New OCTI dashboards: the first graph dashboarding engine for the STIX model
When we started working on Key Performance Indicators (KPIs), trend modelling and the graphical representation of Cyber Threat Intelligence knowledge as well as of the operational data stored in the platform, most people thought it would be easier to embed something that already exists in the technological stack, such as Kibana, OpenSearch Dashboards or Grafana. But the truth is that none of the existing systems is able to generate queries which traverse the knowledge graph and help the OpenCTI community with use cases that have been awaited for a long time.
In the OpenCTI 5.5 branch, we have introduced a brand new dashboarding engine, but this first version can be difficult to grasp for analysts or stakeholders who are not familiar with the STIX model (or even for experts 😊). While the user experience of widget creation will be enhanced in the next releases, the underlying logic will remain the same, and this article aims to explain it and illustrate the power of this implementation by answering several questions, from the most basic to the most complex ones.
New widget creation workflow
First of all, when creating a new widget, the workflow is now as follows:
Depending on the selection, the widget configuration may change, and so may the number of datasets to display. In the new engine, the number of available visualization types has been widely increased:
For perspective selection, think knowledge graph
After selecting the visualization type, two perspectives are generally available for the data to be displayed: “Entities” or “Knowledge graph”. To choose which perspective should be used, the question to answer is simply: “Do I need to go through some relationships to compute the dataset to display, or not?”
In other words, if you would like to display a subset of entities with filters like labels, authors, marking definitions, etc., you just need the “Entities” perspective; but if you need to take into account victimology (targets), attribution (attributed-to), usage (uses) or any other relationship, the perspective will be “Knowledge graph”.
Displaying entities list or timeseries: vertical bars, lines, timeline, number, etc.
The first use case examples are quite simple and are about displaying numbers, lists or charts (timeseries) using a subset of entities (i.e. the “Entities” perspective). Depending on the visualization type, you may be able to select one single dataset or multiple subsets of the data.
For instance, if the selected visualization type is “List”, “Number” or “Timeline”, you can only select a single subset of data:
If the visualization type “Vertical bar” or “Line” is selected, it’s possible to display more than one subset (multiple bars, multiple lines, etc.):
In the latter example, using default parameters, the generated chart looks like:
In the last step of the widget configuration, it’s possible to adjust the display parameters such as the interval (day, week, month, etc.), the legend, whether the chart is stacked or not, and also the “time” field used to compute the timeseries (created, created_at, updated, updated_at, etc.) for each subset of knowledge.
For instance, with interval “Month” and “Stacked Chart”:
With the “Entities” perspective and the available visualization types for list, number or timeseries, it’s possible to answer questions such as:
- How many TLP:RED indicators or reports are ingested each week?
- What is the current number of vulnerabilities with a specific label in the platform?
- What are the latest campaigns with a specific label (in a form of a timeline)?
- How many reports containing a given sector have been ingested over the last 12 months?
Displaying entities distribution: horizontal bars, pie chart, etc.
When selecting a visualization which leads to a data distribution, such as radar, pie charts or donuts, you will have to select the field used to compute the aggregation, such as a type, an author, a marking, etc.
For instance, after selecting a visualization of type “Horizontal bar” with a simple configuration like:
And selecting the “created-by.internal_id” field (aka the “author of the report”):
The result will be:
With the “Entities” perspective and the available visualization types for distribution and aggregation, it’s possible to answer questions like:
- What is the distribution of authors for reports with a specific label?
- What are the top 10 indicator types in the platform in the last 3 months?
- What are the top malware types with a given marking definition?
But graphing or displaying just “entities” is limited when it comes to computing datasets based on activity, such as trends related to specific sectors, countries, types of threats, etc. This is why, in most cases, analysts and stakeholders need to go through the graph to cover questions such as:
- What are the top ransomware families that have been reported over a particular time frame and what are the regions / sectors / countries impacted?
- Using the MITRE ATT&CK Matrix, what are the top X initial access techniques used by attackers?
- What are the top 10 threat actor types reported over a particular time frame?
- What are the most common families of malware in the incidents reported over a particular time frame and associated regions / sectors / countries?
Displaying knowledge graph list or timeseries: vertical bars, lines, timeline, number, etc.
When going through the knowledge graph is needed, this generally means that you would like to count relationships or, even better, to compute a distribution based on relationship filters. Let’s take a few examples here.
The first one is simple: we just would like to build a heatmap of all “targets” relationships to the Europe region. We need to take into consideration the type of the relationships as well as their direction (to know whether the scoped entity is the source or the target).
In terms of filtering, this means:
The heatmap result will appear as:
The visualization type “Heatmap” supports multiple datasets, so it’s possible to extend it to targets in the Americas:
And the result will be as follows:
Let’s take another example: displaying the number of indicators over time for specific threats. Here we will choose the vertical bar chart to display the number of indicators related to Turla, APT28, APT41 and Kimsuky. As a reminder, the relationship between indicators and threats has the form “Indicator” → indicates → “Threat”.
Then, the visualization result will be:
But at this point, most analysts would like to display a graph not for a fixed list of threats but for a dynamic one. This means that the “target entity” is defined by a set of filters rather than being one particular entity. This is why OpenCTI 5.5 has introduced a new concept called “dynamic source” or “dynamic target” when listing / counting relationships.
Let’s say we would like to graph indicators for all malware with the specific label “ransomware”.
In the dashboard configuration, this means being able to filter on the “target” of the relationships:
The result as an area graph:
Dynamic sources / targets of relationships, combined with all the filters available for the relationships themselves, is a very powerful feature that allows almost all types of dataset visualization for timeseries, lists and numbers.
With the “Knowledge graph” perspective and the available visualization types for lists, numbers or timeseries, it’s possible to answer questions like:
- How many indicators related to a specific threat or a subset of threats have been ingested over the last 12 months?
- How many ransomware incidents (incidents that use a malware of type ransomware) occurred each month?
- What are the latest vulnerabilities targeted by a subset of threat actors (in the form of a timeline)?
Displaying knowledge graph distribution: horizontal bars, pie chart, etc.
Last but not least, all distribution and aggregation visualization types are available for the knowledge graph perspective. Let’s take another example: displaying the top 10 malware targeting the United States of America. First of all, we need to select a distribution visualization such as Horizontal bar, and then adjust the filters:
Then, in the parameters of the relationship distribution, it is possible to display either the type of entity or the entity itself (i.e. the “name / value”); in this case, we need the actual name of all pieces of malware targeting the USA. Also, as the relationship is “Malware → targets → USA”, we need to check “Display the source” because the malware is the source of the relationship.
This leads to the chart below:
Just to follow up on this use case and understand all the options available here, let’s remove the filter “Target Entity = USA”. So basically we would like to display the distribution of relationships with a source entity of type “Malware”, thereby graphing the top malware without any specific targeted country or sector:
This now displays the top malware regardless of the victim:
But what if we just toggle the parameter “Display the source” to display the “Target” (and not the “Source”) of the relationships, with the same parameters?
It will display the top “victims” (sectors, countries, regions, etc.) targeted by malware:
It’s also possible to scope on a specific malware or intrusion set to get the top victims targeted by Emotet or Play ransomware, for instance. For information, dynamic source and dynamic target are also available here, which makes it possible to address use cases such as:
- What are the top sectors targeted by intrusion sets with a specific label?
- What is the distribution of indicator types (STIX, YARA rules, SNORT rules, Suricata rules, etc.) for malware of type “ransomware”?
- What are the most active threats attributed to Russia in the last 3 months based on indicators or targeting?
Finally, some visualization types like horizontal bars support a breakdown within the aggregation. This means that OpenCTI allows users to re-compute a subset of the data based on the entity in each bar. Here is an example of top targeted countries with a breakdown by malware type:
Then, just select the appropriate field for the second dimension of the distribution:
This will result in:
The breakdown capability can be described as a recomputation based on the entity returned in the bar, and it can be a complex query through relationships if necessary. To be precise, when “Emotet” is returned in the bar, it is used directly as the source or the target of the sub-query.
In the platform, you can choose whether to perform the sub-query with a perspective of “Entities” or “Relationships” (i.e. Knowledge graph).
To end this article and better understand the breakdown capabilities, let’s take one more example: aggregate the top sectors and then break them down by the motivation of the intrusion sets.
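To make the three mechanics above concrete (a relationship timeseries with a dynamic target, a relationship distribution with the “Display the source” toggle, and a breakdown that re-runs a sub-query per bar), here is an added, stand-alone model of the logic over a small constructed graph. It is illustrative code written for this article, not OpenCTI’s engine or API; entity ids, names, labels and dates are all made up, and filters are plain dictionaries rather than the platform’s filter objects.

```python
from collections import Counter
# Constructed sample graph (not OpenCTI data): STIX-like entities and SRO-shaped relationships.
ENTITIES = {
    "mal-1": {"type": "Malware", "name": "LockerA", "labels": ["ransomware"]},
    "mal-2": {"type": "Malware", "name": "LoaderB", "labels": ["loader"]},
    "mal-3": {"type": "Malware", "name": "LockerC", "labels": ["ransomware"]},
    "ind-1": {"type": "Indicator", "name": "ind-1", "labels": []},
    "ind-2": {"type": "Indicator", "name": "ind-2", "labels": []},
    "ind-3": {"type": "Indicator", "name": "ind-3", "labels": []},
    "usa": {"type": "Country", "name": "United States of America", "labels": []},
    "fra": {"type": "Country", "name": "France", "labels": []},
}
RELATIONSHIPS = [  # (source_id, relationship_type, target_id, created)
    ("ind-1", "indicates", "mal-1", "2023-01-10"),
    ("ind-2", "indicates", "mal-1", "2023-02-03"),
    ("ind-3", "indicates", "mal-2", "2023-02-20"),
    ("mal-1", "targets", "usa", "2023-01-15"),
    ("mal-2", "targets", "usa", "2023-01-20"),
    ("mal-3", "targets", "usa", "2023-02-01"),
    ("mal-1", "targets", "fra", "2023-02-11"),
]

def matches(entity, filters):
    """Entity filters: each field must equal (or, for list fields, intersect) a wanted value."""
    for key, wanted in (filters or {}).items():
        value = entity.get(key)
        if not set(value if isinstance(value, list) else [value]) & set(wanted):
            return False
    return True

def select(rel_type, source_filters=None, target_filters=None):
    """Knowledge-graph perspective: relationships whose dynamic source / target both match."""
    return [r for r in RELATIONSHIPS if r[1] == rel_type
            and matches(ENTITIES[r[0]], source_filters)
            and matches(ENTITIES[r[2]], target_filters)]

def timeseries(rel_type, source_filters=None, target_filters=None):
    """Relationship count per month (interval 'Month'), keyed by YYYY-MM of 'created'."""
    return dict(Counter(r[3][:7] for r in select(rel_type, source_filters, target_filters)))

def distribution(rel_type, source_filters=None, target_filters=None, display="source"):
    """Top entities on one side of the relationship: the 'Display the source' toggle."""
    side = 0 if display == "source" else 2
    return dict(Counter(ENTITIES[r[side]]["name"] for r in select(rel_type, source_filters, target_filters)))

def breakdown(rel_type, target_filters, field="labels"):
    """Per bar (a top target), re-run the sub-query with that entity as target and aggregate its sources by field."""
    return {name: dict(Counter(v for r in select(rel_type, target_filters={"name": [name]})
                                 for v in ENTITIES[r[0]][field]))
            for name in distribution(rel_type, target_filters=target_filters, display="target")}
```

`timeseries("indicates", target_filters={"type": ["Malware"], "labels": ["ransomware"]})` is the “indicators for all ransomware malware” widget, and `breakdown("targets", {"type": ["Country"]})` is the “top targeted countries broken down by malware type” one.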
With the following parameters, displaying “Primary Motivation”:
The result is:
Conclusion
As previously mentioned, the user experience of widget configuration will be enhanced in the next releases. Also, this article only covers part of the new dashboarding engine (it does not cover timelines, lists, radars of TTPs, etc.), which is powerful enough to answer most of any organization’s needs in terms of KPIs and trends around the data in the platform.
If you still have questions and would like to request the exact path to achieve a specific use case, don’t hesitate to join the Filigran community and ask!