Convert Figma logo to code with AI

OpenCTI-Platform logoopencti

Open Cyber Threat Intelligence Platform

6,279
930
6,279
1,232
View on GitHub

Top Related Projects

MISP's avatar

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

TheHive-Project's avatar

TheHive

3,357

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

CIRCL's avatar

AIL-framework

1,303

AIL framework - Analysis Information Leak framework. Project moved to https://github.com/ail-project

Quick Overview

OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed to store, organize, visualize, and share cyber threat intelligence knowledge. It provides a comprehensive solution for organizations to manage their threat intelligence data, enabling better analysis and collaboration in cybersecurity efforts.

Pros

  • Comprehensive threat intelligence management with a user-friendly interface
  • Integrates with various external threat intelligence sources and tools
  • Supports STIX2 standard for improved interoperability
  • Highly customizable and extensible through connectors and modules

Cons

  • Steep learning curve for new users due to its extensive features
  • Resource-intensive, requiring significant hardware resources for optimal performance
  • Limited documentation for advanced features and customizations
  • May require additional configuration for enterprise-level scalability

Getting Started

To get started with OpenCTI, follow these steps:

  1. Install Docker and Docker Compose on your system.
  2. Clone the OpenCTI repository: 
    git clone https://github.com/OpenCTI-Platform/opencti.git
  3. Navigate to the opencti directory and copy the example environment file: 
    cd opencti
cp .env.sample .env
  4. Edit the .env file to configure your environment variables.
  5. Start the OpenCTI platform using Docker Compose: 
    docker-compose up -d
  6. Access the OpenCTI platform through your web browser at http://localhost:8080.

For more detailed instructions and advanced configurations, refer to the official documentation on the OpenCTI GitHub repository.

Competitor Comparisons

MISP logo

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Pros of MISP

  • Longer development history and larger community support
  • More extensive built-in threat intelligence feeds
  • Better suited for sharing indicators of compromise (IoCs) between organizations

Cons of MISP

  • Less intuitive user interface
  • Limited visualization capabilities
  • Steeper learning curve for new users

Code Comparison

MISP (PHP):

public function add() {
    if ($this->request->is('post')) {
        $this->Event->create();
        if ($this->Event->save($this->request->data)) {
            $this->Flash->success(__('The event has been saved.'));
            return $this->redirect(array('action' => 'index'));
        }
        $this->Flash->error(__('The event could not be saved. Please, try again.'));
    }
}

OpenCTI (JavaScript):

export const addEvent = (input) => ({
  type: ADD_EVENT,
  payload: { input },
});

export const addEventSuccess = (data) => ({
  type: ADD_EVENT_SUCCESS,
  payload: { data },
});

Both MISP and OpenCTI are open-source threat intelligence platforms, but they have different strengths and use cases. MISP focuses on sharing IoCs and has a longer history, while OpenCTI offers a more modern interface and better visualization capabilities. The code comparison shows that MISP uses PHP with a more traditional MVC structure, while OpenCTI utilizes JavaScript with a React-based frontend and GraphQL API.

TheHive-Project logo

TheHive

3,357

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Pros of TheHive

  • More focused on incident response and case management
  • Integrates well with MISP for threat intelligence sharing
  • Offers a built-in alert triage system

Cons of TheHive

  • Less comprehensive threat intelligence management capabilities
  • Smaller community and ecosystem compared to OpenCTI
  • Limited data visualization options

Code Comparison

TheHive (Scala):

def createCase(caseTemplate: Option[String], fields: Fields)(implicit authContext: AuthContext): Future[Case] = {
  val newCase = Case(fields = fields)
  caseTemplate.fold(Future.successful(newCase))(t => applyCaseTemplate(newCase, t))
    .flatMap(caseModel.create)
    .map { createdCase =>
      auditRepository.create(AuditOperation(createdCase.id, createdCase.`type`, AuditableAction.Create))
      createdCase
    }
}

OpenCTI (JavaScript):

export const createEntity = async (context, user, input) => {
  const entityType = input.type;
  const entityClass = getEntityClassFromType(entityType);
  const created = await createEntityRaw(context, user, entityClass, input);
  await indexCreatedElement(context, user, created);
  return notify(BUS_TOPICS[entityType].ADDED_TOPIC, created, user);
};

Both projects use different programming languages and have distinct approaches to entity creation. TheHive focuses on case management, while OpenCTI emphasizes threat intelligence handling.

