattern(name='Evil Pattern')\n\nbundle_objects = []\nbundle_objects.append(attack_pattern)\n\nbundle = Bundle(objects=bundle_objects).serialize()\nbundles_sent = self.opencti_connector_helper.send_stix2_bundle(bundle)\n</code></pre>"},{"location":"development/connectors/#reading-from-the-opencti-platform","title":"Reading from the OpenCTI platform","text":"<p>Read queries to the OpenCTI platform can be achieved using the API and the STIX IDs can be attached to reports to create the relationship between those two entities.</p> <pre><code>entity = self.helper.api.vulnerability.read(\n    filters={\"key\": \"name\", \"values\": [\"T1234\"]}\n)\n</code></pre> <p>If you want to add the found entity via <code>objects_refs</code> to another SDO, simple add a list of <code>stix_ids</code> to the SDO. Here's an example using the entity from the code snippet above:</p> <pre><code>from stix2 import Report\n\n[...]\n\nreport = Report(\n    id=report[\"standard_id\"],\n  object_refs=[entity[\"standard_id\"]],\n)\n</code></pre>"},{"location":"development/connectors/#logging","title":"Logging","text":"<p>When something crashes at a user's, you as a developer want to know as much as possible about this incident to easily improve your code and remove this issue. To do so, it is very helpful if your connector documents what it does. Use <code>info</code> messages for big changes like the beginning or the finishing of an operation, but to facilitate your bug removal attempts, implement <code>debug</code> messages for minor operation changes to document different steps in your code.</p> <p>When encountering a crash, the connector's user can easily restart the troubling connector with the debug logging activated.</p> <ul> <li><code>CONNECTOR_LOG_LEVEL=debug</code></li> </ul> <p>Using those additional log messages, the bug report is more enriched with information about the possible cause of the problem. Here's an example of how the logging should be implemented:</p> <pre><code>        def run(self) -&gt; None:\n                self.helper.log_info('Template connector starts')\n                results = self._ask_for_news()\n                [...]\n\n        def _ask_for_news() -&gt; None:\n                overall = []\n                for i in range(0, 10):\n                        self.log_debug(f\"Asking about news with count '{i}'\")\n                        # Do something\n                        self.log_debug(f\"Resut: '{result}'\")\n                        overall.append(result)\n                return overall\n</code></pre> <p>Please make sure that the debug messages rich of useful information, but that they are not redundant and that the user is not drowned by unnecessary information.</p>"},{"location":"development/connectors/#additional-implementations","title":"Additional implementations","text":"<p>If you are still unsure about how to implement certain things in your connector, we advise you to have a look at the code of other connectors of the same type. Maybe they are already using approach which is suitable for addressing to your problem.</p>"},{"location":"development/connectors/#opencti-triggered-connector-special-cases","title":"OpenCTI triggered Connector - Special cases","text":""},{"location":"development/connectors/#data-layout-of-dictionary-from-callback-function","title":"Data Layout of Dictionary from Callback function","text":"<p>OpenCTI sends the connector a few instructions via the <code>data</code> dictionary in the callback function. Depending on the connector type, the data dictionary content is a bit different. Here are a few examples for each connector type.</p> <p>Internal Import Connector</p> <p>Internal Enrichment Connector</p> <pre><code>{ \n  \"file_id\": \"&lt;fileId&gt;\",\n  \"file_mime\": \"application/pdf\", \n  \"file_fetch\": \"storage/get/&lt;file_id&gt;\", // Path to get the file\n  \"entity_id\": \"report--82843863-6301-59da-b783-fe98249b464e\", // Context of the upload\n}\n</code></pre> <pre><code>{ \n  \"entity_id\": \"&lt;stixCoreObjectId&gt;\" // StixID of the object wanting to be enriched\n}\n</code></pre> <p>Internal Export Connector</p> <pre><code>{ \n  \"export_scope\": \"single\", // 'single' or 'list'\n  \"export_type\": \"simple\", // 'simple' or 'full'\n  \"file_name\": \"&lt;fileName&gt;\", // Export expected file name\n  \"max_marking\": \"&lt;maxMarkingId&gt;\", // Max marking id\n  \"entity_type\": \"AttackPattern\", // Exported entity type\n  // ONLY for single entity export\n  \"entity_id\": \"&lt;entity.id&gt;\", // Exported element\n  // ONLY for list entity export\n  \"list_params\": \"[&lt;parameters&gt;]\" // Parameters for finding entities\n}\n</code></pre>"},{"location":"development/connectors/#self-triggered-connector-special-cases","title":"Self triggered Connector - Special cases","text":""},{"location":"development/connectors/#initiating-a-work-before-pushing-data","title":"Initiating a 'Work' before pushing data","text":"<p>For self-triggered connectors, OpenCTI has to be told about new jobs to process and to import. This is done by registering a so called <code>work</code> before sending the stix bundle and signalling the end of a work. Here an example:</p> <p>By implementing the work registration, they will show up as shown in this screenshot for the MITRE ATT&amp;CK connector:</p> <pre><code>def run() -&gt; None:\n        # Anounce upcoming work\n        timestamp = int(time.time())\n        now = datetime.utcfromtimestamp(timestamp)\n    friendly_name = \"Template run @ \" + now.strftime(\"%Y-%m-%d %H:%M:%S\")\n    work_id = self.helper.api.work.initiate_work(\n                self.helper.connect_id, friendly_name\n        )\n\n        [...]\n        # Send Stix bundle\n        self.helper.send_stix2_bundle(\n                bundle,\n                entities_types=self.helper.connect_scope,\n                update=True,\n                work_id=work_id,\n        )\n        # Finish the work\n        self.helper.log_info(\n            f\"Connector successfully run, storing last_run as {str(timestamp)}\"\n    )              \n        message = \"Last_run stored, next run in: {str(round(self.get_interval() / 60 / 60 / 24, 2))} days\"\n        self.helper.api.work.to_processed(work_id, message)\n</code></pre>"},{"location":"development/connectors/#interval-handling","title":"Interval handling","text":"<p>The connector is also responsible for making sure that it runs in certain intervals. In most cases, the intervals are definable in the connector config and then only need to be set and updated during the runtime.</p> <pre><code>class TemplateConnector:\n    def __init__(self) -&gt; None:\n                # Initialization procedures\n                [...]\n        self.template_interval = get_config_variable(\n            \"TEMPLATE_INTERVAL\", [\"template\", \"interval\"], config, True\n        )\n\n    def get_interval(self) -&gt; int:\n        return int(self.template_interval) * 60 * 60 * 24\n\n        def run(self) -&gt; None:\n        self.helper.log_info(\"Fetching knowledge...\")\n        while True:\n            try:\n                # Get the current timestamp and check\n                timestamp = int(time.time())\n                current_state = self.helper.get_state()\n                if current_state is not None and \"last_run\" in current_state:\n                    last_run = current_state[\"last_run\"]\n                    self.helper.log_info(\n                        \"Connector last run: \"\n                        + datetime.utcfromtimestamp(last_run).strftime(\n                            \"%Y-%m-%d %H:%M:%S\"\n                        )\n                    )\n                else:\n                    last_run = None\n                    self.helper.log_info(\"Connector has never run\")\n                # If the last_run is more than interval-1 day\n                if last_run is None or (\n                    (timestamp - last_run)\n                    &gt; ((int(self.template_interval) - 1) * 60 * 60 * 24)\n                ):\n                    timestamp = int(time.time())\n                    now = datetime.utcfromtimestamp(timestamp)\n                    friendly_name = \"Connector run @ \" + now.strftime(\"%Y-%m-%d %H:%M:%S\")\n\n                                        ###\n                                        # RUN CODE HERE     \n                                        ###\n\n                    # Store the current timestamp as a last run\n                    self.helper.log_info(\n                        \"Connector successfully run, storing last_run as \"\n                        + str(timestamp)\n                    )\n                    self.helper.set_state({\"last_run\": timestamp})\n                    message = (\n                        \"Last_run stored, next run in: \"\n                        + str(round(self.get_interval() / 60 / 60 / 24, 2))\n                        + \" days\"\n                    )\n                    self.helper.api.work.to_processed(work_id, message)\n                    self.helper.log_info(message)\n                    time.sleep(60)\n                else:\n                    new_interval = self.get_interval() - (timestamp - last_run)\n                    self.helper.log_info(\n                        \"Connector will not run, next run in: \"\n                        + str(round(new_interval / 60 / 60 / 24, 2))\n                        + \" days\"\n                    )\n                    time.sleep(60)\n</code></pre>"},{"location":"development/connectors/#running-the-connector","title":"Running the connector","text":"<p>For development purposes, it is easier to simply run the python script locally until everything works as it sould.</p> <pre><code>$ virtualenv env\n$ source ./env/bin/activate\n$ pip3 install -r requirements\n$ cp config.yml.sample config.yml\n# Define the opencti url and token, as well as the connector's id\n$ vim config.yml\n$ python3 main.py\nINFO:root:Listing Threat-Actors with filters null.\nINFO:root:Connector registered with ID: a2de809c-fbb9-491d-90c0-96c7d1766000\nINFO:root:Starting ping alive thread\n...\n</code></pre>"},{"location":"development/connectors/#final-testing","title":"Final Testing","text":"<p>Before submitting a Pull Request, please test your code for different use cases and scenarios. We don't have an automatic testing suite for the connectors yet, thus we highly depend on developers thinking about creative scenarios their code could encounter.</p>"},{"location":"development/connectors/#prepare-for-release","title":"Prepare for release","text":"<p>If you plan to provide your connector to be used by the community (\u2764\ufe0f) your code should pass the following (minimum) criteria.</p> <pre><code># Linting with flake8 contains no errors or warnings\n$ flake8 --ignore=E,W\n# Verify formatting with black\n$ black .\nAll done! \u2728 \ud83c\udf70 \u2728\n1 file left unchanged.\n# Verify import sorting\n$ isort --profile black .\nFixing /path/to/connector/file.py\n# Push you feature/fix on Github\n$ git add [file(s)]\n$ git commit -m \"[connector_name] descriptive message\"\n$ git push origin [branch-name]\n# Open a pull request with the title \"[connector_name] message\"\n</code></pre> <p>If you have any trouble with this just reach out to the OpenCTI core team. We are happy to assist with this.</p>"},{"location":"development/environment_ubuntu/","title":"Prerequisites Ubuntu","text":"<p>Development stack require some base software that need to be installed.</p>"},{"location":"development/environment_ubuntu/#docker-or-podman","title":"Docker or podman","text":"<p>Platform dependencies in development are deployed through container management, so you need to install a container stack.</p> <p>We currently support docker and podman.</p> <pre><code>$ sudo apt-get install docker docker-compose curl\n</code></pre> <pre><code>sudo apt-get -y install podman\n</code></pre> <p>As OpenCTI has a dependency to ElasticSearch, you have to set the vm.max_map_count before running the containers, as mentioned in the ElasticSearch documentation.</p> <pre><code>$ sudo sysctl -w vm.max_map_count=262144\n</code></pre>"},{"location":"development/environment_ubuntu/#nodejs-and-yarn","title":"NodeJS and yarn","text":"<p>The platform is developed on nodejs technology, so you need to install node and the yarn package manager.</p> <pre><code>$ sudo apt-get install nodejs\n$ sudo curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -\n$ sudo echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | sudo tee /etc/apt/sources.list.d/yarn.list\n$ sudo apt-get update &amp;&amp; sudo apt-get install yarn\n</code></pre>"},{"location":"development/environment_ubuntu/#python-runtime","title":"Python runtime","text":"<p>For worker and connectors, a python runtime is needed.</p> <pre><code>$ sudo apt-get install python3 python3-pip\n</code></pre>"},{"location":"development/environment_ubuntu/#git-and-dev-tool","title":"Git and dev tool","text":"<ul> <li>Install Git from apt</li> </ul> <pre><code>$ sudo apt-get install git-all\n</code></pre> <ul> <li>Install your preferred IDE<ul> <li>Intellij community edition - https://www.jetbrains.com/idea/download/</li> <li>VSCode - https://code.visualstudio.com/</li> </ul> </li> </ul>"},{"location":"development/environment_windows/","title":"Prerequisites Windows","text":"<p>Development stack require some base software that need to be installed.</p>"},{"location":"development/environment_windows/#docker-or-podman","title":"Docker or podman","text":"<p>Platform dependencies in development are deployed through container management, so you need to install a container stack.</p> <p>We currently support docker and postman.</p> <p>Docker Desktop from - https://docs.docker.com/desktop/install/windows-install/</p> <ul> <li>Install new version of - https://docs.microsoft.com/windows/wsl/wsl2-kernel. This will require a reboot.</li> <li>Shell out to CMD as Administrator and run the following powershell command: </li> </ul> <p><code>wsl --set-default-version 2</code></p> <ul> <li>Reboot computer and continue to next step       </li> <li>Load Docker Application</li> <li>NOTE DOCKER LICENSE - You are agreeing to the licence for Non-commercial Open Source Project use. OpenCTI is Open Source and the version you would be possibly contributing to enhancing is the unpaid non-commercial/non-enterprise version. If you intention is different - please consult with your organization's legal/licensing department.</li> <li>Leave Docker Desktop running</li> </ul>"},{"location":"development/environment_windows/#nodejs-and-yarn","title":"NodeJS and yarn","text":"<p>The platform is developed on nodejs technology, so you need to install node and the yarn package manager.</p> <ul> <li>Install NodeJS from - https://nodejs.org/download/release/v16.20.0/node-v16.20.0-x64.msi</li> <li>Select the option for installing Chocolatey on the Tools for Native Modules screen<ul> <li>Will do this install for you automatically - https://chocolatey.org/packages/visualstudio2019-workload-vctools</li> <li>Includes Python 3.11.4</li> </ul> </li> <li> <p>Shell out to CMD prompt as Administrator and install/run:</p> <ul> <li><code>pip3 install pywin32</code></li> </ul> </li> <li> <p>Configure Yarn (https://yarnpkg.com/getting-started/install)</p> </li> <li>Open CMD as Administrator and run the following command:<ul> <li><code>corepack enable</code></li> </ul> </li> </ul>"},{"location":"development/environment_windows/#python-runtime","title":"Python runtime","text":"<p>For worker and connectors, a python runtime is needed. Even if you already have a python runtime installed through node installation,  on windows some nodejs package will be recompiled with python and C++ runtime. </p> <p>For this reason Visual Studio Build Tools is required.</p> <ul> <li>Install Visual Studio Build Tools from - https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=BuildTools</li> <li>Check off Desktop Development with C++</li> <li>Run install</li> </ul>"},{"location":"development/environment_windows/#git-and-dev-tool","title":"Git and dev tool","text":"<ul> <li>Download GIT for Windows (64-bit Setup)- https://git-scm.com/download/win</li> <li> <p>Just use defaults on each screen</p> </li> <li> <p>Install your preferred IDE</p> </li> <li>Intellij community edition - https://www.jetbrains.com/idea/download/</li> <li>VSCode - https://code.visualstudio.com/docs/?dv=win64</li> </ul>"},{"location":"development/platform/","title":"Platform development","text":""},{"location":"development/platform/#introduction","title":"Introduction","text":"<p>This summary should give you a detailed setup description for initiating the OpenCTI setup environment  necessary for developing on the OpenCTI platform, a client library or the connectors.  This page document how to set up an \"All-in-One\" development environment for OpenCTI.  The devenv will contain data of 3 different repositories:</p> <ul> <li>Platform: https://github.com/OpenCTI-Platform/opencti</li> <li>Connectors: https://github.com/OpenCTI-Platform/connectors</li> <li>Client python: https://github.com/OpenCTI-Platform/client-python</li> </ul>"},{"location":"development/platform/#platform","title":"Platform","text":"<p>Contains the platform OpenCTI project code base:</p> <ul> <li>docker-compose (docker or podman) <code>~/opencti/opencti-platform/opencti-dev</code></li> <li>Web frontend (nodejs / react) <code>~/opencti/opencti-platform/opencti-graphql</code></li> <li>Backend (nodejs) <code>~/opencti/opencti-platform/opencti-frontend</code></li> <li>Worker (nodejs / python) <code>~/opencti/opencti-worker</code></li> </ul>"},{"location":"development/platform/#connectors","title":"Connectors","text":"<p>Contains a lot of developed connectors, as a source of inspiration for your new connector.</p>"},{"location":"development/platform/#client-python","title":"Client python","text":"<p>Contains the source code of the python library used in worker or connectors.</p>"},{"location":"development/platform/#prerequisites","title":"Prerequisites","text":"<p>Some tools are needed before starting to develop. Please check Ubuntu prerequisites or Windows prerequisites</p>"},{"location":"development/platform/#clone-the-projects","title":"Clone the projects","text":"<p>Fork and clone the git repositories</p> <ul> <li>https://github.com/OpenCTI-Platform/opencti/ - frontend / backend</li> <li>https://github.com/OpenCTI-Platform/connectors - connectors</li> <li>https://github.com/OpenCTI-Platform/docker - docker stack</li> <li>https://github.com/OpenCTI-Platform/client-python/ - python client</li> </ul>"},{"location":"development/platform/#dependencies-containers","title":"Dependencies containers","text":"<p>In development dependencies are deployed trough containers. A development compose file is available in <code>~/opencti/opencti-platform/opencti-dev</code></p> <pre><code>cd ~/docker\n#Start the stack in background\ndocker-compose -f ./docker-compose-dev.yml up -d\n</code></pre> <p>You have now all the dependencies of OpenCTI running and waiting for product to run.</p>"},{"location":"development/platform/#backend-api","title":"Backend / API","text":""},{"location":"development/platform/#python-virtual-env","title":"Python virtual env","text":"<p>The GraphQL API is developed in JS and with some python code.  As it's an \"all-in-one\" installation, the python environment will be installed in a virtual environment.</p> <pre><code>cd ~/opencti/opencti-platform/opencti-graphql\npython3 -m venv .venv --prompt \"graphql\"\nsource .venv/bin/activate\npip install --upgrade pip wheel setuptools\nyarn install\nyarn install:python \ndeactivate\n</code></pre>"},{"location":"development/platform/#development-configuration","title":"Development configuration","text":"<p>The API can be specifically configured with files depending on the starting profile. By default, the default.json file is used and will be correctly configured for local usage except for admin password</p> <p>So you need to create a development profile file. You can duplicate the default file and adapt if for you need. <pre><code>cd ~/opencti/opencti-platform/opencti-graphql/config\ncp default.json development.json\n</code></pre></p> <p>At minimum adapt the admin part for the password and token. <pre><code>    \"admin\": {\n      \"email\": \"admin@opencti.io\",\n      \"password\": \"MyNewPassord\",\n      \"token\": \"UUID generated with https://www.uuidgenerator.net\"\n    }\n</code></pre></p>"},{"location":"development/platform/#install-start","title":"Install / start","text":"<p>Before starting the backend you need to install the nodejs modules</p> <pre><code>cd ~/opencti/opencti-platform/opencti-graphql\nyarn install\n</code></pre> <p>Then you can simply start the backend API with the yarn start command</p> <pre><code>cd ~/opencti/opencti-platform/opencti-graphql\nyarn start\n</code></pre> <p>The platform will start logging some interesting information</p> <pre><code>{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[OPENCTI] Starting platform\",\"timestamp\":\"2023-07-02T16:37:10.984Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[OPENCTI] Checking dependencies statuses\",\"timestamp\":\"2023-07-02T16:37:10.987Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[SEARCH] Elasticsearch (8.5.2) client selected / runtime sorting enabled\",\"timestamp\":\"2023-07-02T16:37:11.014Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[CHECK] Search engine is alive\",\"timestamp\":\"2023-07-02T16:37:11.015Z\",\"version\":\"5.8.7\"}\n...\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[INIT] Platform initialization done\",\"timestamp\":\"2023-07-02T16:37:11.622Z\",\"version\":\"5.8.7\"}\n{\"category\":\"APP\",\"level\":\"info\",\"message\":\"[OPENCTI] API ready on port 4000\",\"timestamp\":\"2023-07-02T16:37:12.382Z\",\"version\":\"5.8.7\"}\n</code></pre> <p>If you want to start on another profile you can use the -e parameter. For example here to use the profile.json configuration file.</p> <pre><code>yarn start -e profile\n</code></pre>"},{"location":"development/platform/#code-check","title":"Code check","text":"<p>Before pushing your code you need to validate the syntax and ensure the testing will be validated.</p>"},{"location":"development/platform/#for-validation","title":"For validation","text":"<p><code>yarn lint</code></p> <p><code>yarn check-ts</code></p>"},{"location":"development/platform/#for-testing","title":"For testing","text":"<p>For starting the test you will need to create a test.json file. You can use the same dependencies by only adapting all prefix for all dependencies.</p> <p><code>yarn test:dev</code></p>"},{"location":"development/platform/#frontend","title":"Frontend","text":""},{"location":"development/platform/#install-start_1","title":"Install / start","text":"<p>Before starting the backend you need to install the nodejs modules</p> <pre><code>cd ~/opencti/opencti-platform/opencti-front\nyarn install\n</code></pre> <p>Then you can simply start the frontend with the yarn start command</p> <pre><code>cd ~/opencti/opencti-platform/opencti-front\nyarn start\n</code></pre> <p>The frontend will start with some interesting information</p> <pre><code>[INFO] [default] compiling...\n[INFO] [default] compiled documents: 1592 reader, 1072 normalization, 1596 operation text\n[INFO] Compilation completed.\n[INFO] Done.\n[HPM] Proxy created: /stream  -&gt; http://localhost:4000\n[HPM] Proxy created: /storage  -&gt; http://localhost:4000\n[HPM] Proxy created: /taxii2  -&gt; http://localhost:4000\n[HPM] Proxy created: /feeds  -&gt; http://localhost:4000\n[HPM] Proxy created: /graphql  -&gt; http://localhost:4000\n[HPM] Proxy created: /auth/**  -&gt; http://localhost:4000\n[HPM] Proxy created: /static/flags/**  -&gt; http://localhost:4000\n</code></pre> <p>The web UI should be accessible on http://127.0.0.1:3000</p>"},{"location":"development/platform/#code-check_1","title":"Code check","text":"<p>Before pushing your code you need to validate the syntax and ensure the testing will be validated.</p>"},{"location":"development/platform/#for-validation_1","title":"For validation","text":"<p><code>yarn lint</code></p> <p><code>yarn check-ts</code></p>"},{"location":"development/platform/#for-testing_1","title":"For testing","text":"<p><code>yarn test</code></p>"},{"location":"development/platform/#worker","title":"Worker","text":"<p>Running a worker is required when you want to develop on the ingestion or import/export connectors.</p>"},{"location":"development/platform/#python-virtual-env_1","title":"Python virtual env","text":"<pre><code>cd ~/opencti/opencti-worker/src\npython3 -m venv .venv --prompt \"worker\"\nsource .venv/bin/activate\npip3 install --upgrade pip wheel setuptools\npip3 install -r requirements.txt\ndeactivate\n</code></pre>"},{"location":"development/platform/#install-start_2","title":"Install / start","text":"<pre><code>cd ~/opencti/opencti-worker/src\nsource .venv/bin/activate\npython worker.py\n</code></pre>"},{"location":"development/platform/#connectors_1","title":"Connectors","text":"<p>For connectors development, please take a look to Connectors development dedicated page.</p>"},{"location":"development/platform/#production-build","title":"Production build","text":"<p>Based on development source you can build the package for production. This package will be minified and optimized with esbuild.</p> <pre><code>$ cd opencti-frontend\n$ yarn build\n$ cd ../opencti-graphql\n$ yarn build\n</code></pre> <p>After the build you can start the production build with yarn serv. This build will use the production.json configuration file</p> <pre><code>$ cd ../opencti-graphql\n$ yarn serv\n</code></pre>"},{"location":"development/python/","title":"Python library","text":"<p>The PyCTI library is the official Python client for OpenCTI. It is made to help developers interact with the openCTI plaform.</p>"},{"location":"development/python/#installation","title":"Installation","text":"<p>To install the latest Python client library, please use <code>pip</code>:</p> <pre><code>$ pip3 install pycti\n</code></pre>"},{"location":"development/python/#using-the-helper-functions","title":"Using the helper functions","text":"<p>The main class <code>OpenCTIApiClient</code> contains all what you need to interact with the platform, you just have to initialize it.</p> <p>The following example shows how you create an indicator in OpenCTI using the python library with TLP marking and OpenCTI compatible date format.</p> <pre><code>from dateutil.parser import parse\nfrom pycti import OpenCTIApiClient\nfrom stix2 import TLP_GREEN\n\n# OpenCTI API client initialization\nopencti_api_client = OpenCTIApiClient(\"https://myopencti.server\", \"mysupersecrettoken\")\n\n# Define an OpenCTI compatible date\ndate = parse(\"2019-12-01\").strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n\n# Get the OpenCTI marking for stix2 TLP_GREEN\nTLP_GREEN_CTI = opencti_api_client.marking_definition.read(id=TLP_GREEN[\"id\"])\n\n# Use the client to create an indicator in OpenCTI\nindicator = opencti_api_client.indicator.create(\n    name=\"C2 server of the new campaign\",\n    description=\"This is the C2 server of the campaign\",\n    pattern_type=\"stix\",\n    pattern=\"[domain-name:value = 'www.5z8.info']\",\n    x_opencti_main_observable_type=\"IPv4-Addr\",\n    valid_from=date,\n    update=True,\n    markingDefinitions=[TLP_GREEN_CTI[\"id\"]],\n)\n</code></pre>"},{"location":"development/python/#examples","title":"Examples","text":"<p>A suite of illustrative examples is available in the PyCTI GitHub repository to aid in better understanding.</p>"},{"location":"reference/api/","title":"GraphQL API","text":"<p>OpenCTI provides a comprehensive API based on GraphQL, allowing users to perform various actions programmatically. The API enables users to interact with OpenCTI's functionality and data, offering a powerful tool for automation, integration, and customization. All actions that can be performed through the platform's graphical interface are also achievable via the API.</p>"},{"location":"reference/api/#authentication","title":"Authentication","text":"<p>Access to the OpenCTI API requires authentication using standard authentication mechanisms. Access rights to data via the API will be determined by the access privileges of the user associated with the API key. For authentication, users need to include the following headers in their API requests:</p> <pre><code>Content-Type: application/json\nAuthorization: Bearer [API key]\n</code></pre>"},{"location":"reference/api/#documentation","title":"Documentation","text":"<p>The OpenCTI API consists of various endpoints corresponding to different functionalities and operations within the platform. These endpoints allow users to perform actions such as querying data, creating or updating entities, and more. Users can refer to the Understand GraphQL section to understand how it works.</p> <p>Documentation for the OpenCTI API, including schema definitions, the list of filters available and queryable fields, is available through the OpenCTI platform. It can be found on the GraphQL playground. However, query examples and mutation examples are not yet available. In the meantime, users can explore the available endpoints and their functionality by inspecting network traffic in the browser's developer tools or by examining the source code of the Python client.</p> <p></p> <p></p>"},{"location":"reference/api/#understand-graphql","title":"Understand GraphQL","text":"<p>GraphQL is a powerful query language for APIs that enables clients to request exactly the data they need. Unlike traditional REST APIs, which expose fixed endpoints and return predefined data structures, GraphQL APIs allow clients to specify the shape and structure of the data they require.</p>"},{"location":"reference/api/#core-concepts","title":"Core concepts","text":""},{"location":"reference/api/#schema-definition-language-sdl","title":"Schema Definition Language (SDL)","text":"<p>GraphQL APIs are defined by a schema, which describes the types of data that can be queried and the relationships between them. The schema is written using the Schema Definition Language (SDL), which defines types, fields, and their relationships.</p>"},{"location":"reference/api/#query-language","title":"Query language","text":"<p>GraphQL uses a query language to request data from the server. Clients can specify exactly which fields they need and how they are related, enabling precise data retrieval without over-fetching or under-fetching.</p> <p>Example:</p> <pre><code>query IntrusionSets {\n    intrusionSets (\n        filters:\n        {\n            mode: and,\n            filters: [\n                {\n                    key: \"name\",\n                    values: [\"Ajax Security Team\"],\n                    operator: eq,\n                    mode: or,\n                }\n            ],\n            filterGroups: [],\n        }\n    )\n    {\n        edges{\n            node{\n                id\n                name\n                description\n                externalReferences{\n                    edges{\n                        node{\n                            url\n                            source_name\n                        }\n                    }\n                }\n            }\n        }\n    }\n}\n</code></pre>"},{"location":"reference/api/#resolvers","title":"Resolvers","text":"<p>Resolvers are functions responsible for fetching the requested data. Each field in the GraphQL schema corresponds to a resolver function, which determines how to retrieve the data from the underlying data sources.</p>"},{"location":"reference/api/#how-it-works","title":"How it Works","text":"<ol> <li>Schema definition: The API provider defines a GraphQL schema using SDL, specifying the types and fields available for querying.</li> <li>Query execution: Clients send GraphQL queries to the server, specifying the data they need. The server processes the query, resolves each field, and constructs a response object with the requested data.</li> <li>Validation and execution: The server validates the query against the schema to ensure it is syntactically and semantically correct. If validation passes, the server executes the query, invoking the appropriate resolver functions to fetch the requested data.</li> <li>Data retrieval: Resolvers fetch data from the relevant data sources, such as databases, APIs, or other services. They transform the raw data into the shape specified in the query and return it to the client.</li> <li>Response formation: Once all resolvers have completed, the server assembles the response object containing the requested data and sends it back to the client.</li> </ol>"},{"location":"reference/api/#external-resources","title":"External Resources","text":"<p>For a more in-depth understanding of GraphQL and its usage, consider exploring the following external resources:</p> <ul> <li>GraphQL Official Documentation</li> <li>GraphQL query documentation</li> <li>How to GraphQL</li> </ul>"},{"location":"reference/data-intelligence/","title":"Data intelligence","text":"<p>As a cyber threat intelligence platform, OpenCTI offers functionalities that enable users to move quickly from raw data to operational intelligence by building up high-quality, structured information.</p> <p>To do so, the platform provides a number of essential capabilities, such as automated data deduplication, merging of similar entities while preserving relationship integrity, the ability to modulate the confidence levels on your intelligence, and the presence of inference rules to automate the creation of logical relationships among your data.</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-deduplication","title":"Data intelligence feature: Deduplication","text":"<p>The first essential data intelligence mechanism in OpenCTI is the deduplication of information and relations.</p> <p>This advanced functionality not only enables you to check whether a piece of data, information or a relationship is not a duplicate of an existing element, but will also, under certain conditions, enrich the element already present.</p> <p>If the new duplicated entity has new content, the pre-existing entity can be enriched with the new information from the duplicate.</p> <p>It works as follows (see details in deduplication):</p> <ul> <li>For entities: based on the entity's properties based on a specific ID generated by the \"ID Contributing Properties\" platform (properties listed on the dedicated page).</li> <li>For relationships: based on type, source, target, start time, and stop time.</li> <li>For observables: a specific ID is also generated by the platform, this time based on the specifications of the STIX model.</li> </ul> <p>The ability to update and enrich is determined by the confidence level and quality level of the entities and relationships (see diagram on page deduplication).</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-merging","title":"Data intelligence feature: Merging","text":"<p>OpenCTI's merging function is one of the platform's crucial data intelligence elements.</p> <p>From the Data &gt; Entities tab, this feature lets you merge up to 4 entities of the same type. A parent entity is selected and assigned up to three child entities.</p> <p>The benefit of this feature is to centralize a number of similar elements from different sources without losing data or degrading the quality of the information. During merging, the platform will create relationships to anchor all the data to the consolidated entity.</p> <p>This enrichment function consolidates the data and avoids duplication, but above all initiates a structured intelligence process while preserving the integrity of pre-existing relationships as presented here.</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-confidence-level-and-data-segregation","title":"Data intelligence feature: Confidence level and data segregation","text":"<p>Another key element of OpenCTI's data intelligence is its ability to apply confidence levels and to segregate the data present in the platform.</p> <p>The confidence level is directly linked to Users and Role Based Access Control. It is applied to a user directly or indirectly via the confidence level of the group to which the user belongs. This element is fundamental as it defines the levels of data manipulation to which the user (real or connector) is entitled.</p> <p>The correct application of confidence levels is all the more important as it will determine the confidence level of the data manipulated by a user. It is therefore a decisive mechanism, since it underpins the confidence you have in the content of your instance.</p> <p>While it is important to apply a level of trust to your users or groups, it is also important to define a way of categorizing and protecting your data.</p> <p>Data segregation makes it possible to apply marking definitions and therefore establish a standardized framework for classifying data.</p> <p>These marking definitions, like the classic Trafic Light Protocols (TLP) implemented by default in the platform, will determine whether or not a user can access a specific data set. The marking will be applied at the group level to which the user belongs, which will determine the data to which the user has access and therefore the data that the user can potentially handle.</p>"},{"location":"reference/data-intelligence/#data-intelligence-feature-inference-rules","title":"Data intelligence feature: Inference rules","text":"<p>In OpenCTI, data intelligence is not just about the ability to segregate, qualify or enrich data. OpenCTI's inference rules enable you to mobilize the data on your platform effectively and operationally.</p> <p>These predefined rules enable the user to speed up cyber threat management. For example, inferences can be used to automatically identify incidents based on a sighting, to create sightings on observables based on new observed data, to propagate relationships based on an observable, etc.</p> <p>In all, the platform includes some twenty high-performance inference rules that considerably speed up the analysis and response to threats (see the full list here).</p> <p>These rules are based on a logical interpretation of the data, resulting in a pre-analysis of the information by creating relationships that will enrich the intelligence in the platform. There are three main benefits: efficiency, completeness and accuracy. These user benefits can be found here.</p> <p>Note: If these rules are present in the platform, they are not activated by default.</p> <p>Once activated, they scan all the data in your platform in the background to identify all the existing relationships that meet the conditions of the rules. Then, the rules operate continuously to create relationships. If you deactivate a rule, all the objects and relationships it has created will be deleted.</p> <p>These actions can only be carried out by an administrator of the instance.</p>"},{"location":"reference/data-model/","title":"Data model","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participate, don't hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p>"},{"location":"reference/filters-migration/","title":"Filters format migration for OpenCTI 5.12","text":"<p>The version 5.12 of OpenCTI introduces breaking changes to the filters format used in the API. This documentation describes how you can migrate your scripts or programs that call the OpenCTI API, when updating from a version of OpenCTI inferior to 5.12.</p>"},{"location":"reference/filters-migration/#context-why-this-migration","title":"Context: why this migration?","text":"<p>Before OpenCTI 5.12, it was not possible to construct complex filters combinations: we couldn't embed filters within filters, using different boolean modes (and/or), filter on all available attributes or relations for a given entity type, or even test for empty fields of any sort.</p> <p>Legacy of years of development, the former format and filtering mechanics were not adapted for such task, and a profound refactoring was necessary to make it happen.</p> <p>Here are the main pain points we identified beforehand:</p> <ul> <li>the filters frontend and backend formats were very different, requiring careful conversions</li> <li>the filter keys were enums, i.e. the keys would belong to static lists of keys, depending on each given entity type and maintained by hands</li> <li>the operator (<code>eq</code>, <code>not_eq</code>, etc.) was inside the key (e.g. <code>entity_type_not_eq</code>), limiting operator combination and requiring error-prone parsing</li> <li>the frontend format imposed a unique form of combination (<code>and</code> between filters, <code>or</code> between values inside each filter, and nothing else possible)</li> <li>the flat list structure made impossible filter imbrication by nature</li> <li>Filters and query options were mixed in GQL queries for the same purpose (for instance, option <code>types</code> analog to a filter on key <code>entity_type</code>)</li> </ul> <pre><code>// filter formats in OpenCTI &lt;= 5.11\n\ntype Filter = {\n    key: string, // an enum that should be in the list of the available filter keys for given the entity type\n    values: string[],\n    operator: string,\n    filterMode: 'and' | 'or',\n}\n\n// \"give me Reports labelled with labelX or labelY\"\nconst filters = [\n  { \n    \"key\": \"entity_type\",\n    \"values\": [\"Report\"],\n    \"operator\": \"eq\",\n    \"filterMode\": \"or\"\n  },\n  { \n    \"key\": \"labelledBy\",\n    \"values\": [\"&lt;id-for-labelX&gt;\", \"id-for-labelY&gt;\"],\n    \"operator\": \"eq\",\n    \"filterMode\": \"or\"\n  },\n]\n</code></pre> <p>The new format brings a lot of short-term benefits and is compatible with our long-term vision of the filtering capabilities in OpenCTI. We chose a simple recursive structure that allow complex combination of any sort with respect to basic boolean logic.</p> <p>The list of operator is fixed and can be extended during future developments.</p> <pre><code>// filter formats in OpenCTI &gt;= 5.12\n\ntype FilterGroup = {\n  mode: 'and' | 'or'\n  filters: Filter[]\n  filterGroups: FilterGroup[] // recursive definition\n}\n\ntype Filter  = {\n  key: string[]\n  values: string[]\n  operator: 'eq' | 'not_eq' | 'gt' // ... and more\n  mode: 'and' | 'or',\n}\n\n// \"give me Reports and RFIs, not marked TLP;RED with no label or labelX\"\nconst filters = {\n  mode: 'and',\n  filters: [\n    { key: 'entity_type', values: ['Report', 'Case-Rfi'], operator: 'eq', mode: 'or', },\n    { key: 'objectMarking', values: ['&lt;id-for-TLP;RED&gt;'], operator: 'not_eq', mode: 'or', },\n  ],\n  filterGroups: [{\n    mode: 'or',\n    filters: [\n      { key: 'objectLabel', values: [\"&lt;id-for-labelX&gt;\"], operator: 'eq', mode: 'or', },\n      { key: 'objectLabel', values: [], operator: 'nil', mode: 'or', },\n    ],\n    filterGroups: [],\n  }],\n};\n</code></pre> <p>Because changing filters format impacts almost everything in the platform, we decided to do a complete refactoring once and for all. We want this migration process to be clear and easy.</p>"},{"location":"reference/filters-migration/#what-has-been-changed","title":"What has been changed","text":"<p>The new filter implementation bring major changes in the way filters are processed and executed.</p> <ul> <li>We change the filters formats (see <code>FilterGroup</code> type above):</li> <li>In the frontend, an operator and a mode are stored for each key</li> <li>The new format enables filters imbrication thanks to the new attribute 'filterGroups'</li> <li>The keys are of type string (no more static list of enums)</li> <li> <p>The 'values' attribute can no longer contain null values (use the <code>nil</code> operator instead)</p> </li> <li> <p>We also renamed some filter keys, to be consistent with the entities schema definitions.</p> </li> <li> <p>We implemented the handling of the different operators and modes in the backend.</p> </li> <li> <p>We introduced new void operators (<code>nil</code> / <code>not_nil</code>) to test the presence or absence of value in any field</p> </li> </ul>"},{"location":"reference/filters-migration/#how-to-migrate-your-own-filters","title":"How to migrate your own filters","text":"<p>We wrote a migration script to convert all filters created and stored in database prior to version 5.12 (filters contained in streams, taxii collections, feeds, triggers, playbooks, dashboards). These filters will thus be migrated automatically when starting your updated platform.</p> <p>However, you might have your own connectors, queries, or python scripts that use the graphql API or the python client. If this is the case, you must change the filter format if you want to run the code against OpenCTI 5.12.</p> <p>To convert filters prior to version 5.12 in the new format:</p> <ul> <li>update the <code>key</code> field if it has been changed in 5.12 (see the full list below)</li> <li>rename the field <code>filterMode</code> in <code>mode</code></li> <li><code>operator</code> unchanged</li> <li>if <code>values</code> does not contain <code>null</code>, you can keep the array as-is</li> </ul> <p>Now you can build your new <code>FilterGroup</code> object with:</p> <ul> <li><code>mode: 'and'</code></li> <li><code>filters</code> = array of converted filters (following previous steps),</li> <li><code>filterGroups: []</code></li> </ul> <pre><code>const oldFilter = {\n    key: 'old_key',\n    values: ['value1', 'value2'],\n    operator: 'XX',\n    filterMode: 'XX',\n}\n\nconst convertedFilter = {\n    key: 'converted_key_if_necessary',\n    values: ['value1', 'value2'],\n    operator: 'XX',\n    mode: 'XX',\n}\n\nconst newFilters = {\n    mode: 'and',\n    filters: [convertedFilter1, convertedFilter2...], // array with all converted filter\n    filterGroups: [],\n}\n</code></pre> <p>if <code>values</code> contains a <code>null</code> value (for instance <code>['XXX', null]</code>), you need to convert the filter using the new <code>nil</code> / <code>not_nil</code> operators. This will happen if you have old filters on labels with the \"no label\" value, which is actually a <code>null</code> in <code>values</code>.</p> <ul> <li>Extract one filter dedicated to <code>null</code></li> <li><code>operator: 'nil'</code> if operator was <code>'eq'</code>, <code>operator = 'not_nil'</code> if operator was <code>not_eq</code></li> <li><code>values = []</code></li> <li>extract another filter for all the other values</li> </ul> <pre><code>// \"Must have a label that is not Label1 or Label2\"\nconst oldFilter = {\n    key: 'labelledBy',\n    values: [null, 'id-for-Label1', 'id-for-Label2'],\n    operator: 'not_eq',\n    filterMode: 'and',\n}\n\nconst newFilters = {\n    mode: 'and',\n    filters: [\n      {\n        key: 'objectLabel',\n        values: ['id-label-1', 'id-for-Label2'],\n        operator: 'not_eq',\n        mode: 'and',\n      },\n      {\n        key: 'objectLabel',\n        values: [],\n        operator: 'not_nil',\n        mode: 'and',\n      },\n    ],\n    filterGroups: [],\n}\n</code></pre> <p>To preserve the logic of your old filter you might need to compose nested filter groups. This could happen for instance when using <code>eq</code> operator with <code>null</code> values for one filter, combined in <code>and</code> mode with other filters</p> <p>for example:</p> <p>\"All Reports that have either the label \"label1\" or \"label2\", or no label at all\"</p> <p><code>(entity_type = Report) AND (label = \"No label\" OR label1 OR label2)</code></p> <p>Cannot be expressed a simple list of filters, it requires a <code>filterGroup</code>. This case is detailed in the examples below.</p>"},{"location":"reference/filters-migration/#filter-keys-that-have-been-renamed","title":"Filter keys that have been renamed","text":"<p>Make sure you address all the filter keys that require conversion, following the map below:</p> <pre><code>// array of [oldKey, newKey] for the renamed keys\nconst keyConversion = [\n    ['labelledBy', 'objectLabel'],\n    ['markedBy', 'objectMarking'],\n    ['objectContains', 'objects'],\n    ['killChainPhase', 'killChainPhases'],\n    ['assigneeTo', 'objectAssignee'],\n    ['participant', 'objectParticipant'],\n    ['creator', 'creator_id'],\n    ['hasExternalReference', 'externalReferences'],\n    ['hashes_MD5', 'hashes.MD5'],\n    ['hashes_SHA1', 'hashes.SHA-1'],\n    ['hashes_SHA256', 'hashes.SHA-256'],\n    ['hashes_SHA512', 'hashes.SHA-512']\n]\n</code></pre>"},{"location":"reference/filters-migration/#examples","title":"Examples","text":"<p>Let's start with a simple case:</p> <p>All Reports with label \"label1\" or \"label2\"</p> <p><code>(entity_type = Report) AND (label = label1 OR label2)</code></p> <pre><code>const oldBackendFilter = [\n  {\n    key: 'entity_type',\n    values: ['Report'],\n    operator: 'eq',\n    filterMode: 'or',\n  },\n  {\n   key: 'labelledBy',\n    values: [label1_id, label2_id],\n    operator: 'eq',\n    filterMode: 'or',\n  },\n];\n\nconst newFilters = {\n  mode: 'and',\n  filters: [\n    {\n      key: 'entity_type',\n      values: ['Report'],\n      operator: 'eq',\n      mode: 'or',\n    },\n    {\n      key: 'objectLabel',\n      values: [label1_id, label2_id],\n      operator: 'eq',\n      mode: 'or',\n    }\n  ],\n  filterGroups: [],\n};\n</code></pre> <p>And now for a more complex case involving filter group nesting:</p> <p>\"All Reports that have either the label \"label1\" or \"label2\", or no label at all\"</p> <p><code>(entity_type = Report) AND (label = \"No label\" OR label1 OR label2)</code></p> <pre><code>const oldBackendFilter = [\n    {\n      key: 'labelledBy',\n      values: [label1_id, label2_id, null],\n      operator: 'eq',\n      filterMode: 'or',\n    },\n    {\n      key: 'entity_type',\n      values: ['Report'],\n      operator: 'eq',\n      filterMode: 'or',\n    },\n];\n\nconst newFilters = {\n    mode: 'and',\n    filters: [\n      {\n        key: 'entity_type',\n        values: ['Report'],\n        operator: 'eq',\n        mode: 'or',\n      },\n    ],\n    // the combination mode/operator in this case requires nested filter groups\n    filterGroups: [\n      {\n        mode: 'or',\n        filters: [\n          {\n            key: 'objectLabel',\n            values: [label1_id, label2_id],\n            operator: 'eq',\n            mode: 'or',\n          },\n          {\n            key: 'objectLabel',\n            operator: 'nil',\n            values: [], // empty, does not matter\n            mode: 'or', // and/or, does not matter \n          },\n        ],\n        filterGroups: [],\n      }\n    ],\n};\n</code></pre>"},{"location":"reference/filters-migration/#local-filters-in-url-and-local-storage","title":"Local Filters in URL and Local storage","text":"<p>Please note that the filters saved in local storage are not migrated automatically and are lost when moving to 5.12. This concerns the filters saved for each view, that are restored when coming back to the same view. You will need to reconstruct the filters by hand in the UI ; these new filters will be properly saved and restored afterward.