Software Development
Threat Intelligence

New OCTI dashboards: the first graph dashboarding engine for the STIX model

Jan 15, 2023 11 min read

When we’ve started working on Key Performance Indicators (KPI), trends modelization and graphical representation of the Cyber Threat Intelligence knowledge as well as operational data stored in the platform, most of the people though it was easier to embed something that already exists in the technological stack such as KibanaOpenSearch dashboards or Grafana. But the truth is none of existing systems is able generate queries which go through the knowledge graph and help the OpenCTI community with use cases awaited since a long time.

In OpenCTI 5.5 branch, we’ve introduced a brand new dashboarding engine but this first version can be difficult to apprehend for analysts or stakeholders who are not familiar (or even experts 😊) with the STIX model. If the user experience of widget creation will be enhanced in the next releases, the underlying logic will remain the same and this article aims to explain it and illustrate the power of this implementation by answering several questions, from the most basic to the most complex ones.


New widget creation workflow

First of all, when creating a new widget, the workflow is now as follows:

Workflow of the dashboard widget creation

Depending on the selection, the widget configuration may change and the number of datasets to display as well. In the new engine, the number of available visualization types have been widely increased:

Available visualization types

For perspective selection, think knowledge graph

After selecting the visualization type, generally two perspectives are available for data to be displayed: Entities” or “Knowledge graph. To choose which kind of perspective should be used, the question to answer is just: “Do I need to go through some relationships to compute the dataset to display or not?”.

In other words, if you would like to display a subset of entities with filters like labels, authors, marking definitions, etc. you just need the “Entities” perspective, but if you need to take into account victimology (targets), attribution (attributed-to), usage (uses) or any other relationships, the perspective will be “Knowledge graph”.

Perspective selection

Displaying entities list or timeseries: vertical bars, lines, timeline, number, etc.

The first use cases examples are quiet simple and are about to display numbers, lists or charts (timeseries) using a subset of entities (aka perspective “Entities”). Depending on the visualization type, you may be able to select one single dataset or multiple subsets of the data.

For instance, if the selected visualization type is “List”, “Number” or “Timeline”, you can only select a single subset of data:

List or number of reports with TLP:AMBER

If the visualization type “Vertical bar” or “Line” is selected, it’s possible to display more than one subset (multiple bars, multiple lines, etc.):

Line or bar charts with multiple subsets of data

In the latest example, using default parameters, the generated chart looks like:

Vertical bars with multiple subsets of data

In the last step of the widget configuration, it’s possible to adjust the display parameters such as the interval (day, week, month, etc.), the legend, if the chart is stacked or not and also the “time” field used to compute the timeseries (createdcreated_atupdatedupdated_at, etc.) for each subset of knowledge.

For instance, with interval “Month” and “Stacked Chart”:

With the “Entities” perspective and the available visualization types for list, number or timeseries, it’s possible to answer questions such as:

  • How many TLP:RED indicators or reports are ingested each week?
  • What is the current number of vulnerabilities with a specific label in the platform?
  • What are the latest campaigns with a specific label (in a form of a timeline)?
  • How many reports containing a given sector have been ingested over the last 12 months?

Displaying entities distribution: horizontal bars, pie chart, etc.

When selecting a visualization which leads to data distribution such as radar, pie charts or donuts, you will have to select what is the field used to compute the aggregation such as a type, an author, a marking, etc.

Select the aggregation field

For instance, after selecting a visualization of type “Horizontal bar” with a simple configuration like:

Display all reports

And selecting the “created-by.internal_id” field (aka the “author of the report”):

Distribution by author

The result will be:

Distribution of reports by author

With the “Entities” perspective and the available visualization types for distribution and aggregation, it’s possible to answer questions like:

  • What is the distribution of authors for reports with a specific label?
  • What are the top 10 indicator types in the platform in the 3 last months?
  • What are the top malware types with a given marking definition?

But graphing or displaying just “entities” is limited when it comes to be able to compute datasets based on the activity such as trends related to specific sectors, countries, types of threats, etc. This is why, in most cases, analysts and stakeholders need to go through the graph to cover the questions such as:

  • What are the top ransomware families that have been reported over a particular time frame and what are the regions / sectors / countries impacted?
  • Using the MITRE ATT&CK Matrix, what are the top X initial access techniques used by attackers?
  • What are the top 10 threat actor types reported over a particular time frame?
  • What are the most common families of malware in the incidents reported over a particular time frame and associated regions / sectors / countries?

Displaying knowledge graph list or timeseries: vertical bars, lines, timeline, number, etc.

When getting through the knowledge graph is needed, this generally means that you would like count relationships or even better, to compute a distribution based on relationship filters. Let’s take a few example here.

The first one is simple, we just would like to build a heatmap of all “targets” relationships to the Europe region. We need to take into consideration the nature of relationships as well as the direction (to know if the scoped entity is the source or the target).

STIX representation of victimology

In terms of filtering, this means:

Filtering all threats targeting Europe

Heatmap result will appear as:

Europe targets over the last 6 months

The visualization type “Heatmap” support multiple datasets so it’s possible to extend it to Americas targets:

Europe and Americas targets data selection

And the result will be as follows:

Europe and Americas targets over the last 6 months

Let’s take another example, if we would like to display the number of indicators over time for specific threats. Here we will choose the vertical bar chart to display number of indicators related to TurlaAPT28APT41 and Kimsuki. As a reminder, the relationship between indicators and threats is in a form of “Indicator” → indicates → “Threat”.

