diff --git a/6.2.18/404.html b/6.2.18/404.html deleted file mode 100755 index 354a6b7d..00000000 --- a/6.2.18/404.html +++ /dev/null @@ -1,3826 +0,0 @@ - - - -
- - - - - - - - - - - - - - - - - - -Enterprise edition
-Activity unified interface and logging are available under the "OpenCTI Enterprise Edition" license.
- -As explained in the overview page, all administration actions are listened by default. -However, all knowledge are not listened by default due to performance impact on the platform.
-For this reason you need to explicitly activate extended listening on user / group or organization.
- -Listening will start just after the configuration. Every past events will not be taken into account.
- - - - - - - - - - - - - - - - - - - - - - - - -Enterprise edition
-Activity unified interface and logging are available under the "OpenCTI Enterprise Edition" license.
- -OpenCTI activity capability is the way to unified whats really happen in the platform. -In events section you will have access to the UI that will answer to "who did what, where, and when?" within your data with the maximum level of transparency.
- -By default, the events screen only show you the administration actions done by the users.
-If you want to see also the information about the knowledge, you can simply activate the filter in the bar to get the complete overview of all user actions.
-Don't hesitate to read again the overview page to have a better understanding of the difference between Audit, Basic/Extended knowledge.
- - - - - - - - - - - - - - - - - - - - - - - - -Enterprise edition
-Activity unified interface and logging are available under the "OpenCTI Enterprise Edition" license.
- -OpenCTI activity capability is the way to unify what's really happening in the platform. -With this feature you will be able to answer "who did what, where, and when?" within your data with the maximum level of transparency.
-Enabling activity helps your security, auditing, and compliance entities monitor platform for possible vulnerabilities or external data misuse.
-The activity groups 3 different concepts that need to be explained.
-The basic knowledge refers to all STIX data knowledge inside OpenCTI. Every create/update/delete action on that knowledge is accessible through the history. That basic activity is handled by the history manager and can also be found directly on each entity.
-The extended knowledge refers to extra information data to track specific user activity. As this kind of tracking is expensive, the tracking will only be done for specific users/groups/organizations explicitly configured in the configuration window.
-Audit is focusing on user administration or security actions. -Audit will produce console/logs files along with user interface elements.
-{
- "auth": "<User information>",
- "category": "AUDIT",
- "level": "<info | error>",
- "message": "<human readable explanation>",
- "resource": {
- "type": "<authentication | mutation>",
- "event_scope": "<depends on type>",
- "event_access": "<administration>",
- "data": "<contextual data linked to the event type>",
- "version": "<version of audit log format>"
- },
- "timestamp": "<event date>",
- "version": "<platform version>"
-}
-
OpenCTI uses different mechanisms to be able to publish actions (audit) or data modification (history)
- - -Administration or security actions
-With Enterprise edition activated, Administration and security actions are always written; you can't configure, exclude, or disable them
-Supported
-Not supported for now
-Not applicable
-- | Create | -Delete | -Edit | -
---|---|---|---|
Remote OCTI Streams | -- | - | - |
- | Create | -Delete | -Edit | -
---|---|---|---|
CSV Feeds | -- | - | - |
TAXII Feeds | -- | - | - |
Stream Feeds | -- | - | - |
- | Create | -Delete | -Edit | -
---|---|---|---|
Connectors | -- | - | State reset | -
Works | -- | - | - |
- | Create | -Delete | -Edit | -
---|---|---|---|
Platform parameters | -- | - | - |
- | Create | -Delete | -Edit | -
---|---|---|---|
Roles | -- | - | - |
Groups | -- | - | - |
Users | -- | - | - |
Sessions | -- | - | - |
Policies | -- | - | - |
- | Create | -Delete | -Edit | -
---|---|---|---|
Entity types | -- | - | - |
Rules engine | -- | - | - |
Retention policies | -- | - | - |
- | Create | -Delete | -Edit | -
---|---|---|---|
Status templates | -- | - | - |
Case templates + tasks | -- | - | - |
- | Listen | -- | - |
---|---|---|---|
Login (success or fail) | -- | - | - |
Logout | -- | - | - |
Unauthorized access | -- | - | - |
Extended knowledge
-Extented knowledge activity are written only if you activate the feature for a subset of users / groups or organizations
-Some history actions are already included in the "basic knowledge". (basic marker)
-- | Read | -Create | -Delete | -Edit | -
---|---|---|---|---|
Platform knowledge | -- | basic | -basic | -basic | -
Background tasks knowledge | -- | - | - | - |
Knowledge files | -- | basic | -basic | -- |
Global data import files | -- | - | - | - |
Analyst workbenches files | -- | - | - | - |
Triggers | -- | - | - | - |
Workspaces | -- | - | - | - |
Investigations | -- | - | - | - |
User profile | -- | - | - | - |
- | Supported | -- | - | - |
---|---|---|---|---|
Ask for file import | -- | - | - | - |
Ask for data enrichment | -- | - | - | - |
Ask for export generation | -- | - | - | - |
Execute global search | -- | - | - | - |
Enterprise edition
-Activity unified interface and logging are available under the "OpenCTI Enterprise Edition" license.
- -Having all the history in the user interface (events) is sometimes not enough to have a proactive monitoring. For this reason, you can configure some specific triggers to receive notifications on audit events. -You can configure like personal triggers, lives one that will be sent directly or digest depending on your needs.
-In this type of trigger, you will need to configure various options:
-In order to correctly configure the filters, here's a definition of the event structure
-Event type: authentication
login
and logout
Event type: read
read
and unauthorized
Event type: file
read
, create
and delete
Event type: mutation
unauthorized
, update
, create
and delete
Event type: command
search
, enrich
, import
and export
In OpenCTI, CSV Mappers allow to parse CSV files in a STIX 2.1 Object. The mappers are created and configured by users with the Manage CSV mapper capability. Then, they are available to users who import CSV files, for instance inside a report or in the global import view.
-The mapper contains representations of STIX 2.1 entities and relationships, in order for the parser to properly extract them. One mapper is dedicated to parsing a specific CSV file structure, and thus dedicated mappers should be created for every specific CSV structure you might need to ingest in the platform.
-In menu Data, select the submenu Processing, and on the right menu select CSV Mappers. You are presented with a list of all the mappers set in the platform. Note that you can delete or update any mapper from the context menu via the burger button beside each mapper.
-Click on the button + in the bottom-right corner to add a new Mapper.
-Enter a name for your mapper and some basic information about your CSV files:
-Header management
-The parser will not extract any information from the CSV header if any, it will just skip the first line during parsing.
-Then, you need to create every representation, one per entity and relationship type represented in the CSV file. -Click on the + button to add an empty representation in the list, and click on the chevron to expand the section and configure the representation.
-Depending on the entity type, the form contains the fields that are either required (input outlined in red) or optional. -For each field, set the corresponding columns mapping (the letter-based index of the column in the CSV table, as presented in common spreadsheet tools).
-References to other entities should be picked from the list of all the other representations already defined earlier in the mapper.
-You can do the same for all the relationships between entities that might be defined in this particular CSV file structure.
- -Fields might have options besides the mandatory column index, to help extract relevant data:
-+
or |
)Or to set default values in case some data is missing in the imported file.
- -The only parameter required to save a CSV Mapper is a name. The creation and refinement of its representations can be done iteratively.
-Nonetheless, all CSV Mappers go through a quick validation that checks if all the representations have all their mandatory fields set. -Only valid mappers can be run by the users on their CSV files.
-Mapper validity is visible in the list of CSV Mappers as shown below.
- -In the creation or edition form, hit the button Test to open a dialog. Select a sample CSV file and hit the Test button.
-The code block contains the raw result of the parsing attempt, in the form of a STIX 2.1 bundle in JSON format.
-You can then check if the extracted values match the expected entities and relationships.
- -Partial test
-The test conducted in this window relies only on the translation of CSV data according to the chosen representation in the mapper. It does not take into account checks for accurate entity formatting (e.g. IPv4) or specific entity configurations (e.g. mandatory "description" field on reports). Consequently, the entities visible in the test window may not be created during the actual import process.
-Test with a small file
-We strongly recommend limiting test files to 100 lines and 1MB. Otherwise, the browser may crash.
-You can change the default configuration of the import csv connector in your configuration file.
-"import_csv_built_in_connector": {
- "enabled": true,
- "interval": 10000,
- "validate_before_import": false
-},
-
In Data import section, or Data tab of an entity, when you upload a CSV, you can select a mapper to apply to the file. -The file will then be parsed following the representation rules set in the mapper.
-By default, the imported elements will be added in a new Analyst Workbench where you will be able to check the result of the import.
-In the case of the CSV file misses some data, you can complete it with default values. To achieve this, you have two possibilities:
-Default value mechanisms
-Note that adding default values in settings have an impact at entity creation globally on the platform, not only on CSV mappers. If you want to apply those default values only at CSV mapper level, please use the second option.
-In settings > Customization, you can select an entity type and then set default values for its attributes.
- -In the configuration of the entity, you have access to the entity's attributes that can be managed.
-Click on the attribute to add a default value information.
- -Enter the default value in the input and save the update.
- -The value filled will be used in the case where the CSV file lacks data for this attribute.
-Information retained in case of default value
-If you fill a default value in entity settings and the CSV mapper, the one from CSV mapper will be used.
-In the mapper form, you will see next to the column index input a gear icon to add extra information for the attribute. If the attribute can have a customizable default value, then you will be able to set one here.
- -The example above shows the case of the attribute architecture implementation
of a malware. You have some information here. First, it seems we have a default value already set in entity settings for this attribute with the value [powerpc, x86]
. However, we want to override this value with another one for our case: [alpha]
.
For marking definitions, setting a default value is different from other attributes. We are not choosing a particular marking definition to use if none is specified in the CSV file. Instead, we will choose a default policy. Two option are available:
-Decay rules are used to update automatically indicators score in order to represent their lifecycle.
-Decay rules can be configured in the "Settings > Customization > Decay rule" menu.
- -There are built-in decay rules that can't be modified and are applied by default to indicators depending on their main observable type. -Decay rules are applied from highest to lowest order (the lowest being 0).
-You can create new decay rules with higher order to apply them along with (or instead of) the built-in rules.
- -When you create a decay rule, you can specify on which indicators' main observable types it will apply. If you don't enter any, it will apply to all indicators.
-You can also add reaction points which represent the scores at which indicators are updated. For example, if you add one reaction point at 60 and another one at 40, indicators that have an initial score of 80 will be updated with a score of 60, then 40, depending on the decay curve.
-The decay curve is based on two parameters:
-Finally, the revoke score is the score at which the indicator can be revoked automatically.
- -Once you have created a new decay rule, you will be able to view its details, along with a life curve graph showing the score evolution over time.
-You will also be able to edit your rule, change all its parameters and order, activate or deactivate it (only activated rules are applied), or delete it.
- -Indicator decay manager
-Decay rules are only applied, and indicators score updated, if indicator decay manager is enabled (enabled by default).
- -Filigran
-Filigran is providing an Enterprise Edition of the platform, whether on-premise or in the SaaS.
-OpenCTI Enterprise Edition is based on the open core concept. This means that the source code of OCTI EE remains open source and included in the main GitHub repository of the platform but is published under a specific license. As specified in the GitHub license file:
-The source files in this repository have a header indicating which license they are under. If no such header is provided, this means that the file belongs to the Community Edition under the Apache License, Version 2.0.
-We wrote a complete article to explain the enterprise edition, feel free to read it to have more information
-Enterprise edition is easy to activate. You need to go the platform settings and click on the Activate button.
- -Then you will need to agree to the Filigran EULA.
- -As a reminder:
-Audit logs help you answer "who did what, where, and when?" within your data with the maximum level of transparency. Please read Activity monitoring page to get all information.
-OpenCTI playbooks are flexible automation scenarios which can be fully customized and enabled by platform administrators to enrich, filter and modify the data created or updated in the platform. Please read Playbook automation page to get all information.
-Organizations segregation is a way to segregate your data considering the organization associated to the users. Useful when your platform aims to share data to multiple organizations that have access to the same OpenCTI platform. Please read Organizations RBAC to get more information.
-Full text indexing grants improved searches across structured and unstructured data. OpenCTI classic searches are based on metadata fields (e.g. title, description, type) while advanced indexing capability enables searches to be extended to the document’s contents. Please read File indexing to get all information.
-More features will be available in OpenCTI in the future. Features like:
-A variety of entity customization options are available to optimize data representation, workflow management, and enhance overall user experience. Whether you're fine-tuning processing statuses, configuring entities' attributes, or hiding entities, OpenCTI's customization capabilities provide the flexibility you need to create a tailored environment for your threat intelligence and cybersecurity workflows.
-The following chapter aims to provide readers with an understanding of the available customization options by entity type. Customize entities can be done in "Settings > Customization".
- -This configuration allows to hide a specific entity type throughout the entire platform. It provides a potent means to simplify the interface and tailor it to your domain expertise. For instance, if you have no interest in disinformation campaigns, you can conceal related entities such as Narratives and Channels from the menus.
-You can specify which entities to hide on a platform-wide basis from "Settings > Customization" and from "Settings > Parameters", providing you with a list of hidden entities. Furthermore, you can designate hidden entities for specific Groups and Organizations from "Settings > Security > Groups/Organizations" by editing a Group/Organization.
-An overview of hidden entity types is available in the "Hidden entity types" field in "Settings > Parameters."
-This configuration enables an entity to automatically construct an external reference from the uploaded file.
-This configuration enables the requirement of a reference message on an entity creation or modification. This option is helpful if you want to keep a strong consistency and traceability of your knowledge and is well suited for manual creation and update.
- - -For now, OpenCTI has a simple workflow approach. They're represented by the "Processing status" field embedded in each object. By default, this field is disabled for most objects but can be activated through the platform settings:
-In addition, the available statuses are defined by a collection of status templates visible in "Settings > Taxonomies > Status templates". This collection can be customized.
- -Each attribute in an Entity offers several customization options:
-Confidence scale can be customized for each entity type by selecting another scale template or by editing directly the scale values. -Once you have customized your scale, click on "Update" to save your configuration.
- -Max confidence level
-The above scale also needs to take into account the confidence level per user. To understand the concept, please navigate to this page
-At the platform level, the Overview layout tab of the containers can be rearranged to fit the users needs. -The widgets can be reordered or extended to their full width.
- -To reset the layout to its default version, click the button next to the section title.
- - - - - - - - - - - - - - - - - - - - - - - - -Enterprise edition
-Platform segregation by organization is available under the "OpenCTI Enterprise Edition" license. Please read the dedicated page to have all the information.
-In order to search in files, we need to extract and index files text content, which requires to have one of these database configurations :
-File indexing can be configured via the File indexing
tab in the Settings
menu.
The configuration and impact panel shows all file types that can be indexed, as well as the volume of storage used.
-It is also possible to include or exclude files uploaded from the global Data import panel and that are not associated with a specific entity in the platform.
-Finally, it is possible to set a maximum file size for indexing (5 Mb by default).
-Currently supported content types : application/pdf
, text/plain
, text/csv
, text/html
, application/vnd.ms-excel
, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
(excel sheets).
Once indexing has been launched by pressing the Start
button, you can follow its progress.
You will also be able to Pause
it and restart from the beginning by pressing Reset
button which deletes all indexed files from the database.
If you change the configuration while file indexing is running, you might need to reset in order to include newly impacted files.
-File indexing runs every 5 minutes to index last uploaded files.
- - - - - - - - - - - - - - - - - - - - - - - - - -This guide aims to give you a full overview of the OpenCTI features and workflows. The platform can be used in various contexts to handle threats management use cases from a technical to a more strategic level.
-The OpenCTI Administrative settings console allows administrators to configure many options dynamically within the system. As an Administrator, you can access this settings console, by clicking the settings link. -
-The Settings Console allows for configuration of various aspects of the system.
-Various aspects of the Dark Theme can be dynamically configured in this section.
-Various aspects of the Light Theme can be dynamically configured in this section.
-This section will give general status on the various tools and enabled components of the currently configured OpenCTI deployment.
- - - - - - - - - - - - - - - - - - - - - - - - -Within the OpenCTI platform, the merge capability is present into the "Data > Entities" tab, and is fairly straightforward to use. To execute a merge, select the set of entities to be merged, then click on the Merge icon.
-Merging limitation
-It is not possible to merge entities of different types, nor is it possible to merge more than 4 entities at a time (it will have to be done in several stages).
-Central to the merging process is the selection of a main entity. This primary entity becomes the anchor, retaining crucial attributes such as name and description. Other entities, while losing specific fields like descriptions, are aliased under the primary entity. This strategic decision preserves vital data while eliminating redundancy.
- -Once the choice has been made, simply validate to run the task in the background. Depending on the number of entity relationships, and the current workload on the platform, the merge may take more or less time. In the case of a healthy platform and around a hundred relationships per entity, merge is almost instantaneous.
-A common concern when merging entities lies in the potential loss of information. In the context of OpenCTI, this worry is alleviated. Even if the merged entities were initially created by distinct sources, the platform ensures that data is not lost. Upon merging, the platform automatically generates relationships directly on the merged entity. This strategic approach ensures that all connections, regardless of their origin, are anchored to the consolidated entity. Post-merge, OpenCTI treats these once-separate entities as a singular, unified entity. Subsequent information from varied sources is channeled directly into the entity resulting from the merger. This unified entity becomes the focal point for all future relationships, ensuring the continuity of data and relationships without any loss or fragmentation.
-To configure a notifier for Teams, allowing to send notifications via Teams messages, we followed the guidelines outlined in the Microsoft documentation.
- -The Teams template message sent through webhook for a live notification is:
-{
- "type": "message",
- "attachments": [
- {
- "contentType": "application/vnd.microsoft.card.thumbnail",
- "content": {
- "subtitle": "Operation : <%=content[0].events[0].operation%>",
- "text": "<%=(new Date(notification.created)).toLocaleString()%>",
- "title": "<%=content[0].events[0].message%>",
- "buttons": [
- {
- "type": "openUrl",
- "title": "See in OpenCTI",
- "value": "https://YOUR_OPENCTI_URL/dashboard/id/<%=content[0].events[0].instance_id%>"
- }
- ]
- }
- }
- ]
- }
-
The Teams template message sent through webhook for a digest notification is:
-{
- "type": "message",
- "attachments": [
- {
- "contentType": "application/vnd.microsoft.card.adaptive",
- "content": {
- "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
- "type": "AdaptiveCard",
- "version": "1.0",
- "body": [
- {
- "type": "Container",
- "items": [
- {
- "type": "TextBlock",
- "text": "<%=notification.name%>",
- "weight": "bolder",
- "size": "extraLarge"
- }, {
- "type": "TextBlock",
- "text": "<%=(new Date(notification.created)).toLocaleString()%>",
- "size": "medium"
- }
- ]
- },
- <% for(var i=0; i<content.length; i++) { %>
- {
- "type": "Container",
- "items": [<% for(var j=0; j<content[i].events.length; j++) { %>
- {
- "type" : "TextBlock",
- "text" : "[<%=content[i].events[j].message%>](https://YOUR_OPENCTI_URL/dashboard/id/<%=content[i].events[j].instance_id%>)"
- }<% if(j<(content[i].events.length - 1)) {%>,<% } %>
- <% } %>]
- }<% if(i<(content.length - 1)) {%>,<% } %>
- <% } %>
- ]
- }
- }
- ],
- "dataString": <%-JSON.stringify(notification)%>
-}
-
Leveraging the platform's built-in connectors, users can create custom notifiers tailored to their unique needs. OpenCTI features three built-in connectors: a webhook connector, a simple mailer connector, and a platform mailer connector. These connectors operate based on registered schemas that describe their interaction methods.
- -This notifier connector enables customization of notifications raised within the platform. It's simple to configure, requiring only:
-This notifier connector offers a straightforward approach to email notifications with simplified configuration options. Users can set:
-This notifier connector enables users to send notifications to external applications or services through HTTP requests. Users can specify:
-OpenCTI provides two notifier samples by default, designed to communicate with Microsoft Teams through a webhook. A documentation page providing details on these samples is available.
-Custom notifiers are manageable in the "Settings > Customization > Notifiers" window and can be restricted through Role-Based Access Control (RBAC). Administrators can control access, limiting usage to specific Users, Groups, or Organizations.
-For guidance on configuring notification triggers and exploring the usages of notifiers, refer to the dedicated documentation page.
- - - - - - - - - - - - - - - - - - - - - - - - -Taxonomies in OpenCTI refer to the structured classification systems that help in organizing and categorizing cyber threat intelligence data. They play a crucial role in the platform by allowing analysts to systematically tag and retrieve information based on predefined categories and terms.
-Along with the Customization page, these pages allow the administrator to customize the platform.
-Labels in OpenCTI serve as a powerful tool for organizing, categorizing, and prioritizing data. Here’s how they can be used effectively:
-Tip
-In order to achieve effective data labeling methods, it is recommended to establish a clear and consistent criteria for your labeling and document them in a policy or guideline.
-Kill chain phases are used in OpenCTI to structure and analyze the data related to cyber threats and attacks. They describe the stages of an attack from the perspective of the attacker and provide a framework for identifying, analysing and responding to threats.
-OpenCTI supports the following kill chain models:
-You can add, edit, or delete kill chain phases in the settings page, and assign them to indicators, attack patterns, incidents, or courses of action in the platform. You can also filter the data by kill chain phase, and view the kill chain phases in a timeline or as a matrix.
- -Open vocabularies are sets of terms and definitions that are agreed upon by the CTI community. They help to standardize the communication documentation of cyber threat information. -This section allows you to customize a set of available fields by adding vocabulary. Almost all of the drop-down menus available in the entities can be modified from this panel.
-Open vocabularies in OpenCTI are mainly based on the STIX standard.
- -Status templates are predefined statuses that can be assigned to different entities in OpenCTI, such as reports, incidents, or cases (incident responses, requests for information and requests for takedown).
-They help to track the progress of the analysis and response activities by defining statuses that are used in the workflows.
- -Customizable case templates help to streamline the process of creating cases with predefined lists of tasks.
- - - - - - - - - - - - - - - - - - - - - - - - - -Enterprise edition
-Platform segregation by organization is available under the "OpenCTI Enterprise Edition" license. Please read the dedicated page to have all the information.
-Platform administrators can promote members of an organization as "Organization administrator". This elevated role grants them the necessary capabilities to create, edit and delete users from the corresponding Organization. Additionally, administrators have the flexibility to define a list of groups that can be granted to newly created members by the organization administrators. This feature simplifies the process of granting appropriate access and privileges to individuals joining the organization.
- -The platform administrator can promote/demote an organization admin through its user edition form.
- -Organization admin rights
-The "Organization admin" has restricted access to Settings. They can only manage the members of the organizations for which they have been promoted as "admins".
-This part of the interface wil let you configure global platform settings, like title, favicon, etc.
-It will also give you important information about the platform.
-This section allows the administrator to edit the following settings:
-This is where the Enterprise edition can be enabled.
-This section gives important information about the platform like the used version, the edition, the architecture mode (can be Standalone or Cluster) and the number used nodes.
-Through the "Remove Filigran logos" toggle, the administrator has the option to hide the Filigran logo on the login page and the sidebar.
-This section gives you the possibility to set and display Announcements in the platform. Those announcements will be visible to every user in the platform, on top of the interface.
-They can be used to inform some of your users or all of important information, like a scheduled downtime, an incoming upgrade, or even to share important tips regarding the usage of the platform.
-An Announcement can be accompanied by a "Dismiss” button. When clicked by a user, it makes the message disappear for this user.
- -This option can be deactivated to have a permanent announcement.
--⚠️ Only one announcement is shown at a time, with priority given to dismissible ones. If there are no dismissible announcements, the most recent non-dismissible one is shown.
-Enterprise edition
-Analytics is available under the "OpenCTI Enterprise Edition" license.
- -This is where you can configure analytics providers. At the moment only Google Analytics v4 is supported.
-In this section, the administrator can customize the two OpenCTI themes -
-This section informs the administrator of the statuses of the different managers used in the Platform. More information about the managers can be found here. -It shows also the used versions of the search engine database, RabbitMQ and Redis.
-In cluster mode, the fact that a manager appears as enabled means that it is active in at least one node.
- - - - - - - - - - - - - - - - - - - - - - - - - -The Policies configuration window (in "Settings > Security > Policies") encompasses essential settings that govern the organizational sharing, authentication strategies, password policies, login messages, and banner appearance within the OpenCTI platform.
-Allow to set a main organization for the entire platform. Users belonging to the main organization enjoy unrestricted access to all data stored in the platform. In contrast, users affiliated with other organizations will only have visibility into data explicitly shared with them.
- -Numerous repercussions linked to the activation of this feature
-This feature has implications for the entire platform and must be fully understood before being used. For example, it's mandatory to have organizations set up for each user, otherwise they won't be able to log in. It is also advisable to include connector's users in the platform main organization to avoid import problems.
-The authentication strategies section provides insights into the configured authentication methods. Additionally, an "Enforce Two-Factor Authentication" button is available, allowing administrators to mandate 2FA activation for users, enhancing overall account security.
-Please see the Authentication section for further details on available authentication strategies.
- -This section encompasses a comprehensive set of parameters defining the local password policy. Administrators can specify requirements such as minimum/maximum number of characters, symbols, digits, and more to ensure robust password security across the platform. Here are all the parameters available:
-Parameter | -Description | -
---|---|
Number of chars must be greater than or equals to |
-Define the minimum length required for passwords. | -
Number of chars must be lower or equals to (0 equals no maximum) |
-Set an upper limit for password length. | -
Number of symbols must be greater or equals to |
-Specify the minimum number of symbols required in a password. | -
Number of digits must be greater or equals to |
-Set the minimum number of numeric characters in a password. | -
Number of words (split on hyphen, space) must be greater or equals to |
-Enforce a minimum count of words in a password. | -
Number of lowercase chars must be greater or equals to |
-Specify the minimum number of lowercase characters. | -
Number of uppercase chars must be greater or equals to |
-Specify the minimum number of uppercase characters. | -
Allow to define messages on the login page to customize and highlight your platform's security policy. Three distinct messages can be customized:
-The platform banner configuration section allows administrators to display a custom banner message at the top and bottom of the screen. This feature enables customization for enhanced visual communication and branding within the OpenCTI platform. It can be used to add a disclaimer or system purpose.
-This configuration has two parameters:
-The rules engine comprises a set of predefined rules (named inference rules) that govern how new relationships are inferred based on existing data. These rules are carefully crafted to ensure logical and accurate relationship creation. Here is the list of existing inference rules:
-Conditions | -Creations | -
---|---|
A non-revoked Indicator is sighted in an Entity | -Creation of an Incident linked to the sighted Indicator and the targeted Entity | -
Conditions | -Creations | -
---|---|
An Indicator is based on an Observable contained in an Observed Data | -Creation of a sighting between the Indicator and the creating Identity of the Observed Data | -
Conditions | -Creations | -
---|---|
An Indicator based on an Observable is sighted in an Entity | -The Observable is sighted in the Entity | -
Conditions | -Creations | -
---|---|
An Indicator is based on an Observable sighted in an Entity | -The Indicator is sighted in the Entity | -
Conditions | -Creations | -
---|---|
An observable is related to two Entities | -Create a related to relationship between the two Entities | -
Conditions | -Creations | -
---|---|
An Entity A is attributed to an Entity B and this Entity B is itself attributed to an Entity C | -The Entity A is attributed to Entity C | -
Conditions | -Creations | -
---|---|
An Entity A is part of an Entity B and this Entity B is itself part of an Entity C | -The Entity A is part of Entity C | -
Conditions | -Creations | -
---|---|
A Location A is located at a Location B and this Location B is itself located at a Location C | -The Location A is located at Location C | -
Conditions | -Creations | -
---|---|
A User is affiliated with an Organization B, which is part of an Organization C | -The User is affiliated to the Organization C | -
Conditions | -Creations | -
---|---|
A Report contains an Identity B and this Identity B is part of an Identity C | -The Report contains Identity C, as well as the Relationship between Identity B and Identity C | -
Conditions | -Creations | -
---|---|
A Report contains a Location B and this Location B is located at a Location C | -The Report contains Location B, as well as the Relationship between Location B and Location C | -
Conditions | -Creations | -
---|---|
A Report contains an Indicator and this Indicator is based on an Observable | -The Report contains the Observable, as well as the Relationship between the Indicator and the Observable | -
Conditions | -Creations | -
---|---|
An Entity A, attributed to an Entity C, uses an Entity B | -The Entity C uses the Entity B | -
Conditions | -Creations | -
---|---|
An Indicator, sighted at an Entity C, indicates an Entity B | -The Entity B targets the Entity C | -
Conditions | -Creations | -
---|---|
An Entity A, attributed to an Entity C, targets an Entity B | -The Entity C targets the Entity B | -
Conditions | -Creations | -
---|---|
An Entity A targets an Identity B, part of an Identity C | -The Entity A targets the Identity C | -
Conditions | -Creations | -
---|---|
An Entity targets a Location B and this Location B is located at a Location C | -The Entity targets the Location C | -
Conditions | -Creations | -
---|---|
An Entity A targets an Entity B and this target is located at Location D. | -The Entity A targets the Location D | -
When a rule is activated, a background task is initiated. This task scans all platform data, identifying existing relationships that meet the conditions defined by the rule. Subsequently, it creates new objects (entities and/or relationships), expanding the network of insights within your threat intelligence environment. Then, activated rules operate continuously. Whenever a relationship is created or modified, and this change aligns with the conditions specified in an active rule, the reasoning mechanism is triggered. This ensures real-time relationship inference.
-Deactivating a rule leads to the deletion of all objects and relationships created by it. This cleanup process maintains the accuracy and reliability of your threat intelligence database.
-Access to the rule engine panel is restricted to administrators only. Regular users do not have visibility into this section of the platform. Administrators possess the authority to activate or deactivate rules.
-The rules engine empowers OpenCTI with the capability to automatically establish intricate relationships within your data. However, these rules can lead to a very large number of objects created. Even if the operation is reversible, an administrator should consider the impact of activating a rule.
-Retention rules serve the purpose of establishing data retention times, specifying when data should be automatically deleted from the platform. Users can define filters to target specific objects. Any object meeting these criteria that haven't been updated within the designated time frame will be permanently deleted.
-Note that the data deleted by an active retention policy will not appear in the trash and thus cannot be restored.
-Retention rules can be configured in the "Settings > Customization > Retention policies" window. A set of parameters must be configured:
-An object will be removed if it meets the specified filters and hasn't been updated for the duration set in the "Maximum retention days" field.
- -Before activating a retention rule, users have the option to verify its impact using the "Verify" button. This action provides insight into the number of objects that currently match the rule's criteria and would be deleted if the rule is activated.
- -Verify before activation
-Always use the "Verify" feature to assess the potential impact of a retention rule before activating it. Once the rule is activated, data deletion will begin, and retrieval of the deleted data will not be possible.
-Retention rules contribute to maintaining a streamlined and efficient data lifecycle within OpenCTI, ensuring that outdated or irrelevant information is systematically removed from the platform, thereby optimizing disk space usage.
- - - - - - - - - - - - - - - - - - - - - - - - -Data segregation in the context of Cyber Threat Intelligence refers to the practice of categorizing and separating different types of data or information related to cybersecurity threats based on specific criteria.
-This separation helps organizations manage and analyze threat intelligence more effectively and securely and the goal of data segregation is to ensure that only those individuals who are authorized to view a particular set of data have access to that set of data.
-Practically, "Need-to-know basis" and "classification level" are data segregation measures.
-Marking definitions are essential in the context of data segregation to ensure that data is appropriately categorized and protected based on its sensitivity or classification level. Marking definitions establish a standardized framework for classifying data.
-Marking Definition objects are unique among STIX objects in the STIX 2.1 standard in that they cannot be versioned. This restriction is in place to prevent the possibility of indirect alterations to the markings associated with a STIX Object.
-Multiple markings can be added to the same object. Certain categories of marking definitions or trust groups may enforce rules that specify which markings take precedence over others or how some markings can be added to complement existing ones.
-In OpenCTI, data is segregated based on knowledge marking. The diagram provided below illustrates the manner in which OpenCTI establishes connections between pieces of information to authorize data access for a user:
- -To create a marking, you must first possess the capability Manage marking definitions
. For further information on user administration, please refer to the Users and Role Based Access Control page.
Once you have access to the settings, navigate to "Settings > Security > Marking Definitions" to create a new marking.
-A marking consists of the following attributes:
-The configuration of authorized markings for a user is determined at the Group level. To access entities and relationships associated with specific markings, the user must belong to a group that has been granted access to those markings.
-There are two ways in which markings can be accessed:
-Access to an object with several markings
-Access to all markings attached to an object is required in order to access it (not only one).
-Automatically grant access to the new marking
-To allow a group to automatically access a newly created marking definition, you can check Automatically authorize this group to new marking definition
.
To apply a default marking when creating a new entity or relationship, you can choose which marking to add by default from the list of allowed markings. You can add only one marking per type, but you can have multiple types. This configuration is also done at the Group level.
- -Need a configuration change
-Simply adding markings as default markings is insufficient to display the markings when creating an entity or relationship. You also need to enable default markings in the customization settings of an entity or relationship. For example, to enable default markings for a new report, navigate to "Settings > Customization > Report > Markings" and toggle the option to Activate/Desactivate default values
.
This configuration allows to define, for each type of marking definitions, until which level -we allow to share data externally (via Public dashboard or file export).
-The marking definitions that can be shared by a group are the ones
-Users with the Bypass capability can share all the markings.
-By default, every marking of a given marking type is shareable.
-For example in the capture below, for the type of marking TLP
, only data with a marking
-definition that is allowed and has a level equal or below GREEN
will be shareable. And no data with marking
-definition statement
will be shared at all.
In scenarios where multiple markings of the same type but different orders are added, the platform will retain only the marking with the highest order for each type. This consolidation can occurs in various instances:
-For example:
-Create a new report and add markings PAP:AMBER
,PAP:RED
,TLP:AMBER+STRICT
,TLP:CLEAR
and a statement CC-BY-SA-4.0 DISARM Foundation
The final markings kept are: PAP:RED
, TLP:AMBER+STRICT
and CC-BY-SA-4.0 DISARM Foundation
When update an entity or a relationship:
-As a result of this mechanism, when importing data from a connector, the connector is unable to downgrade a marking for an entity if a marking of the same type is already present on it.
-The Traffic Light Protocol is implemented by default as marking definitions in OpenCTI. It allows you to segregate information by TLP levels in your platform and restrict access to marked data if users are not authorized to see the corresponding marking.
-The Traffic Light Protocol (TLP) was designed by the Forum of Incident Response and Security Teams (FIRST) to provide a standardized method for classifying and handling sensitive information, based on four categories of sensitivity.
-For more details, the diagram provided below illustrates how are categorized the marking definitions:
- - - - - - - - - - - - - - - - - - - - - - - - - -Support packages are useful for troubleshooting issue that occurs on OpenCTI platform. -Administrators can request to create and download a support package that contains recent platform error logs and usage statistics.
-Support package content
-Even if we do our best to prevent logging any data, the support package may contains some sensitive information that you may not want to share with everyone. -Before creating a ticket with your support package takes some time to check if you can safely share the content depending of your security policy.
-Support Package can be requested from "Settings > Support" menu.
- -On a click on "Generate support package", a support event is propagated to every platform instances to request needed information. -Every instance that will receive this message will process the request and send the files to the platform. -During this processing the interface will display the expected support package name in an IN PROGRESS state waiting for completion. -After finishing the process the support package will move to the READY state and the buttons download and delete will be activated.
-After file generation, using the download button will dynamically create a (zip) containing all instances logs and telemetry.
-In case of platform instability, some logs might not be retrieved and the support package will be incomplete.
-If some instances fail to send their data, you will be able to force download a partial zip only after 1 minute. In case of a support package taking more than 5 minutes, the status will be moved to "timeout".
- - - - - - - - - - - - - - - - - - - - - - - - -In OpenCTI, the RBAC system not only related to what users can do or cannot do in the platform (aka. Capabilities
) but also to the system of data segregation. Also, platform behavior such as default home dashboards, default triggers and digests as well as default hidden menus or entities can be defined across groups and organizations.
Roles are used in the platform to grant the given groups with some capabilities to define what users in those groups can do or cannot do.
-Capability | -Description | -
---|---|
Bypass all capabilities |
-Just bypass everything including data segregation and enforcements. | -
Access knowledge |
-Access in read-only to all the knowledge in the platform. | -
Access to collaborative creation |
-Create notes and opinions (and modify its own) on entities and relations. | -
Create / Update knowledge |
-Create and update existing entities and relationships. | -
Restrict organization access |
-Share entities and relationships with other organizations. | -
Delete knowledge |
-Delete entities and relationships. | -
Manage authorized members |
-Restrict the access to an entity to a user, group or organization. | -
Bypass enforced reference |
-If external references enforced in a type of entity, be able to bypass the enforcement. | -
Upload knowledge files |
-Upload files in the Data and Content section of entities. |
-
Import knowledge |
-Trigger the ingestion of an uploaded file. | -
Download knowledge export |
-Download the exports generated in the entities (in the Data section). |
-
Generate knowledge export |
-Trigger the export of the knowledge of an entity. | -
Ask for knowledge enrichment |
-Trigger an enrichment for a given entity. | -
Access dashboards |
-Access to existing custom dashboards. | -
Create / Update dashboards |
-Create and update custom dashboards. | -
Delete dashboards |
-Delete existing custom dashboards. | -
Manage public dashboards |
-Manage public dashboards. | -
Access investigations |
-Access to existing investigations. | -
Create / Update investigations |
-Create and update investigations. | -
Delete investigations |
-Delete existing investigations. | -
Access connectors |
-Read information in the Data > Connectors section. |
-
Manage connector state |
-Reset the connector state to restart ingestion from the beginning. | -
Connectors API usage: register, ping, export push ... |
-Connectors specific permissions for register, ping, push export files, etc. | -
Access data sharing |
-Access and consume data such as TAXII collections, CSV feeds and live streams. | -
Manage data sharing |
-Share data such as TAXII collections, CSV feeds and live streams or custom dashboards. | -
Access ingestion |
-Access (read only) remote OCTI streams, TAXII feeds, RSS feeds, CSV feeds. | -
Manage ingestion |
-Create, update, delete any remote OCTI streams, TAXII feeds, RSS feeds, CSV feeds. | -
Manage CSV mappers |
-Create, update and delete CSV mappers. | -
Access to admin functionalities |
-Parent capability allowing users to only view the settings. | -
Access administration parameters |
-Access and manage overall parameters of the platform in Settings > Parameters . |
-
Manage credentials |
-Access and manage roles, groups, users, organizations and security policies. | -
Manage marking definitions |
-Update and delete marking definitions. | -
Manage customization |
-Customize entity types, rules, notifiers retention policies and decays rules. | -
Manage taxonomies |
-Manage labels, kill chain phases, vocabularies, status templates, cases templates. | -
Access to security activity |
-Access to activity log. | -
Access to file indexing |
-Manage file indexing. | -
Access to support |
-Generate and download support packages. | -
You can manage the roles in Settings > Security > Roles
.
To create a role, just click on the +
button:
Then you will be able to define the capabilities of the role:
- -You can manage the users in Settings > Security > Users
. If you are using Single-Sign-On (SSO), the users in OpenCTI are automatically created upon login.
To create a user, just click on the +
button:
When access to a user, it is possible to:
-From this view you can edit the user's information by clicking the "Update" button, which opens a panel with several tabs.
-Mandatory max confidence level
-A user without Max confidence level won't have the ability to create, delete or update any data in our platform. Please be sure that your users are always either assigned to group that have a confidence level defined or that have an override of this group confidence level.
-Groups are the main way to manage permissions and data segregation as well as platform customization for the given users part of this group. You can manage the groups in Settings > Security > Groups
.
Here is the description of the group available parameters.
-Parameter | -Description | -
---|---|
Auto new markings |
-If a new marking definition is created, this group will automatically be granted to it. | -
Default membership |
-If a new user is created (manually or upon SSO), it will be added to this group. | -
Roles |
-Roles and capabilities granted to the users belonging to this group. | -
Default dashboard |
-Customize the home dashboard for the users belonging to this group. | -
Default markings |
-In Settings > Customization > Entity types , if a default marking definition is enabled, default markings of the group is used. |
-
Allowed markings |
-Grant access to the group to the defined marking definitions, more details in data segregation. | -
Max shareable markings |
-Grant authorization to the group to share marking definitions. | -
Triggers and digests |
-Define defaults triggers and digests for the users belonging to this group. | -
Max confidence level |
-Define the maximum confidence level for the group: it will impact the capacity to update entities, the confidence level of a newly created entity by a user of the group. | -
Max confidence level when a user has multiple groups
-A user with multiple groups will have the the highest confidence level of all its groups. -For instance, if a user is part of group A (max confidence level = 100) and group B (max confidence level = 50), then the user max confidence level will be 100.
-When managing a group, you can define the members and all above configurations.
- - -Users can belong to organizations, which is an additional layer of data segregation and customization. To find out more about this part, please refer to the page on organization segregation.
-Platform administrators can promote members of an organization as "Organization administrator". This elevated role grants them the necessary capabilities to create, edit and delete users from the corresponding Organization. Additionally, administrators have the flexibility to define a list of groups that can be granted to newly created members by the organization administrators. This feature simplifies the process of granting appropriate access and privileges to individuals joining the organization.
- -The platform administrator can promote/demote an organization admin through its user edition form.
- -Organization admin rights
-The "Organization admin" has restricted access to Settings. They can only manage the members of the organizations for which they have been promoted as "admins".
-
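Review bot: nothing in this deletion of 6.2.18/404.html shows where the removed administrator warnings end up, so please confirm before merging that they are still published in whichever documentation version supersedes 6.2.18, and say so in the commit message. The ones that matter most to operators are the retention policy note ("will not appear in the trash and thus cannot be restored"), the rule that access to all markings attached to an object is required, the main-organization caveat that users without an organization cannot log in, and the caution that a support package may contain sensitive information. If this text is carried forward from the same source, two inconsistencies should be fixed there. In the report inference rules, the Location row says "The Report contains Location B" where the parallel Identity row gives Identity C. In the capability table, "Manage marking definitions" is described as "Update and delete marking definitions", while the data segregation section says that capability is required to create a marking.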