</p> <p>Also, when going to an url with filters in the old format, OpenCTI will display a warning and remove the filter parameters. Only URLs built by OpenCTI 5.12 are compatible with it, so you will need to reconstruct the filters by hand and save / share your updated links.</p> <p></p>"},{"location":"reference/filters/","title":"Filter knowledge","text":"<p>In OpenCTI, you can filter data to target or view entities that have particular attributes.</p>"},{"location":"reference/filters/#filters-usages","title":"Filters usages","text":"<p>Filters are used in many locations in the platform.</p> <ul> <li>in entities lists: to display only the entities matching the filters. If an export or a background task is generated, only the filtered data will be taken into account.</li> <li>in investigations and knowledge graphs: to display only the entities matching the filters.</li> <li>in dashboards: to create Widget graphs and lists with only the entities matching the filters.</li> <li>in feeds, taxii collections, triggers, streams, playbooks, background tasks: to process only the data  or events matching the filters.</li> </ul> <p>There are two types of filters:</p> <ul> <li>dynamic filters: they are not stored in the database, they enable to filter view in the UI. Examples: filters in entities list, investigations, knowledge graphs;</li> <li>stored filters: They are attributes of an entity, they are stored as an attribute in the object. Examples: filters in dashboards, feeds, taxii collections, triggers, streams, playbooks.</li> </ul> <p></p>"},{"location":"reference/filters/#create-a-filter","title":"Create a filter","text":"<p>To create a filter, add every key you need using the 'Add filter' select box. It will give you the possible attributes on which you can filter in the current view.</p> <p>A grey box appears and allows to select:</p> <ul> <li>the operator to use</li> <li>the values to compare (if operator is not 'empty' or 'not_empty')</li> </ul> <p>You can add as many filters as you like, even use the same key twice with different operators and values.</p> <p>The boolean modes (and /or) are either global (between every attribute filters) or local (between values inside a filter). Both can be switched with a single click, changing the logic of your filtering.</p>"},{"location":"reference/filters/#dynamic-filters-persistence","title":"Dynamic filters persistence","text":"<p>Dynamic filters are not saved in database, but they are still persistent in the platform frontend side. The filters used in a view are saved as URL parameters, so you can save and share links of these filtered views.</p> <p>Also, your web browser saves in local storage the filters that you are setting in various places of the platform, allowing to retrieve them when you come back to the same view. You can then keep working from where you left of.</p>"},{"location":"reference/filters/#filters-format-since-512","title":"Filters format (since 5.12)","text":"<p>Since OpenCTI 5.12, the OpenCTI platform uses a new filter format called <code>FilterGroup</code>, that must be used in API calls. The <code>FilterGroup</code> model enables to do complex filters imbrication with different boolean operators, which extends greatly the filtering capabilities in every parts of the platform.</p> <p>The new format used internally by OpenCTI and exposed through its API, can be described as below:</p> <pre><code>// filter formats in OpenCTI &gt;= 5.12\n\ntype FilterGroup = {\n  mode: 'and' | 'or'\n  filters: Filter[]\n  filterGroups: FilterGroup[] // recursive definition\n}\n\ntype Filter  = {\n  key: string[] // or single string (input coercion)\n  values: string[]\n  operator: 'eq' | 'not_eq' | 'gt' // ... and more\n  mode: 'and' | 'or',\n}\n\n// \"give me Reports and RFIs, not marked TLP;RED, with no label or labelX\"\nconst filters = {\n  mode: 'and',\n  filters: [\n    { key: 'entity_type', values: ['Report', 'Case-Rfi'], operator: 'eq', mode: 'or', },\n    { key: 'objectMarking', values: ['&lt;id-for-TLP;RED&gt;'], operator: 'not_eq', mode: 'or', },\n  ],\n  filterGroups: [{\n    mode: 'or',\n    filters: [\n      { key: 'objectLabel', values: [\"&lt;id-for-labelX&gt;\"], operator: 'eq', mode: 'or', },\n      { key: 'objectLabel', values: [], operator: 'nil', mode: 'or', },\n    ],\n    filterGroups: [],\n  }],\n};\n</code></pre> <p>We can express complex, nested filters like:</p> <pre><code>(Entity Type = Malware) AND (Marking = TLP;CLEAR or TLP;GREEN)\nOR\n(Entity Type = Intrusion Set) AND (Label = labelX)  \n</code></pre> <p>In a given filter group, the <code>mode</code> (<code>and</code> or <code>or</code>) represents the boolean operation between the different <code>filters</code> and <code>filterGroups</code> arrays. The <code>filters</code> and <code>filterGroups</code> arrays are composed of objects of type Filter and FilterGroup.</p> <p>The <code>Filter</code> has 4 properties:</p> <ul> <li>a <code>key</code>, representing the kind of data we want to target (example: <code>objectLabel</code> to filter on labels or <code>createdBy</code> to filter on the author)</li> <li>an array of <code>values</code>, representing the values we want to compare to</li> <li>an <code>operator</code> representing the operation we want to apply between the <code>key</code> and the <code>values</code></li> <li>a <code>mode</code> (again, <code>and</code> or <code>or</code>) to apply between the values if there are several ones</li> </ul>"},{"location":"reference/filters/#operators","title":"Operators","text":"<p>The available operators are:</p> <ul> <li><code>eq</code>  for 'equal', and <code>not_eq</code> for 'different',</li> <li><code>gt</code> / <code>gte</code> for 'greater than' / 'greater than or equal',</li> <li><code>lt</code> / <code>lte</code> for 'lower than' / 'lower than or equal',</li> <li><code>nil</code> for 'empty', and <code>not_nil</code> for non-empty (any value),</li> <li><code>starts_with</code> / <code>not_starts_with</code> / <code>ends_with</code> / <code>not_ends_with</code> / <code>contains</code> / <code>not contains</code> are available for searching in short string fields (name, value, title...),</li> <li><code>search</code>  is available in short string and text fields.</li> </ul>"},{"location":"reference/filters/#note","title":"Note","text":"<p><code>nil</code> and <code>not_nil</code> are the only operators that do not require anything inside <code>values</code>.</p> <p>There is a small difference between <code>search</code> and <code>contains</code>. <code>search</code> finds any occurrence of specified words, regardless of order, while \"contains\" specifically looks for the exact sequence of words you provide.</p> <p>When using a numerical comparison operators (<code>gt</code> and the like) against textual values, the alphabetical ordering is used.</p> <p>Some operator may not be allowed for some key, for additional information please navigate to the \"Special keys\" section.</p> <p>Also note that GraphQL input coercion makes possible using a simple <code>string</code> key instead of an array. Multi-key filters are not supported across the platform and are reserved to specific, internal cases. Bottom line: Always use single-key filters.</p>"},{"location":"reference/filters/#examples-of-filter-using-opencti-version-512","title":"Examples of filter using OpenCTI version 5.12+","text":"<ul> <li>entity_type = 'Report'</li> </ul> <pre><code>filters = {\n    mode: 'and',\n    filters: [{\n        key: 'entity_type',\n        values: ['Report'],\n        operator: 'eq',\n        mode: 'or', // useless here because values contains only 1 value\n    }],\n    filterGroups: [],\n};\n</code></pre> <ul> <li>(entity_type = 'Report') AND (label = 'label1' OR 'label2')</li> </ul> <pre><code>filters = {\n    mode: 'and',\n    filters: [\n        {\n            key: 'entity_type',\n            values: ['Report'],\n            operator: 'eq',\n            mode: 'or',\n        },\n        {\n            key: 'objectLabel',\n            values: ['label1', 'label2'],\n            operator: 'eq',\n            mode: 'or',\n        }\n    ],\n    filterGroups: [],\n};\n</code></pre> <ul> <li>(entity_type = 'Report') AND (confidence &gt; 50 OR marking is empty)</li> </ul> <pre><code>filters = {\n    mode: 'and',\n    filters: [\n        {\n            key: 'entity_type',\n            values: ['Report'],\n            operator: 'eq',\n            mode: 'or',\n        }\n    ],\n    filterGroups: [\n        {\n            mode: 'or',\n            filters: [\n                {\n                    key: 'confidence',\n                    values: ['50'],\n                    operator: 'gt',\n                    mode: 'or',\n                },\n                {\n                    key: 'objectMarking',\n                    values: [],\n                    operator: 'nil',\n                    mode: 'or',\n                },\n            ],\n            filterGroups: [],\n        }\n    ],\n};\n</code></pre>"},{"location":"reference/filters/#filter-keys","title":"Filter keys","text":""},{"location":"reference/filters/#filter-keys-validation","title":"Filter keys validation","text":"<p>Only a specific set of key can be used in the filters.</p> <p>Automatic key checking prevents typing error when constructing filters via the API: if a user write an unhandled key (<code>object-label</code> instead of <code>objectLabel</code> for instance), the API will return an error instead of an empty list. Doing so, we make sure the platform do not provide misleading results.</p>"},{"location":"reference/filters/#regular-filter-keys","title":"Regular filter keys","text":"<p>For an extensive list of available filter keys, refer to the attributes and relations schema definitions.</p> <p>Here are some of the most useful keys as example. X refers here to the filtered entities.</p> <ul> <li><code>objectLabel</code>: label of X,</li> <li><code>objectMarking</code>: marking of X,</li> <li><code>createdBy</code>: author of X,</li> <li><code>creator_id</code>: technical creator of X,</li> <li><code>created_at</code>: date of creation of X in the platform,</li> <li><code>confidence</code>: confidence of X,</li> <li><code>entity_type</code>: X entity type ('Report', 'Stix-Cyber-Observable', ...),</li> </ul>"},{"location":"reference/filters/#special-filter-keys","title":"Special filter keys","text":"<p>Some keys do not exist in the schema definition, but are allowed in addition. They describe a special behavior.</p> <p>It is the case for:</p> <ul> <li><code>sightedBy</code>: entities to which X is linked via a stix sighting relationship,</li> <li><code>workflow_id</code>: status id of the entities, or status template id of the status of the entities,</li> <li><code>connectedToId</code>: the listened instances for an instance trigger.</li> </ul> <p>For some keys, negative equality filtering is not supported yet (<code>not_eq</code> operator). For instance, it is the case for:</p> <ul> <li><code>fromId</code></li> <li><code>fromTypes</code></li> <li><code>toId</code></li> <li><code>toTypes</code></li> </ul> <p>The <code>regardingOf</code> filter key has a special format and enables to target the entities having a relationship of a certain type with certain entities. Here is an example of filter to fetch the entities related to the entity X: <pre><code>filters = {\n  mode: 'and',\n  filters: [\n    {\n      key: 'regardingOf',\n      values: [\n        { key: 'id', values: ['id-of-X'] },\n        { key: 'relationship_type', values: ['related-to'] },\n      ],\n    },\n  ],\n  filterGroups: [],\n};\n</code></pre></p>"},{"location":"reference/filters/#limited-support-in-stream-events-filtering","title":"Limited support in stream events filtering","text":"<p>Filters that are run against the event stream are not using the complete schema definition in terms of filtering keys.</p> <p>This concerns:</p> <ul> <li>Live streams</li> <li>CSV feeds</li> <li>Taxii Collection</li> <li>Triggers</li> <li>Playbooks</li> </ul> <p>For filters used in this context, only some keys are supported for the moment:</p> <ul> <li><code>confidence</code></li> <li><code>objectAssignee</code></li> <li><code>createdBy</code></li> <li><code>creator</code></li> <li><code>x_opencti_detection</code></li> <li><code>indicator_types</code></li> <li><code>objectLabel</code></li> <li><code>x_opencti_main_observable_type</code></li> <li><code>objectMarking</code></li> <li><code>objects</code></li> <li><code>pattern_type</code></li> <li><code>priority</code></li> <li><code>revoked</code></li> <li><code>severity</code></li> <li><code>x_opencti_score</code></li> <li><code>entity_type</code></li> <li><code>x_opencti_workflow_id</code></li> <li><code>connectedToId</code> (for the instance triggers)</li> <li><code>fromId</code> (the instance in the 'from' of a relationship)</li> <li><code>fromTypes</code> (the entity type in the 'from' of a relationship)</li> <li><code>toId</code></li> <li><code>toTypes</code></li> </ul>"},{"location":"reference/fips/","title":"SSL FIPS 140-2 deployment","text":""},{"location":"reference/fips/#introduction","title":"Introduction","text":"<p>For organizations that need to deploy OpenCTI in a SSL FIPS 140-2 compliant environment, we provide FIPS compliant OpenCTI images for all components of the platform. Please note that you will also need to deploy dependencies (ElasticSearch / OpenSearch, Redis, etc.) with FIPS 140-2 SSL to have the full compliant OpenCTI technological stack.</p> <p>OpenCTI SSL FIPS 140-2 compliant builds</p> <p>The OpenCTI platform, workers and connectors SSL FIPS 140-2 compliant images are based on packaged Alpine Linux with OpenSSL 3 and FIPS mode enabled maintened by the Filigran engineering team.</p>"},{"location":"reference/fips/#dependencies","title":"Dependencies","text":""},{"location":"reference/fips/#aws-native-services-in-fedramp-compliant-environment","title":"AWS Native Services in FedRAMP compliant environment","text":"<p>It is important to remind that OpenCTI is fully compatible with AWS native services and all dependencies are available in both FedRAMP Moderate (East / West) and FedRAMP High (GovCloud) scopes.</p> <ul> <li>Amazon OpenSearch Service (OpenSearch)</li> <li>Amazon ElastiCache (Redis)</li> <li>Amazon MQ (RabbitMQ)</li> <li>Amazon Simple Storage Service (S3 bucket)</li> </ul>"},{"location":"reference/fips/#elasticsearch-opensearch","title":"ElasticSearch / OpenSearch","text":"<p>ElasticSearch is known to be compatible with FIPS 140-2 SSL using the proper JVM. There is a comprehensive guide in the Elastic documentation.</p> <p>Alternatively, please note that Elastic is also providing an ElasticSearch FedRAMP authorized cloud offering.  </p>"},{"location":"reference/fips/#redis","title":"Redis","text":"<p>Redis does not provide FIPS 140-2 SSL compliant Docker images but supports very well custom tls-ciphersuites that can be configured to use the system FIPS 140-2 OpenSSL library. </p> <p>Alternatively, you can use a Stunnel TLS endpoint to ensure encrypted communication between OpenCTI and Redis. There are a few examples available, here or here.</p>"},{"location":"reference/fips/#rabbitmq","title":"RabbitMQ","text":"<p>RabbitMQ does not provide FIPS 140-2 SSL compliant Docker images but, as Redis, supports custom cipher suites. Also, it is confirmed since RabbitMQ version 3.12.5, the associated Erlang build (&gt; 26.1), supports FIPS mode on OpenSSL 3.</p> <p>Alternatively, you can use a Stunnel TLS endpoint to ensure encrypted communication between OpenCTI and RabbitMQ.</p>"},{"location":"reference/fips/#s3-bucket-minio","title":"S3 Bucket / MinIO","text":"<p>If you cannot use an S3 endpoint already deployed in your FIPS 140-2 SSL compliant environment, MinIO provides FIPS 140-2 SSL compliant Docker images which then are very easy to deploy within your environment.</p>"},{"location":"reference/fips/#opencti-stack","title":"OpenCTI stack","text":""},{"location":"reference/fips/#platform","title":"Platform","text":"<p>For the platform, we provide FIPS 140-2 SSL compliant Docker images. Just use the appropriate tag to ensure you are deploying the FIPS compliant version and follow the standard Docker deployment procedure. </p>"},{"location":"reference/fips/#worker","title":"Worker","text":"<p>For the worker, we provide FIPS 140-2 SSL compliant Docker images. Just use the appropriate tag to ensure you are deploying the FIPS compliant version and follow the standard Docker deployment procedure.</p>"},{"location":"reference/fips/#connectors","title":"Connectors","text":"<p>All connectors have FIPS 140-2 SSL compliant Docker images. For each connector you need to deploy, please use the tag <code>{version}-fips</code> instead of <code>{version}</code> and  follow the standard deployment procedure. An example is available on Docker Hub. </p>"},{"location":"reference/streaming/","title":"Data Streaming","text":""},{"location":"reference/streaming/#presentation","title":"Presentation","text":"<p>In order to provide a real time way to consume STIX CTI information, OpenCTI provides data events in a stream that can be consume to react on creation, update, deletion and merge. This way of getting information out of OpenCTI is highly efficient and already use by some connectors.</p>"},{"location":"reference/streaming/#technology","title":"Technology","text":""},{"location":"reference/streaming/#redis-stream","title":"Redis stream","text":"<p>OpenCTI is currently using REDIS Stream (See https://redis.io/topics/streams-intro) as the technical layer. Each time something is modified in the OpenCTI database, a specific event is added in the stream.</p>"},{"location":"reference/streaming/#sse-protocol","title":"SSE protocol","text":"<p>In order to provides a really easy consuming protocol we decide to provide a SSE (https://fr.wikipedia.org/wiki/Server-sent_events) http URL linked to the standard login system of OpenCTI. Any user with the correct access rights can open and access http://opencti_instance/stream and open an SSE connection to start receiving live events. You can of course consume directly the stream in Redis but you will have to manage access and rights directly.</p>"},{"location":"reference/streaming/#events-format","title":"Events format","text":"<pre><code>id: {Event stream id} -&gt; Like 1620249512318-0\nevent: {Event type} -&gt; create / update / delete\ndata: { -&gt; The complete event data\n    version -&gt; The version number of the event\n    type -&gt; The inner type of the event\n    scope -&gt; The scope of the event [internal or external]\n    data: {STIX data} -&gt; The STIX representation of the data.\n    message -&gt; A simple string to easy understand the event\n    origin: {Data Origin} -&gt; Complex object with different information about the origin of the event\n    context: {Event context} -&gt; Complex object with meta information depending of the event type\n}\n</code></pre> <p>Id can be used to consume the stream from this specific point.</p>"},{"location":"reference/streaming/#stix-data","title":"STIX data","text":"<p>The current stix data representation is based on the STIX 2.1 format using extension mechanism. Please take a look to https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html for more information.</p>"},{"location":"reference/streaming/#create","title":"Create","text":"<p>Its simply the data created in STIX format.</p>"},{"location":"reference/streaming/#delete","title":"Delete","text":"<p>Its simply the data in STIX format just before his deletion. You will also find the automated deletions in context due to automatic dependency management.</p> <pre><code>{\n  \"context\": {\n      \"deletions\": [{STIX data}]\n  }\n}\n</code></pre>"},{"location":"reference/streaming/#update","title":"Update","text":"<p>This event type publish the complete STIX data information along with patches information. Thanks to the patches, its possible to rebuild the previous version and easily understand that happens in the update. patch and reverse_patch follow the official jsonpatch specification. You can find more information at https://jsonpatch.com/</p> <pre><code>{\n  \"context\": {\n      \"patch\": [/* patch operation object */],\n      \"reverse_patch\": [/* patch operation object */]\n  }\n}\n</code></pre>"},{"location":"reference/streaming/#merge","title":"Merge","text":"<p>Merge is a mix of an update of the merge targets and deletions of the sources. In this event you will find the same patch and reverse_patch as an update and the list of elements merged into the target in the \"sources\" attribute.</p> <pre><code>{\n  \"context\": {\n      \"patch\": [/* patch operation object */],\n      \"reverse_patch\": [/* patch operation object */],\n      \"sources\": [{STIX data}]\n  }\n}\n</code></pre>"},{"location":"reference/streaming/#stream-types","title":"Stream types","text":"<p>In OpenCTI we propose 2 types of streams.</p>"},{"location":"reference/streaming/#base-stream","title":"Base stream","text":"<p>The stream hosted in /stream url contains all the raw events of the platform, always filtered by the user rights (marking based). It's a technical stream a bit complex to used but very useful for internal processing or some specific connectors like backup/restore. This stream is live by default but if you want to catchup you can simply add the from parameter to your query. This parameter accept a timestamp in millisecond and also an event id. Like http://localhost/stream?from=1620249512599</p> <p>Stream size?</p> <p>The raw stream is really important in the platform and needs te be sized according to the period of retention you want to ensure. More retention you will have, more security about reprocessing the past information you will get. We usually recommand 1 month of retention, that usually match 2 000 000 of events. This limit can be configured with redis:trimming option, please check deployment configuration page.</p>"},{"location":"reference/streaming/#live-stream","title":"Live stream","text":"<p>This stream aims to simplify your usage of the stream through the connectors, providing a way to create stream with specific filters through the UI. After creating this stream, is simply accessible from /stream/{STREAM_ID}.</p> <p>It's very useful for various cases of data externalization, synchronization, like SPLUNK, TANIUM...</p> <p>This stream provides different interesting mechanics:</p> <ul> <li>Stream the initial list of instances matching your filters when connecting based on main database if you use the recover parameter</li> <li>Auto dependencies resolution to guarantee the consistency of the information distributed</li> <li>Automatic events translation depending on the element segregation</li> </ul> <p>If you want to dig in about the internal behavior you can check this complete diagram:</p>"},{"location":"reference/streaming/#general-options","title":"General options","text":"<ul> <li>no-dependencies (query parameter or header, default false). Can be used to prevent the auto dependencies resolution. To be used with caution.</li> <li>listen-delete (query parameter or header, default true). Can be used prevent receive deletion events. To be used with caution.</li> <li>with-inferences (query parameter or header, default false). Can be used to add inferences events (from rule engine) in the stream.</li> </ul>"},{"location":"reference/streaming/#from-and-recover","title":"From and Recover","text":"<p>From and recover are 2 different options that need to be explains.</p> <ul> <li> <p>from (query parameter) is always the parameter that describe the initial date/event_id you want to start from. Can also be setup with request header from or last-event-id </p> </li> <li> <p>recover (query parameter) is an option that let you consume the initial event from the database and not from the stream.  Can also be setup with request header recover or recover-date </p> </li> </ul> <p>This difference will be transparent for the consumer but very important to get old information as an initial snapshot. This also let you consume information that is no longer in the stream retention period.</p> <p>The next diagram will help you to understand the concept:</p>"},{"location":"reference/taxonomy/","title":"Taxonomy","text":"<p>In OpenCTI, taxonomies serve as structured classification systems that aid in organizing and categorizing intelligence data. This reference guide provides an exhaustive description of the platform's customizable fields within the taxonomies' framework. Users can modify, add, or delete values within the available vocabularies to tailor the classification system to their specific requirements.</p> <p>For broader documentation on the taxonomies section, please consult the appropriate page.</p>"},{"location":"reference/taxonomy/#vocabularies","title":"Vocabularies","text":"<p>Default values are based on those defined in the STIX standard but can be tailored to better suit the organization's needs.</p> Name Used in Default value Account type vocabulary (account-type-ov) User account facebook, ldap, nis, openid, radius, skype, tacacs, twitter, unix, windows-domain, windows-local Attack motivation vocabulary (attack-motivation-ov) Threat actor group accidental, coercion, dominance, ideology, notoriety, organizational-gain, personal-gain, personal-satisfaction, revenge, unpredictable Attack resource level vocabulary (attack-resource-level-ov) Threat actor group club, contest, government, individual, organization, team Case priority vocabulary (case_priority_ov) Incident response P1, P2, P3, P4 Case severity vocabulary (case_severity_ov) Incident response critical, high, medium, low Channel type vocabulary (channel_type_ov) Channel Facebook, Twitter Collection layers vocabulary (collection_layers_ov) Data source cloud-control-plane, container, host, network, OSINT Event type vocabulary (event_type_ov) Event conference, financial, holiday, international-summit, local-election, national-election, sport-competition Eye color vocabulary (eye_color_ov) Threat actor individual black, blue, brown, green, hazel, other Gender vocabulary (gender_ov) Threat actor individual female, male, nonbinary, other Grouping context vocabulary (grouping_context_ov) Grouping malware-analysis, suspicious-activity, unspecified Hair color vocabulary vocabulary (hair_color_ov) Threat actor individual bald, black, blond, blue, brown, gray, green, other, red Implementation language vocabulary (implementation_language_ov) Malware applescript, bash, c, c++, c#, go, java, javascript, lua, objective-c, perl, php, powershell, python, ruby, scala, swift, typescript, visual-basic, x86-32, x86-64 Incident response type vocabulary (incident_response_type_ov) Incident response data-leak, ransomware Incident severity vocabulary (incident_severity_ov) Incident critical, high, medium, low Incident type vocabulary (incident_type_ov) Incident alert, compromise, cybercrime, data-leak, information-system-disruption, phishing, reputation-damage, typosquatting Indicator type vocabulary (indicator_type_ov) Indicator anomalous-activity, anonymization, attribution, benign, compromised, malicious-activity, unknown Infrastructure type vocabulary (infrastructure_type_ov) Infrastructure amplification, anonymization, botnet, command-and-control, control-system, exfiltration, firewall, hosting-malware, hosting-target-lists, phishing, reconnaissance, routers-switches, staging, unknown, workstation Integrity level vocabulary (integrity_level_ov) Process high, medium, low, system Malware capabilities vocabulary (malware_capabilities_ov) Malware accesses-remote-machines, anti-debugging, anti-disassembly, anti-emulation, anti-memory-forensics, anti-sandbox, anti-vm, captures-input-peripherals, captures-output-peripherals, captures-system-state-data, cleans-traces-of-infection, commits-fraud, communicates-with-c2, compromises-data-availability, compromises-data-integrity, compromises-system-availability, controls-local-machine, degrades-security-software, degrades-system-updates, determines-c2-server, emails-spam, escalates-privileges, evades-av, exfiltrates-data, fingerprints-host, hides-artifacts, hides-executing-code, infects-files, infects-remote-machines, installs-other-components, persists-after-system-reboot, prevents-artifact-access, prevents-artifact-deletion, probes-network-environment, self-modifies, steals-authentication-credentials, violates-system-operational-integrity Malware result vocabulary (malware_result_ov) Malware analysis benign, malicious, suspicious, unknown Malware type vocabulary (malware_type_ov) Malware adware, backdoor, bootkit, bot, ddos, downloader, dropper, exploit-kit, keylogger, ransomware, remote-access-trojan, resource-exploitation, rogue-security-software, rootkit, screen-capture, spyware, trojan, unknown, virus, webshell, wiper, worm Marital status vocabulary (marital_status_ov) Threat actor individual annulled, divorced, domestic_partner, legally_separated, married, never_married, polygamous, separated, single, widowed Note types vocabulary (note_types_ov) Note analysis, assessment, external, feedback, internal Opinion vocabulary (opinion_ov) Opinion agree, disagree, neutral, strongly-agree, strongly-disagree Pattern type vocabulary (pattern_type_ov) Indicator eql, pcre, shodan, sigma, snort, spl, stix, suricata, tanium-signal, yara Permissions vocabulary (permissions_ov) Attack pattern Administrator, root, User Platforms vocabulary (platforms_ov) Data source android, Azure AD, Containers, Control Server, Data Historian, Engineering Workstation, Field Controller/RTU/PLC/IED, Google Workspace, Human-Machine Interface, IaaS, Input/Output Server, iOS, linux, macos, Office 365, PRE, SaaS, Safety Instrumented System/Protection Relay, windows Processor architecture vocabulary (processor_architecture_ov) Malware alpha, arm, ia-64, mips, powerpc, sparc, x86, x86-64 Reliability vocabulary (reliability_ov) Report, Organization A - Completely reliable, B - Usually reliable, C - Fairly reliable, D - Not usually reliable, E - Unreliable, F - Reliability cannot be judged Report types vocabulary (report_types_ov) Report internal-report, threat-report Request for information types vocabulary (request_for_information_types_ov) Request for information none Request for takedown types vocabulary (request_for_takedown_types_ov) Request for takedown brand-abuse, phishing Service status vocabulary (service_status_ov) Process SERVICE_CONTINUE_PENDING, SERVICE_PAUSE_PENDING, SERVICE_PAUSED, SERVICE_RUNNING, SERVICE_START_PENDING, SERVICE_STOP_PENDING, SERVICE_STOPPED Service type vocabulary (service_type_ov) Process SERVICE_FILE_SYSTEM_DRIVER, SERVICE_KERNEL_DRIVER, SERVICE_WIN32_OWN_PROCESS, SERVICE_WIN32_SHARE_PROCESS Start type vocabulary (start_type_ov) Process SERVICE_AUTO_START, SERVICE_BOOT_START, SERVICE_DEMAND_START, SERVICE_DISABLED, SERVICE_SYSTEM_ALERT Threat actor group role vocabulary (threat_actor_group_role_ov) Threat actor group agent, director, independent, infrastructure-architect, infrastructure-operator, malware-author, sponsor Threat actor group sophistication vocabulary (threat_actor_group_sophistication_ov) Threat actor group advanced, expert, innovator, intermediate, minimal, none, strategic Threat actor group type vocabulary (threat_actor_group_type_ov) Threat actor group activist, competitor, crime-syndicate, criminal, hacker, insider-accidental, insider-disgruntled, nation-state, sensationalist, spy, terrorist, unknown Threat actor individual role vocabulary (threat_actor_individual_role_ov) Threat actor individual agent, director, independent, infrastructure-architect, infrastructure-operator, malware-author, sponsor Threat actor individual sophistication vocabulary (threat_actor_individual_sophistication_ov) Threat actor individual advanced, expert, innovator, intermediate, minimal, none, strategic Threat actor individual type vocabulary (threat_actor_individual_type_ov) Threat actor individual activist, competitor, crime-syndicate, criminal, hacker, insider-accidental, insider-disgruntled, nation-state, sensationalist, spy, terrorist, unknown Tool types vocabulary (tool_types_ov) Tool credential-exploitation, denial-of-service, exploitation, information-gathering, network-capture, remote-access, unknown, vulnerability-scanning <p></p>"},{"location":"reference/taxonomy/#customization","title":"Customization","text":"<p>Users can customize the taxonomies by modifying the available values or adding new ones. These modifications enable users to adapt the classification system to their specific intelligence requirements. Additionally, within each vocabulary list, users have the flexibility to customize the order of the dropdown menu associated with the taxonomy. This feature allows users to prioritize certain values or arrange them in a manner that aligns with their specific classification needs. Additionally, users can track the usage count for each vocabulary, providing insights into the frequency of usage and helping to identify the most relevant and impactful classifications. These customization options empower users to tailor the taxonomy system to their unique intelligence requirements, enhancing the efficiency and effectiveness of intelligence analysis within the OpenCTI platform.</p> <p></p>"},{"location":"usage/ask-ai/","title":"Ask AI","text":"<p>Enterprise edition</p> <p>Ask AI is available under the \"Filigran Entreprise Edition\" license.</p> <p>Please read the dedicated page to have all information</p>"},{"location":"usage/ask-ai/#prerequisites-for-using-ask-ai","title":"Prerequisites for using Ask AI","text":"<p>There are several possibilities for Enterprise Edition customers to use OpenCTI AI endpoints:</p> <ul> <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li> <li>Use OpenAI or MistralAI cloud endpoints using your own tokens.</li> <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li> </ul> <p>Please read the configuration documentation</p> <p>Beta Feature</p> <p>Ask AI is a beta feature as we are currently fine-tuning our models. Consider checking important information.</p>"},{"location":"usage/ask-ai/#how-it-works","title":"How it works","text":"<p>Even if in the future, we would like to leverage AI to do RAG, for the moment we are mostly using AI to analyze and produce texts or images, based on data directly sent into the prompt.</p> <p>This means that if you are using Filigran AI endpoint or a local one, your data is never used to re-train or adapt the model and everything relies on a pre-trained and fixed model. When using the <code>Ask AI</code> button in the platform, a prompt is generated with the proper instruction to generate the expected result and use it in the context of the button (in forms, rich text editor etc.).</p>"},{"location":"usage/ask-ai/#filigran-custom-model","title":"Filigran custom model","text":"<p>We are hosting a scalable AI endpoint for all SaaS or On-Prem enterprise edition customers, this endpoint is based on MistralAI with a model that will be adapted over time to be more effective when processing threat intelligence related contents.</p> <p>The model, which is still in beta version, will be adapted in the upcoming months to reach maturity at the end of 2024. It can be shared with on-prem enterprise edition customers under NDA.</p>"},{"location":"usage/ask-ai/#functionalities-of-ask-ai","title":"Functionalities of Ask AI","text":"<p>Ask AI is represented by a dedicated icon wherever on of its functionalities is available to use.</p> <p></p>"},{"location":"usage/ask-ai/#assistance-for-writing-meaningful-content","title":"Assistance for writing meaningful content","text":"<p>Ask AI can assist you for writing better textual content, for example better title, name, description and detailed content of Objects.</p> <ul> <li>Fix spelling &amp; grammar: try to improve the text from a formulation and grammar perspective.  </li> <li>Make it shorter/longer: try to shorten or lengthen the text.</li> <li>Change tone: try to change the tone of the text. You can select if you want the text to be written for Strategic (Management, decision makers), Operational (for team leaders) or Tactital (for technical CTI analysts) audiences.</li> <li>Summarize: try to summarize the text in bullet points.</li> <li>Explain: try to explain the context of the subject's text based on what is available to the LLM.</li> </ul>"},{"location":"usage/ask-ai/#assistance-for-importing-data-from-documents","title":"Assistance for importing data from documents","text":"<p>Fom the Content tab of a Container (Reports, Groupings and Cases), Ask AI can also assist you for importing data contained in uploaded documents into OpenCTI for further exploitation.</p> <ul> <li>Generate report document: Generate a text report based on the knowledge graph (entities and relationships) of this container.</li> <li>Summarize associated files: Generate a summary of the selected files (or all files associated to this container).</li> <li>Try to convert the selected files (or all files associated to this container) in a STIX 2.1 bundle you will then be able to use at your convenience (for example importing it into the platform).</li> </ul> <p></p> <p></p> <p>A short video on the FiligranHQ YouTube channel presents tha capabilities of AskAI: https://www.youtube.com/watch?v=lsP3VVsk5ds.</p>"},{"location":"usage/ask-ai/#improving-generated-elements-of-ask-ai","title":"Improving generated elements of Ask AI","text":"<p>Be aware that the text quality is highly dependent on the capabilities of the associated LLM.</p> <p>That is why every generated text by Ask AI is provided in a dedicated panel, allowing you to verify and rectify any error the LLM could have made.</p>"},{"location":"usage/automation/","title":"Playbooks Automation","text":"<p>Enterprise edition</p> <p>Playbooks automation is available under the \"Filigran Entreprise Edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>OpenCTI playbooks are flexible automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform. </p> <p>Playbook automation is accessible in the user interface under Data &gt; Processing &gt; Automation.</p> <p>You need the \"Manage credentials\" capability to use the Playbooks automation, because you will be able to manipulate data simple users cannot access.</p> <p>You will then be able to:</p> <ul> <li>add labels depending on enrichment results to be used in threat intelligence-driven detection feeds;</li> <li>create reports and cases based on various criteria;</li> <li>trigger enrichments or webhooks in given conditions;</li> <li>modify attributes such as first_seen and last_seen based on other pieces of knowledge;</li> <li>etc.</li> </ul>"},{"location":"usage/automation/#playbook-philosophy","title":"Playbook philosophy","text":"<p>Consider Playbook as a STIX 2.1 bundle pipeline. </p> <p>Initiating with a component listening to a data stream, each subsequent component in the playbook processes a received STIX bundle. These components have the ability to modify the bundle and subsequently transmit the altered result to connected components.</p> <p>In this paradigm, components can send out the STIX 2.1 bundle to multiple components, enabling the development of multiple branches within your playbook.</p> <p>A well-designed playbook end with a component executing an action based on the processed information. For instance, this may involve writing the STIX 2.1 bundle in a data stream.</p> <p>Validate ingestion</p> <p>The STIX bundle processed by the playbook won't be written in the platform without specifying it using the appropriate component, i.e. \"Send for ingestion\".</p>"},{"location":"usage/automation/#create-a-playbook","title":"Create a Playbook","text":"<p>It is possible to create as many playbooks as needed which are running independently. You can give a name and description to each playbook.</p> <p></p> <p>The first step to define in the playbook is the \u201ctriggering event\u201d, which can be any knowledge event (create, update or delete) with customizable filters. To do so, click on the grey rectangle in the center of the workspace and choose the component to \"listen knowledge events\". Configure it with adequate filters. You can use same filters as in other part of the platform.</p> <p></p> <p>Then you have flexible choices for the next steps to:</p> <ul> <li>filter the initial knowledge ;</li> <li>enrich data using external sources and internal rules ;</li> <li>modify entities and relationships by applying patches ;</li> <li>write the data, send notifications, etc.</li> </ul> <p>Do not forget to start your Playbook when ready, with the Start option of the burger button placed near the name of your Playbook.</p> <p>By clicking the burger button of a component, you can replace it by another one.</p> <p>By clicking on the arrow icon in the bottom right corner of a component, you can develop a new branch at the same level.</p> <p>By clicking the \"+\" button on a link between components, you can insert a component between the two.</p>"},{"location":"usage/automation/#components-of-playbooks","title":"Components of playbooks","text":""},{"location":"usage/automation/#log-data-in-standard-output","title":"Log data in standard output","text":"<p>Will write the received STIX 2.1 bundle in platform logs with configurable log level and then send out the STIX 2.1 bundle unmodified.</p>"},{"location":"usage/automation/#send-for-ingestion","title":"Send for ingestion","text":"<p>Will pass the STIX 2.1 bundle to be written in the data stream. This component has no output and should end a branch of your playbook.</p>"},{"location":"usage/automation/#filter-knowledge","title":"Filter Knowledge","text":"<p>Will allow you to define filter and apply it to the received STIX 2.1 bundle. The component has 2 output, one for data matching the filter and one for the remainder. By default, filtering is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all elements in the bundle (elements that might result from enrichment for example).</p>"},{"location":"usage/automation/#enrich-through-connector","title":"Enrich through connector","text":"<p>Will send the received STIX 2.1 bundle to a compatible enrichement connector and send out the modifed bundle.</p>"},{"location":"usage/automation/#manipulate-knwoledge","title":"Manipulate Knwoledge","text":"<p>Will add, replace or remove compatible attribute of the entities contains in the received STIX 2.1 bundle and send out the modified bundle. By default, modification is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all elements in the bundle (elements that might result from enrichment for example).</p>"},{"location":"usage/automation/#container-wrapper","title":"Container wrapper","text":"<p>Will modify the received STIX 2.1 bundle to include the entities into an container of the type you configured.  By default, wrapping is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all elements in the bundle (elements that might result from enrichment for example).</p>"},{"location":"usage/automation/#manage-sharing-with-organizations","title":"Manage sharing with organizations","text":"<p>Will share every entity in the received STIX 2.1 bundle with Organizations you configured. Your platform need to have declare a platform main organization in Settings/Parameters.</p>"},{"location":"usage/automation/#apply-predefined-rule","title":"Apply predefined rule","text":"<p>Will apply a complex automation built-in rule. This kind of rule might impact performance. Current rules are: * First/Last seen computing extension from report publication date: will populate first seen and last seen date of entities contained in the report based on its publication date. * Resolve indicators based on observables (add in bundle) * Resolve observables an indicator is based on (add in bundle) * Resolve container references (add in bundle)</p>"},{"location":"usage/automation/#send-to-notifier","title":"Send to notifier","text":"<p>Will generate a Notification each time a STIX 2.1 bundle is received.</p>"},{"location":"usage/automation/#promote-observable-to-indicator","title":"Promote observable to indicator","text":"<p>Will generate indicator based on observables contained in the received STIX 2.1 bundle.  By default, it is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all observables in the bundle (observables that might result from enrichment for example).</p>"},{"location":"usage/automation/#extract-observables-from-indicator","title":"Extract observables from indicator","text":"<p>Will extract observables based on indicators contained in the received STIX 2.1 bundle.  By default, it is applied to entities having triggered the playbook. You can toggle the corresponding option to apply it to all indicators in the bundle (indicators that might result from enrichment for example).</p>"},{"location":"usage/automation/#reduce-knowledge","title":"Reduce Knowledge","text":"<p>Will elagate the received STIX 2.1 bundle based on the configured filter.</p>"},{"location":"usage/automation/#monitor-playbook-activity","title":"Monitor playbook activity","text":"<p>At the top right of the interface, you can access execution trace of your playbook and consult the raw data after every step of your playbook execution.</p> <p></p>"},{"location":"usage/background-tasks/","title":"Background tasks","text":"<p>Three types of tasks are done in the background:</p> <ul> <li>rule tasks,</li> <li>knowledge tasks,</li> <li>user tasks.</li> </ul> <p>Rule tasks can be seen and activated in Settings &gt; Customization &gt; Rules engine. Knowledge and user tasks can be seen and managed in Data &gt; Background Tasks. The scope of each task is indicated.</p> <p></p>"},{"location":"usage/background-tasks/#rule-tasks","title":"Rule tasks","text":"<p>If a rule task is enabled, it leads to the scan of the whole platform data and the creation of entities or relationships in case a configuration corresponds to the tasks rules. The created data are called 'inferred data'. Each time an event occurs in the platform, the rule engine checks if inferred data should be updated/created/deleted.</p>"},{"location":"usage/background-tasks/#knowledge-tasks","title":"Knowledge tasks","text":"<p>Knowledge tasks are background tasks updating or deleting entities and correspond to mass operations on these data. To create one, select entities via the checkboxes in an entity list, and choose the action to perform via the toolbar.</p>"},{"location":"usage/background-tasks/#rights","title":"Rights","text":"<ul> <li>To create a knowledge task, the user should have the capability to Update Knowledge (or the capability to delete knowledge if the task action is a deletion).</li> <li>To see a knowledge task in the Background task section, the user should be the creator of the task, or have the KNOWLEDGE capability.</li> <li>To delete a knowledge task from the Background task section, the user should be the creator of the task, or have the KNOWLEDGE_UPDATE capability.</li> </ul>"},{"location":"usage/background-tasks/#user-tasks","title":"User tasks","text":"<p>User tasks are background tasks updating or deleting notifications. It can be done from the Notification section, by selecting several notifications via the checkboxes, and choosing an action via the toolbar.</p>"},{"location":"usage/background-tasks/#rights_1","title":"Rights","text":"<ul> <li>A user can create a user task on its own notifications only.</li> <li>To see or delete a user task, the user should be the creator of the task or have the SET_ACCESS capability.</li> </ul>"},{"location":"usage/case-management/","title":"Case management","text":""},{"location":"usage/case-management/#why-case-management","title":"Why Case management?","text":"<p>Compiling CTI data in one place, deduplicate and correlate to transform it into Intelligence is very important. But ultimately, you need to act based on this Intelligence. Some situations will need to be taken care of, like cybersecurity incidents, requests for information or requests for takedown. Some actions will then need to be traced, to be coordinated and oversaw. Some actions will include feedback and content delivery.</p> <p>OpenCTI includes Cases to allow organizations to manage situations and organize their team's work. Better, by doing Case management in OpenCTI, you handle your cases with all the context and Intelligence you need, at hand.</p>"},{"location":"usage/case-management/#how-to-manage-your-case-in-opencti","title":"How to manage your Case in OpenCTI?","text":"<p>Multiple situations can be modelize in OpenCTI as a Case, either an Incident Response, a Request for Takedown or a Request for Information.</p> <p></p> <p>All Cases can contain any entities and relationships you need to represent the Intelligence context related to the situation. At the beginning of your case, you may find yourself with only some Observables sighted in a system. At the end, you may have Indicators, Threat Actor, impacted systems, attack patterns. All representing your findings, ready to be presented and exported as graph, pdf report, timeline, etc.</p> <p></p> <p>Some Cases may need some collaborative work and specific Tasks to be performed by people that have the skillset for. OpenCTI allows you to associate <code>Tasks</code> in your Cases and assign them to users in the platform. As some type of situation may need the same tasks to be done, it is also possible to pre-define lists of tasks to be applied on your case. You can define these lists by accessing the Settings/Taxonomies/Case templates panel. Then you just need to add it from the overview of your desire Case.</p> <p>Tip: A user can have a custom dashboard showing him all the tasks that have been assigned to him.</p> <p></p> <p>As with other objects in OpenCTI, you can also leverage the <code>Notes</code> to add some investigation and analysis related comments, helping you shaping up the content of your case with unstructured data and trace all the work that have been done.</p> <p>You can also use <code>Opinions</code> to collect how the Case has been handled, helping you to build Lessons Learned.</p> <p></p> <p>To trace the evolution of your Case and define specific resolution worflows, you can use the <code>Status</code> (that can be define in Settings/Taxonomies/Status templates).</p> <p>At the end of your Case, you will certainly want to report on what have been done. OpenCTI allows you to export the content of the Case in a simple but customizable PDF (currently in refactor). But of course, your company have its own documents' templates, right? With OpenCTI, you will be able to include some nice graphics in it. For example, a Matrix view of the attacker attack pattern or even a graph display of how things are connected. </p> <p>Also, we are currently working a more meaningfull Timeline view that will be possible to export too.