Data selection for indicators related to specific threats

Then, the visualization result will be:

Indicators for specific threats over time

But at this moment, most of the analysts would like to display a graph not for a defined list of threats but for a dynamic one. This means that the “target entity” is defined with some filters and is not a particular entity. This is why OpenCTI 5.5 has introduced a new concept called “dynamic source” or “dynamic target” when listing / counting relationships.

Let say we would like to graph indicators for all malware with the specific label “ransomware”.

Dynamic computing of the target of relationships

In dashboard configuration, this means to be able to filter on the “target” of the relationships:

Indicators to Malware with label “ransomware”

Result in an area graph:

Trends for indicators to Malware with label “ransomware”

The dynamic sources / targets of relationships associated with all available filters for the relationships themself is a very powerful feature that allows almost all types of dataset visualization for timeseries, lists and numbers.

With the “Knowledge graph” perspective and the available visualization types for lists, numbers or timeseries, it’s possible to answer questions like:

  • How many indicators related to specific or subset of threats have been ingested over the last 12 months?
  • How many ransomware incidents (incidents uses a malware with a type ransomware) occurred each month?
  • What are the latest vulnerabilities targeted by a subset of threat actors? (in a form of a timeline)?

Displaying knowledge graph distribution: horizontal bars, pie chart, etc.

Last but not least, all distribution and aggregation visualization types are available for knowledge graph perspectives. Let’s take another example to display the top 10 malware targeting United States of America. First of all, we need to select a distribution visualization such as Horizontal bar, and then adjust the filters:

Filters for displaying top malware targeting USA

Then, in the parameters of the relationships distribution, it is possible to display rather the type of entity or the entity itself (aka the “name / value”), in this case, we need the actual name of all pieces of malware targeting the USAAlso, as the relationship is “Malware → targets → USA”, we need to check “Display the source” because the Malware is the source of the relationship.

Display the entity (aka the malware), source of relationships “targets”

This leads to the chart below:

Top malware targeting USA

Just to follow up on this use case and to understand all options available here, let’s remove the filter “Target Entity = USA”. So basically we would like to display the distribution of relationships with a source entity of type “Malware”, therefore graphing the top malware, without any specific targeted country or sector:

Top malware based on number of “target” relationships

This now displays the top malware regardless the victim:

Global top malware

But what if we just toggle the parameter “Display the source” to display the “Target” (and not the “Source”) of the relationships with the same parameters?

Top victims (displaying target and not the source)

It will display the top “victims” (sectors, countries, regions, etc.) targeted by malware:

Top victims targeted by pieces of malware

It’s also possible to scope on a specific malware or intrusion set to get top victims targeted by Emotet or Play ransomware for instance. Just as an information dynamic source and dynamic target are also available here so be able to address use cases such as:

  • What are the top sectors targeted by intrusion sets with a specific labels?
  • What is the distribution of indicator types (STIX, YARA rules, SNORT rules, Suricata rules, etc.) for malware of type “ransomware”?
  • What are the most active threats attributed to Russia in the last 3 months based on indicators or targeting?

Finally, some visualization type like horizontal bars support breakdown within the aggregation. This means that OpenCTI allows users to re-compute a subset of the data based on the entity in the bar. Here is an example of top targeted countries and a breakdown by malware type:

Datasets to display top countries targeted by malware and then breakdown by type

Then, just select the appropriate field to for the second dimension of distribution:

Display the “target” (aka the countries) and then break by type in bars

This will result in:

Top countries targeted by malware with malware types distribution

The breakdown capability can be described as a recomputing based on the entity returned in the bar, and can be a complex query through relationships if necessary. To be precise, when “Emotet” in returned in the bar, it will be used as the source or the target of the sub-query directly.

Sub-query for aggregation

In the platform, you can choose if you would like to perform a subquery with a perspective of “Entities” or “Relationships” (aka Knowledge Graph).

Breakdown using entities or relationships re-filtering

To end this article and understand better the breakdown capabilities, let’s take another example: aggregate the top sectors and then breakdown by motivation of intrusion sets.

Top sectors targeted by Intrusion Sets then breakdown by intrusion set motivation.

With the following parameters, displaying “Primary Motivation”:

Displaying top sector with a breakdown by primary motivation of Intrusion Sets

So result is:

Top sectors targeted by intrusion sets with a breakdown by motivation

Conclusion

As previously mentioned, the user experience of widget configuration will be enhanced in the next releases. Also, this article only covers a part of the new dashboarding engine (not covering timelines, lists, radars of TTPs, etc.) which is powerful enough to answer most of any organizations needs in termes of KPIs and trends around the data in the platform.

If you still have question and would like to request the exact path to be able to achieve a specific use case, don’t hesitate to join the Filigran community and ask for it!

Stay up to date with everything at Filigran

Sign up for our newsletter and get bi-monthly updates of Filigran major events: product updates, upcoming events, latest content and more.