Robustness, intelligence and collaboration with OpenCTI 5.0
We are finally moving forward! Since the release of version 4, and a few milestones later, OpenCTI 5.0 is here.
During our summer work, our 2 main drivers to build this new major release have been:
- Make OpenCTI more reactive and intelligent with the data while we ensure consistency and robustness of our current components.
- Build the roots of more collaboration, sharing and engagement on threat intelligence structured data.
To know what we are talking about, you can either click everywhere in the demonstration instance or read this article.
OpenCTI 5.0 does not introduce any breaking change; migration should work as with any other minor release. Also, all the new features introduced in OpenCTI 5 will be backward compatible with existing platforms, including synchronization between platforms and sharing communities, which have been fully rewritten to optimize the accuracy and integrity of exchanged data.
Furthermore, this release contains 24 bugfixes in the core platform and 20 in connectors and the Python library, along with more than 10% of code coverage progression. We are committed, for present and future releases, to prioritize stability and make OpenCTI maintenance easier and more reliable over time.
Major new features
Reasoning rules engine and adapted metrics
The STIX 2.1 standard provides analysts with great flexibility to represent cyber threat intelligence knowledge, but it forces them to constantly pivot on elements to gather all pieces of information and is not well designed when it comes to computing metrics and statistics over time.
In OpenCTI 5, we have worked to solve these problems by re-implementing the logical inferences already present in OpenCTI 3 with a generic reasoning engine.
In OpenCTI 5, the built-in reasoning engine includes 9 new rules (more to come) which can be activated independently. Some rules are more complex than others but all of them take recursion into account so cascading and side effects are handled.
One other important impact of this new reasoning engine is the way we compute statistics in all OpenCTI visualizations and dashboards. Let’s take a simple example to understand why this matters.
Considering the following relationships:
France → located-at → Europe
Spain → located-at → Europe
Italy → located-at → Europe
Intrusion Set A → targets → France
Intrusion Set A → targets → Spain
Intrusion Set A → targets → Italy
In OpenCTI 5, a rule named Targets via location has been created:
If entity A targets entity B and entity B is located-at entity C, then entity A targets entity C.
This rule will create the following relationship:
Intrusion Set A → targets → Europe
But this relationship is not representative of what happened, since we have 3 different “targeting” relationships and only one inferred relationship created (for performance and to remain generic even for heavy entity types). To solve this issue, we have introduced the concept of “inference weight” (a normal entity / relationship has weight = 1), so that graph metrics remain exact.
For instance, these 2 graphs represent top intrusion sets and malware targeting the continent
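As an added illustration (not code from the OpenCTI project), here is a small Python model of the Targets via location rule with inference weights, run over a constructed graph mirroring the example above. It assumes an inferred relationship carries the summed weight of the explicit relationships supporting it, and that cascading over nested locations (an acyclic location hierarchy) is handled by iterating to a fixpoint.

```python
from collections import defaultdict

# Constructed sample graph (not OpenCTI data): three countries in Europe,
# one intrusion set targeting all three, one malware targeting one of them.
RELATIONSHIPS = [
    ("France", "located-at", "Europe"),
    ("Spain", "located-at", "Europe"),
    ("Italy", "located-at", "Europe"),
    ("Intrusion Set A", "targets", "France"),
    ("Intrusion Set A", "targets", "Spain"),
    ("Intrusion Set A", "targets", "Italy"),
    ("Malware B", "targets", "Spain"),
]


def infer_targets_via_location(relationships):
    """Apply 'A targets B, B located-at C => A targets C' to a fixpoint.

    Every explicit relationship has weight 1. An inferred (A, targets, C)
    gets the summed weight of the (A, targets, B) relationships behind it,
    so one inferred edge still counts as three targetings. Assumption: the
    located-at hierarchy is acyclic, otherwise the loop would not converge.
    """
    explicit = defaultdict(int)      # (src, rel, dst) -> weight
    located_at = defaultdict(set)    # location -> parent locations
    for src, rel, dst in relationships:
        explicit[(src, rel, dst)] += 1
        if rel == "located-at":
            located_at[src].add(dst)

    inferred = {}
    while True:
        current = dict(explicit)
        for key, w in inferred.items():          # cascade over inferred edges
            current[key] = current.get(key, 0) + w
        new_inferred = defaultdict(int)
        for (src, rel, dst), w in current.items():
            if rel == "targets":
                for parent in located_at.get(dst, ()):
                    new_inferred[(src, "targets", parent)] += w
        if dict(new_inferred) == inferred:       # nothing changed: done
            return inferred
        inferred = dict(new_inferred)


def targeting_metric(relationships, inferred, location):
    """Weighted 'targets' count per source toward a location (the number a
    'top threats targeting the continent' widget would rank on)."""
    totals = defaultdict(int)
    for src, rel, dst in relationships:
        if rel == "targets" and dst == location:
            totals[src] += 1
    for (src, rel, dst), w in inferred.items():
        if rel == "targets" and dst == location:
            totals[src] += w
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))
```

Without the weight, the widget would show Intrusion Set A and Malware B tied at one inferred relationship each; with it, A correctly ranks at 3.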
Subscriptions and digests
Regarding the “collaboration, sharing and engagement” objective, we have developed a subscription system, allowing users to subscribe to new content in the platform in order to receive digests of knowledge. For example, it is now possible to subscribe to all new reports related to a specific sector or threat, or to be notified when new indicators are available for a given vulnerability.
For the moment, digests can only be sent by email through an SMTP server (which must be configured in the OpenCTI parameters), but the objective is to support more destinations such as file sharing platforms, notification software, ticketing systems, etc.
Content editor and viewer
In our journey to propose more data processing and visualization capabilities, OpenCTI 5 provides users with a new content viewer, explorer and editor in all reports. Now it is possible to:
- View all PDF files attached to the report in an embedded PDF viewer.
- View, edit and convert to PDF any HTML or Markdown file.
In the future, the enriched text editor will be enhanced with templating features and auto-completion capabilities to insert OpenCTI text information and visualization widgets directly in the editor.
Revamped notes and opinions
Notes and opinions are part of the STIX 2.1 standard, but they should be displayed so that users can easily use these entities to contribute and participate. Thus we have greatly enhanced the way they are shown and created.
For opinions, a new “opinions radar” is available for each entity and a selectable progress bar is proposed to users to easily update opinions.
For notes, users are now able to create them on any entity using a fully embedded form in the overview page. Also, when the author is not filled in, it is automatically set to the currently logged-in user.
Custom workflows for all types of entity
Some entities in OpenCTI may be subject to a processing workflow. For instance, sightings, reports or incidents can be automatically generated and need to be assessed. In OpenCTI 5, it is now possible to enable custom workflows for any type of entity in the platform.
Sharing with communities
This was one of our main focuses in OpenCTI 5: to finally make knowledge sharing easier between different platforms. We have decided to remove the “synchronizer” connector and to make the consumption of remote OpenCTI platform data part of the core platform. From now on, only a few steps are necessary to start consuming a remote platform.
On the remote side:
1] Create your community feed by adding a live stream with the appropriate criteria and filters (or your community can use your default stream on
2] Create a user for each member of your community with a role granting the “Consume stream” capability.
3] Share the live stream ID (or just “default”) and the token with each community member.
On the consumer side:
1] Just configure the remote OpenCTI platform with the URL, the live stream ID (or “default”) and the given token.
Great new connectors
OpenCTI 5 also brings to OpenCTI users a lot of new features among connectors, with some notable creations:
- Cuckoo Sandbox external import.
- Shodan enrichment.
- External reference enrichment as PDF and markdown.
- Export data to ThreatBus using stream.
But almost all connectors have been enhanced during the last couple of months. In OpenCTI 5, having all available enrichment connectors enabled allows users to get very useful data in the application.
New dashboard widgets
Last but not least, a few dashboard visualization widgets have been added, especially to:
- Visualize entities or relationships in a timeline fashion.
- Visualize lists of elements in a table with a number column.
- Introduce new Indicators widgets to follow their lifecycle.
Data curation and garbage collector
In version 4, we had implemented the automatic expiration of indicators when the valid_until date has passed. The future evolution of the platform will allow administrators to precisely configure their retention policy, the behavior of the garbage collector and how data are kept up-to-date and healthy.
The current connectors portfolio has been greatly increased over the last 6 months. Even if the Elastic, Splunk and Tanium connectors allow users to export data to a third-party platform, the OpenCTI ecosystem is still missing a lot of connectors to export data (Azure Sentinel, Q-Radar, MISP, TheHive, etc.).
A lot of widgets have been added recently, but for some entity types users need more visualization capabilities. For example, being able to display victimology in a given continent, the timeline of campaigns related to a specific threat or lists of reports associated with an entity…
We hope all these new features and this tiny overview of our roadmap have given you an accurate picture of where OpenCTI is going and what we intend to achieve. If you have not crossed the road yet, do not hesitate to join the amazing OpenCTI community on the Luatix Slack channel.