</p>"},{"location":"usage/case-management/#use-case-example-a-suspicious-observable-is-sighted-by-a-defense-system-is-it-important","title":"Use case example: A suspicious observable is sighted by a defense system. Is it important?","text":"<ul> <li>Daily, your SIEM and EDR are feeded Indicators of Compromise from your OpenCTI instance. </li> <li>Today, your SIEM have sighted the domain name \"bad.com\" matching one of them. Its alert has been transfered to OpenCTI and have created a <code>Sighting</code> relationship between your System \"SIEM permiter A\" and the Observable \"bad.com\". </li> <li>You are alerted immediatly, because you have activated the inference rule creating a corresponding <code>Incident</code> in this situation, and you have created an alert based on new Incident that send you email <code>notification</code> and Teams message (webhook).</li> <li>In OpenCTI, you can clearly see the link between the alerting System, the sighted Observable and the corresponding Indicator. Better, you can also see all the context of the Indicator. It is linked to a notorious and recent phishing <code>campaign</code> targeting your activity <code>sector</code>. \"bad.com\" is clearly something to investigate ASAP.</li> <li>You quickly select all the context you have found, and add it to a new <code>Incident response</code>case. You position the priority to High, regarding the context, and the severity to Low, as you don't know yet if someone really interact with \"bad.com\"</li> <li>You also assign the case to one of your collegue, on duty for investigative work. To guide him, you also create a <code>Task</code> in your case for verifying if an actual interaction happened with \"bad.com\".</li> </ul>"},{"location":"usage/containers/","title":"Containers","text":""},{"location":"usage/containers/#stix-standard","title":"STIX standard","text":""},{"location":"usage/containers/#definition","title":"Definition","text":"<p>In the STIX 2.1 standard, some STIX Domain Objects (SDO) can be considered as \"container of knowledge\", using the <code>object_refs</code> attribute to refer multiple other objects as nested references. In <code>object_refs</code>, it is possible to refer to entities and relationships. </p>"},{"location":"usage/containers/#example","title":"Example","text":"<pre><code>{\n   \"type\": \"report\",\n   \"spec_version\": \"2.1\",\n   \"id\": \"report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3\",\n   \"created_by_ref\": \"identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283\",\n   \"created\": \"2015-12-21T19:59:11.000Z\",\n   \"modified\": \"2015-12-21T19:59:11.000Z\",\n   \"name\": \"The Black Vine Cyberespionage Group\",\n   \"description\": \"A simple report with an indicator and campaign\",\n   \"published\": \"2016-01-20T17:00:00.000Z\",\n   \"report_types\": [\"campaign\"],\n   \"object_refs\": [\n      \"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2\",\n      \"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c\",\n      \"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a\"\n   ]\n}\n</code></pre> <p>In the previous example, we have a nested reference to 3 other objects:</p> <pre><code>\"object_refs\": [\n   \"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2\",\n   \"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c\",\n   \"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a\"\n]\n</code></pre>"},{"location":"usage/containers/#implementation","title":"Implementation","text":""},{"location":"usage/containers/#types-of-container","title":"Types of container","text":"<p>In OpenCTI, containers are displayed differently than other entities, because they contain pieces of knowledge. Here is the list of containers in the platform:</p> Type of entity STIX standard Description Report Native Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. Grouping Native A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). Observed Data Native Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). Note Native A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects. Opinion Native An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. Case Extension A case whether an Incident Response, a Request for Information or a Request for Takedown is used to convey an epic with a set of tasks. Task Extension A task, generally used in the context of a case, is intended to convey information about something that must be done in a limited timeframe."},{"location":"usage/containers/#containers-behavior","title":"Containers behavior","text":"<p>In the platform, it is always possible to visualize the list of entities and/or observables referenced in a container (<code>Container &gt; Entities or Observables</code>) but also to add / remove entities from the container.</p> <p></p> <p>As containers can also contain relationships, which are generally linked to the other entities in the container, it is also possible to visualize the container as a graph (<code>Container &gt; Knowledge</code>)</p> <p></p>"},{"location":"usage/containers/#containers-of-an-entity-or-a-relationship","title":"Containers of an entity or a relationship","text":"<p>On the entity or the relationship side, you can always find all containers where the object is contained using the top menu <code>Analysis</code>:</p> <p></p> <p>In all containers list, you can also filter containers based on one or multiple contained object(s):</p> <p></p>"},{"location":"usage/dashboards/","title":"Custom dashboards","text":"<p>OpenCTI provides an adaptable and entirely customizable dashboard functionality. The flexibility of OpenCTI's dashboard ensures a tailored and insightful visualization of data, fostering a comprehensive understanding of the platform's knowledge, relationships, and activities.</p>"},{"location":"usage/dashboards/#dashboard-overview","title":"Dashboard overview","text":"<p>You have the flexibility to tailor the arrangement of widgets on your dashboard, optimizing organization and workflow efficiency. Widgets can be intuitively placed to highlight key information. Additionally, you can resize widgets from the bottom right corner based on the importance of the information, enabling adaptation to specific analytical needs. This technical flexibility ensures a fluid, visually optimized user experience.</p> <p>Moreover, the top banner of the dashboard offers a convenient feature to configure the timeframe for displayed data. This can be accomplished through the selection of a relative time period, such as \"Last 7 days\", or by specifying fixed \"Start\" and \"End\" dates, allowing users to precisely control the temporal scope of the displayed information.</p> <p></p> <p></p>"},{"location":"usage/dashboards/#access-control","title":"Access control","text":"<p>In OpenCTI, the power to create custom dashboards comes with a flexible access control system, allowing users to tailor visibility and rights according to their collaborative needs.</p> <p>When a user crafts a personalized dashboard, by default, it remains visible only to the dashboard creator. At this stage, the creator holds administrative access rights. However, they can extend access and rights to others using the \"Manage access\" button, denoted by a locker icon, located at the top right of the dashboard page.</p> <p></p> <p>Levels of access:</p> <ul> <li>View: Access to view the dashboard. </li> <li>Edit: View + Permission to modify and update the dashboard and its widgets. </li> <li>Manage: Edit + Ability to delete the dashboard and to control user access and rights.</li> </ul> <p>It's crucial to emphasize that at least one user must retain admin access to ensure ongoing management capabilities for the dashboard.</p> <p> </p> <p>Knowledge access restriction</p> <p>The platform's data access restrictions also apply to dashboards. The data displayed in the widgets is subject to the user's access rights within the platform. Therefore, an admin user will not see the same results in the widgets as a user with limited access, such as viewing only TLP:CLEAR data (assuming the platform contains data beyond TLP:CLEAR). </p>"},{"location":"usage/dashboards/#share-dashboard-and-widget-configurations","title":"Share dashboard and widget configurations","text":"<p>OpenCTI provides functionality for exporting, importing and duplicating dashboard and widget configurations, facilitating the seamless transfer of customized dashboard setups between instances or users.</p>"},{"location":"usage/dashboards/#export","title":"Export","text":"<p>Dashboards can be exported from either the custom dashboards list or the dashboard view. </p> <p>To export a dashboard configuration from the custom dashboards list:</p> <ol> <li>Click on the burger menu button at the end of the dashboard line.</li> <li>Select <code>Export</code>.</li> </ol> <p></p> <p>To export a widget, the same mechanism is used, but from the burger menu button in the upper right-hand corner of the widget.</p> <p></p> <p>To export a dashboard configuration from the dashboard view:</p> <ol> <li>Navigate to the desired dashboard.</li> <li>Click on the <code>Export</code> button (file with an arrow pointing to the top right corner) located in the top-right corner of the dashboard.</li> </ol> <p></p>"},{"location":"usage/dashboards/#configuration-file","title":"Configuration file","text":"<p>The dashboard configuration will be saved as a JSON file, with the title formatted as <code>[YYYYMMDD]_octi_dashboard_[dashboard title]</code>. The expected configuration file content is as follows:</p> <pre><code>{\n  \"openCTI_version\": \"5.12.0\",\n  \"type\": \"dashboard\",\n  \"configuration\": {\n    \"name\": \"My dashboard title\",\n    \"manifest\": \"eyJ3aWRn(...)uZmlnIjp7fX0=\"\n  }\n}\n</code></pre> <p>The widget configuration will be saved as a JSON file, with the title formatted as <code>[YYYYMMDD]_octi_widget_[widget view]</code>. The expected configuration file content is as follows:</p> <pre><code>{\n  \"openCTI_version\": \"5.12.0\",\n  \"type\": \"widget\",\n  \"configuration\": \"eyJ0eXB(...)iOmZhbHNlfX0=\"\n}\n</code></pre> <p>Source platform-related filters</p> <p>When exporting a dashboard or widget configuration, all filters will be exported as is. Filters on objects that do not exist in the receiving platform will need manual deletion after import. Filters to be deleted can be identified by their \"delete\" barred value.</p> <p></p>"},{"location":"usage/dashboards/#import","title":"Import","text":"<p>Dashboards can be imported from the custom dashboards list:</p> <ol> <li>Hover over the Add button (+) in the right bottom corner.</li> <li>Click on the <code>Import dashboard</code> button (cloud with an upward arrow).</li> <li>Select your file.</li> </ol> <p></p> <p>To import a widget, the same mechanism is used, but from a dashboard view.</p> <p></p> <p>Configuration compatibility</p> <p>Only JSON files with the required properties will be accepted, including \"openCTI_version: [5.12.0 and above]\", \"type: [dashboard|widget]\", and a \"configuration\". This applies to both dashboards and widgets configurations.</p>"},{"location":"usage/dashboards/#duplicate","title":"Duplicate","text":"<p>Dashboards can be duplicated from either the custom dashboards list or the dashboard view.</p> <p>To duplicate a dashboard from the custom dashboards list:</p> <ol> <li>Click on the burger menu button at the end of the dashboard line.</li> <li>Select <code>Duplicate</code>.</li> </ol> <p>To duplicate a widget, the same mechanism is used, but from the burger menu button in the upper right-hand corner of the widget.</p> <p>To duplicate a dashboard from the dashboard view:</p> <ol> <li>Navigate to the desired dashboard.</li> <li>Click on the <code>Duplicate the dashboard</code> button (two stacked sheets) located in the top-right corner of the dashboard.</li> </ol> <p></p> <p>Upon successful duplication, a confirmation message is displayed for a short duration, accompanied by a link for easy access to the new dashboard view. Nevertheless, the new dashboard can still be found in the dashboards list.</p> <p></p> <p>Dashboard access</p> <p>The user importing or duplicating a dashboard becomes the only one with access to it. Then, access can be managed as usual.</p>"},{"location":"usage/data-model/","title":"Data model","text":""},{"location":"usage/data-model/#introduction","title":"Introduction","text":"<p>The OpenCTI core design relies on the concept of a knowledge graph, where you have two different kinds of object:</p> <ol> <li>Nodes are used to describe <code>entities</code>, which have some <code>properties</code> or <code>attributes</code>.</li> <li>Edges are used to describe <code>relationships</code>, which are created between two <code>entity</code> nodes and have some <code>properties</code> or <code>attributes</code>.</li> </ol> <p>Example</p> <p>An example would be that the entity <code>APT28</code> has a relationship <code>uses</code> to the malware entity <code>Drovorub</code>.</p>"},{"location":"usage/data-model/#standard","title":"Standard","text":""},{"location":"usage/data-model/#the-stix-model","title":"The STIX model","text":"<p>To enable a unified approach in the description of threat intelligence knowledge as well as importing and exporting data, the OpenCTI data model is based on the STIX 2.1 standard. Thus we highly recommend to take a look to the STIX Introductory Walkthrough and to the different kinds of STIX relationships to get a better understanding of how OpenCTI works.</p> <p>Some more important STIX naming shortcuts are:</p> <ul> <li>STIX Domain Objects (SDO): Attack Patterns, Malware, Threat Actors, etc.</li> <li>STIX Cyber Observable (SCO): IP Addresses, domain names, hashes, etc.</li> <li>STIX Relationship Object (SRO): Relationships, Sightings</li> </ul> <p></p>"},{"location":"usage/data-model/#extensions","title":"Extensions","text":"<p>In some cases, the model has been extended to be able to:</p> <ul> <li>Support more types of SCOs to modelize information systems such as cryptocurrency wallets, user agents, etc.</li> <li>Support more types of SDOs to modelize disinformation and cybercrime such as channels, events, narrative, etc.</li> <li>Support more types of SROs to extend the new SDOs such as<code>amplifies</code>, <code>publishes</code>, etc.</li> </ul>"},{"location":"usage/data-model/#implementation-in-the-platform","title":"Implementation in the platform","text":""},{"location":"usage/data-model/#diagram-of-types","title":"Diagram of types","text":"<p>You can find below the digram of all types of entities and relationships available in OpenCTI.</p>"},{"location":"usage/data-model/#attributes-and-properties","title":"Attributes and properties","text":"<p>To get a comprehensive list of available properties for a given type of entity or relationship, you can use the GraphQL playground schema available in your \"Profile &gt; Playground\". Then you can click on schema. You can for instance search for the keyword <code>IntrusionSet</code>:</p> <p></p>"},{"location":"usage/deduplication/","title":"Deduplication","text":"<p>One of the core concept of the OpenCTI knowledge graph is all underlying mechanisms implemented to accurately de-duplicate and consolidate (aka. <code>upserting</code>) information about entities and relationships.</p>"},{"location":"usage/deduplication/#creation-behavior","title":"Creation behavior","text":"<p>When an object is created in the platform, whether manually by a user or automatically by the connectors / workers chain, the platform checks if something already exist based on some properties of the object. If the object already exists, it will return the existing object and, in some cases, update it as well.</p> <p>Technically, OpenCTI generates deterministic IDs based on the listed properties below to prevent duplicate (aka \"ID Contributing Properties\"). Also, it is important to note that there is a special link between <code>name</code> and <code>aliases</code> leading to not have entities with overlapping aliases or an alias already used in the name of another entity.</p>"},{"location":"usage/deduplication/#entities","title":"Entities","text":"Type Attributes Area (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Attack Pattern (<code>name</code> OR <code>alias</code>) AND optional <code>x_mitre_id</code> Campaign <code>name</code> OR <code>alias</code> Channel <code>name</code> OR <code>alias</code> City (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Country (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Course Of Action (<code>name</code> OR <code>alias</code>) AND optional <code>x_mitre_id</code> Data Component <code>name</code> OR <code>alias</code> Data Source <code>name</code> OR <code>alias</code> Event <code>name</code> OR <code>alias</code> Feedback Case <code>name</code> AND <code>created</code> (date) Grouping <code>name</code> AND <code>context</code> Incident <code>name</code> OR <code>alias</code> Incident Response Case <code>name</code> OR <code>alias</code> Indicator <code>pattern</code> OR <code>alias</code> Individual (<code>name</code> OR <code>x_opencti_alias</code>) and <code>identity_class</code> Infrastructure <code>name</code> OR <code>alias</code> Intrusion Set <code>name</code> OR <code>alias</code> Language <code>name</code> OR <code>alias</code> Malware <code>name</code> OR <code>alias</code> Malware Analysis <code>name</code> OR <code>alias</code> Narrative <code>name</code> OR <code>alias</code> Note None Observed Data <code>name</code> OR <code>alias</code> Opinion None Organization (<code>name</code> OR <code>x_opencti_alias</code>) and <code>identity_class</code> Position (<code>name</code> OR <code>x_opencti_alias</code>) AND <code>x_opencti_location_type</code> Region <code>name</code> OR <code>alias</code> Report <code>name</code> AND <code>published</code> (date) RFI Case <code>name</code> AND <code>created</code> (date) RFT Case <code>name</code> AND <code>created</code> (date) Sector (<code>name</code> OR <code>alias</code>) and <code>identity_class</code> Task None Threat Actor <code>name</code> OR <code>alias</code> Tool <code>name</code> OR <code>alias</code> Vulnerability <code>name</code> OR <code>alias</code> <p>Names and aliases management</p> <p>The name and aliases of an entity define a set of unique values, so it's not possible to have the name equal to an alias and vice versa.</p>"},{"location":"usage/deduplication/#relationships","title":"Relationships","text":"<p>The deduplication process of relationships is based on the following criterias:</p> <ul> <li>Type</li> <li>Source</li> <li>Target</li> <li>Start time between -30 days / + 30 days</li> <li>Stop time between -30 days / + 30 days</li> </ul>"},{"location":"usage/deduplication/#observables","title":"Observables","text":"<p>For STIX Cyber Observables, OpenCTI also generate deterministic IDs based on the STIX specification using the \"ID Contributing Properties\" defined for each type of observable.</p>"},{"location":"usage/deduplication/#update-behavior","title":"Update behavior","text":"<p>In cases where an entity already exists in the platform, incoming creations can trigger updates to the existing entity's attributes. This logic has been implemented to converge the knowledge base towards the highest confidence and quality levels for both entities and relationships.</p> <p>To understand in details how the deduplication mechanism works in context of the maximum confidence level, you can navigate through this diagram (section deduplication):</p>"},{"location":"usage/enrichment/","title":"Enrichment connectors","text":"<p>Enriching the data within the OpenCTI platform is made seamlessly through the integration of enrichment connectors. These connectors facilitate the retrieval of additional data from external sources or portals.</p>"},{"location":"usage/enrichment/#automatic-enrichment","title":"Automatic enrichment","text":"<p>Enrichment can be conducted automatically in two distinct modes:</p> <ul> <li>Upon data arrival: Configuring the connector to run automatically when data arrives in OpenCTI ensures a real-time enrichment process, supplementing the platform's data. However, it's advisable to avoid automatic enrichment for quota-based connectors to paid sources to prevent quickly depleting all quotas. Additionally, this automatic enrichment contributes to increased data volume. On a large scale, with hundreds of thousands of objects, the disk space occupied by this data can be substantial, and it should be considered, especially if disk space is a concern. The automatic execution is configured at the connector level using the \"auto: true|false\" parameter.</li> <li>Targeted enrichment via playbooks: Enrichment can also be performed in a more targeted manner using playbooks. This approach allows for a customized enrichment strategy, focusing on specific objects and optimizing the relevance of the retrieved data.</li> </ul>"},{"location":"usage/enrichment/#manual-enrichment","title":"Manual enrichment","text":"<p>Manually initiating the enrichment process is straightforward. Simply locate the button with the cloud icon at the top right of an entity. </p> <p></p> <p>Clicking on this icon unveils a side panel displaying a list of available connectors that can be activated for the given object. If no connectors appear in the panel, it indicates that no enrichment connectors are available for the specific type of object in focus.</p> <p></p> <p>Activation of an enrichment connector triggers a contact with the designated remote source, importing a set of data into OpenCTI to enrich the selected object. Each enrichment connector operates uniquely, focusing on a specific set of object types it can enrich and a distinct set of data it imports. Depending on the connectors, they may, establish relationships, add external references, or complete object information, thereby contributing to the comprehensiveness of information within the platform.</p> <p>The list of available connectors can be found in our connectors catalog. In addition, further documentation on connectors is available on the dedicated documentation page.</p> <p>Impact of the max confidence level</p> <p>The maximum confidence level per user can have an impact on enrichment connectors, not being able to update data in the platform. To understand the concept and the potential issues you could face, please navigate to this page to understand.</p>"},{"location":"usage/exploring-analysis/","title":"Analyses","text":"<p>When you click on \"Analyses\" in the left-side bar, you see all the \"Analyses\" tabs, visible on the top bar on the left. By default, the user directly access the \"Reports\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Analyses</code> section, users can access the following tabs:</p> <ul> <li><code>Reports</code>: See Reports as a sort of containers to detail and structure what is contained on a specific report, either from a source or write by yourself. Think of it as an Intelligence Production in OpenCTI.</li> <li><code>Groupings</code>: Groupings are containers, like Reports, but do not represent an Intelligence Production. They regroup Objects sharing an explicit context. For example, a Grouping might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as Report container.</li> <li><code>Malware Analyses</code>: As define by STIX 2.1 standard, Malware Analyses captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.</li> <li><code>Notes</code>: Through this tab, you can find all the Notes that have been written in the platform, for example to add some analyst's unstructured knowledge about an Object.</li> <li><code>External references</code>: Intelligence is never created from nothing. External references give user a way to link sources or reference documents to any Object in the platform.</li> </ul> <p></p>"},{"location":"usage/exploring-analysis/#reports","title":"Reports","text":""},{"location":"usage/exploring-analysis/#general-presentation","title":"General presentation","text":"<p>Reports are one of the central component of the platform. It is from a <code>Report</code> that knowledge is extracted and integrated in the platform for further navigation, analyses and exports. Always tying the information back to a report allows for the user to be able to identify the source of any piece of information in the platform at all time.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Report</code> is defined as such :</p> <p>Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.</p> <p>As a result, a <code>Report</code> object in OpenCTI is a set of attributes and metadata defining and describing a document outside the platform, which can be a threat intelligence report from a security reseearch team, a blog post, a press article a video, a conference extract, a MISP event, or any type of document and source.</p> <p>When clicking on the Reports tab at the top left, you see the list of all the Reports you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of reports.</p>"},{"location":"usage/exploring-analysis/#visualizing-knowledge-within-a-report","title":"Visualizing Knowledge within a Report","text":"<p>When clicking on a Report, you land on the Overview tab. For a Report, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge contained in the report, accessible through different views (See below for a dive-in). As described here.</li> <li>Content: a tab to upload or creates outcomes document displaying the content of the Report (for example in PDF, text, HTML or markdown files). The Content of the document is displayed to ease the access of Knowledge through a readable format. As described here.</li> <li>Entities: A table containing all SDO (Stix Domain Objects) contained in the Report, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Observables: A table containing all SCO (Stix Cyber Observable) contained in the Report, with search and filters available. It also displays if the SCO has been added directly or through inferences with the reasoning engine</li> <li>Data: as described here.</li> </ul> <p>Exploring and modifying the structured Knowledge contained in a Report can be done through different lenses.</p>"},{"location":"usage/exploring-analysis/#graph-view","title":"Graph View","text":"<p>In Graph view, STIX SDO are displayed as graph nodes and relationships as graph links. Nodes are colored depending of their type. Direct relationship are displayed as plain link and inferred relationships in dotted link. At the top right, you will find a serie of icons. From there you can change the current type of view. Here you can also perform global action on the Knowledge of the Report. Let's highlight 2 of them: - Suggestions: This tool suggests you some logical relationships to add between your contained Object to give more consistency to your Knowledge. - Share with an Organization: if you have designated a main Organization in the platform settings, you can here share your Report and its content with users of an other Organization. At the bottom, you have many option to manipulate the graph: - Multiple option for shaping the graph and applying forces to the nodes and links - Multiple selection options - Multiple filters, including a time range selector allowing you to see the evolution of the Knowledge within the Report. - Multiple creation and edition tools to modify the Knowledge contained in the Report.</p>"},{"location":"usage/exploring-analysis/#content-mapping-view","title":"Content mapping view","text":"<p>Through this view, you can map exsisting or new Objects directly from a readable content, allowing you to quickly append structured Knowledge in your Report before refining it with relationships and details.  This view is a great place to see the continuum between unstructured and structured Knowledge of a specific Intelligence Production.</p>"},{"location":"usage/exploring-analysis/#timeline-view","title":"Timeline view","text":"<p>This view allows you to see the structured Knowledge chronologically. This view is really useful when the report describes an attack or a campaign that lasted some time, and the analyst payed attention to the dates. The view can be filtered and displayed relationships too.</p>"},{"location":"usage/exploring-analysis/#correlation-view","title":"Correlation view","text":"<p>The correlation view is a great way to visualize and find other Reports related to your current subject of interest. This graph displays all Report related to the important nodes contained in your current Report, for example Objects like Malware or Intrusion sets.</p>"},{"location":"usage/exploring-analysis/#matrix-view","title":"Matrix view","text":"<p>If your Report describes let's say an attack, a campaign, or an understanding of an Intrusion set, it should contains multiple attack patterns Objects to structure the Knowledge about the TTPs of the Threat Actor. Those attack patterns can be displayed as highlighted matrices, by default the MITRE ATT&amp;CK Enterprise matrix. As some matrices can be huge, it can be also filtered to only display attack patterns describes in the Report.</p>"},{"location":"usage/exploring-analysis/#groupings","title":"Groupings","text":"<p>Groupings are an alternative to Report for grouping Objects sharing a context without describing an Intelligence Production.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Grouping</code> is defined as such :</p> <p>A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators.</p> <p>When clicking on the Groupings tab at the top of the interface, you see the list of all the Groupings you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of the groupings.</p> <p>Clicking on a Grouping, you land on its Overview tab. For a Groupings, the following tabs are accessible: - Overview: as described here. - Knowledge: a complex tab that regroups all the structured Knowledge contained in the groupings, as for a Report, except for the Timeline view. As described here. - Entities: A table containing all SDO (Stix Domain Objects) contained in the Grouping, with search and filters available. It also display if the SDO has been added directly or through inferences with the reasonging engine - Observables: A table containing all SCO (Stix Cyber Observable) contained in the Grouping, with search and filters available. It also display if the SDO has been added directly or through inferences with the reasonging engine - Data: as described here.</p>"},{"location":"usage/exploring-analysis/#malware-analyses","title":"Malware Analyses","text":"<p>Malware analyses are an important part of the Cyber Threat Intelligence, allowing an precise understanding of what and how a malware really do on the host but also how and from where it receives its command and communicates its results.</p> <p>In OpenCTI, Malware Analyses can be created from enrichment connectors that will take an Observable as input and perform a scan on a online service platform to bring back results. As such, Malware Analyses can be done on File, Domain and URL.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Malware Analyses</code> is defined as such :</p> <p>Malware Analyses captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.</p> <p>When clicking on the Malware Analyses tab at the top of the interface, you see the list of all the Malware Analyses you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of the Malware Analyses.</p> <p>Clicking on a Malware Analyses, you land on its Overview tab. The following tabs are accessible: - Overview: This view contains some additions from the common Overview here. You will find here details about how the analysis have been performed, what is the global result regarding the malicioussness of the analysed artifact and all the Observables that have been found during the analysis.  - Knowledge: If you Malware analysis is linked to other Objects that are not part of the analysis result, they will be displayed here. As described here. - Data: as described here. - History: as described here.</p> <p></p>"},{"location":"usage/exploring-analysis/#notes","title":"Notes","text":"<p>Not every Knowledge can be structured. For allowing any users to share their insights about a specific Knowledge, they can create a Note for every Object and relationship in OpenCTI they can access to. All the Notes are listed within the Analyses menu for allowing global review of this unstructured addition to the global Knowledge.</p> <p>In the MITRE STIX 2.1 documentation, a <code>Note</code> is defined as such :</p> <p>A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator).</p> <p>Clicking on a Note, you land on its Overview tab. The following tabs are accessible: - Overview: as described here. - Data: as described here. - History: as described here.</p>"},{"location":"usage/exploring-analysis/#external-references","title":"External references","text":"<p>Intelligence is never created from nothing. External references give user a way to link sources or reference documents to any Object in the platform. All external references are listed within the Analyses menu for accessing directly sources of the structured Knowledge.</p> <p>In the MITRE STIX 2.1 documentation, a <code>External references</code> is defined as such :</p> <p>External references are used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.</p> <p>Clicking on an External reference, you land on its Overview tab. The following tabs are accessible: - Overview: as described here.</p>"},{"location":"usage/exploring-arsenal/","title":"Arsenal","text":"<p>When you click on \"Arsenal\" in the left-side bar, you access all the \"Arsenal\" tabs, visible on the top bar on the left. By default, the user directly access the \"Malware\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Arsenal</code> section, users can access the following tabs:</p> <ul> <li><code>Malware</code>: <code>Malware</code> represents any piece of code specifically designed to damage, disrupt, or gain unauthorized access to computer systems, networks, or user data.</li> <li><code>Channels</code>: <code>Channels</code>, in the context of cybersecurity, refer to places or means through which actors disseminate information. This category is used in particular in the context of FIMI (Foreign Information Manipulation Interference). </li> <li><code>Tools</code>: <code>Tools</code> represent legitimate, installed software or hardware applications on an operating system that can be misused by attackers for malicious purposes. (e.g. LOLBAS).</li> <li><code>Vulnerabilities</code>: <code>Vulnerabilities</code> are weaknesses or that can be exploited by attackers to compromise the security, integrity, or availability of a computer system or network.</li> </ul>"},{"location":"usage/exploring-arsenal/#malware","title":"Malware","text":""},{"location":"usage/exploring-arsenal/#general-presentation","title":"General presentation","text":"<p>Malware encompasses a broad category of malicious pieces of code built, deployed, and operated by intrusion set. Malware can take many forms, including viruses, worms, Trojans, ransomware, spyware, and more. These entities are created by individuals or groups, including state-nations, state-sponsored groups, corporations, or hacktivist collectives.</p> <p>Use the <code>Malware</code> SDO to model and track these threats comprehensively, facilitating in-depth analysis, response, and correlation with other security data.</p> <p>When clicking on the Malware tab on the top left, you see the list of all the Malware you have access to, in respect with your allowed marking definitions. These malware are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, related intrusion sets, countries and sectors they target, and labels. You can then search and filter on some common and specific attributes of Malware.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-a-malware","title":"Visualizing Knowledge associated with a Malware","text":"<p>When clicking on an <code>Malware</code> card you land on its Overview tab. For a Malware, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Malware. Different thematic views are proposed to easily see the victimology, the threat actors and intrusion sets using the Malware, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-arsenal/#channels","title":"Channels","text":""},{"location":"usage/exploring-arsenal/#general-presentation_1","title":"General presentation","text":"<p><code>Channels</code> - such as forums, websites and social media platforms (e.g. Twitter, Telegram) - are mediums for disseminating news, knowledge, and messages to a broad audience. While they offer benefits like open communication and outreach, they can also be leveraged for nefarious purposes, such as spreading misinformation, coordinating cyberattacks, or promoting illegal activities. </p> <p>Monitoring and managing content within <code>Channels</code> aids in analyzing threats, activities, and indicators associated with various threat actors, campaigns, and intrusion sets.</p> <p>When clicking on the Channels tab at the top left, you see the list of all the Channels you have access to, in respect with your allowed marking definitions. These channels are displayed in a list where you can find certain fields characterizing the entity: type of channel, labels, and dates. You can then search and filter on some common and specific attributes of Channels.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-a-channel","title":"Visualizing Knowledge associated with a Channel","text":"<p>When clicking on a <code>Channel</code> in the list, you land on its Overview tab. For a Channel, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Channel. Different thematic views are proposed to easily see the victimology, the threat actors and intrusion sets using the Malware, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-arsenal/#tools","title":"Tools","text":""},{"location":"usage/exploring-arsenal/#general-presentation_2","title":"General presentation","text":"<p><code>Tools</code> refers to legitimate, pre-installed software applications, command-line utilities, or scripts that are present on a compromised system. These objects enable you to model and monitor the activities of these tools, which can be misused by attackers.</p> <p>When clicking on the <code>Tools</code> tab at the top left, you see the list of all the <code>Tools</code> you have access to, in respect with your allowed marking definitions. These tools are displayed in a list where you can find certain fields characterizing the entity: labels and dates. You can then search and filter on some common and specific attributes of Tools.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-an-observed-data","title":"Visualizing Knowledge associated with an Observed Data","text":"<p>When clicking on a <code>Tool</code> in the list, you land on its Overview tab. For a Tool, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Tool. Different thematic views are proposed to easily see the threat actors, the intrusion sets and the malware using the Tool. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-arsenal/#vulnerabilities","title":"Vulnerabilities","text":""},{"location":"usage/exploring-arsenal/#general-presentation_3","title":"General presentation","text":"<p><code>Vulnerabilities</code> represent weaknesses or flaws in software, hardware, configurations, or systems that can be exploited by malicious actors. This object assists in managing and tracking the organization's security posture by identifying areas that require attention and remediation, while also providing insights into associated intrusion sets, malware and campaigns where relevant.</p> <p>When clicking on the <code>Vulnerabilities</code> tab at the top left, you see the list of all the <code>Vulnerabilities</code> you have access to, in respect with your allowed marking definitions. These vulnerabilities are displayed in a list where you can find certain fields characterizing the entity: CVSS3 severity, labels, dates and creators (in the platform). You can then search and filter on some common and specific attributes of Vulnerabilities.</p> <p></p>"},{"location":"usage/exploring-arsenal/#visualizing-knowledge-associated-with-an-observed-data_1","title":"Visualizing Knowledge associated with an Observed Data","text":"<p>When clicking on a <code>Vulnerabilities</code> in the list, you land on its Overview tab. For a Vulnerability, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Vulnerability. Different thematic views are proposed to easily see the threat actors, the intrusion sets and the malware exploiting the Vulnerability. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-cases/","title":"Cases","text":"<p>When you click on \"Cases\" in the left-side bar, you access all the \"Cases\" tabs, visible on the top bar on the left. By default, the user directly access the \"Incident Responses\" tab, but can navigate to the other tabs as well.</p> <p>As Analyses, <code>Cases</code> can contain other objects. This way, by adding context and results of your investigations in the case, you will be able to get an up-to-date overview of the ongoing situation, and later produce more easily an incident report. </p> <p>From the <code>Cases</code> section, users can access the following tabs:</p> <ul> <li><code>Incident Responses</code>: This type of Cases is dedicated to the management of incidents. An Incident Response case does not represent an incident, but all the context and actions that will encompass the response to a specific incident.</li> <li><code>Request for Information</code>: CTI teams are often asked to provide extensive information and analysis on a specific subject, be it related to an ongoing incident or a particular trending threat. Request for Information cases allow you to store context and actions relative to this type of request and its response.</li> <li><code>Request for Takedown</code>: When an organization is targeted by an attack campaign, a typical response action can be to request the Takedown of elements of the attack infrastructure, for example a domain name impersonating the organization to phish its employees, or an email address used to deliver phishing content. As Takedown needs in most case to reach out to external providers and be effective quickly, it often needs specific workflows. Request for Takedown cases give you a dedicated space to manage these specific actions.</li> <li><code>Tasks</code>: In every case, you need tasks to be performed in order to solve it. The Tasks tab allows you to review all created tasks to quickly see past due date, or quickly see every task assigned to a specific user.</li> <li><code>Feedbacks</code>: If you use your platform to interact with other teams and provide them CTI Knowledge, some users may want to give you feedback about it. Those feedbacks can easily be considered as another type of case to solve, as it will often refer to Knowledge inconsistency or gaps.</li> </ul> <p></p>"},{"location":"usage/exploring-cases/#incident-response-request-for-information-request-for-takedown","title":"Incident Response, Request for Information &amp; Request for Takedown","text":""},{"location":"usage/exploring-cases/#general-presentation","title":"General presentation","text":"<p>Incident responses, Request for Information &amp; Request for Takedown cases are an important part of the case management system in OpenCTI. Here, you can organize the work of your team to respond to cybersecurity situations. You can also give context to the team and other users on the platform about the situation and actions (to be) taken.</p> <p>To manage the situation, you can issue <code>Tasks</code> and assign them to users in the platform, by directly creating a Task or by applying a Case template that will append a list of predefined tasks.</p> <p>To bring context, you can use your Case as a container (like Reports or Groupings), allowing you to add any Knowledge from your platform in it. You can also use this possibility to trace your investigation, your Case playing the role of an Incident report. You will find more information about case management here.</p> <p>Incident Response, Request for Information &amp; Request for Takedown are not STIX 2.1 Objects.</p> <p>When clicking on the Incident Response, Request for Information &amp; Request for Takedown tabs at the top, you see the list of all the Cases you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes.</p>"},{"location":"usage/exploring-cases/#visualizing-knowledge-within-an-incident-response-request-for-information-request-for-takedown","title":"Visualizing Knowledge within an Incident Response, Request for Information &amp; Request for Takedown","text":"<p>When clicking on an Incident Response, Request for Information or Request for Takedown, you land on the Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: Overview of Cases are slightly different from the usual (described here). Cases' Overview displays also the list of the tasks associated with the case. It also let you highlight Incident, Report or Sighting at the origin of the case. If other cases contains some Observables with your Case, they will be displayed as Related Cases in the Overview.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge contained in the Case, accessible through different views (See below for a dive-in). As described here.</li> <li>Content: a tab to upload or creates outcomes document displaying the content of the Case (for example in PDF, text, HTML or markdown files). The Content of the document is displayed to ease the access of Knowledge through a readable format. As described here.</li> <li>Entities: A table containing all SDO (Stix Domain Objects) contained in the Case, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Observables: A table containing all SCO (Stix Cyber Observable) contained in the Case, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Data: as described here.</li> </ul> <p>Exploring and modifying the structured Knowledge contained in a Case can be done through different lenses.</p>"},{"location":"usage/exploring-cases/#graph-view","title":"Graph View","text":"<p>In Graph view, STIX SDO are displayed as graph nodes and relationships as graph links. Nodes are colored depending on their type. Direct relationship are displayed as plain link and inferred relationships in dotted link. At the top right, you will find a series of icons. From there you can change the current type of view. Here you can also perform global action on the Knowledge of the Case. Let's highlight 2 of them:</p> <ul> <li>Suggestions: This tool suggests you some logical relationships to add between your contained Object to give more consistency to your Knowledge.</li> <li>Share with an Organization: if you have designated a main Organization in the platform settings, you can here share your Case and its content with users of another Organization. At the bottom, you have many option to manipulate the graph:</li> <li>Multiple option for shaping the graph and applying forces to the nodes and links</li> <li>Multiple selection options</li> <li>Multiple filters, including a time range selector allowing you to see the evolution of the Knowledge within the Case.</li> <li>Multiple creation and edition tools to modify the Knowledge contained in the Case.</li> </ul>"},{"location":"usage/exploring-cases/#content-mapping-view","title":"Content mapping view","text":"<p>Through this view, you can map existing or new Objects directly from a readable content, allowing you to quickly append structured Knowledge in your Case before refining it with relationships and details. This view is a great place to see the continuum between unstructured and structured Knowledge.</p>"},{"location":"usage/exploring-cases/#timeline-view","title":"Timeline view","text":"<p>This view allows you to see the structured Knowledge chronologically. This view is particularly useful in the context of a Case, allowing you to see the chain of events, either from the attack perspectives, the defense perspectives or both. The view can be filtered and displayed relationships too.</p>"},{"location":"usage/exploring-cases/#matrix-view","title":"Matrix view","text":"<p>If your Case contains attack patterns, you will be able to visualize them in a Matrix view.</p>"},{"location":"usage/exploring-cases/#tasks","title":"Tasks","text":"<p>Tasks are actions to be performed in the context of a Case (Incident Response, Request for Information, Request for Takedown). Usually, a task is assigned to a user, but important tasks may involve more participants.</p> <p>When clicking on the Tasks tab at the top of the interface, you see the list of all the Tasks you have access to, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of the tasks.</p> <p>Clicking on a Task, you land on its Overview tab. For a Tasks, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-cases/#feedbacks","title":"Feedbacks","text":"<p>When a user fill a feedback form from its Profile/Feedback menu, it will then be accessible here.</p> <p>This feature gives the opportunity to engage with other users of your platform and to respond directly to their concern about it or the Knowledge, without the need of third party software.</p> <p></p> <p>Clicking on a Feedback, you land on its Overview tab. For a Feedback, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Content: as described here. </li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-entities/","title":"Entities","text":"<p>OpenCTI's Entities objects provides a comprehensive framework for modeling various targets and attack victims within your threat intelligence data. With five distinct Entity object types, you can represent sectors, events, organizations, systems, and individuals. This robust classification empowers you to contextualize threats effectively, enhancing the depth and precision of your analysis.</p> <p>When you click on \"Entities\" in the left-side bar, you access all the \"Entities\" tabs, visible on the top bar on the left. By default, the user directly access the \"Sectors\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Entities</code> section, users can access the following tabs:</p> <ul> <li><code>Sectors</code>: areas of activity.</li> <li><code>Events</code>: event in the real world.</li> <li><code>Organizations</code>: groups with specific aims such as companies and government entities.</li> <li><code>Systems</code>: technologies such as platforms and software.</li> <li><code>Individuals</code>: real persons.</li> </ul>"},{"location":"usage/exploring-entities/#sectors","title":"Sectors","text":""},{"location":"usage/exploring-entities/#general-presentation","title":"General presentation","text":"<p>Sectors represent specific domains of activity, defining areas such as energy, government, health, finance, and more. Utilize sectors to categorize targeted industries or sectors of interest, providing valuable context for threat intelligence analysis within distinct areas of the economy.</p> <p>When clicking on the Sectors tab at the top left, you see the list of all the Sectors you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-a-sector","title":"Visualizing Knowledge associated with a Sector","text":"<p>When clicking on a <code>Sector</code> in the list, you land on its Overview tab. For a Sector, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Sector. