How to generate custom Finished Intelligence reports in OpenCTI

Feb 27, 2025 8 min read

Focus on what matters

Writing up a report or an incident response shouldn’t be a burden for the analyst. An analyst’s added value lies in researching, making links, creating knowledge, investigating…
This knowledge then needs to be shared or processed, which often results in a formal document, shared across various stakeholders.
That’s why we just added a new feature allowing you to create your own dynamic templates of Finished Intelligence (FINTEL) in OpenCTI. As an admin, you can easily create FINTEL templates that your teams can use, helping them standardize their reports.
As an analyst, you can then use these templates to generate custom exports of entities (FINTEL reports) with exactly the data you want, in the order you want, saving you time while preserving a high-quality outcome.

The goal of FINTEL templates is to generate custom PDFs that effectively convey your message.

This feature is available in OpenCTI Enterprise Edition.


Example: communicating how the team managed a cyber attack to a non-technical department

To illustrate how FINTEL templates can be useful, let’s suppose I am part of the department responsible for company security. A new phishing campaign targeted the company a few days ago and I want to create a report for my superior explaining how we dealt with it.

On my OpenCTI instance I have an Incident describing this campaign. We have linked this campaign to three Observables. This Incident has been linked to an Incident Response containing all the data related to the phishing campaign.

Incident Response for our example – part 1
Incident Response for our example – part 2

Create a new FINTEL reports template

To create FINTEL templates, I go to the page Settings > Customization > Incident-Response.

List of FINTEL templates

I can see that I already have two FINTEL templates. Both are built-in within OpenCTI and can be used directly to generate PDFs. However, in our case we want to create a new one with data of our choice.

I click on the “+” button next to the title FINTEL Templates. A form appears, allowing me to input the necessary information.

Form to create a new FINTEL template

As you can see, I filled out the form with a name and a description. The template is not yet ready to be used, so I leave “published” deactivated. I haven’t selected any data for my template yet; that will be the next step.

After submitting the form I am redirected to a new page where I can start writing the template content.

Editor of a FINTEL template

This page is composed of three main sections:

  • Content Editor: The main area for writing the template content.
  • Content Preview: A tab next to the Content Editor that provides a live preview of the PDF rendering.
  • Widgets Configuration: The right section, allowing us to create widgets similar to those used in Dashboards. These widgets are then inserted into the content as needed.

Add some data using widgets

Let’s keep things simple in our example and say that in our template we want to display:

  • 🟩 the name of the Incident Response
  • 🟩 the creation date of the Incident Response
  • 🟩 a description of how we contained the attack
  • 🟧 the list of Observables linked to the incident

I marked some data with a green square 🟩 and some with an orange square 🟧. This helps differentiate the two sorts of data we want to add.

First, there is data that directly concerns the Incident Response, meaning it is an attribute of the Incident Response. Those are the green ones 🟩, and to add them we will use the button “Add data of the Case Incident”.

On the other hand, we also want to add data that is related to this Incident. Those are the orange ones 🟧, and to add them we will use the button “Add data related to the Case Incident”.

Let’s start by adding the data that directly concerns the Incident Response. I click on “Add data of the Case Incident” and a new form appears so I can select which data I will use in my content.

Configuring the Widgets

Configuration form of an attributes-widget of FINTEL template - Default attributes

You may have recognized the form used when we create widgets in Dashboard. We just added some new features in the case of FINTEL templates.

You may also be wondering about the “Current Entity” name in the Instance field. As you already saw, we are defining our template in the Customization page of entity types, not on a particular entity. This means a template can be reused on any entity of the same type. For example, if the company is targeted again in several months, I will be able to reuse this same template on the newly created Incident Response to generate a PDF very quickly. So “Current Entity” refers to the entity that the template will be applied to, in our example the Incident Response “Response to Phishing Campaign January 27, 2025”.

Now let’s add the data. In the list of attributes, we can see we already have the representative, which is the name of the Incident Response, so we only need to add the creation date and the description using the “Attribute” select at the bottom.

Configuration form of an attributes-widget of FINTEL template - Custom attributes

Variable names are the bridge between our list of widgets and how we use them in the content of the FINTEL template. After creating widgets, we just need to copy and paste the variable names into the Content Editor at the place we want. Those variable names will then be replaced by real data when generating the FINTEL PDF.

I validate the form and now I can see my attributes on the right.

Attributes list of the widget

I have warnings because I haven’t used them in the Content Editor yet. This is a visual indicator that helps you quickly see whether some data is missing from the content. So let’s modify the content.

Editor of the FINTEL template

I save my modifications with the “Save Content” button at the top. Now we no longer have any warnings, because all the widgets are used in the content.

Now let’s create the widget listing the Observables related to the Incident Response. I click on the button “Add data related to the Case Incident” and, exactly the same way I would create a list in Dashboards, I create a list for my FINTEL template.

Perspective form for a FINTEL template widget

I choose “Entities” because I want to display the list of Observables, not the relationships between Observables and the Incident Response.

Filters form for a FINTEL template widget

I add a new filter to keep only Observables. The filter “Contains = Current Entity” is automatically added so that the list contains only Observables linked to the Incident Response, not all Observables on the platform. You can still delete this filter if you need to.

Parameters form for a FINTEL template widget

I enter a title (used in the widget list on the right for clarity) and define a variable name for the content. The other fields remain with their prefilled values.

After validating, I add the newly created widget to the content, resulting in the following:

Editor of the FINTEL template

Previewing the FINTEL reports template

It’s time to see what the PDF will look like. I go to the “Content Preview” tab, where I have to configure a few things before the preview can be displayed.

Preview page of the FINTEL template

First, the entity on which to apply the template: here we will choose our Incident Response. Then the max marking definition of the data we want to display in the PDF: we will use TLP:GREEN. And finally the marking definition of the generated PDF itself: we will also use TLP:GREEN.
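A simplified model, added here and not OpenCTI's own code, of two behaviours this walkthrough relies on: flagging widgets whose variable is missing from the content, and keeping related data above the chosen max marking out of the output. The `$name` placeholder syntax, the variable names, the sample values and the handling of unmarked or unknown markings are assumptions.

```python
import re

# TLP 2.0 labels, least to most restrictive.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]
VAR = re.compile(r"\$(\w+)")  # assumed placeholder syntax for this sketch

def within_ceiling(markings, max_marking):
    """True if every marking is at or below the ceiling; unknown labels fail closed."""
    ceiling = TLP_ORDER.index(max_marking)
    # Assumption: an object with no marking at all passes any ceiling.
    return all(m in TLP_ORDER and TLP_ORDER.index(m) <= ceiling for m in markings)

def unused_widgets(content, widgets):
    """Widget variables that the content never references (the editor's warning)."""
    return sorted(set(widgets) - set(VAR.findall(content)))

def render(content, entity, related, max_marking):
    """Fill the variables for one entity, dropping related data above the ceiling."""
    visible = [o for o in related if within_ceiling(o["markings"], max_marking)]
    values = {
        "irName": entity["name"],
        "irCreated": entity["created"],
        "irDescription": entity["description"],
        "observablesList": "\n".join(f"- {o['type']}: {o['value']}" for o in visible),
    }
    # Unknown variables are left in place so a typo stays visible in the output.
    return VAR.sub(lambda m: values.get(m.group(1), m.group(0)), content), visible

# Constructed sample data (hypothetical variable names and values).
WIDGETS = ["irName", "irCreated", "irDescription", "observablesList"]
CONTENT = "Report: $irName\nCreated: $irCreated\nContainment: $irDescription\n$observablesList"
ENTITY = {
    "name": "Response to Phishing Campaign January 27, 2025",
    "created": "2025-01-27",
    "description": "Sender domain blocked, affected mailboxes reset.",
}
OBSERVABLES = [
    {"type": "Domain-Name", "value": "login-portal.example", "markings": ["TLP:GREEN"]},
    {"type": "Email-Addr", "value": "billing@mail.example", "markings": ["TLP:CLEAR"]},
    {"type": "IPv4-Addr", "value": "203.0.113.10", "markings": ["TLP:AMBER"]},
]

if __name__ == "__main__":
    print("unused in draft:", unused_widgets("Report: $irName", WIDGETS))
    text, shown = render(CONTENT, ENTITY, OBSERVABLES, "TLP:GREEN")
    print(text)
    print(f"{len(shown)} of {len(OBSERVABLES)} observables at or below TLP:GREEN")
```

With the ceiling at TLP:GREEN, the TLP:AMBER observable never reaches the rendered text, which is the property to verify in the preview before a report leaves the team.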

Preview of the FINTEL template – 1/2

I can see my PDF displayed in the center of the screen. If I scroll down to the second page, I can see all the data we set up with the widgets.

Preview of the FINTEL template – 2/2

That’s it, our FINTEL Template is ready to be used! And we can use it on any Incident Response we want. There is just one last step to make it visible: setting it as published. I click on the three-dots button at the top, then “Update”, and switch the “Published” button.

Update action
Published input in update form

I can now go to my Incident Response page, open the “Content” tab, and generate the PDF using this template.

Key benefits

  • Save time: help your analysts spend more time finding threats instead of writing reports.
  • Streamline outcomes: ensure a consistent level of reporting by exploiting data from your platform.

Conclusion

OpenCTI FINTEL Templates open a new world of possibilities in how you can share the data inside your platform with external people. We hope this article has helped you understand how you can take advantage of this new feature to create personalized, reusable templates that generate custom PDFs from your OpenCTI data.

For more information on how you can customize your templates, please have a look at our documentation.

If you have any questions, requests, comments or feedback to share with us, don’t hesitate to join us on Slack!