OpenCTI Cyber Threat Intelligence Platform Intro
OpenCTI is an open source cyber threat intelligence platform (TIP). It includes a knowledge management database, data visualization, and context for observables and indicators. It structures data according to the STIX2 standard.
The OpenCTI ecosystem includes many connectors, including those for data input, enrichment, stream consumers, and file import and export. There are connectors for AlienVault, CrowdStrike, Mandiant, MISP, MITRE ATT&CK, TAXII, VirusTotal, Shodan, Elastic, Splunk, STIX, Maltego, and more.
OpenCTI Setup
There are several ways to run OpenCTI. If you just want to try it out, the simplest way is to use the hosted demo, which requires a free registration.
If you want to have your own installation, you can use a pre-configured VM template, Docker, Terraform (for cloud platforms), or manually install OpenCTI on Linux.
If you don’t like the default dark theme, go to Settings > Configuration > Theme.
OpenCTI Tour
Pages
The navigation on the left side provides access to the main pages in OpenCTI.
- Dashboard: an overview of top labels, active entities, targeted countries, latest ingested analysis, observables distribution, and more
- Analysis: reports from various sources, notes, opinions, and external references
- Events: incidents, sightings, and observed data
- Observations: observables, artifacts, indicators, and infrastructure
- Threats: threat actors, intrusion sets (TTPs, tools, malware, infrastructure), campaigns
- Arsenal: malware, attack patterns (TTPs), ATT&CK courses of action, tools, and vulnerabilities (CVEs)
- Entities: sectors, countries, cities, geographic positions, organizations, systems, individuals
- Data: data and data administration within OpenCTI (entities, background tasks, connectors, synchronization, data sharing, TAXII collections)
- Settings: OpenCTI settings (parameters, workflows, retention policies, rules engine, label and attributes)
Tabs
Depending on the page you’re viewing, you’ll see tabs at the top of the page that provide more info.
- Overview: general info about the entity
- Knowledge: shows relations between entities, linked observables and indicators
- Entities: other entities that have been linked to the entity
- Observables: technical elements which may have been observed (IP addresses, domain names, hashes, etc.)
- Data: files related to the entity
- Sightings: where the observable or indicator has been seen
- History: change history
- Analysis: reports that include the entity
- Indicators: detection rules for malicious behavior (STIX2, Snort, Suricata, YARA).
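Because OpenCTI structures everything as STIX2, the entities, observables and relations shown in these tabs arrive as STIX objects. The following is an added example, not part of the original post or the OpenCTI project: it builds a minimal STIX 2.1 bundle (a malware object, an indicator with a detection pattern, and the "indicates" relationship between them) of the kind fed to OpenCTI through its STIX file import, and checks that every relationship end resolves before ingestion. The malware name and domain are constructed sample values.

```python
import json
import uuid
from datetime import datetime, timezone

def stix_id(stix_type):
    """Build a STIX 2.1 identifier of the form '<type>--<uuid4>'."""
    return f"{stix_type}--{uuid.uuid4()}"

def now_ts():
    """STIX timestamps are UTC with millisecond precision and a 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def build_bundle():
    """Construct a bundle with a malware SDO, an indicator SDO, and an SRO
    linking them. All values below are constructed sample data."""
    ts = now_ts()
    malware = {"type": "malware", "spec_version": "2.1", "id": stix_id("malware"),
               "created": ts, "modified": ts, "name": "ExampleLoader", "is_family": True}
    indicator = {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
                 "created": ts, "modified": ts, "name": "ExampleLoader C2 domain",
                 "pattern_type": "stix",
                 "pattern": "[domain-name:value = 'c2.example.invalid']",
                 "valid_from": ts}
    rel = {"type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
           "created": ts, "modified": ts, "relationship_type": "indicates",
           "source_ref": indicator["id"], "target_ref": malware["id"]}
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [malware, indicator, rel]}

def dangling_refs(bundle):
    """Return relationship refs that point at no object in the bundle.
    A relationship whose ends are missing shows up as nothing in the Knowledge tab,
    so this is worth checking before import."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                if o[key] not in ids:
                    missing.append(o[key])
    return missing

if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2))
    print("dangling refs:", dangling_refs(b))
```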