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Sector. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the Sector.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-entities/#events","title":"Events","text":""},{"location":"usage/exploring-entities/#general-presentation_1","title":"General presentation","text":"<p>Events encompass occurrences like international sports events, summits (e.g., G20), trials, conferences, or any significant happening in the real world. By modeling events, you can analyze threats associated with specific occurrences, allowing for targeted investigations surrounding high-profile incidents.</p> <p>When clicking on the Events tab at the top left, you see the list of all the Events you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-an-event","title":"Visualizing Knowledge associated with an Event","text":"<p>When clicking on an <code>Event</code> in the list, you land on its Overview tab. For an Event, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Event. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Event. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted during an attack against the Event.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-entities/#organizations","title":"Organizations","text":""},{"location":"usage/exploring-entities/#general-presentation_2","title":"General presentation","text":"<p>Organizations include diverse entities such as companies, government bodies, associations, non-profits, and other groups with specific aims. Modeling organizations enables you to understand the threat landscape concerning various entities, facilitating investigations into cyber-espionage, data breaches, or other malicious activities targeting specific groups.</p> <p>When clicking on the Organizations tab at the top left, you see the list of all the Organizations you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-an-organization","title":"Visualizing Knowledge associated with an Organization","text":"<p>When clicking on an <code>Organization</code> in the list, you land on its Overview tab. For an Organization, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Organization. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Organization. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the Organization.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p>Furthermore, an Organization can be observed from an \"Author\" perspective. It is possible to change this viewpoint to the right of the entity name, using the \"Display as\" drop-down menu (see screenshot below). This different perspective is accessible in the Overview, Knowledge and Analyses tabs. When switched to \"Author\" mode, the observed data pertains to the entity's description as an author within the platform:</p> <ul> <li>Overview: The \"Latest created relationships\" and \"Latest containers about the object\" panels are replaced by the \"Latest containers authored by this entity\" panel.</li> <li>Knowledge: A tab that presents an overview of the data authored by the Organization (i.e. counters and a graph).</li> <li>Analyses: The list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) for which the Organization is the author.</li> </ul> <p></p>"},{"location":"usage/exploring-entities/#systems","title":"Systems","text":""},{"location":"usage/exploring-entities/#general-presentation_3","title":"General presentation","text":"<p>Systems represent software applications, platforms, frameworks, or specific tools like WordPress, VirtualBox, Firefox, Python, etc. Modeling systems allows you to focus on threats related to specific software or technology, aiding in vulnerability assessments, patch management, and securing critical applications.</p> <p>When clicking on the Systems tab at the top left, you see the list of all the Systems you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-a-system","title":"Visualizing Knowledge associated with a System","text":"<p>When clicking on a <code>System</code> in the list, you land on its Overview tab. For a System, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the System. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the System. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the System.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p>Furthermore, a System can be observed from an \"Author\" perspective. It is possible to change this viewpoint to the right of the entity name, using the \"Display as\" drop-down menu (see screenshot below). This different perspective is accessible in the Overview, Knowledge and Analyses tabs. When switched to \"Author\" mode, the observed data pertains to the entity's description as an author within the platform:</p> <ul> <li>Overview: The \"Latest created relationships\" and \"Latest containers about the object\" panels are replaced by the \"Latest containers authored by this entity\" panel.</li> <li>Knowledge: A tab that presents an overview of the data authored by the System (i.e. counters and a graph).</li> <li>Analyses: The list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) for which the System is the author.</li> </ul>"},{"location":"usage/exploring-entities/#individuals","title":"Individuals","text":""},{"location":"usage/exploring-entities/#general-presentation_4","title":"General presentation","text":"<p>Individuals represent specific persons relevant to your threat intelligence analysis. This category includes targeted individuals, or influential figures in various fields. Modeling individuals enables you to analyze threats related to specific people, enhancing investigations into cyber-stalking, impersonation, or other targeted attacks.</p> <p>When clicking on the Individuals tab at the top left, you see the list of all the Individuals you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-entities/#visualizing-knowledge-associated-with-an-individual","title":"Visualizing Knowledge associated with an Individual","text":"<p>When clicking on an <code>Individual</code> in the list, you land on its Overview tab. For an Individual, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Individual. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Individual. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in the Individual.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p>Furthermore, an Individual can be observed from an \"Author\" perspective. It is possible to change this viewpoint to the right of the entity name, using the \"Display as\" drop-down menu (see screenshot below). This different perspective is accessible in the Overview, Knowledge and Analyses tabs. When switched to \"Author\" mode, the observed data pertains to the entity's description as an author within the platform:</p> <ul> <li>Overview: The \"Latest created relationships\" and \"Latest containers about the object\" panels are replaced by the \"Latest containers authored by this entity\" panel.</li> <li>Knowledge: A tab that presents an overview of the data authored by the Individual (i.e. counters and a graph).</li> <li>Analyses: The list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) for which the Individual is the author.</li> </ul>"},{"location":"usage/exploring-events/","title":"Events","text":"<p>When you click on \"Events\" in the left-side bar, you access all the \"Events\" tabs, visible on the top bar on the left. By default, the user directly access the \"Incidents\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Events</code> section, users can access the following tabs:</p> <ul> <li><code>Incidents</code>: In OpenCTI, <code>Incidents</code> correspond to a negative event happening on an information system. This can include a cyberattack (intrusion, phishing, etc.), a consolidated security alert generated by a SIEM or EDR that need to be qualified, and so on. It can also refer to an information warfare attack in the context of countering disinformation.</li> <li><code>Sightings</code>: <code>Sightings</code> correspond to the event in which an <code>Observable</code> (IP, domain name, certificate, etc.) is detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or an EDR.</li> <li><code>Observed Data</code>: <code>Observed Data</code> has been added in OpenCTI by compliance with the STIX 2.1 standard. You can see it has a pseudo-container that contains Observables, like a line of firewall log for example. Currently, it is rarely used.</li> </ul>"},{"location":"usage/exploring-events/#incidents","title":"Incidents","text":""},{"location":"usage/exploring-events/#general-presentation","title":"General presentation","text":"<p>Incidents usually represents negative events impacting resources you want to protect, but local definitions can vary a lot, from a simple security events send by a SIEM to a massive scale supply chain attack impacting a whole activity sector.</p> <p>In the MITRE STIX 2.1, the <code>Incident</code> SDO has not yet been finalized and is the object of important work as part of a forthcoming STIX Extension.</p> <p>When clicking on the Incidents tab at the top left, you see the list of all the Incidents you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-events/#visualizing-knowledge-associated-with-an-incident","title":"Visualizing Knowledge associated with an Incident","text":"<p>When clicking on an <code>Incident</code> in the list, you land on its Overview tab. For an Incident, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display two distribution graphs of its related Entities (STIX SDO) and Observable (STIX SCO).</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Incident. Different thematic views are proposed to easily see the victimology, arsenal, techniques and so on used in the context of the Incident. As described here.</li> <li>Content: This specific tab allows to previzualize, manage and write deliverable associated with the Incident. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-events/#sightings","title":"Sightings","text":""},{"location":"usage/exploring-events/#general-presentation_1","title":"General presentation","text":"<p>The <code>Sightings</code> correspond to events in which an <code>Observable</code> (IP, domain name, url, etc.) is detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or EDR. </p> <p>In OpenCTI, as we are in a cybersecurity context, <code>Sightings</code> are associated with <code>Indicators</code> of Compromise (IoC) and the notion of \"True positive\" and \"False positive\". </p> <p>It is important to note that Sightings are a type of relationship (not a STIX SDO or STIX SCO), between an Observable and an Entities or Locations.</p> <p>When clicking on the Sightings tab at the top left, you see the list of all the Sightings you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-events/#visualizing-knowledge-associated-with-a-sighting","title":"Visualizing Knowledge associated with a Sighting","text":"<p>When clicking on a <code>Sighting</code> in the list, you land on its Overview tab. As other relationships in the platform, Sighting's overview displays common related metadata, containers, external references, notes and entities linked by the relationship. </p> <p>In addition, this overview displays: - Qualification : if the Sighting is a True Positive or a False Positive - Count : number of times the event has been seen</p>"},{"location":"usage/exploring-events/#observed-data","title":"Observed Data","text":""},{"location":"usage/exploring-events/#general-presentation_2","title":"General presentation","text":"<p><code>Observed Data</code> correspond to an extract from a log that contains Observables. </p> <p>In the MITRE STIX 2.1, the <code>Observed Data</code> SDO is defined as such:</p> <p>Observed Data conveys information about cybersecurity related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means.</p> <p>When clicking on the <code>Observed Data</code> tab at the top left, you see the list of all the <code>Observed Data</code> you have access to, in respect with your allowed marking definitions.</p>"},{"location":"usage/exploring-events/#visualizing-knowledge-associated-with-an-observed-data","title":"Visualizing Knowledge associated with an Observed Data","text":"<p>When clicking on an <code>Observed Data</code> in the list, you land on its Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display a distribution graphs of its related Observables (STIX SCO).</li> <li>Entities : a sortable and filterable list of all Entities (SDO) </li> <li>Observables: a sortable and filterable list of all Observables (SCO) in relation with the Observed Data</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/","title":"Location","text":"<p>OpenCTI's Locations objects provides a comprehensive framework for representing various geographic entities within your threat intelligence data. With five distinct Location object types, you can precisely define regions, countries, areas, cities, and specific positions. This robust classification empowers you to contextualize threats geographically, enhancing the depth and accuracy of your analysis.</p> <p>When you click on \"Locations\" in the left-side bar, you access all the \"Locations\" tabs, visible on the top bar on the left. By default, the user directly access the \"Regions\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Locations</code> section, users can access the following tabs:</p> <ul> <li><code>Regions</code>: very large geographical territories, such as a continent.</li> <li><code>Countries</code>: the world's countries.</li> <li><code>Areas</code>: more or less extensive geographical areas and often not having a very defined limit</li> <li><code>Cities</code>: the world's cities.</li> <li><code>Positions</code>: very precise positions on the globe.</li> </ul>"},{"location":"usage/exploring-locations/#regions","title":"Regions","text":""},{"location":"usage/exploring-locations/#general-presentation","title":"General presentation","text":"<p>Regions encapsulate broader geographical territories, often representing continents or significant parts of continents. Examples include EMEA (Europe, Middle East, and Africa), Asia, Western Europe, and North America. Utilize regions to categorize large geopolitical areas and gain macro-level insights into threat patterns.</p> <p>When clicking on the Regions tab at the top left, you see the list of all the Regions you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-region","title":"Visualizing Knowledge associated with a Region","text":"<p>When clicking on a <code>Region</code> in the list, you land on its Overview tab. For a Region, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the Region.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Region. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Region. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in a Region.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-locations/#countries","title":"Countries","text":""},{"location":"usage/exploring-locations/#general-presentation_1","title":"General presentation","text":"<p>Countries represent individual nations across the world. With this object type, you can specify detailed information about a particular country, enabling precise localization of threat intelligence data. Countries are fundamental entities in geopolitical analysis, offering a focused view of activities within national borders.</p> <p>When clicking on the Countries tab at the top left, you see the list of all the Countries you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-country","title":"Visualizing Knowledge associated with a Country","text":"<p>When clicking on a <code>Country</code> in the list, you land on its Overview tab. For a Country, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the Country.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Country. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Country. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in a Country.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/#areas","title":"Areas","text":""},{"location":"usage/exploring-locations/#general-presentation_2","title":"General presentation","text":"<p>Areas define specific geographical regions of interest, such as the Persian Gulf, the Balkans, or the Caucasus. Use areas to identify unique zones with distinct geopolitical, cultural, or strategic significance. This object type facilitates nuanced analysis of threats within defined geographic contexts.</p> <p>When clicking on the Areas tab at the top left, you see the list of all the Areas you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-an-area","title":"Visualizing Knowledge associated with an Area","text":"<p>When clicking on an <code>Area</code> in the list, you land on its Overview tab. For an Area, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the Area.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Area. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Area. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in an Area.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/#cities","title":"Cities","text":""},{"location":"usage/exploring-locations/#general-presentation_3","title":"General presentation","text":"<p>Cities provide granular information about urban centers worldwide. From major metropolises to smaller towns, cities are crucial in understanding localized threat activities. With this object type, you can pinpoint threats at the urban level, aiding in tactical threat assessments and response planning.</p> <p>When clicking on the Cities tab at the top left, you see the list of all the Cities you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-city","title":"Visualizing Knowledge associated with a City","text":"<p>When clicking on a <code>City</code> in the list, you land on its Overview tab. For a City, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity of not having a <code>Details</code> section but a map locating the City.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the City. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the City. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted in a City.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-locations/#positions","title":"Positions","text":""},{"location":"usage/exploring-locations/#general-presentation_4","title":"General presentation","text":"<p>Positions represent highly precise geographical points, such as monuments, buildings, or specific event locations. This object type allows you to define exact coordinates, enabling accurate mapping of events or incidents. Positions enhance the granularity of your threat intelligence data, facilitating precise geospatial analysis.</p> <p>When clicking on the Positions tab at the top left, you see the list of all the Positions you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-locations/#visualizing-knowledge-associated-with-a-position","title":"Visualizing Knowledge associated with a Position","text":"<p>When clicking on a <code>Position</code> in the list, you land on its Overview tab. For a Position, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display a map locating the Position.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Position. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Position. As described here.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which an <code>Indicator</code> (IP, domain name, url, etc.) is sighted at a Position.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-observations/","title":"Observations","text":"<p>When you click on \"Observations\" in the left-side bar, you access all the \"Observations\" tabs, visible on the top bar on the left. By default, the user directly access the \"Observables\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Observations</code> section, users can access the following tabs:</p> <ul> <li><code>Observables</code>: An <code>Observable</code> represents an immutable object. Observables can encompass a wide range of entities such as IPv4 addresses, domain names, email addresses, and more.</li> <li><code>Artefacts</code>: In OpenCTI, the <code>Artefacts</code> is a particular Observable. It may contain a file, such as a malware sample.</li> <li><code>Indicators</code>: An <code>Indicator</code> is a detection object. It is defined by a search pattern, which could be expressed in various formats such as STIX, Sigma, YARA, among others.</li> <li><code>Infrastructures</code>: An <code>Infrastructure</code> describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g. C2 servers used as part of an attack, devices or servers that are part of defense, database servers targeted by an attack, etc.).</li> </ul>"},{"location":"usage/exploring-observations/#observables","title":"Observables","text":""},{"location":"usage/exploring-observations/#general-presentation","title":"General presentation","text":"<p>An Observable is a distinct entity from the Indicator within OpenCTI and represents an immutable object. Observables can encompass a wide range of entities such as IPv4 addresses, domain names, email addresses, and more. Importantly, Observables don't inherently imply malicious intent, they can include items like legitimate IP addresses or domains associated with an organization. Additionally, they serve as raw data points without the additional detection context found in Indicators.</p> <p>When clicking on the Observables tab at the top left, you see the list of all the Observables you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-observable","title":"Visualizing Knowledge associated with an Observable","text":"<p>When clicking on an <code>Observable</code> in the list, you land on its Overview tab. For an Observable, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display Indicators composed with the Observable.</li> <li>Knowledge: a tab listing all its relationships and nested objects.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which the <code>Observable</code> (IP, domain name, url, etc.) has been sighted.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-observations/#artefacts","title":"Artefacts","text":""},{"location":"usage/exploring-observations/#general-presentation_1","title":"General presentation","text":"<p>An Artefact is a particular Observable. It may contain a file, such as a malware sample. Files can be uploaded or downloaded in encrypted archives, providing an additional layer of security against potential manipulation of malicious payloads.</p> <p>When clicking on the Artefacts tab at the top left, you see the list of all the Artefacts you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-artefact","title":"Visualizing Knowledge associated with an Artefact","text":"<p>When clicking on an <code>Artefact</code> in the list, you land on its Overview tab. For an Artefact, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to be able to download the attached file.</li> <li>Knowledge: a tab listing all its relationships and nested objects.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which the <code>Artefact</code> has been sighted.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-observations/#indicators","title":"Indicators","text":""},{"location":"usage/exploring-observations/#general-presentation_2","title":"General presentation","text":"<p>An Indicator is a detection object. It is defined by a search pattern, which could be expressed in various formats such as STIX, Sigma, YARA, among others. This pattern serves as a key to identify potential threats within the data. Furthermore, an Indicator includes additional information that enriches its detection context. This information encompasses:</p> <ul> <li>Validity dates: Indicators are accompanied by a time frame, specifying the duration of their relevance, and modeled by the <code>Valid from</code> and <code>Valid until</code> dates.</li> <li>Actionable fields: Linked to the validity dates, the <code>Revoked</code> and <code>Detection</code> fields can be used to sort Indicators for detection purposes.</li> <li>Kill chain phase: They indicate the phase within the cyber kill chain where they are applicable, offering insights into the progression of a potential threat.</li> <li>Types: Indicators are categorized based on their nature, aiding in classification and analysis.</li> </ul> <p>When clicking on the Indicators tab at the top left, you see the list of all the Indicators you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-indicator","title":"Visualizing Knowledge associated with an Indicator","text":"<p>When clicking on an <code>Indicator</code> in the list, you land on its Overview tab. For an Indicator, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display the Observables on which it is based.</li> <li>Knowledge: a tab listing all its relationships.</li> <li>Analyses: as described here.</li> <li>Sightings: a table containing all <code>Sightings</code> relationships corresponding to events in which the <code>Indicator</code> has been sighted.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul> <p></p>"},{"location":"usage/exploring-observations/#infrastructures","title":"Infrastructures","text":""},{"location":"usage/exploring-observations/#general-presentation_3","title":"General presentation","text":"<p>An Infrastructure refers to a set of resources, tools, systems, or services employed by a threat to conduct their activities. It represents the underlying framework or support system that facilitates malicious operations, such as the command and control (C2) servers in an attack. Notably, like Observables, an Infrastructure doesn't inherently imply malicious intent. It can also represent legitimate resources affiliated with an organization (e.g. devices or servers that are part of defense, database servers targeted by an attack, etc.).</p> <p>When clicking on the Infrastructures tab at the top left, you see the list of all the Infrastructures you have access to, in respect with your allowed marking definitions.</p> <p></p>"},{"location":"usage/exploring-observations/#visualizing-knowledge-associated-with-an-infrastructure","title":"Visualizing Knowledge associated with an Infrastructure","text":"<p>When clicking on an <code>Infrastructure</code> in the list, you land on its Overview tab. For an Infrastructure, the following tabs are accessible:</p> <ul> <li>Overview: as described here, with the particularity to display distribution graphs of its related Observable (STIX SCO).</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Infrastructure. Different thematic views are proposed to easily see the threats, the arsenal, the observations, etc. linked to the Infrastructure. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/","title":"Techniques","text":"<p>When you click on \"Techniques\" in the left-side bar, you access all the \"Techniques\" tabs, visible on the top bar on the left. By default, the user directly access the \"Attack pattern\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Techniques</code> section, users can access the following tabs:</p> <ul> <li><code>Attack pattern</code>: attacks pattern used by the threat actors to perform their attacks. By default, OpenCTI is provisionned with attack patterns from MITRE ATT&amp;CK matrices (for CTI) and DISARM matrix (for FIMI).</li> <li><code>Narratives</code>: In OpenCTI, narratives used by threat actors can be represented and linked to other Objects. Narratives are mainly used in the context of disinformation campaigns where it is important to trace which narratives have been and are still used by threat actors.</li> <li><code>Courses of action</code>: A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.</li> <li><code>Data sources</code>: Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, </li> <li><code>Data components</code>: Data components identify specific properties/values of a data source relevant to detecting a given ATT&amp;CK technique or sub-technique.</li> </ul>"},{"location":"usage/exploring-techniques/#attack-pattern","title":"Attack pattern","text":""},{"location":"usage/exploring-techniques/#general-presentation","title":"General presentation","text":"<p>Attacks pattern used by the threat actors to perform their attacks. By default, OpenCTI is provisionned with attack patterns from MITRE ATT&amp;CK matrices and CAPEC (for CTI) and DISARM matrix (for FIMI).</p> <p>In the MITRE STIX 2.1 documentation, an <code>Attack pattern</code> is defined as such :</p> <p>Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is \"spear phishing\": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.</p> <p>When clicking on the Attack pattern tab at the top left, you access the list of all the attack pattern you have access too, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of attack patterns.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-an-attack-pattern","title":"Visualizing Knowledge associated with an Attack pattern","text":"<p>When clicking on an Attack pattern, you land on its Overview tab. For an Attack pattern, the following tabs are accessible:</p> <ul> <li> <p>Overview: Overview of Attack pattern is a bit different as the usual described here. The \"Details\" box is more structured and contains information about:</p> </li> <li> <p>parent or subtechniques (as in the MITRE ATT&amp;CK matrices), </p> </li> <li>related kill chain phases</li> <li>Platform on which the Attack pattern is usable,</li> <li>permission required to apply it</li> <li>Related detection technique</li> <li>Courses of action to mitigate the Attack pattern</li> <li>Data components in which find data to detect the usage of the Attack pattern</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Attack pattern. Different thematic views are proposed to easily see Threat Actors and Intrusion Sets using this techniques, linked incidents, etc.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/#narratives","title":"Narratives","text":""},{"location":"usage/exploring-techniques/#general-presentation_1","title":"General presentation","text":"<p>In OpenCTI, narratives used by threat actors can be represented and linked to other Objects. Narratives are mainly used in the context of disinformation campaigns where it is important to trace which narratives have been and are still used by threat actors.</p> <p>An example of Narrative can be \"The country A is weak and corrupted\" or \"The ongoing operation aims to free people\". </p> <p>Narrative can be a mean in the context of a more broad attack or the goal of the operation, a vision to impose.</p> <p>When clicking on the Narrative tab at the top left, you access the list of all the Narratives you have access too, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of narratives.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-a-narrative","title":"Visualizing Knowledge associated with a Narrative","text":"<p>When clicking on a Narrative, you land on its Overview tab. For a Narrative, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Narratives. Different thematic views are proposed to easily see the Threat actors and Intrusion Set using the Narrative, etc. </li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/#courses-of-action","title":"Courses of action","text":""},{"location":"usage/exploring-techniques/#general-presentation_2","title":"General presentation","text":"<p>In the MITRE STIX 2.1 documentation, an <code>Course of action</code> is defined as such :</p> <p>A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.</p> <p>When clicking on the <code>Courses of action</code> tab at the top left, you access the list of all the Courses of action you have access too, in respect with your allowed marking definitions. You can then search and filter on some common and specific attributes of course of action.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-a-course-of-action","title":"Visualizing Knowledge associated with a Course of action","text":"<p>When clicking on a <code>Course of Action</code>, you land on its Overview tab. For a Course of action, the following tabs are accessible:</p> <ul> <li>Overview: Overview of Course of action is a bit different as the usual described here. In \"Details\" box, mitigated attack pattern are listed.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Narratives. Different thematic views are proposed to easily see the Threat actors and Intrusion Set using the Narrative, etc. </li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-techniques/#data-sources-data-components","title":"Data sources &amp; Data components","text":""},{"location":"usage/exploring-techniques/#general-presentation_3","title":"General presentation","text":"<p>In the MITRE ATT&amp;CK documentation, <code>Data sources</code> are defined as such :</p> <p>Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, which identify specific properties/values of a data source relevant to detecting a given ATT&amp;CK technique or sub-technique.</p>"},{"location":"usage/exploring-techniques/#visualizing-knowledge-associated-with-a-data-source-or-a-data-components","title":"Visualizing Knowledge associated with a Data source or a Data components","text":"<p>When clicking on a <code>Data source</code> or a <code>Data component</code>, you land on its Overview tab. For a Course of action, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-threats/","title":"Threats","text":"<p>When you click on \"Threats\" in the left-side bar, you access all the \"Threats\" tabs, visible on the top bar on the left. By default, the user directly access the \"Threat Actor (Group)\" tab, but can navigate to the other tabs as well.</p> <p>From the <code>Threats</code> section, users can access the following tabs:</p> <ul> <li><code>Threat actors (Group)</code>: Threat actor (Group) represents a physical group of attackers operating an Intrusion set, using malware and attack infrastructure, etc.</li> <li><code>Threat actors (Indvidual)</code>: Threat actor (Individual) represents a real attacker that can be described by physical and personal attributes and motivations. Threat actor (Individual) operates Intrusion set, uses malware and infrastructure, etc.</li> <li><code>Intrusion sets</code>: Intrusion set is an important concept in Cyber Threat Intelligence field. It is a consistent set of technical and non-technical elements corresponding of what, how and why a Threat actor acts. it is particularly useful for associating multiple attacks and malicious actions to a defined Threat, even without sufficient information regarding who did them. Often, with you understanding of the threat growing, you will link an Intrusion set to a Threat actor (either a Group or an Individual).</li> <li><code>Campaigns</code>: Campaign represents a series of attacks taking place in a certain period of time and/or targeting a consistent subset of Organization/Individual.</li> </ul>"},{"location":"usage/exploring-threats/#threat-actors-group-and-individual","title":"Threat actors (Group and Individual)","text":""},{"location":"usage/exploring-threats/#general-presentation","title":"General presentation","text":"<p>Threat actors are the humans who are building, deploying and operating intrusion sets. A threat actor can be an single individual or a group of attackers (who may be composed of individuals). A group of attackers may be a state-nation, a state-sponsored group, a corporation, a group of hacktivists, etc. </p> <p>Beware, groups of attackers might be modelled as \"Intrusion sets\" in feeds, as there is sometimes a misunderstanding in the industry between group of people and the technical/operational intrusion set they operate.</p> <p></p> <p>When clicking on the Threat actor (Group or Individual) tabs at the top left, you see the list of all the groups of Threat actors or Individual Threat actors you have access to, in respect with your allowed marking definitions. These groups or individual are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, malware they used, countries and industries they target, labels. You can then search and filter on some common and specific attributes of Threat actors.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p>"},{"location":"usage/exploring-threats/#demographic-and-biographic-information","title":"Demographic and Biographic Information","text":"<p>Individual Threat actors have unique properties to represent demographic and biographic information. Currently tracked demographics include their countries of residence, citizenships, date of birth, gender, and more.</p> <p></p> <p>Biographic information includes their eye and hair color, as well as known heights and weights.</p> <p></p> <p>An Individual Threat actor can also be tracked as employed by an Organization or a Threat Actor group. This relationship can be set under the knowledge tab.</p>"},{"location":"usage/exploring-threats/#visualizing-knowledge-associated-with-a-threat-actor","title":"Visualizing Knowledge associated with a Threat actor","text":"<p>When clicking on a Threat actor Card, you land on its Overview tab. For a Threat actor, the following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Threat actor. Different thematic views are proposed to easily see the victimology, arsenal and techniques used by the Threat actor, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-threats/#intrusion-sets","title":"Intrusion Sets","text":"<p>An intrusion set is a consistent group of technical elements such as \"tactics, technics and procedures\" (TTP), tools, malware and infrastructure used by a threat actor against one or a number of victims who are usually sharing some characteristics (field of activity, country or region) to reach a similar goal whoever the victim is. The intrusion set may be deployed once or several times and may evolve with time. Several intrusion sets may be linked to one threat actor. All the entities described below may be linked to one intrusion set. There are many debates in the Threat Intelligence community on how to define an intrusion set and how to distinguish several intrusion sets with regards to:</p> <ul> <li>their differences</li> <li>their evolutions</li> <li>the possible reuse</li> <li>\"false flag\" type of attacks</li> </ul> <p>As OpenCTI is very customizable, each organization or individual may use these categories as they wish. Instead, it is also possible to use the import feed for the choice of categories.</p> <p></p> <p>When clicking on the Intrusion set tab on the top left, you see the list of all the Intrusion sets you have access to, in respect with your allowed marking definitions. These intrusion sets are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, malware they used, countries and industries they target, labels. You can then search and filter on some common and specific attributes of Intrusion set.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p>"},{"location":"usage/exploring-threats/#visualizing-knowledge-associated-with-an-intrusion-set","title":"Visualizing Knowledge associated with an Intrusion set","text":"<p>When clicking on an Intrusion set Card, you land on its Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Intrusion Set. Different thematic views are proposed to easily see the victimology, arsenal and techniques used by the Intrusion Set, etc. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/exploring-threats/#campaigns","title":"Campaigns","text":"<p>A campaign can be defined as \"a series of malicious activities or attacks (sometimes called a \"wave of attacks\") taking place within a limited period of time, against a defined group of victims, associated to a similar intrusion set and characterized by the use of one or several identical malware towards the various victims and common TTPs\". However, a campaign is an investigation element and may not be widely recognized. Thus, a provider might define a series of attacks as a campaign and another as an intrusion set. Campaigns can be attributed to an Intrusion set.</p> <p></p> <p>When clicking on the Campaign tab on the top left, you see the list of all the Campaigns you have access to, in respect with your allowed marking definitions. These campaigns are displayed as Cards where you can find a summary of the important Knowledge associated with each of them: description, aliases, malware used, countries and industries they target, labels. You can then search and filter on some common and specific attributes of Campaigns.</p> <p>At the top right of each Card, you can click the star icon to put it as favorite. It will pin the card on top of the list. You will also be able to display all your favorite easily in your Custom Dashboards.</p>"},{"location":"usage/exploring-threats/#visualizing-knowledge-associated-with-a-campaign","title":"Visualizing Knowledge associated with a Campaign","text":"<p>When clicking on an Campaign Card, you land on its Overview tab. The following tabs are accessible:</p> <ul> <li>Overview: as described here.</li> <li>Knowledge: a complex tab that regroups all the structured Knowledge linked to the Campaign. Different thematic views are proposed to easily see the victimology, arsenal and techniques used in the context of the Campaign. As described here.</li> <li>Analyses: as described here.</li> <li>Data: as described here.</li> <li>History: as described here.</li> </ul>"},{"location":"usage/export/","title":"Manual export","text":""},{"location":"usage/export/#introduction","title":"Introduction","text":"<p>With the OpenCTI platform, you can manually export your intelligence content in the following formats:</p> <ul> <li>JSON,</li> <li>CSV,</li> <li>PDF,</li> <li>TXT.</li> </ul> <p></p>"},{"location":"usage/export/#export-in-structured-or-document-format","title":"Export in structured or document format","text":""},{"location":"usage/export/#generate-an-export","title":"Generate an export","text":"<p>To export one or more entities you have two possibilities. First you can click on the button \"Open export panel\". The list of pre-existing exports will open, and in the bottom right-hand corner you can configure and generate a new export.</p> <p></p> <p>This opens the export settings panel, where you can customize your export according to three fields:</p> <ul> <li>desired export format (text/csv, application/pdf, application/vnd.oasis.stix+json, text/plain)</li> <li>export type (simple or full),</li> <li>the max marking definition level of the elements in the entity to be exported (a TLP level, for instance).</li> </ul> <p></p> <p>The second way is to click directly on the \"Generate an Export\" button to export the content of an entity in the desired format. The same settings panel will open.</p> <p></p>"},{"location":"usage/export/#export-possibilities","title":"Export possibilities","text":"<p>All entities in your instance can be exported either directly via Generate Export or indirectly via Export List in .json and .csv formats.</p>"},{"location":"usage/export/#export-a-list-entities","title":"Export a list entities","text":"<p>You have the option to export either a single element, such as a report, or a collection of elements, such as multiple reports. These exports may contain not only the entity itself but also related elements, depending on the type of export you select: \"simple\" or \"full\". See the Export types (simple and full) section.</p> <p>You can also choose to export a list of entities within a container. To do so, go to the container's entities tab. For example, for a report, if you only want to retrieve entity type attack pattern and indicators to design a detection strategy, go to the entities tab and select specific elements for export.</p> <p></p> <p></p>"},{"location":"usage/export/#export-types-simple-and-full","title":"Export types (simple and full)","text":"<p>When you wish to export only the content of a specific entity such as a report, you can choose a \"simple\" export type.</p> <p>If you also wish to export associated content, you can choose a \"full\" export. With this type of export, the entity will be exported along with all entities directly associated with the central one (first neighbors).</p> <p></p>"},{"location":"usage/export/#exports-list-panel","title":"Exports list panel","text":"<p>Once an export has been created, you can find it in the export list panel. Simply click on a particular export to download it.</p> <p>You can also generate a new export directly from the Exports list, as explained in the Generate an export section.</p> <p></p>"},{"location":"usage/feeds/","title":"Native feeds","text":"<p>OpenCTI provides versatile mechanisms for sharing data through its built-in feeds, including Live streams, TAXII collections, and CSV feeds.</p>"},{"location":"usage/feeds/#feed-configuration","title":"Feed configuration","text":"<p>Feeds are configured in the \"Data &gt; Data sharing\" window. Configuration for all feed types is uniform and relies on the following parameters:</p> <ul> <li>Filter setup: The feed can have specific filters to publish only a subset of the platform overall knowledge. Any data that meets the criteria established by the user's feed filters will be shared (e.g. specific types of entities, labels, marking definitions, etc.).</li> <li>Access control: A feed can be either public, i.e. accessible without authentication, or restricted. By default, it's accessible to any user with the \"Access data sharing\" capability, but it's possible to increase restrictions by limiting access to a specific user, group, or organization.</li> </ul> <p></p> <p>By carefully configuring filters and access controls, you can tailor the behavior of Live streams, TAXII collections, and CSV feeds to align with your specific data-sharing needs.</p>"},{"location":"usage/feeds/#live-streams","title":"Live streams","text":""},{"location":"usage/feeds/#introduction","title":"Introduction","text":"<p>Live streams, an exclusive OpenCTI feature, increase the capacity for real-time data sharing by serving STIX 2.1 bundles as TAXII collections with advanced capabilities. What distinguishes them is their dynamic nature, which includes the creation, updating, and deletion of data. Unlike TAXII, Live streams comprehensively resolve relationships and dependencies, ensuring a more nuanced and interconnected exchange of information. This is particularly beneficial in scenarios where sharing involves entities with complex relationships, providing a richer context for the shared data.</p> <p>In scenarios involving data sharing between two OpenCTI platforms, Live streams emerge as the preferred mechanism. These streams operate like TAXII collections but are notably enhanced, supporting:</p> <ul> <li>create, update and delete events depending on the parameters,</li> <li>caching already created entities in the last 5 minutes,</li> <li>resolving relationships and dependencies even out of the filters,</li> <li>can be public (without authentication).</li> </ul> <p></p> <p>Resolve relationships and dependencies</p> <p>Dependencies and relationships of entities shared via Live streams, as determined by specified filters, are automatically shared even beyond the confines of these filters. This means that interconnected data, which may not directly meet the filter criteria, is still included in the Live stream. However, OpenCTI data segregation mechanisms are still applied. They allow to restrict access to shared data based on factors such as markings or organization. It's imperative to carefully configure and manage these access controls to ensure that no confidential data is shared.</p>"},{"location":"usage/feeds/#illustrative-scenario","title":"Illustrative scenario","text":"<p>To better understand how live streams are working, let's take a few examples, from simple to complex.</p> <p>Given a live stream with filters Entity type: Indicator <code>AND</code> Label: detection. Let's see what happens with an indicator with:</p> <ul> <li>Marking definition: <code>TLP:GREEN</code></li> <li>Author <code>Crowdstrike</code></li> <li>Relation <code>indicates</code> to the malware <code>Emotet</code></li> </ul> Action Result in stream (with <code>Avoid dependencies resolution=true</code>) Result in stream (with <code>Avoid dependencies resolution=false</code>) 1. Create an indicator Nothing Nothing 2. Add the label <code>detection</code> Create <code>TLP:GREEN</code>, create <code>CrowdStrike</code>, create the indicator Create <code>TLP:GREEN</code>, create <code>CrowdStrike</code>, create the malware <code>Emotet</code>, create the indicator, create the relationship <code>indicates</code> 3. Remove the label <code>detection</code> Delete the indicator Delete the indicator and the relationship 4. Add the label <code>detection</code> Create the indicator Create the indicator, create the relationship <code>indicates</code> 5. Delete the indicator Delete the indicator Delete the indicator  and the relationship <p>Details on how to consume these Live streams can be found on the dedicated page.</p>"},{"location":"usage/feeds/#taxii-collections","title":"TAXII Collections","text":"<p>OpenCTI has an embedded TAXII API endpoint which provides valid STIX 2.1 bundles. If you wish to know more about the TAXII standard, please read the official introduction.</p> <p>In OpenCTI you can create as many TAXII 2.1 collections as needed. </p> <p></p> <p>After creating a new collection, every system with a proper access token can consume the collection using different kinds of authentication (basic, bearer, etc.). </p> <p>As when using the GraphQL API, TAXII 2.1 collections have a classic pagination system that should be handled by the consumer. Also, it's important to understand that element dependencies (nested IDs) inside the collection are not always contained/resolved in the bundle, so consistency needs to be handled at the client level.</p>"},{"location":"usage/feeds/#csv-feeds","title":"CSV feeds","text":"<p>The CSV feed facilitates the automatic generation of a CSV file, accessible via a URL. The CSV file is regenerated and updated at user-defined intervals, providing flexibility.</p> <p></p>"},{"location":"usage/getting-started/","title":"Getting started","text":"<p>This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threats management use cases from a technical to a more strategic level. OpenCTI has been designed as a knowledge graph, taking inputs (threat intelligence feeds, sightings &amp; alerts, vulnerabilities, assets, artifacts, etc.) and generating outputs based on built-in capabilities and / or connectors.</p> <p>Here are some examples of use cases:</p> <ul> <li>Cyber Threat Intelligence knowledge base</li> <li>Detection as code feeds for XDR, EDR, SIEMs, firewalls, proxies, etc.</li> <li>Incident response artifacts &amp; cases management</li> <li>Vulnerabilities management</li> <li>Reporting, alerting and dashboarding on a subset of data</li> </ul> <p></p> <p></p>"},{"location":"usage/getting-started/#welcome-dashboard","title":"Welcome dashboard","text":"<p>The welcome gives any visitor on the OpenCTI platform an outlook on the live of the platform. It can be replaced by a custom dashboard, created by a user (or the default dashboard in a role, a group or an organization).