
OpenCTI case management is ready for takeoff: what is available and what’s next

Jul 3, 2023

As part of our 2023 strategic roadmap, we’ve worked since January on the case management system within the OpenCTI platform.

This initiative comes from two simple observations:

  1. CTI / DFIR / CSIRT teams have a constant need to handle “requests”, whether for investigation, incident handling, information or takedown.
  2. The existing OpenCTI capabilities already cover the essential requirements in this area: observables, enrichment, sandboxes, TTPs, matrices, timelines, graphs, workflows, assignments, notifications, etc.

Available features

Since OpenCTI 5.8.0, we have introduced three new entity types:

  • Case Incident: to handle all cyber operations, including both cybersecurity incidents and law-enforcement investigations.
  • Case Request for Information: to handle requests about specific threats, whether internal or coming from partners and customers.
  • Case Request for Takedown: to handle and follow all kinds of operations which require external communication.

Types of case

What is a Case?

All cases are “containers” of knowledge in the platform: in addition to attributes such as title, date, priority, severity, etc., a case can contain other entities such as attack patterns, intrusion sets, pieces of malware, observables, incidents / alerts, etc., and relationships can be created between them in the context of the case.

Case overview in the platform

Like any other entity type, cases support multiple built-in features.

Custom workflows with statuses

It is possible to configure workflows with customizable statuses and steps for each type of case. These workflows will be enhanced in the future to support enforcement, validation and group restrictions.

Customization of a type of entity

Mandatory / default / optional attributes

In the settings, all attributes can now have default values and be configured as mandatory, and some of them (such as confidence and reliability) support custom scales.

Attributes and scales in cases

Assignees and participants (users)

A case can be assigned to one or multiple users in the platform. It is also possible to set participants: users who are not directly responsible for the case but are involved in associated tasks.

Assign people to case

Notifications, triggers and digests

Cases can be used in triggers and digests to be alerted about and monitor their activity. From OpenCTI 5.9, you can quickly subscribe to a case using the bell icon at the top right. Assignees and participants are also subscribed automatically.

Alert on new case

Discussions in the context of a case

In cases, like other entities, you can discuss and comment using the notes system. All notes can have labels, confidence levels and contain other entities if necessary.

Notes and discussions in a case

Data and knowledge in a case

Beyond the functional and technical features available in cases, OpenCTI provides out-of-the-box capabilities for cybersecurity analysts to visualize and enrich a case in various ways. For instance, it is possible to attach artifacts to a case and run all available enrichment connectors on them, including sandboxes.

Graph and knowledge

To understand what’s going on in a case or a request for information, all the knowledge contained can be visualized in comprehensive graphs.

Attack pattern matrixes

Using the MITRE ATT&CK ontology or any other kill chain model and TTPs framework, it is possible to visualize the case in a matrix view.

TTPs matrix view of a case

Timelines and correlations

Other visualizations, such as timelines and correlations with other cases, are available to ease the analyst's work.

Case timeline

Tasks in cases

In OpenCTI, cases can be linked to tasks. A task can be assigned to multiple users and has specific attributes such as a due date and a description. It is possible to create “case templates” with pre-defined tasks in the settings of the platform:

Case templates

A template can then be applied to a case, either at creation or later.
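To make the semantics described in this post concrete (a case as a container of entities with relationships scoped to it, mandatory attributes with defaults and scales, custom workflow statuses, auto-subscribed assignees and participants, and case templates that generate tasks), here is an added illustrative Python model. It is not OpenCTI's own code or API; the entity type name, the settings dictionary, the workflow statuses, the template and every identifier in the sample data are constructed for the example.

```python
"""Illustrative model of case semantics, not OpenCTI's own code or API.

All settings, statuses, template contents and sample ids below are
hypothetical values constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical per-type settings: mandatory attributes, defaults,
# custom scales and the allowed workflow transitions.
CASE_SETTINGS = {
    "Case-Incident": {
        "mandatory": {"name", "severity", "priority"},
        "defaults": {"priority": "P3", "confidence": 50},
        "scales": {"confidence": (0, 100)},
        "workflow": {
            "NEW": {"IN_PROGRESS"},
            "IN_PROGRESS": {"CLOSED", "NEW"},
            "CLOSED": set(),
        },
    },
}

# Constructed template: (task name, due offset in days from application)
TEMPLATES = {
    "ransomware-triage": [
        ("Collect host artifacts", 1),
        ("Detonate samples in sandbox", 2),
        ("Write timeline", 5),
    ],
}


@dataclass
class Task:
    name: str
    due: date
    assignees: set = field(default_factory=set)


@dataclass
class Case:
    case_type: str
    attributes: dict
    status: str = "NEW"
    objects: set = field(default_factory=set)  # ids of contained entities
    relationships: list = field(default_factory=list)
    assignees: set = field(default_factory=set)
    participants: set = field(default_factory=set)
    tasks: list = field(default_factory=list)

    def subscribers(self):
        # Assignees and participants are automatically subscribed to notifications.
        return self.assignees | self.participants


def create_case(case_type, attributes):
    """Apply defaults, then enforce mandatory attributes and scale bounds."""
    settings = CASE_SETTINGS[case_type]
    attrs = {**settings["defaults"], **attributes}
    present = {k for k, v in attrs.items() if v not in (None, "")}
    missing = settings["mandatory"] - present
    if missing:
        raise ValueError(f"missing mandatory attributes: {sorted(missing)}")
    for key, (lo, hi) in settings["scales"].items():
        if key in attrs and not lo <= attrs[key] <= hi:
            raise ValueError(f"{key}={attrs[key]} outside scale [{lo}, {hi}]")
    return Case(case_type, attrs)


def add_relationship(case, source_id, target_id, rel_type):
    """A relationship lives in the context of the case: both ends must be contained."""
    if not {source_id, target_id} <= case.objects:
        raise ValueError("both ends of a relationship must be contained in the case")
    case.relationships.append((source_id, rel_type, target_id))


def transition(case, new_status):
    """Move the case along its workflow; reject transitions the workflow does not allow."""
    allowed = CASE_SETTINGS[case.case_type]["workflow"][case.status]
    if new_status not in allowed:
        raise ValueError(f"{case.status} -> {new_status} not allowed by workflow")
    case.status = new_status


def apply_template(case, template_name, today):
    """Create the template's pre-defined tasks on the case, with due dates from today."""
    for name, offset in TEMPLATES[template_name]:
        case.tasks.append(Task(name, today + timedelta(days=offset)))
    return case.tasks


def demo():
    """Walk a constructed incident case through the features described in the post."""
    case = create_case("Case-Incident",
                       {"name": "Suspicious beaconing on WKS-042", "severity": "high"})
    case.objects |= {"ipv4--c0", "malware--m1"}  # constructed entity ids
    add_relationship(case, "malware--m1", "ipv4--c0", "communicates-with")
    case.assignees.add("analyst1")
    case.participants.add("soc-lead")
    apply_template(case, "ransomware-triage", date(2023, 7, 3))
    transition(case, "IN_PROGRESS")
    return case
```

Running `demo()` yields a case whose priority and confidence were filled from the defaults, whose single relationship is scoped to the two contained objects, whose three tasks carry due dates derived from the template, and whose status moved from NEW to IN_PROGRESS through the workflow; the same helpers reject a case with no severity, a relationship to an object outside the case, and a transition the workflow does not list.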

Apply a case template

Remaining work

Incident response

For incident response cases, a new type of connector will be introduced in the platform to handle “external action” triggers. Using a subset of the case data (endpoint name, observables, etc.), it will allow, for instance, triggering SOAR playbooks or quarantine actions in an EDR.

Requests for information and takedown

We plan multiple enhancements to automate requests for takedown, in particular reaching the abuse contacts of registrars and service providers, resolved automatically through enrichment.

For requests for information, the feature will be enhanced to provide a better overview and follow-up for multi-team and provider / customer activities. In particular, we would like to add a capability allowing some users to only open RFIs and follow the RFIs of their own organization, so that full-fledged analysts can gather information in the case and provide the requester with a proper deliverable.

If you have any question, request, comment or feedback to share with us, don’t hesitate to join us on Slack!
