Overview

Enterprise edition

Activity unified interface and logging are available under the "OpenCTI Enterprise Edition" license.

Please read the dedicated page for all the details.

OpenCTI's activity capability unifies the record of what is actually happening in the platform. With this feature you can answer "who did what, where, and when?" over your data with the maximum level of transparency.

Enabling activity helps your security, auditing, and compliance teams monitor the platform for possible vulnerabilities or misuse of external data.

Categories

Activity groups three different concepts, each explained below.

Basic knowledge

The basic knowledge refers to all STIX data knowledge inside OpenCTI. Every create/update/delete action on that knowledge is accessible through the history. That basic activity is handled by the history manager and can also be found directly on each entity.

Extended knowledge

The extended knowledge refers to additional data recorded to track specific user activity. Because this kind of tracking is expensive, it is only done for the users, groups, or organizations explicitly selected in the configuration window.

Audit knowledge

Audit focuses on user administration and security actions. Audit produces console/log file output along with user interface elements. Each audit log entry has the following structure:

{
  "auth": "<User information>",
  "category": "AUDIT",
  "level": "<info | error>",
  "message": "<human readable explanation>",
  "resource": {
    "type": "<authentication | mutation>",
    "event_scope": "<depends on type>",
    "event_access": "<administration>",
    "data": "<contextual data linked to the event type>",
    "version": "<version of audit log format>"
  },
  "timestamp": "<event date>",
  "version": "<platform version>"
}
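The structure above is what a SIEM or a small detection script would consume. The following is an added example, not OpenCTI's own code: it parses audit entries written as JSON lines, ignores non-audit lines, counts failed authentications per user, and lists administration mutations. The page only gives the field layout, so the shape of `auth` (a dict with `user_email`), the `event_scope` values (`login`, `unauthorized`, `create`) and every sample record are constructed assumptions for illustration.

```python
"""Summarize security-relevant events from audit log lines in the layout
documented on this page. Added example, not OpenCTI's own code."""
import json
from collections import Counter


def _record(user, level, rtype, scope, message, ts, data=None):
    """Build one audit record in the documented layout.
    Assumptions: "auth" is a dict with user_email; event_scope values are
    illustrative placeholders, not documented values."""
    return {
        "auth": {"user_email": user},
        "category": "AUDIT",
        "level": level,
        "message": message,
        "resource": {
            "type": rtype,
            "event_scope": scope,
            "event_access": "administration",
            "data": data or {},
            "version": "1",
        },
        "timestamp": ts,
        "version": "0.0.0-example",
    }


# Constructed sample log (JSON lines plus one non-JSON line), not real output.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps(_record("alice@example.org", "info", "authentication", "login", "Login success", "2024-01-01T10:00:00Z")),
    json.dumps(_record("bob@example.org", "error", "authentication", "login", "Login failed", "2024-01-01T10:01:00Z")),
    json.dumps(_record("bob@example.org", "error", "authentication", "login", "Login failed", "2024-01-01T10:01:30Z")),
    json.dumps(_record("bob@example.org", "error", "authentication", "login", "Login failed", "2024-01-01T10:02:00Z")),
    json.dumps(_record("carol@example.org", "error", "authentication", "unauthorized", "Unauthorized access", "2024-01-01T10:03:00Z")),
    "2024-01-01T10:03:30Z INFO some non-audit platform log line",
    json.dumps(_record("alice@example.org", "info", "mutation", "create", "User created", "2024-01-01T10:04:00Z", {"entity": "User"})),
])


def parse_audit_lines(text):
    """Return only well-formed records with category AUDIT; other lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("category") == "AUDIT" and isinstance(rec.get("resource"), dict):
            records.append(rec)
    return records


def _user(rec):
    """Best-effort user label from the "auth" field (shape is an assumption)."""
    auth = rec.get("auth")
    if isinstance(auth, dict):
        return auth.get("user_email") or auth.get("user_id") or "<unknown>"
    return str(auth)


def failed_authentications(records):
    """Count authentication events with level=error, per user."""
    counts = Counter()
    for rec in records:
        if rec.get("level") == "error" and rec["resource"].get("type") == "authentication":
            counts[_user(rec)] += 1
    return counts


def users_over_threshold(records, threshold=3):
    """Users whose failed-authentication count reaches the threshold (sorted)."""
    return sorted(u for u, n in failed_authentications(records).items() if n >= threshold)


def administration_mutations(records):
    """(timestamp, user, event_scope) for every administration-level mutation."""
    out = []
    for rec in records:
        res = rec["resource"]
        if res.get("type") == "mutation" and res.get("event_access") == "administration":
            out.append((rec["timestamp"], _user(rec), res.get("event_scope")))
    return out


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LOG)
    print(f"{len(recs)} audit records parsed")
    print("failed authentications:", dict(failed_authentications(recs)))
    print("users at/over threshold:", users_over_threshold(recs))
    print("administration mutations:", administration_mutations(recs))
```

Because administration and security actions are always written once Enterprise Edition is active (see the architecture section), the mutation listing gives a complete trail of user, role, group and policy changes; the failed-authentication counter is the natural input for an alert on repeated login failures.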

Architecture

OpenCTI uses different mechanisms to publish actions (audit) and data modifications (history).

Audit knowledge

Administration or security actions

With Enterprise Edition activated, administration and security actions are always written; you cannot configure, exclude, or disable them.

✅ Supported

❌ Not supported for now

🚫 Not applicable

Ingestion

| | Create | Delete | Edit |
|---|---|---|---|
| Remote OCTI Streams | ✅ | ✅ | ✅ |

Data sharing

| | Create | Delete | Edit |
|---|---|---|---|
| CSV Feeds | ✅ | ✅ | ✅ |
| TAXII Feeds | ✅ | ✅ | ✅ |
| Stream Feeds | ✅ | ✅ | ✅ |

Connectors

| | Create | Delete | Edit |
|---|---|---|---|
| Connectors | ✅ | ✅ | ✅ (state reset) |
| Works | 🚫 | ✅ | 🚫 |

Parameters

| | Create | Delete | Edit |
|---|---|---|---|
| Platform parameters | 🚫 | 🚫 | ✅ |

Security

| | Create | Delete | Edit |
|---|---|---|---|
| Roles | ✅ | ✅ | ✅ |
| Groups | ✅ | ✅ | ✅ |
| Users | ✅ | ✅ | ✅ |
| Sessions | 🚫 | ✅ | 🚫 |
| Policies | 🚫 | 🚫 | ✅ |

Customization

| | Create | Delete | Edit |
|---|---|---|---|
| Entity types | 🚫 | 🚫 | ✅ |
| Rules engine | 🚫 | 🚫 | ✅ |
| Retention policies | ✅ | ✅ | ✅ |

Taxonomies

| | Create | Delete | Edit |
|---|---|---|---|
| Status templates | ✅ | ✅ | ✅ |
| Case templates + tasks | ✅ | ✅ | ✅ |

Accesses

| | Listen |
|---|---|
| Login (success or fail) | ✅ |
| Logout | ✅ |
| Unauthorized access | ✅ |

Extended knowledge

Extended knowledge activity is written only if you activate the feature for a subset of users, groups, or organizations.

Data management

Some history actions are already covered by the "basic knowledge" history; those cells are marked "basic" below.

| | Read | Create | Delete | Edit |
|---|---|---|---|---|
| Platform knowledge | ✅ | basic | basic | basic |
| Background tasks knowledge | 🚫 | ✅ | ✅ | 🚫 |
| Knowledge files | ✅ | basic | basic | 🚫 |
| Global data import files | ✅ | ✅ | ✅ | 🚫 |
| Analyst workbenches files | 🚫 | ✅ | ✅ | 🚫 |
| Triggers | 🚫 | ✅ | ✅ | ❌ |
| Workspaces | ✅ | ✅ | ✅ | ❌ |
| Investigations | ✅ | ✅ | ✅ | ❌ |
| User profile | 🚫 | 🚫 | 🚫 | ✅ |

User actions

| | Supported |
|---|---|
| Ask for file import | ✅ |
| Ask for data enrichment | ✅ |
| Ask for export generation | ✅ |
| Execute global search | ✅ |