</p> <p></p>"},{"location":"usage/getting-started/#indicators-in-the-dashboard","title":"Indicators in the dashboard","text":""},{"location":"usage/getting-started/#numbers","title":"Numbers","text":"Component Description Total entities Number of entities (<code>threat actor</code>, <code>intrusion set</code>, <code>indicator</code>, etc.). Total relationships Number of relationships (<code>targets</code>, <code>uses</code>, <code>indicates</code>, etc.). Total reports Number of reports. Total observables Number of observables (<code>IPv4-Addr</code>, <code>File</code>, etc.)."},{"location":"usage/getting-started/#charts-lists","title":"Charts &amp; lists","text":"Component Description Top labels Top labels given to entities during the last 3 months. Ingested entities Number of entities ingested by month. Top 10 active entities List of the entities with the greatest number of relations over the last 3 months. Targeted countries Intensity of the targeting tied to the number of relations <code>targets</code> for a given country. Observable distribution Distribution of the number of observables by type. Last ingested reports Last reports ingested in the platform."},{"location":"usage/import-automated/","title":"Automated import","text":"<p>Automated imports in OpenCTI streamline the process of data ingestion, allowing users to effortlessly bring in valuable intelligence from diverse sources. This page focuses on the automated methods of importing data, which serve as bridges between OpenCTI and diverse external systems, formatting it into a STIX bundle, and importing it into the OpenCTI platform.</p>"},{"location":"usage/import-automated/#connectors","title":"Connectors","text":"<p>Connectors in OpenCTI serve as dynamic gateways, facilitating the import of data from a wide array of sources and systems. Every connector is designed to handle specific data types and structures of the source, allowing OpenCTI to efficiently ingest the data.</p>"},{"location":"usage/import-automated/#connector-behaviors","title":"Connector behaviors","text":"<p>The behavior of each connector is defined by its development, determining the types of data it imports and its configuration options. This flexibility allows users to customize the import process to their specific needs, ensuring a seamless and personalized data integration experience.</p> <p>The level of configuration granularity regarding the imported data type varies with each connector. Nevertheless, connectors empower users to specify the date from which they wish to fetch data. This capability is particularly useful during the initial activation of a connector, enabling the retrieval of historical data. Following this, the connector operates in real-time, continuously importing new data from the source.</p>"},{"location":"usage/import-automated/#connector-ecosystem","title":"Connector Ecosystem","text":"<p>OpenCTI's connector ecosystem covers a broad spectrum of sources, enhancing the platform's capability to integrate data from various contexts, from threat intelligence providers to specialized databases. The list of available connectors can be found in our connectors catalog. Connectors are categorized into three types: import connectors (the focus here), enrichment connectors, and stream consumers. Further documentation on connectors is available on the dedicated documentation page.</p> <p>In summary, automated imports through connectors empower OpenCTI users with a scalable, efficient, and customizable mechanism for data ingestion, ensuring that the platform remains enriched with the latest and most relevant intelligence.</p>"},{"location":"usage/import-automated/#native-automated-import","title":"Native automated import","text":"<p>In OpenCTI, the \"Data &gt; Ingestion\" section provides users with built-in functions for automated data import. These functions are designed for specific purposes and can be configured to seamlessly ingest data into the platform. Here, we'll explore the configuration process for the three built-in functions: Live Streams, TAXII Feeds, and RSS Feeds.</p>"},{"location":"usage/import-automated/#live-streams","title":"Live streams","text":"<p>Live Streams enable users to consume data from another OpenCTI platform, fostering collaborative intelligence sharing. Here's a step-by-step guide to configure Live streams synchroniser:</p> <ol> <li>Remote OpenCTI URL: Provide the URL of the remote OpenCTI platform (e.g., <code>https://[domain]</code>; don't include the path).</li> <li>Remote OpenCTI token: Provide the user token. An administrator from the remote platform must supply this token, and the associated user must have the \"Access data sharing\" privilege.</li> <li>After filling in the URL and user token, validate the configuration.</li> <li>Once validated, select a live stream to which you have access.</li> </ol> <p></p> <p>Additional configuration options:</p> <ul> <li>User responsible for data creation: Define the user responsible for creating data received from this stream. Best practice is to dedicate one user per source for organizational clarity. Please see the section \"Best practices\" below for more information.</li> <li>Starting synchronization: Specify the date of the oldest data to retrieve. Leave the field empty to import everything.</li> <li>Take deletions into account: Enable this option to delete data from your platform if it was deleted on the providing stream. (Note: Data won't be deleted if another source has imported it previously.)</li> <li>Verify SSL certificate: Check the validity of the certificate of the domain hosting the remote platform.</li> <li>Avoid dependencies resolution: Import only entities without their relationships. For instance, if the stream shares malware, all the malware's relationships will be retrieved by default. This option enables you to choose not to recover them.</li> <li>Use perfect synchronization: This option is specifically for synchronizing two platforms. If an imported entity already exists on the platform, the one from the stream will overwrite it.</li> </ul> <p></p>"},{"location":"usage/import-automated/#taxii-feeds","title":"TAXII feeds","text":"<p>TAXII Feeds in OpenCTI provide a robust mechanism for ingesting TAXII collections from TAXII servers or other OpenCTI instances. Configuring TAXII ingester involves specifying essential details to seamlessly integrate threat intelligence data. Here's a step-by-step guide to configure TAXII ingesters:</p> <ol> <li>TAXII server URL: Provide the root API URL of the TAXII server. For collections from another OpenCTI instance, the URL is in the form <code>https://[domain]/taxii2/root</code>.</li> <li>TAXII collection: Enter the ID of the TAXII collection to be ingested. For collections from another OpenCTI instance, the ID follows the format <code>426e3acb-db50-4118-be7e-648fab67c16c</code>.</li> <li>Authentication type (if necessary): Enter the authentication type. For non-public collections from another OpenCTI instance, the authentication type is \"Bearer token.\" Enter the token of a user with access to the collection (similar to the point 2 of the Live streams configuration above).</li> </ol> <p>Additional configuration options:</p> <ul> <li>User responsible for data creation: Define the user responsible for creating data received from this TAXII feed. Best practice is to dedicate one user per source for organizational clarity. Please see the section \"Best practices\" below for more information.</li> <li>Import from date: Specify the date of the oldest data to retrieve. Leave the field empty to import everything.</li> </ul> <p></p>"},{"location":"usage/import-automated/#rss-feeds","title":"RSS feeds","text":"<p>RSS Feeds functionality enables users to seamlessly ingest items in report form from specified RSS feeds. Configuring RSS Feeds involves providing essential details and selecting preferences to tailor the import process. Here's a step-by-step guide to configure RSS ingesters:</p> <ol> <li>RSS Feed URL: Provide the URL of the RSS feed from which items will be imported.</li> </ol> <p>Additional configuration options:</p> <ul> <li>User responsible for data creation: Define the user responsible for creating data received from this RSS feed. Best practice is to dedicate one user per source for organizational clarity. Please see the section \"Best practices\" below for more information.</li> <li>Import from date: Specify the date of the oldest data to retrieve. Leave the field empty to import everything.</li> <li>Default report types: Indicate the report type to be applied to the imported report.</li> <li>Default author: Indicate the default author to be applied to the imported report. Please see the section \"Best practices\" below for more information.</li> <li>Default marking definitions: Indicate the default markings to be applied to the imported reports.</li> </ul> <p></p> <p></p>"},{"location":"usage/import-automated/#best-practices-for-feed-import","title":"Best practices for feed import","text":"<p>Ensuring a secure and well-organized environment is paramount in OpenCTI. Here are two recommended best practices to enhance security, traceability, and overall organizational clarity:</p> <ol> <li>Create a dedicated user for each source: Generate a user specifically for feed import, following the convention <code>[F] Source name</code> for clear identification. Assign the user to the \"Connectors\" group to streamline user management and permission related to data creation. Please see here for more information on this good practice.</li> <li>Establish a dedicated Organization for the source: Create an organization named after the data source for clear identification. Assign the newly created organization to the \"Default author\" field in feed import configuration if available.</li> </ol> <p>By adhering to these best practices, you ensure independence in managing rights for each import source through dedicated user and organization structures. In addition, you enable clear traceability to the entity's creator, facilitating source evaluation, dashboard creation, data filtering and other administrative tasks.</p>"},{"location":"usage/import-automated/#digest","title":"Digest","text":"<p>Users can streamline the data ingestion process using various automated import capabilities. Each method proves beneficial in specific circumstances.</p> <ul> <li>Connectors act as bridges to retrieve data from diverse sources and format it for seamless ingestion into OpenCTI.</li> <li>Live Streams enable collaborative intelligence sharing across OpenCTI instances, fostering real-time updates and efficient data synchronization.</li> <li>TAXII Feeds provide a standardized mechanism for ingesting threat intelligence data from TAXII servers or other OpenCTI instances.</li> <li>RSS Feeds facilitate the import of items in report form from specified RSS feeds, offering a straightforward way to stay updated on relevant intelligence.</li> </ul> <p>By leveraging these automated import functionalities, OpenCTI users can build a comprehensive, up-to-date threat intelligence database. The platform's adaptability and user-friendly configuration options ensure that intelligence workflows remain agile, scalable, and tailored to the unique needs of each organization.</p>"},{"location":"usage/import-files/","title":"Import from files","text":""},{"location":"usage/import-files/#import-mechanisms","title":"Import mechanisms","text":"<p>The platform provides a seamless process for automatically parsing data from various file formats. This capability is facilitated by two distinct mechanisms.</p> <p>File import connectors: Currently, there are two connectors designed for importing files and automatically identifying entities.</p> <ul> <li><code>ImportFileStix</code>: Designed to handle STIX-structured files (json or xml format).</li> <li><code>ImportDocument</code>: Versatile connector supporting an array of file formats, including pdf, text, html, and markdown.</li> </ul> <p>CSV mappers: The CSV mapper is a tailored functionality to facilitate the import of data stored in CSV files. For more in-depth information on using CSV mappers, refer to the CSV Mappers documentation page.</p> <p></p>"},{"location":"usage/import-files/#usage","title":"Usage","text":""},{"location":"usage/import-files/#locations","title":"Locations","text":"<p>Both mechanisms can be employed wherever file uploads are possible. This includes the \"Data\" tabs of all entities and the dedicated panel named \"Data import and analyst workbenches\" located in the top right-hand corner (database logo with a small gear). Importing files from these two locations is not entirely equal; refer to the \"Relationship handling from entity's Data tab\" section below for details on this matter.</p>"},{"location":"usage/import-files/#entity-identification-process","title":"Entity identification process","text":"<p>For <code>ImportDocument</code> connector, the identification process involves searching for existing entities in the platform and scanning the document for relevant information. In additions, the connector use regular expressions (regex) to detect IP addresses and domains within the document.</p> <p>As for the <code>ImportFileStix</code> connector and the CSV mappers, there is no identification mechanism. The imported data will be, respectively, the data defined in the STIX bundle or according to the configuration of the CSV mapper used.</p>"},{"location":"usage/import-files/#workflow-overview","title":"Workflow overview","text":"<ol> <li>Upload file: Navigate to the desired location, such as the \"Data\" tabs of an entity or the \"Data import and analyst workbenches\" panel. Then, upload the file containing the relevant data by clicking on the small cloud with the arrow inside next to \"Uploaded files\".</li> <li>Entity identification: For a CSV file, select the connector and CSV mapper to be used by clicking on the icon with an upward arrow in a circle. If it's not a CSV file, the connector will launch automatically. Then, the file import connectors or CSV mappers will identify entities within the uploaded document.</li> <li>Workbench review and validation: Entities identified by connectors are not immediately integrated into the platform's knowledge base. Instead, they are thoughtfully placed in a workbench, awaiting review and validation by an analyst. Workbenches function as draft spaces, ensuring that no data is officially entered into the platform until the workbench has undergone the necessary validation process. For more information on workbenches, refer to the Analyst workbench documentation page.</li> </ol> <p>Review workbenches</p> <p>Import connectors may introduce errors in identifying object types or add \"unknown\" entities. Workbenches were established with the intent of reviewing the output of connectors before validation. Therefore, it is crucial to be vigilant when examining the workbench to prevent the import of incorrect data into the platform.</p> <p></p>"},{"location":"usage/import-files/#additional-information","title":"Additional information","text":""},{"location":"usage/import-files/#no-workbench-for-csv-mapper","title":"No workbench for CSV mapper","text":"<p>It's essential to note that CSV mappers operate differently from other import mechanisms. Unlike connectors, CSV mappers do not generate workbenches. Instead, the data identified by CSV mappers is imported directly into the platform without an intermediary workbench stage.</p>"},{"location":"usage/import-files/#relationship-handling-from-entitys-data-tab","title":"Relationship handling from entity's \"Data\" tab","text":"<p>When importing a document directly from an entity's \"Data\" tab, there can be an automatic addition of relationships between the objects identified by connectors and the entity in focus. The process differs depending on the type of entity in which the import occurs:</p> <ul> <li>If the entity is a container (e.g., Report, Grouping, and Cases), the identified objects in the imported file will be linked to the entity (upon workbench validation). In the context of a container, the object is said to be \"contained\".</li> <li>For entities that are not containers, a distinct behavior unfolds. In this scenario, the identified objects are not linked to the entity, except for Observables. <code>Related to</code> relationships between the Observables and the entity are automatically added to the workbench and created after validation of this one.</li> </ul>"},{"location":"usage/import-files/#file-import-in-content-tab","title":"File import in Content tab","text":"<p>Expanding the scope of file imports, users can seamlessly add files in the <code>Content</code> tab of Analyses or Cases. In this scenario, the file is directly added as an attachment without utilizing an import mechanism.</p>"},{"location":"usage/import-files/#user-capability-requirement","title":"User capability requirement","text":"<p>In order to initiate file imports, users must possess the requisite capability: \"Upload knowledge files.\" This capability ensures that only authorized users can contribute and manage knowledge files within the OpenCTI platform, maintaining a controlled and secure environment for data uploads.</p> <p>Deprecation warning</p> <p>Using the <code>ImportDocument</code> connector to parse CSV file is now disallowed as it produces inconsistent results. Please configure and use CSV mappers dedicated to your specific CSV content for a reliable parsing. CSV mappers can be created and configured in the administration interface.   </p>"},{"location":"usage/indicators-lifecycle/","title":"Indicators Lifecycle Management","text":""},{"location":"usage/indicators-lifecycle/#introduction","title":"Introduction","text":"<p>OpenCTI enforces strict rules to determine the period during which an indicator is effective for usage. This period is defined by the <code>valid_from</code> and <code>valid_until</code> dates. All along its lifecycle, the indicator <code>score</code> will decrease according to configured decay rules. After the indicator expires, the object is marked as <code>revoked</code> and the <code>detection</code> field is automatically set to <code>false</code>. Here, we outline how these dates are calculated within the OpenCTI platform and how the score is updated with decay rules.</p>"},{"location":"usage/indicators-lifecycle/#setting-validity-dates","title":"Setting validity dates","text":""},{"location":"usage/indicators-lifecycle/#data-source-provided-the-dates","title":"Data source provided the dates","text":"<p>If a data source provides <code>valid_from</code> and <code>valid_until</code> dates when creating an indicator on the platform, these dates are used without modification. But, if the creation is performed from the UI and the indicator is elligible to be manages by a decay rule, the platform will change this valid_until with the one calculated by the Decay rule.</p>"},{"location":"usage/indicators-lifecycle/#fallback-rules-for-unspecified-dates","title":"Fallback rules for unspecified dates","text":"<p>If a data source does not provide validity dates, OpenCTI applies the decay rule matching the indicator to determine these dates. The <code>valid_until</code> date is computed based on the revoke score of the decay rule : it is set at the exact time at which the indicator will reach the revoke score. Past <code>valid_until</code> date, the indicator is marked as revoked.</p>"},{"location":"usage/indicators-lifecycle/#score-decay","title":"Score decay","text":"<p>Indicators have an initial score at creation, either provided by data source, or 50 by default. Over time, this score is going to decrease according to the configured decay rules. Score is updated at each reaction point defined for the decay rule matching the indicator at creation.</p>"},{"location":"usage/indicators-lifecycle/#example","title":"Example","text":"<p>This URL indicator has matched the <code>Built-in IP and URL</code> decay rule. Its initial score at creation is 100. </p> <p></p> <p>Right next to the indicator score, there is a button <code>Lifecycle</code> which enables to open a dialog to see the details of the indicator's lifecyle.</p> <p></p>"},{"location":"usage/indicators-lifecycle/#conclusion","title":"Conclusion","text":"<p>Understanding how OpenCTI calculates validity periods and scores is essential for effective threat intelligence analysis. These rules ensure that your indicators are accurate and up-to-date, providing a reliable foundation for threat intelligence data.</p>"},{"location":"usage/inferences/","title":"Inferences and reasoning","text":""},{"location":"usage/inferences/#overview","title":"Overview","text":"<p>OpenCTI\u2019s inferences and reasoning capability is a robust engine that automates the process of relationship creation within your threat intelligence data. This capability, situated at the core of OpenCTI, allows logical rules to be applied to existing relationships, resulting in the automatic generation of new, pertinent connections.</p>"},{"location":"usage/inferences/#understanding-inferences-and-reasoning","title":"Understanding inferences and reasoning","text":"<p>Inferences and reasoning serve as OpenCTI\u2019s intelligent engine. It interprets your data logically. By activating specific predefined rules (of which there are around twenty), OpenCTI can deduce new relationships from the existing ones. For instance, if there's a connection indicating an Intrusion Set targets a specific country, and another relationship stating that this country is part of a larger region, OpenCTI can automatically infer that the Intrusion Set also targets the broader region.</p>"},{"location":"usage/inferences/#key-benefits","title":"Key benefits","text":"<ul> <li>Efficiency: Reduces manual workload by automating relationship creation, saving valuable analyst time.</li> <li>Completeness: Fills relationship gaps, ensuring a comprehensive and interconnected threat intelligence database.</li> <li>Accuracy: Minimizes manual input errors by deriving relationships from predefined, accurate logic.</li> </ul>"},{"location":"usage/inferences/#how-it-operates","title":"How it operates","text":"<p>When you activate an inference rule, OpenCTI continuously analyzes your existing relationships and applies the defined logical rules. These rules are logical statements that define conditions for new relationships. When the set of conditions is met, the OpenCTI creates the corresponding relationship automatically.</p> <p>For example, if you activate a rule as follows:</p> <p>IF [Entity A targets Identity B] AND [Identity B is part of Identity C] THEN [Entity A targets Identity C]</p> <p>OpenCTI will apply this rule to existing data. If it finds an Intrusion Set (\"Entity A\") targeting a specific country (\"Identity B\") and that country is part of a larger region (\"Identity C\"), the platform will automatically establish a relationship between the Intrusion Set and the region.</p>"},{"location":"usage/inferences/#identifying-inferred-relationships","title":"Identifying inferred relationships","text":"<p>In the knowledge graphs: Inferred relationships are represented by dotted lines of a different color, distinguishing them from non-inferred relations.</p> <p></p> <p>In the lists: In a relationship list, a magic wand icon at the end of the line indicates relationship created by inference.</p> <p></p>"},{"location":"usage/inferences/#additional-resources","title":"Additional resources","text":"<ul> <li>Administration: To find out about existing inference rules and enable/disable them, refer to the Rules engine page in the Administration section of the documentation.</li> <li>Playbooks: OpenCTI playbooks are highly customizable automation scenarios. This seamless integration allows for further automation, making your threat intelligence processes even more efficient and tailored to your specific needs. More information in our blog post</li> </ul>"},{"location":"usage/manual-creation/","title":"Manual creations","text":"<p>Manual data creation in OpenCTI is an intuitive process that occurs throughout the platform. This page provides guidance on two key aspects of manual creation: Entity creation and Relationship creation.</p>"},{"location":"usage/manual-creation/#entity-creation","title":"Entity creation","text":"<p>To create an entity:</p> <ol> <li>Navigate to the relevant section: Be on the section of the platform related to the object type you want to create.</li> <li>Click on the \"+\" icon: Locate the \"+\" icon located at the bottom right of the window. </li> <li>Fill in entity-specific fields: A form on the right side of the window will appear, allowing to fill in specific fields of the entity. Certain fields are inherently obligatory, and administrators have the option to designate additional mandatory fields (See here for more information). </li> <li>Click on \"Create\": Once you've filled in the desired fields, click on \"create\" to initiate the entity creation process.</li> </ol> <p></p>"},{"location":"usage/manual-creation/#relationship-creation","title":"Relationship creation","text":"<p>Before delving into the creation of relationships between objects in OpenCTI, it's crucial to grasp some foundational concepts. Here are key points to understand:</p> <ul> <li>On several aspects, including relationships, two categories of objects must be differentiated: containers (e.g., Reports, Groupings, and Cases) and others. Containers aren't related to but contains objects.</li> <li>Relationships, like all other entities, are objects. They possess fields, can be linked, and share characteristics identical to other entities.</li> <li>Relationships are inherently directional, comprising a \"from\" entity and a \"to\" entity. Understanding this directionality is essential for accurate relationship creation.</li> <li>OpenCTI supports various relationship types, and their usage depends on the entity types being linked. For example, a \"target\" relationship might link malware to an organization, while linking malware to an intrusion set might involve a different relationship type.</li> </ul> <p>Now, let\u2019s explore the process of creating relationships. To do this, we will differentiate the case of containers from the others. </p>"},{"location":"usage/manual-creation/#for-container","title":"For container","text":"<p>When it comes to creating relationships within containers in OpenCTI, the process is straightforward. Follow these steps to attach objects to a container:</p> <ol> <li>Navigate to the container: Go to the specific container to which you want to attach an object. This could be a Report, Grouping, or Cases.</li> <li>Access the \"Entities\" tab: Within the container, locate and access the \"Entities\" tab.</li> <li>Click on the \"+\" icon: Find the \"+\" icon located at the bottom right of the window. </li> <li>Search for entities: A side window will appear. Search for the entities you want to add to the container. </li> <li>Add entities to the container: Click on the desired entities. They will be added directly to the container.</li> </ol>"},{"location":"usage/manual-creation/#for-other","title":"For other","text":"<p>When creating relationships not involving a container, the creation method is distinct. Follow these steps to create relationships between entities:</p> <ol> <li>Navigate to one of the entities: Go to one of the entities you wish to link. Please be aware that the entity from which you create the relationship will be designated as the \"from\" entity for that relationship. So the decision of which entity to choose for creating the relationship should be considered, as it will impact the outcome. </li> <li>Access the \"Knowledge\" tab: Within the entity, go to the \"Knowledge\" tab.</li> <li>Select the relevant categories: In the right banner, navigate to the categories that correspond to the object to be linked. The available categories depend on the type of entity you are currently on. For example, if you are on malware and want to link to a sector, choose \"victimology.\"</li> <li>Click on the \"+\" icon: Find the \"+\" icon located at the bottom right of the window. </li> <li>Search for entities: A side window will appear. Search for the entities you want to link.</li> <li>Add entities and click on \"Continue\": Click on the entities you wish to link. Multiple entities can be selected. Then click on \"Continue\" at the bottom right. </li> <li>Fill in the relationship form: As relationships are objects, a creation form similar to creating an entity will appear. </li> <li>Click on \"Create\": Once you've filled in the desired fields, click on \"create\" to initiate the relationship creation process.</li> </ol> <p></p>"},{"location":"usage/manual-creation/#additional-methods","title":"Additional methods","text":"<p>While the aforementioned methods are primary for creating entities and relationships, OpenCTI offers versatility, allowing users to create objects in various locations within the platform. Here's a non-exhaustive list of additional places that facilitate on-the-fly creation:</p> <ul> <li>Creating entities during relationship creation: During the \"Search for entities\" phase (see above) of the relationship creation process, click on the \"+\" icon to create a new entity directly.</li> <li>Knowledge graph: Within the knowledge graph - found in the knowledge tab of the containers or in the investigation functionality - users can seamlessly create entities or relationships.</li> <li>Inside a workbench: The workbench serves as another interactive space where users can create entities and relationships efficiently.</li> </ul> <p>These supplementary methods offer users flexibility and convenience, allowing them to adapt their workflow to various contexts within the OpenCTI platform. As users explore the platform, they will naturally discover additional means of creating entities and relationships.</p> <p>Max confidence level</p> <p>When creating knowledge in the platform, the maximum confidence level of the users is used. Please navigate to this page to understand this concept and the impact it can have on the knowledge creation.</p>"},{"location":"usage/merging/","title":"Merge objects","text":""},{"location":"usage/merging/#introduction","title":"Introduction","text":"<p>OpenCTI\u2019s merge capability stands as a pivotal tool for optimizing threat intelligence data, allowing to consolidate multiple entities of the same type. This mechanism serves as a powerful cleanup tool, harmonizing the platform and unifying scattered information. In this section, we explore the significance of this feature, the process of merging entities, and the strategic considerations involved.</p>"},{"location":"usage/merging/#data-streamlining","title":"Data streamlining","text":"<p>In the ever-expanding landscape of threat intelligence and the multitude of names chosen by different data sources, data cleanliness is essential. Duplicates and fragmented information hinder efficient analysis. The merge capability is a strategic solution for amalgamating related entities into a cohesive unit. Central to the merging process is the selection of a main entity. This primary entity becomes the anchor, retaining crucial attributes such as name and description. Other entities, while losing specific fields like descriptions, are aliased under the primary entity. This strategic decision preserves vital data while eliminating redundancy.</p>"},{"location":"usage/merging/#preserving-entity-relationships","title":"Preserving entity relationships","text":"<p>One of the key feature of the merge capability is its ability to preserve relationships. While merging entities, their interconnected relationships are not lost. Instead, they seamlessly integrate into the new, merged entity. This ensures that the intricate web of relationships within the data remains intact, fostering a comprehensive understanding of the threat landscape.</p>"},{"location":"usage/merging/#conclusion","title":"Conclusion","text":"<p>OpenCTI\u2019s merge capability helps improve the quality of threat intelligence data. By consolidating entities and centralizing relationships, OpenCTI empowers analysts to focus on insights and strategies, unburdened by data silos or fragmentation. However, exercising caution and foresight in the merging process is essential, ensuring a robust and streamlined knowledge basis.</p>"},{"location":"usage/merging/#additional-resources","title":"Additional resources","text":"<ul> <li>Administration: To understand how to merge entities and the consideration to take into account, refer to the Merging page in the Administration section of the documentation.</li> <li>Deduplication mechanism: the platform is equipped with deduplication processes that automatically merge data at creation (either manually or by importing data from different sources) if it meets certain conditions.</li> </ul>"},{"location":"usage/nested/","title":"Nested references and objects","text":""},{"location":"usage/nested/#stix-standard","title":"STIX standard","text":""},{"location":"usage/nested/#definition","title":"Definition","text":"<p>In the STIX 2.1 standard, objects can:</p> <ol> <li>Refer to other objects in directly in their <code>attributes</code>, by referencing one or multiple IDs.</li> <li>Have other objects directly embedded in the entity.</li> </ol>"},{"location":"usage/nested/#example","title":"Example","text":"<pre><code>{\n   \"type\": \"intrusion-set\",\n   \"spec_version\": \"2.1\",\n   \"id\": \"intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29\",\n   \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\", // nested reference to an identity\n   \"object_marking_refs\": [\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"], // nested reference to multiple marking defintions\n   \"external_references\": [\n      {\n         \"source_name\": \"veris\",\n         \"external_id\": \"0001AA7F-C601-424A-B2B8-BE6C9F5164E7\",\n         \"url\": \"https://github.com/vz-risk/VCDB/blob/125307638178efddd3ecfe2c267ea434667a4eea/data/json/validated/0001AA7F-C601-424A-B2B8-BE6C9F5164E7.json\",    \n      }\n   ],\n   \"created\": \"2016-04-06T20:03:48.000Z\",\n   \"modified\": \"2016-04-06T20:03:48.000Z\",\n   \"name\": \"Bobcat Breakin\",\n   \"description\": \"Incidents usually feature a shared TTP of a bobcat being released within the building containing network access...\",\n   \"aliases\": [\"Zookeeper\"],\n   \"goals\": [\"acquisition-theft\", \"harassment\", \"damage\"]\n}\n</code></pre> <p>In the previous example, we have 2 nested references to other objects in:</p> <pre><code>\"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\", // nested reference to an identity\n\"object_marking_refs\": [\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"], // nested reference to multiple marking defintions\n</code></pre> <p>But we also have a nested object within the entity (an <code>External Reference</code>):</p> <pre><code>\"external_references\": [\n   {\n      \"source_name\": \"veris\",\n      \"external_id\": \"0001AA7F-C601-424A-B2B8-BE6C9F5164E7\",\n      \"url\": \"https://github.com/vz-risk/VCDB/blob/125307638178efddd3ecfe2c267ea434667a4eea/data/json/validated/0001AA7F-C601-424A-B2B8-BE6C9F5164E7.json\",    \n   }\n]\n</code></pre>"},{"location":"usage/nested/#implementation","title":"Implementation","text":""},{"location":"usage/nested/#modelization","title":"Modelization","text":"<p>In OpenCTI, all nested references and objects are modelized as relationships, to be able to pivot more easily on labels, external references, kill chain phases, marking definitions, etc.</p> <p></p>"},{"location":"usage/nested/#import-export","title":"Import &amp; export","text":"<p>When importing and exporting data to/from OpenCTI, the translation between nested references and objects to full-fledged nodes and edges is automated and therefore transparent for the users. Here is an example with the object in the graph above:</p> <pre><code>{\n   \"id\": \"file--b6be3f04-e50f-5220-af3a-86c2ca66b719\",\n   \"spec_version\": \"2.1\",\n   \"x_opencti_description\": \"...\",\n   \"x_opencti_score\": 50,\n   \"hashes\": {\n       \"MD5\": \"b502233b34256285140676109dcadde7\"\n   },\n   \"labels\": [\n       \"cookiecutter\",\n       \"clouddata-networks-1\"\n   ],\n   \"external_references\": [\n       {\n           \"source_name\": \"Sekoia.io\",\n           \"url\": \"https://app.sekoia.io/intelligence/objects/indicator--3e6d61b4-d5f0-48e0-b934-fdbe0d87ab0c\"\n       }\n   ],\n   \"x_opencti_id\": \"8a3d108f-908c-4833-8ff4-4d6fc996ce39\",\n   \"type\": \"file\",\n   \"created_by_ref\": \"identity--b5b8f9fc-d8bf-5f85-974e-66a7d6f8d4cb\",\n   \"object_marking_refs\": [\n       \"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9\"\n   ]\n}\n</code></pre>"},{"location":"usage/notifications/","title":"Notifications and alerting","text":"<p>In the evolving landscape of cybersecurity, timely awareness is crucial. OpenCTI empowers users to stay informed and act swiftly through its robust notifications and alerting system. This feature allows users to create personalized triggers that actively monitor the platform for specific events and notify them promptly when these conditions are met.</p> <p>From individual users tailoring their alert preferences to administrators orchestrating collaborative triggers for Groups or Organizations, OpenCTI's notification system is a versatile tool for keeping cybersecurity stakeholders in the loop.</p> <p>The main menu \"Notifications and triggers\" for creating and managing notifications is located in the top right-hand corner with the bell icon.</p> <p> </p>"},{"location":"usage/notifications/#triggers","title":"Triggers","text":"<p>In OpenCTI, triggers serve as personalized mechanisms for users to stay informed about specific events that align with their cybersecurity priorities. Users can create and manage triggers to tailor their notification experience. Each trigger operates by actively listening to events based on predefined filters and event types, promptly notifying users via chosen notifiers when conditions are met.</p> <p></p>"},{"location":"usage/notifications/#trigger-management","title":"Trigger management","text":"<p>Individual user triggers: Each user possesses the autonomy to craft their own triggers, finely tuned to their unique preferences and responsibilities. By setting up personalized filters and selecting preferred notifiers, users ensure that they receive timely and relevant notifications aligned with their specific focus areas.</p> <p>Administrative control: Platform administrators have the capability to create and manage triggers for Users, Groups and Organizations. This provides centralized control and the ability to configure triggers that address collective cybersecurity objectives. Users within the designated Group or Organization will benefit from triggers with read-only access rights. These triggers are to be created directly on the User|Group|Organization with whom to share them in \"Settings &gt; Security &gt; Users|Groups|Organizations\".</p> <p></p>"},{"location":"usage/notifications/#trigger-filters","title":"Trigger filters","text":"<p>Leveraging the filters, users can meticulously define the criteria that activate their triggers. This level of granularity ensures that triggers are accurate, responding precisely to events that matter most. Users can tailor filters to consider various parameters such as object types, markings, sources, or other contextual details. They can also allow notifications for the assignment of a Task, a Case, etc.</p> <p>Beyond filters, a trigger can be configured to respond to three event types: creation, modification, and deletion.</p> <p></p>"},{"location":"usage/notifications/#instance-triggers","title":"Instance triggers","text":"<p>Instance triggers offer a targeted approach to live monitoring by allowing users to set up triggers specific to one or several entities. These triggers, when activated, keep a vigilant eye on a predefined set of events related to the selected entities, ensuring that you stay instantly informed about crucial changes.</p>"},{"location":"usage/notifications/#creating-instance-triggers","title":"Creating instance triggers","text":"<p>Method 1: Using the general trigger creation form</p> <ol> <li>Go on the \"Notifications and triggers\" window.</li> <li>Navigate to the \"Triggers and digests\" tab.</li> <li>Access the general trigger creation form.</li> <li>Toggle the switch \"Instance trigger\".</li> <li>Choose the entities to monitor.</li> </ol> <p></p> <p>Method 2: Quick subscription</p> <ol> <li>On an entity's overview, locate the \"Instance trigger quick subscription\" button with the bell icon at the top right.</li> <li>Click on the button to create the instance trigger.</li> <li>(Optional) Click on it again to modify the instance trigger created.</li> </ol> <p></p>"},{"location":"usage/notifications/#events-monitored-by-instance-triggers","title":"Events monitored by instance triggers","text":"<p>An instance trigger set on an entity X actively monitors the following events:</p> <ul> <li>Update/Deletion of X: Stay informed when the selected entity undergoes changes or is deleted.</li> <li>Creation/Deletion of relationships: Receive notifications about relationships being added or removed from/to X.</li> <li>Creation/Deletion of related entities: Be alerted when entities that have X in its refs - i.e. contains X, is shared with X, is created by X, etc. - are created or deleted.</li> <li>Adding/Removing X in ref: Stay in the loop when X is included or excluded from the ref of other entities - i.e. adding X in the author of an entity, adding X in a report, etc.).</li> </ul> <p>Entity deletion notification</p> <p>It's important to note that the notification of entity deletion can occur in two scenarios:     - Real entity deletion: When the entity is genuinely deleted from the platform.     - Visibility loss: When a modification to the entity results in the user losing visibility for that entity.</p>"},{"location":"usage/notifications/#digest","title":"Digest","text":"<p>Digests provide an efficient way to streamline and organize your notifications. By grouping notifications based on selected triggers and specifying the delivery period (daily, weekly, monthly), you gain the flexibility to receive consolidated updates at your preferred time, as opposed to immediate notifications triggered by individual events.</p>"},{"location":"usage/notifications/#creating-digests","title":"Creating digests","text":"<ol> <li>Go on the \"Notifications and triggers\" window.</li> <li>Navigate to the \"Triggers and digests\" tab.</li> <li>Create a new digest.</li> <li>Configure digest: Set the parameters, including triggers to be included and the frequency of notifications (daily, weekly, monthly). </li> <li>Choose the notifier(s): Select the notification method(s) (e.g. within the OpenCTI interface, via email, etc.).</li> </ol>"},{"location":"usage/notifications/#benefits-of-digests","title":"Benefits of digests","text":"<ul> <li>Organized notifications: Digests enable you to organize and categorize notifications, preventing a flood of individual alerts.</li> <li>Customized delivery: Choose the frequency of digest delivery based on your preferences, whether it's a daily overview, a weekly summary, or a monthly roundup.</li> <li>Reduced distractions: Receive notifications at a scheduled time, minimizing interruptions and allowing you to focus on critical tasks.</li> </ul> <p>Digests enhance your control over notification management, ensuring a more structured and convenient approach to staying informed about important events.</p>"},{"location":"usage/notifications/#notifiers","title":"Notifiers","text":"<p>In OpenCTI, notifiers serve as the channels for delivering notifications, allowing users to stay informed about critical events. The platform offers two built-in notifiers, \"Default mailer\" for email notifications and \"User interface\" for in-platform alerts.</p> <p></p>"},{"location":"usage/notifications/#notifier-connectors","title":"Notifier connectors","text":"<p>OpenCTI features built-in notifier connectors that empower users to create personalized notifiers for notification and activity alerting. Three essential connectors are available:</p> <ul> <li>Platform mailer connector: Enables sending notifications directly within the OpenCTI platform.</li> <li>Simple mailer connector: Offers a straightforward approach to email notifications with simplified configuration options.</li> <li>Generic webhook connector: Facilitates communication through webhooks.</li> </ul> <p>OpenCTI provides two samples of webhook notifiers designed for Teams integration.</p> <p></p>"},{"location":"usage/notifications/#configuration-and-access","title":"Configuration and Access","text":"<p>Notifiers are manageable in the \"Settings &gt; Customization &gt; Notifiers\" window and can be restricted through Role-Based Access Control (RBAC). Administrators can restrict access to specific Users, Groups, or Organizations, ensuring controlled usage.</p> <p>For guidance on configuring custom notifiers and explore detailed setup instructions, refer to the dedicated documentation page.</p>"},{"location":"usage/overview/","title":"Overview","text":""},{"location":"usage/overview/#introduction","title":"Introduction","text":"<p>The following chapter aims at giving the reader a step-by-step description of what is available on the platform and the meaning of the different tabs and entries.</p> <p>When the user connects to the platform, the home page is the <code>Dashboard</code>. This <code>Dashboard</code> contains several visuals summarizing the types and quantity of data recently imported into the platform.</p> <p>Dashboard</p> <p>To get more information about the components of the default dashboard, you can consult the Getting started.</p> <p>The left side panel allows the user to navigate through different windows and access different views and categories of knowledge.</p> <p></p>"},{"location":"usage/overview/#structure","title":"Structure","text":""},{"location":"usage/overview/#the-hot-knowledge","title":"The \"hot knowledge\"","text":"<p>The first part of the platform in the left menu is dedicated to what we call the \"hot knowledge\", which means this is the entities and relationships which are added on a daily basis in the platform and which generally require work / analysis from the users.</p> <ul> <li><code>Analyses</code>: all containers which convey relevant knowledge such as reports, groupings and malware analyses.</li> <li><code>Cases</code>: all types of case like incident responses, requests for information, for takedown, etc.</li> <li><code>Events</code>: all incidents &amp; alerts coming from operational systems as well as sightings.</li> <li><code>Observations</code>: all technical data in the platform such as observables, artifacts and indicators.</li> </ul>"},{"location":"usage/overview/#the-cold-knowledge","title":"The \"cold knowledge\"","text":"<p>The second part of the platform in the left menu is dedicated to the \"cold knowledge\", which means this is the entities and relationships used in the hot knowledge. You can see this as the \"encyclopedia\" of all pieces of knowledge you need to get context: threats, countries, sectors, etc.</p> <ul> <li><code>Threats</code>: all threats entities from campaigns to threat actors, including intrusion sets.</li> <li><code>Arsenal</code>: all tools and pieces of malware used and/or targeted by threats, including vulnerabilities.</li> <li><code>Techniques</code>: all objects related to tactics and techniques used by threats (TTPs, etc.).</li> <li><code>Entities</code>: all non-geographical contextual information such as sectors, events, organizations, etc.</li> <li><code>Locations</code>: all geographical contextual information, from cities to regions, including precise positions.</li> </ul>"},{"location":"usage/overview/#hide-categories","title":"Hide categories","text":"<p>You can customize the experience in the platform by hiding some categories in the left menu, whether globally or for a specific role.</p>"},{"location":"usage/overview/#hide-categories-globally","title":"Hide categories globally","text":"<p>In the <code>Settings &gt; Parameters</code>, it is possible for the platform administrator to hide categories in the platform for all users.</p> <p></p>"},{"location":"usage/overview/#hide-categories-in-roles","title":"Hide categories in roles","text":"<p>In OpenCTI, the different roles are highly customizable. It is possible to defined default dashboards, triggers, etc. but also be able to hide categories in the roles:</p> <p></p>"},{"location":"usage/overview/#presentation-of-a-typical-page-in-opencti","title":"Presentation of a typical page in OpenCTI","text":"<p>While OpenCTI features numerous entities and tabs, many of them share similarities, with only minor differences arising from specific characteristics. These differences may involve the inclusion or exclusion of certain fields, depending on the nature of the entity.</p> <p>In this part will only be detailed a general outline of a \"typical\" OpenCTI page. The specifies of the different entities will be detailed in the corresponding pages below (Activities and Knowledge).</p> <p></p> <p></p>"},{"location":"usage/overview/#overview_1","title":"Overview","text":"<p>In the <code>Overview</code> tab on the entity, you will find all properties of the entity as well as the recent activities.</p> <p>First, you will find the <code>Details</code> section, where are displayed all properties specific to the type of entity you are looking at, an example below with a piece of malware:</p> <p></p> <p>Thus, in the <code>Basic information</code> section, are displayed all common properties to all objects in OpenCTI, such as the marking definition, the author, the labels (i.e. tags), etc.</p> <p></p> <p>Below these two sections, you will find latest modifications in the Knowledge base related to the Entity:</p> <ul> <li><code>Latest created relationships</code>: display the latest relationships that have been created from or to this Entity. For example, latest Indicators of Compromise and associated Threat Actor of a Malware.</li> <li><code>latest containers about the object</code>: display all the Cases and Analyses that contains this Entity. For example, the latest Reports about a Malware.</li> <li><code>External references</code>: display all the external sources associated with the Entity. You will often find here links to external reports or webpages from where Entity's information came from.</li> <li><code>History</code>: display the latest chronological modifications of the Entity and its relationships that occurred in the platform, in order to traceback any alteration.