On the OpenCTI platform, knowledge can only be added in the context of a report. This ensures that every entity and relationship is sourced by at least one report. Knowledge can be added to a report programmatically using OpenCTI connectors or the Python client. This documentation is a guide for creating knowledge manually; if you wish to use the Python client, please refer to the dedicated documentation.
To start adding knowledge to a report, you should:
- Go to the reports section and select the report you want to analyze.
- You first arrive in the overview section of the report. If the report has not been processed by anyone before, this section should be almost empty. The external reference box on the report dashboard gives access to the PDF file of the report through its URL.
- Go to the knowledge tab at the top middle left of the window.
In this space, you can select entities and link them, based on what is written in the report (in this example, the knowledge created does not reflect the content of the report). First, click the orange button at the bottom right. A panel unfolds on the right side. Use the "search" bar to find the information relevant to the report (TTPs, malware, countries, sectors, etc.).
Note: all the TTPs displayed in the demonstration or in this documentation come from the MITRE ATT&CK framework, but you can add any framework you want, or build your own, by adding TTPs to the platform.
Each time you click an element you wish to add, it is stacked at the upper left of the workspace, just under the title. You can stack all the elements you need for now and unstack them as you organize them on the page and link them to each other.
If an element you wish to add from the report is not in the OpenCTI database, you can create it by clicking the orange button at the bottom right of the window again. Watch out for duplicates!
To avoid duplicates, especially with entities such as sectors, cities, countries and regions, we suggest you use the datasets in the repository or create your own.
Once all the elements of interest are stacked, collapse the right panel by clicking on the workspace, then unstack and organize the boxes on the space by dragging and dropping them.
You can then start creating links between your different entities and techniques.
The direction in which you draw a link matters a lot, so we strongly advise you to read the guide on creating relations carefully before starting on real cases. For example, if you draw a link from an intrusion set to a TTP, the relation reads "APT-X uses TTP xx"; avoid drawing the link from the TTP to the intrusion set, as it makes no sense for an intrusion set to be used by a TTP.
In some cases, a relation already exists between two entities. For instance, the relation "the tool Cobalt Strike uses the TTP credential dumping" will be created many times.
We advise you to create a new relation every time it is mentioned, with the dates matching the information in the report, instead of always reusing the same relation.
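The two rules above (draw the link in the right direction; create a new dated relation per mention rather than reusing one) and the duplicate warning from the entity step can be checked mechanically. The following is an added example, not OpenCTI or pycti code: a small in-memory model of a report's knowledge with a hypothetical `ReportKnowledge` helper. The `ALLOWED` table is a constructed subset of OpenCTI's relationship direction rules, listing only the pairs this example needs, and all entity names and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed subset of the direction rules for core relationships:
# (source entity type, relationship type, target entity type).
# Only the pairs used in this example are listed; this is not the full schema.
ALLOWED = {
    ("Intrusion-Set", "uses", "Attack-Pattern"),
    ("Intrusion-Set", "uses", "Malware"),
    ("Intrusion-Set", "uses", "Tool"),
    ("Malware", "uses", "Attack-Pattern"),
    ("Tool", "uses", "Attack-Pattern"),
    ("Intrusion-Set", "targets", "Sector"),
    ("Intrusion-Set", "targets", "Country"),
    ("Malware", "targets", "Sector"),
}


@dataclass(frozen=True)
class Entity:
    type: str
    name: str


@dataclass(frozen=True)
class Relation:
    source: Entity
    rel_type: str
    target: Entity
    start: Optional[date] = None
    stop: Optional[date] = None


@dataclass
class ReportKnowledge:
    """Entities and relations attached to one report (hypothetical helper)."""
    name: str
    entities: dict = field(default_factory=dict)   # (type, normalized name) -> Entity
    relations: list = field(default_factory=list)

    def add_entity(self, type_: str, name: str) -> Entity:
        """Return the existing entity when type and name already match, so that
        'France' and ' france ' never become two Country objects."""
        key = (type_, " ".join(name.split()).casefold())
        if key not in self.entities:
            self.entities[key] = Entity(type_, name.strip())
        return self.entities[key]

    def link(self, source: Entity, rel_type: str, target: Entity,
             start: Optional[date] = None, stop: Optional[date] = None) -> Relation:
        """Create a relation in the direction drawn by the analyst.
        A link drawn the wrong way round (TTP -> intrusion set) is rejected
        with a hint giving the correct direction. A relation with the same
        endpoints but different dates is a new relation (one per mention);
        an exact repeat is returned unchanged instead of being duplicated."""
        if (source.type, rel_type, target.type) not in ALLOWED:
            if (target.type, rel_type, source.type) in ALLOWED:
                raise ValueError(
                    f"draw the link from {target.type} to {source.type} instead")
            raise ValueError(
                f"{source.type} {rel_type} {target.type} is not a valid relation")
        rel = Relation(source, rel_type, target, start, stop)
        for existing in self.relations:
            if existing == rel:
                return existing
        self.relations.append(rel)
        return rel


def demo():
    """Walk through the report from the text with constructed sample data."""
    report = ReportKnowledge("Constructed sample report")
    apt = report.add_entity("Intrusion-Set", "APT-X")
    cobalt = report.add_entity("Tool", "Cobalt Strike")
    dumping = report.add_entity("Attack-Pattern", "Credential Dumping")
    report.add_entity("Country", "France")
    report.add_entity("Country", " france ")          # duplicate, collapsed
    report.link(apt, "uses", cobalt)
    # Two mentions in the report on different dates: two dated relations.
    report.link(cobalt, "uses", dumping, date(2023, 1, 10), date(2023, 1, 10))
    report.link(cobalt, "uses", dumping, date(2023, 3, 2), date(2023, 3, 2))
    # Exact repeat of the second mention: not duplicated.
    report.link(cobalt, "uses", dumping, date(2023, 3, 2), date(2023, 3, 2))
    try:
        report.link(dumping, "uses", apt)              # drawn the wrong way
        hint = ""
    except ValueError as err:
        hint = str(err)
    return report, hint


if __name__ == "__main__":
    knowledge, hint = demo()
    print(len(knowledge.entities), "entities,", len(knowledge.relations), "relations")
    print("hint:", hint)
```

The same direction rule applies whichever way the relation is created: the entity on the "from" side is the one that uses or targets, and the TTP, malware or sector sits on the "to" side.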
Once you have added all the entities and the relationships between them, the report knowledge is complete:
All these new entities are added to the "entities" section of the report and also appear in the stats of the "overview" section.
Of course, you can update or delete relations, and delete TTPs and entities if needed, from anywhere in the platform. After you have created the knowledge of a report, the report overview is updated.