
Telemetry in OpenCTI 6.1

May 16, 2024 4 min read

Since version 6.1, OpenCTI gathers some measurements related to the platform. This metrics collection is now mandatory for us to improve platform performance, as current usage implies significantly larger data volumes than before. It is also essential for us to enhance workflows and adapt them to community usage patterns. The data are anonymized and statistical. Users' personal information and confidential data are not collected.

Let’s dive in together on how it is done! 🙂


Confidentiality and anonymization

All collected data are anonymized, and we don’t collect any data that could identify individual users (such as IP addresses, email addresses or user names). The privacy of our users is thus protected in compliance with privacy regulations.

We also don’t collect information related to threat intelligence knowledge: the data ingested by your platforms and your analyses remain strictly confidential.

The purpose of telemetry

The collected data is used for:

  • better understanding platform usage to improve the functionality and performance of the application,
  • analyzing users' behavior to enhance the user experience,
  • generating aggregated and anonymized statistics for internal metrics and KPIs.

In the future, we also plan to use this statistical data for external reporting, giving the community of users and customers direct insight into how OpenCTI is used.

Telemetry data compute

We use the OpenTelemetry library to collect, manage and export telemetry data.

The metrics are collected every hour by a telemetry manager. Metrics that do not change over a platform's lifetime (like its version) are collected only once, when the telemetry manager starts.

Telemetry data export

Data are exported every 6 hours in two possible ways:

  • File export: Metrics are written to dedicated log files by a file exporter. You can find these files in your local OpenCTI folders (path: opencti/opencti-platform/opencti-graphql/telemetry/), so you have access to all the exported data. These files are also included in the support package. Note that they are always generated; this cannot be disabled.
  • OTLP export: For connected platforms, the metrics are sent to the telemetry.filigran.io hostname using the OTLP protocol over HTTPS. This export is deactivated if OpenCTI was not able to connect to the hostname when the telemetry manager started (disconnected platforms).

Exported data are written in the OpenTelemetry JSON format.

[Figure: Workflow of telemetry data collection and export]

The data collected

Here is the list of metrics related to the platform usage that are collected in OpenCTI 6.1:

  • the current platform version,
  • the platform unique identifier,
  • the platform creation date,
  • the number of nodes (instances),
  • the total number of users,
  • the number of active users (i.e. the number of users with an active session since the last data collection by the telemetry manager),
  • the Enterprise Edition status (if EE is activated or not),
  • the number of active connectors.
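
To check the exported files against the list above, the following added example (not Filigran's code) parses export lines and returns the metric names present, plus any string attribute that looks like an email or IPv4 address. It assumes the files hold one OTLP JSON object per line; the metric and attribute names in the sample lines are constructed, not taken from OpenCTI.

```python
import json
import re

# Value shapes the article says are never collected.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def attr_strings(attributes):
    """Yield (key, value) for string-valued OTLP KeyValue attributes."""
    for kv in attributes or []:
        value = kv.get("value", {})
        if "stringValue" in value:
            yield kv["key"], value["stringValue"]

def audit_export(lines):
    """Return (metric names, PII findings) for OTLP JSON lines."""
    names, findings = set(), []
    for line in filter(str.strip, lines):  # skip blank lines
        for rm in json.loads(line).get("resourceMetrics", []):
            strings = list(attr_strings(rm.get("resource", {}).get("attributes")))
            for sm in rm.get("scopeMetrics", []):
                for metric in sm.get("metrics", []):
                    names.add(metric["name"])
                    for kind in ("gauge", "sum", "histogram"):
                        for dp in metric.get(kind, {}).get("dataPoints", []):
                            strings.extend(attr_strings(dp.get("attributes")))
            for key, value in strings:
                for label, pattern in PII_PATTERNS.items():
                    if pattern.search(value):
                        findings.append((label, key, value))
    return names, findings

def _line(resource_attrs, metrics):
    return json.dumps({"resourceMetrics": [{
        "resource": {"attributes": resource_attrs},
        "scopeMetrics": [{"metrics": metrics}]}]})

# Constructed sample lines; metric and attribute names are assumptions.
CLEAN = _line([{"key": "service.version", "value": {"stringValue": "6.1.0"}}],
              [{"name": "total_users_count", "gauge": {"dataPoints": [{"asInt": "42"}]}}])
# Deliberately bad constructed line, to show what a finding looks like.
LEAKY = _line([], [{"name": "active_users_count", "gauge": {"dataPoints": [
    {"asInt": "3", "attributes": [
        {"key": "user", "value": {"stringValue": "alice@example.org"}}]}]}}])

if __name__ == "__main__":
    print(audit_export([CLEAN, LEAKY]))
```

To audit a real export, pass an open file from the telemetry folder to `audit_export` and compare the returned names with the list above.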

Next steps

Other data may be collected in the future to better understand platform usage, such as:

  • where the Enterprise Edition activation comes from (the page where the EE pop-up was opened), to know which features most lead users to adopt EE,
  • average session duration over time, to evaluate how users' platform usage evolves,
  • some metrics to evaluate the feature adoption rate, to know how much a feature is used over time. This could be calculated from the number of API calls to a feature per session, for instance.

Conclusion

Collecting telemetry data, with respect for users' privacy and data confidentiality, is a game changer for Filigran. It enables us to better understand how the platform is used, in order to propose solutions and features adapted to our users' behaviors, while improving the OpenCTI experience and functionalities in the best way for our community.

Feel free to ask any questions about it on our Slack community channel 📢!