</li> </ul> <p> </p> <p>Last, all Notes written by users of the platform about this Entity are displayed in order to access unstructured analysis comments.</p> <p></p>"},{"location":"usage/overview/#knowledge","title":"Knowledge","text":"<p>In the <code>Knowledge</code> tab, which is the central part of the entity, you will find all the Knowledge related to the current entity. The <code>Knowledge</code> tab is different for Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) entities than for all the other entity types.</p> <ul> <li>The <code>Knowledge</code> tab of those entities (who represents Analyses or Cases that can contains a collection of Objects) is the place to integrate and link together entities. For more information on how to integrate information in OpenCTI using the knowledge tab of a report, please refer to the part Manual creation.</li> <li>The <code>Knowledge</code> tabs of any other entity (that does not aim to contain a collection of Objects) gather all the entities which have been at some point linked to the entity the user is looking at. For instance, as shown in the following capture, the <code>Knowledge</code> tab of Intrusion set APT29, gives access to the list of all entities APT29 is attributed to, all victims the intrusion set has targeted, all its campaigns, TTPs, malware etc. For entities to appear in these tabs under <code>Knowledge</code>, they need to have been linked to the entity directly or have been computed with the inference engine.</li> </ul> <p></p>"},{"location":"usage/overview/#focus-on-indicators-and-observables","title":"Focus on Indicators and Observables","text":"<p>The <code>Indicators</code> and <code>Observables</code> section offers 3 display modes: - The <code>entities view</code>, which displays the indicators/observables linked to the entity. - The <code>relationship view</code>, which displays the various relationships between the indicators/observables linked to the entity and the entity itself. - The <code>contextual view</code>, which displays the indicators/observables contained in the cases and analyses that contain the entity.</p> <p></p> <p></p>"},{"location":"usage/overview/#content","title":"Content","text":"<p>The <code>Content</code> tab allows for uploading and creating outcomes documents related to the content of the current entity (in PDF, text, HTML or markdown files). This specific tab enable to previzualize, manage and write deliverable associated with the entity. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc.</p> <p>The <code>Content</code> tab is available for a subset of entities: <code>Report</code>, <code>Incident</code>, <code>Incident response</code>, <code>Request for Information</code>, and <code>Request for Takedown</code>.</p> <p></p> <p></p>"},{"location":"usage/overview/#analyses","title":"Analyses","text":"<p>The <code>Analyses</code> tab contains the list of all Analyses (<code>Report</code>, <code>Groupings</code>) and Cases (<code>Incident response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>) in which the entity has been identified.</p> <p></p> <p>By default, this tab display the list, but you can also display the content of all the listed Analyses on a graph, allowing you to explore all their Knowledge and have a glance of the context around the Entity.</p> <p></p> <p></p>"},{"location":"usage/overview/#data","title":"Data","text":"<p>The <code>Data</code> tab contains documents that are associated to the object and were either:</p> <ul> <li>Uploaded to the platform : for instance the PDF document containing the text of the report</li> <li>Generated from the platform to be downloaded : a JSON or CSV file containing information on the object and generated by the user.</li> <li>associated to an external reference</li> </ul> <p>Analyst Workbench can also be created from here. They will contain the entity by default.</p> <p></p> <p>In addition, the <code>Data</code> tab of <code>Threat actors (group)</code>, <code>Threat actors (individual)</code>, <code>Intrusions sets</code>, <code>Organizations</code>, <code>Individuals</code> have an extra panel:</p> <ul> <li>Pictures Management: allows to manage the profile pictures attached to the entity.</li> </ul> <p> </p> <p></p>"},{"location":"usage/overview/#history","title":"History","text":"<p>The <code>History</code> tab displays the history of change of the Entity, update of attributes, creation of relations, ...</p> <p>Because of the volumes of information the history is written in a specific index that consume the redis stream to rebuild the history for the UI. </p>"},{"location":"usage/overview/#less-frequent-tabs","title":"Less frequent tabs","text":"<ul> <li>The <code>Observables</code> tab (for Reports and Observed data): A table containing all SCO (Stix Cyber Observable) contained in the Report or the Observed data, with search and filters available. It also displays if the SCO has been added directly or through inferences with the reasoning engine</li> <li>the <code>Entities</code> tab (for Reports and Observed data): A table containing all SDO (Stix Domain Objects) contained in the Report or the Observed data, with search and filters available. It also displays if the SDO has been added directly or through inferences with the reasoning engine</li> <li>Observables:</li> <li>the <code>Sightings</code> tab (for Indicators and Observables): A table containing all <code>Sightings</code> relationships corresponding to events in which <code>Indicators</code> (IP, domain name, URL, etc.) are detected by or within an information system, an individual or an organization. Most often, this corresponds to a security event transmitted by a SIEM or EDR.</li> </ul>"},{"location":"usage/pivoting/","title":"Pivot and investigate","text":"<p>In OpenCTI, all data are structured as an extensive knowledge graph, where every element is interconnected. The investigation functionality provides a powerful tool for pivoting on any entity or relationship within the platform. Pivoting enables users to explore and analyze connections between entities and relationships, facilitating a comprehensive understanding of the data.</p> <p>To access investigations, navigate to the top right corner of the toolbar:</p> <p></p> <p>Access restriction</p> <p>When an investigation is created, it is initially visible only to the creator, allowing them to work on the investigation before deciding to share it. The sharing mechanism is akin to that of dashboards. For further details, refer to the Access control section in the dashboard documentation page.</p>"},{"location":"usage/pivoting/#perform-investigation","title":"Perform investigation","text":""},{"location":"usage/pivoting/#manipulate-entity","title":"Manipulate entity","text":"<p>We can add any existing entity of the platform to your investigation.</p> <p></p> <p>After adding an entity, we can choose the entity and view its details in the panel that appears on the right of the screen.</p> <p>On each node, we'll notice a bullet with a number inside, serving as a visual indication of how many entities are linked to it but not currently displayed in the graph. Keep in mind that this number is an approximation, which is why there's a \"+\" next to it. If there's no bullet displayed, it means there's nothing to expand from this node.</p> <p></p> <p>To incorporate these linked entities into the graph, we just have to expand the nodes. Utilize the button with a 4-arrows logo in the mentioned menu, or double-click on the entity directly. This action opens a new window where we can choose the types of entities and relationships we wish to expand.</p> <p></p> <p>For instance, in the image above, selecting the target Malware and the relationship Uses implies expanding in my investigation graph all Malware linked to this node with a relationship of type Uses.</p>"},{"location":"usage/pivoting/#manipulate-relationship","title":"Manipulate relationship","text":"<p>We can create a relationship between entities directly within our investigation. To achieve this, select multiple entities by clicking on them while holding down the shift key. Subsequently, a button appears at the bottom right to create one (or more, depending on the number of entities selected) relationships.</p> <p></p> <p>Relationship creation</p> <p>Creating a relationship in the investigation graph will generate the relationship in your knowledge base.</p>"},{"location":"usage/pivoting/#capitalize-on-an-investigation","title":"Capitalize on an investigation","text":""},{"location":"usage/pivoting/#export-investigation","title":"Export investigation","text":"<p>Users have the capability to export investigations, providing a way to share, document, or archive their findings.</p> <ul> <li>PDF and image formats: Users can export investigations in either PDF or image format, offering flexibility in sharing and documentation.</li> <li>STIX bundle: The platform allows the export of the entire content of an investigation graph as a STIX bundle. In the STIX format, all objects within the investigation graph are automatically aggregated into a Report object.</li> </ul> <p></p>"},{"location":"usage/pivoting/#turn-investigation-into-a-container","title":"Turn investigation into a container","text":"<p>Users can efficiently collect and consolidate the findings of an investigation by adding the content into dedicated containers. The contents of an investigation can be imported into various types of containers, including:</p> <ul> <li>Grouping</li> <li>Incident Response</li> <li>Report</li> <li>Request for Information</li> <li>Request for Takedown</li> </ul> <p></p> <p>We have the flexibility to choose between creating a new container on the fly or adding investigation content to an existing container. </p> <p></p> <p></p> <p>After clicking on the <code>ADD</code> button, the browser will redirect to the Knowledge tab of the container where we added the content of our investigation. If we added it to multiple containers, the redirection will be to the first of the list.</p> <p></p>"},{"location":"usage/reliability-confidence/","title":"Reliability and Confidence","text":""},{"location":"usage/reliability-confidence/#generalities","title":"Generalities","text":"<p>In (Cyber) Threat Intelligence, evaluation of information sources and of information quality is one of the most important aspect of the work. It is of the utter most importance to assess situations by taking into account reliability of the sources and credibility of the information.</p> <p>This concept is foundational in OpenCTI, and have real impact on:</p> <ul> <li>the data deduplication process</li> <li>the data stream filtering for ingestion and sharing</li> </ul>"},{"location":"usage/reliability-confidence/#what-is-the-reliability-of-a-source","title":"What is the Reliability of a source?","text":"<p>Reliability of a source of information is a measurement of the trust that the analyst can have about the source, based on the technical capabilities or history of the source. Is the source a reliable partner with long sharing history? A competitor? Unknown?</p> <p>Reliability of sources are often stated at organizational level, as it requires an overview of the whole history with it. </p> <p>In the Intelligence field, Reliability is often notated with the NATO Admiralty code.</p>"},{"location":"usage/reliability-confidence/#what-is-confidence-of-an-information","title":"What is Confidence of an information?","text":"<p>Reliability of a source is important but even a trusted source can be wrong. Information in itself has a credibility, based on what is known about the subject and the level of corroboration by other sources.</p> <p>Credibility is often stated at the analyst team level, expert of the subject, able to judge the information with its context.</p> <p>In the Intelligence field, Confidence is often notated with the NATO Admiralty code.</p> <p>Why Confidence instead of Credibility?</p> <p>Using both Reliability and Credibility is an advanced use case for most of CTI teams. It requires a mature organization and a well staffed team. For most of internal CTI team, a simple confidence level is enough to forge assessment, in particular for teams that concentrate on technical CTI. </p> <p>Thus in OpenCTI, we have made the choice to fuse the notion of Credibility with the Confidence level that is commonly used by the majority of users. They have now the liberty to push forward their practice and use both Confidence and Reliability in their daily assessments.</p>"},{"location":"usage/reliability-confidence/#reliability-open-vocabulary","title":"Reliability open vocabulary","text":"<p>Reliability value can be set for every Entity in the platform that can be Author of Knowledge:</p> <ul> <li><code>Organizations</code></li> <li><code>Individuals</code></li> <li><code>Systems</code></li> <li>and also <code>Reports</code></li> </ul> <p>Reliability on <code>Reports</code> allows you to specify the reliability associated to the original author of the report if you received it through a provider.</p> <p>For all Knowledge in the platform, the reliability of the source of the Knowledge (author) is displayed in the Overview. This way, you can always forge your assessment of the provided Knowledge regarding the reliability of the author.</p> <p></p> <p>You can also now filter entities by the reliability of its author.</p> <p>Tip</p> <p>This way, you may choose to feed your work with only Knowledge provided by reliable sources.</p> <p>Reliability is an open vocabulary that can be customized in Settings -&gt; Taxonomies -&gt; Vocabularies : reliability_ov. </p> <p>Info</p> <p>The setting by default is the Reliability scale from NATO Admiralty code. But you can define whatever best fit your organization.</p> <p></p>"},{"location":"usage/reliability-confidence/#confidence-scale","title":"Confidence scale","text":"<p>Confidence level can be set for:</p> <ul> <li>Analyses: <code>Report</code>, <code>Grouping</code>, <code>Malware analysis</code>, <code>Notes</code></li> <li>Cases: <code>Incident Response</code>, <code>Request for Information</code>, <code>Request for Takedown</code>, <code>Feedback</code></li> <li>Events: <code>Incident</code>, <code>Sighting</code>, <code>Observed data</code></li> <li>Observations: <code>Indicator</code>, <code>Infrastructure</code></li> <li>Threats: <code>Threat actor (Group)</code>, <code>Threat actor (Individual)</code>, <code>Intrusion Set</code>, <code>Campaign</code></li> <li>Arsenal: <code>Malware</code>, <code>Channel</code>, <code>Tool</code>, <code>Vulnerability</code></li> </ul> <p>For all of these entities, the Confidence level is displayed in the Overview, along with the Reliability. This way, you can rapidly assess the Knowledge with the Confidence level representing the credibility/quality of the information.</p>"},{"location":"usage/reliability-confidence/#confidence-scale-customization","title":"Confidence scale customization","text":"<p>Confidence level is a numerical value between 0 and 100. But Multiple \"Ticks\" can be defined and labelled to provide a meaningful scale.</p> <p>Confidence level can be customized for each entity type in Settings &gt; Customization &gt; Entity type.</p> <p></p> <p>As such customization can be cumbersome, three confidence level templates are provided in OpenCTI:</p> <ul> <li>Admiralty: corresponding to the Admiralty code's credibility scale</li> <li>Objective: corresponding to a full objective scale, aiming to leave any subjectivity behind. With this scale, an information confidence is:<ul> <li>\"Cannot be judged\": there is no data regarding the credibility of the information</li> <li>\"Told\": the information is known because it has been told to the source. The source doesn't verify it by any means.</li> <li>\"Induced\": the information is the result of an analysis work and is based on other similar information assumed to be true.</li> <li>\"Deduced\": the information is the result of an analysis work, and is a logical conclusion of other information assumed to be true.</li> <li>\"Witnessed\": the source have observed itself the described situation or object.</li> </ul> </li> <li>standard: the historic confidence level scale in OpenCTI defining a Low, Med and High level of confidence.</li> </ul> <p>It is always possible to modify an existing template to define a custom scale adapted to your context.</p> <p>Tip</p> <p>If you use the Admiralty code setting for both reliability and Confidence, you will find yourself with the equivalent of NATO confidence notation in the Overview of your different entities (A1, B2, C3, etc.)</p>"},{"location":"usage/reliability-confidence/#max-confidence-level","title":"Max confidence level","text":""},{"location":"usage/reliability-confidence/#overview","title":"Overview","text":"<p>We know that in organizations, different users do not always have the same expertise or seniority.  As a result, some specific users can be more \"trusted\" when creating or updating knowledge than others. Additionnaly, because connectors, TAXII feeds and streams are all linked to respectively one user, it is important to be able to differentiate which connector, stream or TAXII feed is more trustable than others.</p> <p>This is why we have introduced the concept of max confidence level to tackle this use case.</p> <p>Max confidence level per user allows organizations to fine tune their users to ensure knowledge updated and created stays as consistent as possible.</p>"},{"location":"usage/reliability-confidence/#overall-way-of-working","title":"Overall way of working","text":"<p>The overall idea is that users with a max confidence level lower than a confidence level of an entity cannot update or delete this entity.</p> <p>Also, in a conservative approach, when 2 confidence levels are possible, we would always take the lowest one.</p> <p>To have a detailed understanding of the concept, please browse through this diagram:</p>"},{"location":"usage/reliability-confidence/#how-to-set-a-confidence-level","title":"How to set a confidence level","text":"<p>To see how to set up the confidence level, please go in this page.</p>"},{"location":"usage/reliability-confidence/#usage-in-opencti","title":"Usage in OpenCTI","text":""},{"location":"usage/reliability-confidence/#example-with-the-admiralty-code-template","title":"Example with the admiralty code template","text":"<p>Your organization have received a report from a CTI provider. At your organization level, this provider is considered as reliable most of the time and its reliability level has been set to \"B - Usually Reliable\" (your organization uses the Admiralty code).</p> <p>This report concerns ransomware threat landscape and have been analysed by your CTI analyst specialized in cybercrime. This analyst has granted a confidence level of \"2 - Probably True\" to the information. </p> <p>As a technical analyst, through the cumulated reliability and Confidence notations, you now know that the technical elements of this report are probably worth consideration.</p> <p></p>"},{"location":"usage/reliability-confidence/#example-with-the-objective-template","title":"Example with the Objective template","text":"<p>As a CTI analyst in a governmental CSIRT, you build up Knowledge that will be shared within the platform to beneficiaries. Your CSIRT is considered as a reliable source by your beneficiaries, even if you play a role of a proxy with other sources, but your beneficiaries need some insights about how the Knowledge has been built/gathered. </p> <p>For that, you use the \"Objective\" confidence scale in your platform to provide beneficiaries with that. When the Knowledge is the work of the investigation of your CSIRT, either from incident response or attack infrastructure investigation, you set the confidence level to \"Witnessed\", \"Deduced\" or \"Induced\" (depending on if you observed directly the data, or inferred it during your research). When the information has not been verified by the CSIRT but has value to be shared with beneficiaries, you can use the \"Told\" level to make it clear to them that the information is probably valuable but has not been verified.</p> <p></p>"},{"location":"usage/search/","title":"Search for knowledge","text":"<p>In OpenCTI, you have access to different capabilities to be able to search for knowledge in the platform. In most cases, a search by keyword can be refined with additional filters for instance on the type of object, the author etc.</p>"},{"location":"usage/search/#global-search","title":"Global search","text":"<p>The global search is always available in the top bar of the platform.</p> <p></p> <p>This search covers all STIX Domain Objects (SDOs) and STIX Cyber Observables (SCOs) in the platform. The search results are sorted according to the following behaviour:</p> <ul> <li>Priority 1 for exact matching of the keyword in one attribute of the objects.</li> <li>Priority 2 for partial matching of the keyword in the <code>name</code>, the <code>aliases</code> and the <code>description</code> attributes (full text search).</li> <li>Priority 3 for partial matching of the keyword in all other attributes (full text search).</li> </ul> <p>If you get unexpected result, it is always possible to add some filters after the initial search:</p> <p></p> <p>Also, using the <code>Advanced search</code> button, it is possible to directly put filters in a global search:</p> <p></p> <p>Advanced filters</p> <p>You have access to advanced filters all accross the UI, if you want to know more about how to use these  filters with the API or the Python library, don't hesitate to read the dedicated page</p>"},{"location":"usage/search/#full-text-search-in-files-content","title":"Full text search in files content","text":"<p>Enterprise edition</p> <p>Full text search in files content is available under the \"Filigran entreprise edition\" license.</p> <p>Please read the dedicated page to have all information</p> <p>It's possible to extend the global search by keywords to the content of documents uploaded to the platform via the Data import tab, or directly linked to an entity via its Data tab.</p> <p>It is particularly useful to enable <code>Full text indexing</code> to avoid missing important information that may not have been structured within the platform. This situation can arise due to a partial automatic import of document content, limitations of a connector, and, of course, errors during manual processing.</p> <p></p> <p>In order to search in files, you need to configure file indexing.</p>"},{"location":"usage/search/#bulk-search","title":"Bulk search","text":"<p>The bulk search capabilities is available in the top bar of the platform and allows you to copy paste a list of keyword or objects (ie. list of domains, list of IP addresses, list of vulnerabilities, etc.) to search in the platform:</p> <p></p> <p>When searching in bulk, OpenCTI is only looking for an exact match in some properties:</p> <ul> <li><code>name</code></li> <li><code>aliases</code></li> <li><code>x_opencti_aliases</code></li> <li><code>x_mitre_id</code></li> <li><code>value</code></li> <li><code>subject</code></li> <li><code>abstract</code></li> <li><code>hashes.MD5</code></li> <li><code>hashes.SHA-1</code></li> <li><code>hashes.SHA-256</code></li> <li><code>hashes.SHA-512</code></li> <li><code>x_opencti_additional_names</code></li> </ul> <p>When something is not found, it appears in the list as <code>Unknown</code> and will be excluded if you choose to export your search result in a JSON STIX bundle or in a CSV file.</p> <p></p>"},{"location":"usage/search/#contextual-search","title":"Contextual search","text":"<p>In most of the screens of knowledge, you always have a contextual search bar allowing you to filter the list you are on:</p> <p></p> <p>The search keyword used here is taken into account if you decide to export the current view in a file such as a JSON STIX bundle or a CSV file.</p>"},{"location":"usage/search/#other-search-bars","title":"Other search bars","text":"<p>Some other screens can contain search bars for specific purposes. For instance, in the graph views to filter the nodes displayed on the graph:</p> <p></p>"},{"location":"usage/tips-widget-creation/","title":"Pro-tips on widget creation","text":"<p>Previously, the creation of widgets has been covered. To help users being more confident in creating widgets, here are some details to master the widget creation.</p> <p></p>"},{"location":"usage/tips-widget-creation/#how-to-choose-the-appropriate-widget-visualization-for-your-use-case","title":"How to choose the appropriate widget visualization for your use case?","text":"<p>We can classify the widgets in 3 different types.</p>"},{"location":"usage/tips-widget-creation/#single-dimension-widgets","title":"Single dimension widgets","text":"<p>Use these widgets when you would like to display information about one single type of object (entity or relation).</p> <ul> <li>Widget visualizations: number, list, list (distribution), timeline, donuts, radar, map, bookmark, tree map.</li> <li>Use case example: view the amount of malware in platform (number widget), view the top 10 threat actor group target a specific country (distribution list widget), etc.</li> </ul>"},{"location":"usage/tips-widget-creation/#multi-dimension-widgets","title":"Multi dimension widgets","text":"<p>Use these widgets if you would like to compare or have some insights about similar types of object (up to 5).</p> <ul> <li>Widget visualizations: line, area, heatmap, vertical bars.</li> <li>Use case example: view the amount of malware, intrusion sets, threat actor groups added in the course of last month in the platform (line or area widget).</li> </ul> <p>Type of object in widget</p> <p>These widgets need to use the same \"type\" of object to work properly. You always need to add relationships in the filter view if you have selected a \"knowledge graph\" perspective. If you have selected the knowledge graph entity, adding \"Entities\" (click on <code>+ entities</code>) will not work, since you are not counting the same things.</p>"},{"location":"usage/tips-widget-creation/#break-down-widgets","title":"Break down widgets","text":"<p>Use this widget if you want to divide your data set into smaller parts to make it clearer and more useful for analysis.</p> <ul> <li>Widget visualization: horizontal bars.</li> <li>Use case example: view the list of malware targeting a country breakdown by the type of malware.</li> </ul> <p></p>"},{"location":"usage/tips-widget-creation/#adding-datasets-to-your-widget","title":"Adding datasets to your widget","text":"<p>Adding datasets can serve two purposes: comparing data or breakdown a view to have deeper understanding on what a specific dataset is composed of. </p>"},{"location":"usage/tips-widget-creation/#use-case-1-compare-several-datasets","title":"Use Case 1: compare several datasets","text":"<p>As mentioned in How to choose the appropriate widget visualization for your use case? section you can add data sets to compare different data. Make sure to add the same type of objects (entities or relations) to be able to compare the same objects, by using access buttons like <code>+</code>, <code>+ Relationships</code>, or <code>+ Entities</code>.</p> <p>You can add up to 5 different data sets.  The <code>Label</code> field allows you to name a data set, and this label can then be shown as a legend in the widget using the <code>Display legend</code> button in the widget parameters (see the next section).</p>"},{"location":"usage/tips-widget-creation/#use-case-2-break-down-your-chart","title":"Use case 2: break down your chart","text":"<p>As mentioned in How to choose the appropriate widget visualization for your use case? section you can add data sets to decompose your graph into smaller meaningful chunks. In the below points, you can find some use cases that will help you understand how to structure your data.</p> <p>You can break down a view either by entity or by relations, depending on what you need to count.</p>"},{"location":"usage/tips-widget-creation/#break-down-by-entity","title":"Break down by entity","text":"<p>Use case example: I need to understand what are the most targeted countries by malware, and have a breakdown for each country by malware type.</p> <p>Process:</p> <ol> <li>To achieve this use case, you first need to select the horizontal bar vizualisation.</li> <li>Then you need to select the knowledge graph perspective.</li> </ol> <p>In the filters view:</p> <ol> <li>Then input your main query <code>Source type = Malware AND Target type = Countries AND Relation type = Targets</code>. Add a label to your dataset. </li> <li>Add an entity data set by using access button <code>+ Entities</code>.</li> <li>Add the following filters <code>Entity type = Malware AND In regards of = targets</code>. Add a label to your dataset.</li> </ol> <p></p> <p>In the parameter view:</p> <ol> <li>Attribute (of your relation) = entity (so that you display the different entities values)</li> <li>Display the source toggle = off</li> <li>Attribute (of your entity malware) = Malware type (since you want to break down your relations by the malware types)</li> </ol> <p></p> <p>As a result, you get a list of countries broken down by malware types.</p> <p></p>"},{"location":"usage/tips-widget-creation/#break-down-by-relation","title":"Break down by relation","text":"<p>Use case example: I need to understand what are the top targeting malware and have a breakdown of the top targets per malware</p> <p>Process:</p> <ol> <li>To achieve this use case, you first need to select the horizontal bar vizualisation.</li> <li>Then you need to select the knowledge graph perspective.</li> </ol> <p>In the filters view:</p> <ol> <li>Then input your main query <code>Source type = Malware AND Relation type = Targets</code>. Add a label to your dataset. </li> <li>Add a relation data set by using access button  <code>+ Relationships</code></li> <li>Add the following filters <code>Source type = Malware AND Relation type = targets</code>. Add a label to your dataset.</li> </ol> <p></p> <p>In the parameter view:</p> <ol> <li>Attribute (of your relation): entity (so that you display the different entities values)</li> <li>Display the source toggle = on</li> <li>Attribute (of your entity malware) = Malware type (since you want to break down your relations by the malware types)</li> <li>Display the source toggle = off</li> </ol> <p></p> <p>As a result, you get a list of malware with the breakdown of their top targets.</p> <p></p>"},{"location":"usage/tips-widget-creation/#more-use-cases","title":"More use cases","text":"<p>To see more use cases, feel free to have a look at this blog post that will provide you additional information.</p>"},{"location":"usage/widgets/","title":"Widget creation","text":"<p>Creating widgets on the dashboard involves a four-step configuration process. By navigating through these configuration steps, users can design widgets that meet their specific requirements.</p>"},{"location":"usage/widgets/#widget-configuration","title":"Widget configuration","text":""},{"location":"usage/widgets/#1-visualization","title":"1. Visualization","text":"<p>Users can select from 15 diverse visualization options to highlight different aspects of their data. This includes simple views like counters and lists, as well as more intricate views like heatmaps and trees. The chosen visualization impacts the available perspectives and parameters, making it crucial to align the view with the desired data observations. Here are a few insights:</p> <ul> <li>Line and Area views: Ideal for visualizing activity volumes over time.</li> <li>Horizontal bar views: Designed to identify top entities that best satisfy applied filters (e.g., top malware targeting the Finance sector).</li> <li>Tree views: Useful for comparing activity volumes.</li> <li>...</li> </ul> <p></p>"},{"location":"usage/widgets/#2-perspective","title":"2. Perspective","text":"<p>A perspective is the way the platform will count the data to display in your widgets:</p> <ul> <li>Entities Perspective: Focuses on entities, allowing observation of simple knowledge based on defined filters and criteria. The count will be based on entities only.</li> <li>Knowledge Graph Perspective: Concentrates on relationships, displaying intricate knowledge derived from relationships between entities and specified filters.  The count will be based on relations only.</li> <li>Activity &amp; History Perspective: Centers on activities within the platform, not the knowledge content. This perspective is valuable for monitoring user and connector activities, evaluating data sources, and more.</li> </ul> <p></p>"},{"location":"usage/widgets/#3-filters","title":"3. Filters","text":""},{"location":"usage/widgets/#generic-knowledge","title":"Generic knowledge","text":"<p>Filters vary based on the selected perspective, defining the dataset to be utilized in the widget. Filters are instrumental in narrowing down the scope of data for a more focused analysis.</p> <p>While filters in the \"Entities\" and \"Activity &amp; History\" perspectives align with the platform's familiar search and feed creation filters, the \"Knowledge Graph\" perspective introduces a more intricate filter configuration.Therefore, they need to be addressed in more detail.</p>"},{"location":"usage/widgets/#filter-in-the-context-of-knowledge-graph","title":"Filter in the context of Knowledge Graph","text":"<p>Two types of filters are available in the Knowledge Graph perspective:</p> <ul> <li> <p>Main query filter</p> <ul> <li>Classic filters (gray): Define the relationships to be retrieved, forming the basis on which the widget displays data. Remember, statistics in the Knowledge Graph perspective are based on relationships.</li> </ul> </li> <li> <p>Pre-query filters</p> <ul> <li>Pre-query filters are used to provide to your main query a specific dataset. In other words, instead of making a query on the whole data set of your platform, you can already target a subset of data that will match certain criteria. They are two types of pre-query filters:<ul> <li>Dynamic filters on the source (orange): Refine data by filtering on entities positioned as the source (in the \"from\" position) of the relationship.</li> <li>Dynamic filters on the target (green): Refine data by filtering on entities positioned as the target (in the \"to\" position) of the relationship.</li> </ul> </li> </ul> </li> </ul> <p>Pre-query limitation</p> <p>The pre-query is limited to 5000 results. If your pre-query results in having more than 5000 results, your widget will only display statistics based on these 5000 results matching your pre-query, resulting in a wrong view. To avoid this issue, be specific in your pre-query filters.</p> <p>Example scenario:</p> <p>Let's consider an example scenario: Analyzing the initial access attack patterns used by intrusion sets targeting the finance sector.</p> <ol> <li>Classic filters: Define the relationships associated with the use of attack patterns by intrusion sets</li> <li>Dynamic filters on the source (Orange): Narrow down the data by filtering on intrusion sets targeting the finance sector.</li> <li>Dynamic filters on the target (Green): Narrow down the data by filtering on attack patterns associated with the kill chain's initial access phase.</li> </ol> <p>By leveraging these advanced filters, users can conduct detailed analyses within the Knowledge Graph perspective, unlocking insights that are crucial for understanding intricate relationships and statistics.</p> <p></p> <p>In certain views, you can access buttons like <code>+</code>, <code>+ Relationships,</code> or <code>+ Entities</code>. These buttons enable you to incorporate different data into the same widget for comparative analysis. For instance, in a Line view, adding a second set of filters will display two curves in the widget, each corresponding to one of the filtered data sets. Depending on the view, you can work with 1 to 5 sets of filters. The <code>Label</code> field allows you to name a data set, and this label can then be shown as a legend in the widget using the <code>Display legend</code> button in the widget parameters (see the next section).</p> <p></p>"},{"location":"usage/widgets/#4-parameters","title":"4. Parameters","text":"<p>Parameters depend on the chosen visualization and allow users to define widget titles, choose displayed elements from the filtered data, select data reference date, and configure various other parameters specific to each visualization.</p> <p>For the \"Knowledge Graph\" perspective, a critical parameter is the <code>Display the source</code> toggle. This feature empowers users to choose whether the widget displays entities from the source side or the target side of the relationships.</p> <ul> <li>Toggle ON (\"Display the source\"): The widget focuses on entities positioned as the source of the relationships (in the \"from\" position).</li> <li>Toggle OFF (\"Display the target\"): The widget shifts its focus to entities positioned as the target of the relationships (in the \"to\" position).</li> </ul> <p>This level of control ensures that your dashboard aligns precisely with your analytical objectives, offering a tailored perspective based on your data and relationship.</p> <p></p>"},{"location":"usage/widgets/#prerequisite-knowledge","title":"Prerequisite knowledge","text":"<p>To successfully configure widgets in OpenCTI, having a solid understanding of the platform's data modeling is essential. Knowing specific relationships, entities, and their attributes helps refine filters accurately. Let's explore two examples.</p> <p>Scenarios 1:</p> <p>Consider the scenario where you aim to visualize relationships between intrusion sets and attack patterns. In this case, the relevant relationship type connecting intrusion sets to attack patterns is labeled as \"Uses\" (as illustrated in the \"Filters\" section).</p> <p>Scenarios 2:</p> <p>Suppose your goal is to retrieve all reports associated with the finance sector. In this case, it's essential to use the correct filter for the finance sector. Instead of placing the finance sector in the \"Related entity\" filter, it should be placed in the \"Contains\" filter. Since a Report is a container object (like Cases and Groupings), it contains entities within it and is not related to entities.</p>"},{"location":"usage/widgets/#key-data-modeling-aspects","title":"Key data modeling aspects","text":"<ul> <li>Entities: Recognizing container (e.g. Reports, Cases and Groupings) and understanding the difference with non-container.</li> <li>Relationships: Identifying the relationship types connecting entities.</li> <li>Attributes: Understanding entities and relationships attributes for effective filtering.</li> </ul> <p>Having this prerequisite knowledge allows you to navigate the widget configuration process seamlessly, ensuring accurate and insightful visualizations based on your specific data requirements.</p>"},{"location":"usage/workbench/","title":"Analyst workbench","text":"<p>Workbenches serve as dedicated workspaces for manipulating data before it is officially imported into the platform. </p>"},{"location":"usage/workbench/#location-of-use","title":"Location of use","text":"<p>The workbenches are located at various places within the platform:</p>"},{"location":"usage/workbench/#data-import-and-analyst-workbenches-window","title":"Data import and analyst workbenches window","text":"<p>This window encompasses all the necessary tools for importing a file. Files imported through this interface will subsequently be processed by the import connectors, resulting in the creation of workbenches. Additionally, analysts can manually create a workbench by clicking on the \"+\" icon at the bottom right of the window.</p> <p></p>"},{"location":"usage/workbench/#data-tabs-of-all-entities","title":"Data tabs of all entities","text":"<p>Workbenches are also accessible through the \"Data\" tabs of entities, providing convenient access to import data associated with the entity.</p> <p></p>"},{"location":"usage/workbench/#operation","title":"Operation","text":"<p>Workbenches are automatically generated upon the import of a file through an import connector. When an import connector is initiated, it scans files for recognizable entities and subsequently creates a workbench. All identified entities are placed within this workbench for analyst reviews. Alternatively, analysts have the option to manually create a workbench by clicking on the \"+\" icon at the bottom right of the \"Data import and analyst workbenches\" window.</p> <p></p> <p>The workbench being a draft space, the analysts use it to review connector proposals before finalizing them for import. Within the workbench, analysts have the flexibility to add, delete, or modify entities to meet specific requirements.</p> <p></p> <p>Once the content within the workbench is deemed acceptable, the analyst must initiate the ingestion process by clicking on <code>Validate this workbench</code>. This action signifies writing the data in the knowledge base.</p> <p>Workbenches are drafting spaces</p> <p>Until the workbench is validated, the contained data remains in draft form and is not recorded in the knowledge base. This ensures that only reviewed and approved data is officially integrated into the platform.</p> <p>For more information on importing files, refer to the Import from files documentation page.</p> <p>Confidence level of created knowledge through workbench</p> <p>The confidence level of knowledge created through workbench is affected by the confidence level of the user. Please navigate to this page to understand in more details.</p>"},{"location":"usage/workflows/","title":"Workflows and assignation","text":"<p>Efficiently manage and organize your work within the OpenCTI platform by leveraging workflows and assignment. These capabilities provide a structured approach to tracking the status of objects and assigning responsibilities to users.</p>"},{"location":"usage/workflows/#workflows","title":"Workflows","text":"<p>Workflows are designed to trace the status of objects in the system. They are represented by the \"Processing status\" field embedded in each object. By default, this field is disabled for most objects but can be activated through the platform settings. For details on activating and configuring workflows, refer to the dedicated documentation page.</p> <p>Enabling workflows enhances visibility into the progress and status of different objects, providing a comprehensive view for effective management.</p> <p></p>"},{"location":"usage/workflows/#assignment-attributes","title":"Assignment attributes","text":"<p>Certain objects, including Reports, Cases, and Tasks, come equipped with \"Assignees\" and \"Participants\" attributes. These attributes serve the purpose of designating individuals responsible for the object and those who actively participate in it.</p> <p>Attributes can be set as mandatory or with default values, streamlining the assignment process. Users can also be assigned or designated as participants manually, contributing to a collaborative and organized workflow. For details on configuring attributes, refer to the dedicated documentation page.</p> <p></p> <p>Users can stay informed about assignments through notification triggers. By setting up notification triggers, users receive alerts when an object is assigned to them. This ensures timely communication and proactive engagement with assigned tasks or responsibilities.</p>"}]}
\ No newline at end of file
diff --git a/6.0.X/sitemap.xml b/6.0.X/sitemap.xml
index 69415080..614aba90 100755
--- a/6.0.X/sitemap.xml
+++ b/6.0.X/sitemap.xml
@@ -2,422 +2,422 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
          <loc>https://docs.opencti.io/latest/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/csv-mappers/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/decay-rules/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/enterprise/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/entities/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/file-indexing/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/introduction/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/merging/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/notifier-samples/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/notifiers/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/ontologies/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/parameters/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/policies/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/reasoning/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/retentions/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/segregation/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/users/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/audit/configuration/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/audit/events/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/audit/overview/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/administration/audit/triggers/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/authentication/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/clustering/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/configuration/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/connectors/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/installation/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/integrations/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/managers/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/overview/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/resources/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/rollover/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/troubleshooting/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/deployment/upgrade/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/development/api-usage/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/development/connectors/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/development/environment_ubuntu/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/development/environment_windows/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/development/platform/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/development/python/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/api/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/data-intelligence/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/data-model/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/filters-migration/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/filters/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/fips/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/streaming/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/reference/taxonomy/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
-         <loc>https://docs.opencti.io/latest/usage/AskAI/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <loc>https://docs.opencti.io/latest/usage/ask-ai/</loc>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/automation/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/background-tasks/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/case-management/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/containers/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/dashboards/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/data-model/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/deduplication/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/enrichment/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-analysis/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-arsenal/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-cases/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-entities/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-events/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-locations/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-observations/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-techniques/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/exploring-threats/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/export/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/feeds/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/getting-started/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/import-automated/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/import-files/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/indicators-lifecycle/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/inferences/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/manual-creation/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/merging/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/nested/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/notifications/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/overview/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/pivoting/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/reliability-confidence/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/search/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/tips-widget-creation/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/widgets/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/workbench/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
     <url>
          <loc>https://docs.opencti.io/latest/usage/workflows/</loc>
-         <lastmod>2024-03-02</lastmod>
+         <lastmod>2024-03-08</lastmod>
          <changefreq>daily</changefreq>
     </url>
 </urlset>
\ No newline at end of file
diff --git a/6.0.X/sitemap.xml.gz b/6.0.X/sitemap.xml.gz
index 2f8e60f02351608e3a9f8dadd41df86fb7794c02..87501cbf0474d21dabf738700e61d3381b7e8b42 100755
GIT binary patch
literal 876
zcmV-y1C#t8iwFq)#_DAP|8r?{Wo=<_E_iKh0M(k!lG`>6$M1QH9p7m=X%A_~>)iST
z?YTpfkc3%^U_j7bzkMOgZQSJ6Lx<4C5=}`z{|(}U<nhb<l3p&r6)C^&KJE{@7s!Dk
z=IM3!$M3(n&$}<D568x-g1l(wTwiyyNcnXbuGj0nqQK%y-4jnk4YOX<;n6r8_P^{-
zA71oWAF!R>k7J^6TAxz&F_D7aUi7tsd!!+GfhxmsSUWx6<EtzbPoEB-es+hS+~Ko!
zd9*!s3$xD?j0|5-(PO$Dho_beX84EZKXCcDV8$x!MKv2jy*T}?MJ2R?93l9d<Cee-
zGGqZRj1>$Kqo5syM@--_M|jtvZv`5&FvS+`7e<&D;K`80nFL1!cGWM%kjMC&+YB&e
zp+u7*mr*?X1;miXg%Sos3N!dh*^swjHHW;OnUT1{#4veF5u{Z^L(aE|G6c#aPK{0J
zyrIKIE!vpeq!rx-;cAOo7^kUc(~eLQ-4?Y6C6;;hbfIsHej*O3RgKj>2a{)76At6w
zz!`#&4fDlZ#iwLOT`lx9PW!$yiznX2XK%%obssFASQ#oc4q!r9rj%B3EwBnxJ8OAA
zlh(~PLPRU-5h8SqdVxe`OBV{dR@Eh#pfwT8zTrZ?AX8q?|7_=$rJ2LNVvcmRA$QTX
zk$ABIdy~226o+91)<#%8gaOLv#k(~bO9`iYixFmhJ0t_JBc^pi)h#%6Ui<vOY=X2{
zz^uaHm!8wGZ>-|qDbsT67IjOze0_5sdxva7OW&h@13mljHfhC>qZ3uOc8(i-1-F&t
z_oSe6TFT-v_v}$O(CF)YCeN{d(C#yU2Pni=Qty+>8!KeSFdG<8@Lm$F^WIK9K)O||
zc7VBpGMnLD9jzU8yWgVq190C<k>BI$EuGKUe@{&33VbmJEfD66Uz;IAmRSoN3zkgW
zdvqHCy3fBRkabbPRq-qkJEz5E{oCE67_)-A?%(a*4lu_xw<WGF;RxXt5_FIJnCR$T
zTP<&!PcE#Ewg2Lw_f60nW!BT~$N#p`*+!<-{Z@kwv*4xgRqzdyA)!BGLb<v7eyP~?
zip&OG!E=~9hZHQ;T`_9nV#T9ww7olkEAiV|znTqjj_H3{k-vXbkkemFoNzIWIRF69
C9=8Di

literal 881
zcmV-%1CIP3iwFqj^WtR!|8r?{Wo=<_E_iKh0M(kYlH)cEhWmSp9rv{MHYt*f*EiQ>
zCVf(8XcCezOA$N(wAXJR%5rkfU6&$5sIf#-(q|a_0gya=dSBAh8Ca0=>+a+JdG`c4
zP{cgF?*91wSNGHI)A7ThauU#|);Y`TZdNV748!Ge*$XNxzQ~?<8YIl^LWX<e@Vx(d
zcl_|wj`acC+3h$a3di*+(jF5jwA)L2t>PYONM1p7I1Fp2$9uf!Lh<<W{PLrF{=q%J
zv@Z9yhi+l^d4iGQ%Q1RP*TeA8vcU}h(EJB39~aCh%3hnzh9GCxerstaw1ONV_^acZ
zzzi~E1ul#NhKNzoj)g}|;4nvcZ$sY-G-hRrHQX+YFfYK9Arog(91+-wUy32c_?z1d
zFlD7glOf3{p8W!9$i{^d216ER@Iu*;T5xlRyq=jcvB1PIc}o$bilHIrYeXFa<q@aK
zrtG|-!?}61F>_O^=*|ciThz)pO+CAIgp%mGG=FHsI<HC>`u6At;*hGeSlx3ld89QV
z82<*&5R`1VFJ@7nk{Ro^La)VX-*;y5z`OYDtw>q-!Qz3HL8x*76NY6<X*I3|R%NQE
zR^HFl>Sh}uqL!uz5jsXaL!z>!3k6-3CJ82JO~kUVxRB4tl-Kh=>#1g~=CCiABVBBm
zyR^2Ec(DO{)w$yohhYS6jj$?&0m|sryEPe038!0&5$5)GNCsd>OzVWITX5>U_W6$4
z1ZlB=DazoNp3|_etm@w>({k+=bxXTG%iHJQI%o7%Y3X~=Z=fe1-lkSC<mlAPn{<vF
zynx#(@>@>OIW1-Nn0pq~4K#Y0PvklF588bKa0i80OX_`2d1Hml7-j?G3EoShb=uoC
z1xQyxu>;HkjoA$EDztX2+x-r$?|}PWiToC~-O~Al{kOz)65z8jXoWCm{89}$vd*o(
zvEa$Xy+^kZp!@u50$tY>oTz7o*f}jO>)-C~#h4Y`b^C7bet<cyxh=7{gd>D&NYFj<
zeV(It+qUwy`sBhYto;`cz3+kED04gQe*ACyoNZ)U-S0HmFbkghUIgDT84~&vCe*9D
zZI_B&FUV}r0-nR%Iiz9{cfr^a7b}Xo(e^F?7vi^5`)W48Ii~+*LH_n3pvS)er<$Po
Hi#Y%QWZlZp

diff --git a/6.0.X/usage/AskAI/index.html b/6.0.X/usage/ask-ai/index.html
similarity index 92%
rename from 6.0.X/usage/AskAI/index.html
rename to 6.0.X/usage/ask-ai/index.html
index d6391b41..3146b16c 100755
--- a/6.0.X/usage/AskAI/index.html
+++ b/6.0.X/usage/ask-ai/index.html
@@ -12,7 +12,7 @@
         <meta name="author" content="Filigran">
       
       
-        <link rel="canonical" href="https://docs.opencti.io/latest/usage/AskAI/">
+        <link rel="canonical" href="https://docs.opencti.io/latest/usage/ask-ai/">
       
       
         <link rel="prev" href="../merging/">
@@ -2034,6 +2034,23 @@
         
       
       
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          
+  
+  <span class="md-ellipsis">
+    
+  
+    Ask AI
+  
+
+    
+  </span>
+  
+  
+
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
       <a href="./" class="md-nav__link md-nav__link--active">
         
   
@@ -2050,6 +2067,114 @@
 
       </a>
       
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+    
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#prerequisites-for-using-ask-ai" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Prerequisites for using Ask AI
+      
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#how-it-works" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        How it works
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="How it works">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#filigran-custom-model" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Filigran custom model
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#functionalities-of-ask-ai" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Functionalities of Ask AI
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Functionalities of Ask AI">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#assistance-for-writing-meaningful-content" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Assistance for writing meaningful content
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#assistance-for-importing-data-from-documents" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Assistance for importing data from documents
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#improving-generated-elements-of-ask-ai" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Improving generated elements of Ask AI
+      
+    </span>
+  </a>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
     </li>
   
 
@@ -4280,6 +4405,103 @@
     
   
   
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#prerequisites-for-using-ask-ai" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Prerequisites for using Ask AI
+      
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#how-it-works" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        How it works
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="How it works">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#filigran-custom-model" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Filigran custom model
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#functionalities-of-ask-ai" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Functionalities of Ask AI
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Functionalities of Ask AI">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#assistance-for-writing-meaningful-content" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Assistance for writing meaningful content
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#assistance-for-importing-data-from-documents" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Assistance for importing data from documents
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#improving-generated-elements-of-ask-ai" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Improving generated elements of Ask AI
+      
+    </span>
+  </a>
+  
+</li>
+      
+    </ul>
+  
 </nav>
                   </div>
                 </div>
@@ -4358,7 +4580,7 @@
 
 
   
-    <a href="https://github.com/OpenCTI-Platform/docs/blob/main/docs/usage/AskAI.md" title="Edit this page" class="md-content__button md-icon">
+    <a href="https://github.com/OpenCTI-Platform/docs/blob/main/docs/usage/ask-ai.md" title="Edit this page" class="md-content__button md-icon">
       
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4v-2m10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1 2.1 2.1Z"/></svg>
     </a>
@@ -4367,7 +4589,7 @@
     
       
     
-    <a href="https://github.com/OpenCTI-Platform/docs/raw/main/docs/usage/AskAI.md" title="View source of this page" class="md-content__button md-icon">
+    <a href="https://github.com/OpenCTI-Platform/docs/raw/main/docs/usage/ask-ai.md" title="View source of this page" class="md-content__button md-icon">
       
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.15 8.15 0 0 1-1.23-2Z"/></svg>
     </a>
@@ -4380,11 +4602,7 @@ <h1 id="ask-ai">Ask AI</h1>
 <p>Ask AI is available under the "Filigran Entreprise Edition" license.</p>
 <p><a href="../../administration/enterprise/">Please read the dedicated page to have all information</a></p>
 </div>
-<div class="admonition tip">
-<p class="admonition-title">Beta Feature</p>
-<p>Ask AI is a beta feature as we are currently fine-tuning our models. Consider checking important information.</p>
-</div>
-<h1 id="prerequisites-for-using-ask-ai">Prerequisites for using Ask AI</h1>
+<h2 id="prerequisites-for-using-ask-ai">Prerequisites for using Ask AI</h2>
 <p>There are several possibilities for Enterprise Edition customers to use OpenCTI AI endpoints:</p>
 <ul>
 <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li>
@@ -4392,10 +4610,20 @@ <h1 id="prerequisites-for-using-ask-ai">Prerequisites for using Ask AI</h1>
 <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li>
 </ul>
 <p><a href="../../deployment/configuration/">Please read the configuration documentation</a></p>
-<h1 id="functionalities-of-ask-ai">Functionalities of Ask AI</h1>
+<div class="admonition info">
+<p class="admonition-title">Beta Feature</p>
+<p>Ask AI is a beta feature as we are currently fine-tuning our models. Consider checking important information.</p>
+</div>
+<h2 id="how-it-works">How it works</h2>
+<p>Even if in the future, we would like to leverage AI to do <a href="https://blogs.nvidia.com/blog/what-is-retrieval-augmented-generation/">RAG</a>, for the moment we are mostly using AI to analyze and produce texts or images, based on data directly sent into the prompt.</p>
+<p>This means that if you are using Filigran AI endpoint or a local one, your data is never used to re-train or adapt the model and everything relies on a pre-trained and fixed model. When using the <code>Ask AI</code> button in the platform, a prompt is generated with the proper instruction to generate the expected result and use it in the context of the button (in forms, rich text editor etc.).</p>
+<h3 id="filigran-custom-model">Filigran custom model</h3>
+<p>We are hosting a scalable AI endpoint for all SaaS or On-Prem enterprise edition customers, this endpoint is based on MistralAI with a model that will be adapted over time to be more effective when processing threat intelligence related contents.</p>
+<p>The model, which is still in beta version, will be adapted in the upcoming months to reach maturity at the end of 2024. It can be shared with on-prem enterprise edition customers under NDA.</p>
+<h2 id="functionalities-of-ask-ai">Functionalities of Ask AI</h2>
 <p>Ask AI is represented by a dedicated icon wherever on of its functionalities is available to use.</p>
 <p><a class="glightbox" href="../assets/askai_icon.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="Create a new playbook" src="../assets/askai_icon.png" /></a></p>
-<h2 id="assistance-for-writing-menaningful-content">Assistance for writing menaningful content</h2>
+<h3 id="assistance-for-writing-meaningful-content">Assistance for writing meaningful content</h3>
 <p>Ask AI can assist you for writing better textual content, for example better title, name, description and detailed content of Objects.</p>
 <ul>
 <li>Fix spelling &amp; grammar: try to improve the text from a formulation and grammar perspective.  </li>
@@ -4404,7 +4632,7 @@ <h2 id="assistance-for-writing-menaningful-content">Assistance for writing menan
 <li>Summarize: try to summarize the text in bullet points.</li>
 <li>Explain: try to explain the context of the subject's text based on what is available to the LLM.</li>
 </ul>
-<h2 id="assistance-for-importing-data-from-documents">Assistance for importing data from documents</h2>
+<h3 id="assistance-for-importing-data-from-documents">Assistance for importing data from documents</h3>
 <p>Fom the Content tab of a Container (Reports, Groupings and Cases), Ask AI can also assist you for importing data contained in uploaded documents into OpenCTI for further exploitation.</p>
 <ul>
 <li>Generate report document: Generate a text report based on the knowledge graph (entities and relationships) of this container.</li>
@@ -4413,8 +4641,8 @@ <h2 id="assistance-for-importing-data-from-documents">Assistance for importing d
 </ul>
 <p><a class="glightbox" href="../assets/askai_generatereport.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="Generating report with Ask AI" src="../assets/askai_generatereport.png" /></a></p>
 <p><a class="glightbox" href="../assets/askai_generatedcontent.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="Example of a generated content" src="../assets/askai_generatedcontent.png" /></a></p>
-<p>A short video on the FiligranHQ Youtube channel presents tha capabilities of AskAI: https://www.youtube.com/watch?v=lsP3VVsk5ds</p>
-<h1 id="improving-generated-elements-of-ask-ai">Improving generated elements of Ask AI</h1>
+<p>A short video on the FiligranHQ YouTube channel presents tha capabilities of AskAI: https://www.youtube.com/watch?v=lsP3VVsk5ds.</p>
+<h2 id="improving-generated-elements-of-ask-ai">Improving generated elements of Ask AI</h2>
 <p>Be aware that the text quality is highly dependent on the capabilities of the associated LLM.</p>
 <p>That is why every generated text by Ask AI is provided in a dedicated panel, allowing you to verify and rectify any error the LLM could have made.</p>
 
@@ -4439,7 +4667,7 @@ <h1 id="improving-generated-elements-of-ask-ai">Improving generated elements of
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-03-01T11:19:18+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-03-01</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-03-08T08:05:36+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-03-08</span>
   </span>
 
     
@@ -4467,9 +4695,9 @@ <h1 id="improving-generated-elements-of-ask-ai">Improving generated elements of
     
     <nav>
       
-        <a href="https://github.com/Jipegien" class="md-author" title="@Jipegien">
+        <a href="https://github.com/SamuelHassine" class="md-author" title="@SamuelHassine">
           
-          <img src="https://avatars.githubusercontent.com/u/104078945?v=4&size=72" alt="Jipegien">
+          <img src="https://avatars.githubusercontent.com/u/1334279?v=4&size=72" alt="SamuelHassine">
         </a>
       
       
diff --git a/6.0.X/usage/automation/index.html b/6.0.X/usage/automation/index.html
index d8084a5b..be9ddcaa 100755
--- a/6.0.X/usage/automation/index.html
+++ b/6.0.X/usage/automation/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/background-tasks/index.html b/6.0.X/usage/background-tasks/index.html
index c63e9f68..1f31fae2 100755
--- a/6.0.X/usage/background-tasks/index.html
+++ b/6.0.X/usage/background-tasks/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/case-management/index.html b/6.0.X/usage/case-management/index.html
index e28a3528..712cc0f2 100755
--- a/6.0.X/usage/case-management/index.html
+++ b/6.0.X/usage/case-management/index.html
@@ -15,7 +15,7 @@
         <link rel="canonical" href="https://docs.opencti.io/latest/usage/case-management/">
       
       
-        <link rel="prev" href="../AskAI/">
+        <link rel="prev" href="../ask-ai/">
       
       
         <link rel="next" href="../notifications/">
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -4607,7 +4607,7 @@ <h2 id="use-case-example-a-suspicious-observable-is-sighted-by-a-defense-system-
       <nav class="md-footer__inner md-grid" aria-label="Footer" >
         
           
-          <a href="../AskAI/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Ask AI">
+          <a href="../ask-ai/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Ask AI">
             <div class="md-footer__button md-icon">
               
               <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
diff --git a/6.0.X/usage/containers/index.html b/6.0.X/usage/containers/index.html
index 50430ec9..40fccd1f 100755
--- a/6.0.X/usage/containers/index.html
+++ b/6.0.X/usage/containers/index.html
@@ -2160,7 +2160,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/dashboards/index.html b/6.0.X/usage/dashboards/index.html
index fd47759b..4076c983 100755
--- a/6.0.X/usage/dashboards/index.html
+++ b/6.0.X/usage/dashboards/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/data-model/index.html b/6.0.X/usage/data-model/index.html
index 9bb165ba..fc7fb51e 100755
--- a/6.0.X/usage/data-model/index.html
+++ b/6.0.X/usage/data-model/index.html
@@ -2160,7 +2160,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/deduplication/index.html b/6.0.X/usage/deduplication/index.html
index b26e13cf..f594f389 100755
--- a/6.0.X/usage/deduplication/index.html
+++ b/6.0.X/usage/deduplication/index.html
@@ -2132,7 +2132,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/enrichment/index.html b/6.0.X/usage/enrichment/index.html
index 39cfab84..a7b20c04 100755
--- a/6.0.X/usage/enrichment/index.html
+++ b/6.0.X/usage/enrichment/index.html
@@ -2093,7 +2093,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-analysis/index.html b/6.0.X/usage/exploring-analysis/index.html
index c096e205..37e6bd54 100755
--- a/6.0.X/usage/exploring-analysis/index.html
+++ b/6.0.X/usage/exploring-analysis/index.html
@@ -2215,7 +2215,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-arsenal/index.html b/6.0.X/usage/exploring-arsenal/index.html
index af6dcca2..1abfa974 100755
--- a/6.0.X/usage/exploring-arsenal/index.html
+++ b/6.0.X/usage/exploring-arsenal/index.html
@@ -2227,7 +2227,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-cases/index.html b/6.0.X/usage/exploring-cases/index.html
index 9751778f..710f471d 100755
--- a/6.0.X/usage/exploring-cases/index.html
+++ b/6.0.X/usage/exploring-cases/index.html
@@ -2182,7 +2182,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-entities/index.html b/6.0.X/usage/exploring-entities/index.html
index 88674708..0010b68b 100755
--- a/6.0.X/usage/exploring-entities/index.html
+++ b/6.0.X/usage/exploring-entities/index.html
@@ -2266,7 +2266,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-events/index.html b/6.0.X/usage/exploring-events/index.html
index 7bbe31cd..c2908864 100755
--- a/6.0.X/usage/exploring-events/index.html
+++ b/6.0.X/usage/exploring-events/index.html
@@ -2188,7 +2188,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-locations/index.html b/6.0.X/usage/exploring-locations/index.html
index cee94458..6b91e862 100755
--- a/6.0.X/usage/exploring-locations/index.html
+++ b/6.0.X/usage/exploring-locations/index.html
@@ -2266,7 +2266,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-observations/index.html b/6.0.X/usage/exploring-observations/index.html
index 57371803..42abdd46 100755
--- a/6.0.X/usage/exploring-observations/index.html
+++ b/6.0.X/usage/exploring-observations/index.html
@@ -2227,7 +2227,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-techniques/index.html b/6.0.X/usage/exploring-techniques/index.html
index 667c1fad..eba95187 100755
--- a/6.0.X/usage/exploring-techniques/index.html
+++ b/6.0.X/usage/exploring-techniques/index.html
@@ -2227,7 +2227,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/exploring-threats/index.html b/6.0.X/usage/exploring-threats/index.html
index 0c861073..d9df9aaa 100755
--- a/6.0.X/usage/exploring-threats/index.html
+++ b/6.0.X/usage/exploring-threats/index.html
@@ -2177,7 +2177,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/export/index.html b/6.0.X/usage/export/index.html
index eebef2cf..7e4b5f6b 100755
--- a/6.0.X/usage/export/index.html
+++ b/6.0.X/usage/export/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/feeds/index.html b/6.0.X/usage/feeds/index.html
index fe5fbc47..23711681 100755
--- a/6.0.X/usage/feeds/index.html
+++ b/6.0.X/usage/feeds/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/getting-started/index.html b/6.0.X/usage/getting-started/index.html
index 8906bc77..4e005768 100755
--- a/6.0.X/usage/getting-started/index.html
+++ b/6.0.X/usage/getting-started/index.html
@@ -2127,7 +2127,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/import-automated/index.html b/6.0.X/usage/import-automated/index.html
index 6c96645b..3961e823 100755
--- a/6.0.X/usage/import-automated/index.html
+++ b/6.0.X/usage/import-automated/index.html
@@ -2182,7 +2182,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/import-files/index.html b/6.0.X/usage/import-files/index.html
index 2b966e80..5bf8cfc2 100755
--- a/6.0.X/usage/import-files/index.html
+++ b/6.0.X/usage/import-files/index.html
@@ -2193,7 +2193,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/indicators-lifecycle/index.html b/6.0.X/usage/indicators-lifecycle/index.html
index d7f740a7..5878829d 100755
--- a/6.0.X/usage/indicators-lifecycle/index.html
+++ b/6.0.X/usage/indicators-lifecycle/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/inferences/index.html b/6.0.X/usage/inferences/index.html
index fa6ca4d1..fc42bce2 100755
--- a/6.0.X/usage/inferences/index.html
+++ b/6.0.X/usage/inferences/index.html
@@ -2137,7 +2137,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/manual-creation/index.html b/6.0.X/usage/manual-creation/index.html
index 87c5c926..6bb1062b 100755
--- a/6.0.X/usage/manual-creation/index.html
+++ b/6.0.X/usage/manual-creation/index.html
@@ -2132,7 +2132,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/merging/index.html b/6.0.X/usage/merging/index.html
index 5bad96d3..106c4cd8 100755
--- a/6.0.X/usage/merging/index.html
+++ b/6.0.X/usage/merging/index.html
@@ -18,7 +18,7 @@
         <link rel="prev" href="../enrichment/">
       
       
-        <link rel="next" href="../AskAI/">
+        <link rel="next" href="../ask-ai/">
       
       
         
@@ -2126,7 +2126,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -4650,7 +4650,7 @@ <h2 id="additional-resources">Additional resources</h2>
         
         
           
-          <a href="../AskAI/" class="md-footer__link md-footer__link--next" aria-label="Next: Ask AI">
+          <a href="../ask-ai/" class="md-footer__link md-footer__link--next" aria-label="Next: Ask AI">
             <div class="md-footer__title">
               <span class="md-footer__direction">
                 Next
diff --git a/6.0.X/usage/nested/index.html b/6.0.X/usage/nested/index.html
index 73355522..b2977e09 100755
--- a/6.0.X/usage/nested/index.html
+++ b/6.0.X/usage/nested/index.html
@@ -2149,7 +2149,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/notifications/index.html b/6.0.X/usage/notifications/index.html
index 0f9ee30b..eeb508fe 100755
--- a/6.0.X/usage/notifications/index.html
+++ b/6.0.X/usage/notifications/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/overview/index.html b/6.0.X/usage/overview/index.html
index d2c70973..0168579f 100755
--- a/6.0.X/usage/overview/index.html
+++ b/6.0.X/usage/overview/index.html
@@ -2271,7 +2271,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/pivoting/index.html b/6.0.X/usage/pivoting/index.html
index fdead650..102682e4 100755
--- a/6.0.X/usage/pivoting/index.html
+++ b/6.0.X/usage/pivoting/index.html
@@ -2149,7 +2149,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/reliability-confidence/index.html b/6.0.X/usage/reliability-confidence/index.html
index f6510171..47424de7 100755
--- a/6.0.X/usage/reliability-confidence/index.html
+++ b/6.0.X/usage/reliability-confidence/index.html
@@ -2238,7 +2238,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/search/index.html b/6.0.X/usage/search/index.html
index b65bf736..15b3aba6 100755
--- a/6.0.X/usage/search/index.html
+++ b/6.0.X/usage/search/index.html
@@ -2132,7 +2132,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/tips-widget-creation/index.html b/6.0.X/usage/tips-widget-creation/index.html
index 5ca1422c..fdb1fd2b 100755
--- a/6.0.X/usage/tips-widget-creation/index.html
+++ b/6.0.X/usage/tips-widget-creation/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/widgets/index.html b/6.0.X/usage/widgets/index.html
index df04d6bc..fac28144 100755
--- a/6.0.X/usage/widgets/index.html
+++ b/6.0.X/usage/widgets/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/workbench/index.html b/6.0.X/usage/workbench/index.html
index 79f28148..fc6e7947 100755
--- a/6.0.X/usage/workbench/index.html
+++ b/6.0.X/usage/workbench/index.html
@@ -2121,7 +2121,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
diff --git a/6.0.X/usage/workflows/index.html b/6.0.X/usage/workflows/index.html
index 694b09ea..31d6f998 100755
--- a/6.0.X/usage/workflows/index.html
+++ b/6.0.X/usage/workflows/index.html
@@ -2025,7 +2025,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../AskAI/" class="md-nav__link">
+      <a href="../ask-ai/" class="md-nav__link">
         
   
   <span class="md-ellipsis">