CIRCL logo

AIL-framework

1,303

AIL framework - Analysis Information Leak framework. Project moved to https://github.com/ail-project

Pros of AIL-framework

  • Specialized in information leaks and data analysis
  • Modular architecture allows for easy extension and customization
  • Strong focus on privacy and data protection

Cons of AIL-framework

  • Steeper learning curve due to its specialized nature
  • Less comprehensive threat intelligence capabilities
  • Smaller community and fewer integrations compared to OpenCTI

Code Comparison

AIL-framework (Python):

from packages import Item
from pubsublogger import publisher

class AILFeeder:
    def __init__(self):
        self.items = []

    def add_item(self, item):
        self.items.append(Item(item))

OpenCTI (JavaScript):

import { createEntity } from '../database/middleware';

const createThreatActor = async (user, threatActor) => {
  const created = await createEntity(user, threatActor, 'Threat-Actor');
  return created;
};

Summary

AIL-framework excels in specialized information leak analysis and offers a modular architecture, while OpenCTI provides a more comprehensive threat intelligence platform with a larger community. AIL-framework may require more expertise to use effectively but offers strong privacy features. OpenCTI is generally more user-friendly and has broader integration capabilities. The code snippets highlight the different focus areas: AIL-framework on data processing and OpenCTI on threat intelligence entity management.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

OpenCTI

DeepScan grade DeepScan grade

Introduction

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.

The structuration of the data is performed using a knowledge schema based on the STIX2 standards. It has been designed as a modern web application including a GraphQL API and an UX oriented frontend. Also, OpenCTI can be integrated with other tools and applications such as MISP, TheHive, MITRE ATT&CK, etc.

Screenshot

Objective

The goal is to create a comprehensive tool allowing users to capitalize technical (such as TTPs and observables) and non-technical information (such as suggested attribution, victimology etc.) while linking each piece of information to its primary source (a report, a MISP event, etc.), with features such as links between each information, first and last seen dates, levels of confidence, etc. The tool is able to use the MITRE ATT&CK framework (through a dedicated connector) to help structure the data. The user can also choose to implement their own datasets.

Once data has been capitalized and processed by the analysts within OpenCTI, new relations may be inferred from existing ones to facilitate the understanding and the representation of this information. This allows the user to extract and leverage meaningful knowledge from the raw data.

OpenCTI not only allows imports but also exports of data under different formats (CSV, STIX2 bundles, etc.). Connectors are currently developed to accelerate interactions between the tool and other platforms.

Editions of the platform

OpenCTI platform has 2 different editions: Community (CE) and Enterprise (EE). The purpose of the Enterprise Edition is to provide additional and powerful features which require specific investments in research and development. You can enable the Enterprise Edition directly in the settings of the platform.

To understand what OpenCTI Enterprise Edition brings in terms of features, just check the Enterprise Editions page on the Filigran website. You can also try this edition by enabling it in the settings of the platform.

Documentation and demonstration

If you want to know more on OpenCTI, you can read the documentation on the tool. If you wish to discover how the OpenCTI platform is working, a demonstration instance is available and open to everyone. This instance is reset every night and is based on reference data maintained by the OpenCTI developers.

Releases download

The releases are available on the Github releases page. You can also access the rolling release package generated from the master branch of the repository.

Installation

All you need to install the OpenCTI platform can be found in the official documentation. For installation, you can:

Contributing

Code of Conduct

OpenCTI has adopted a Code of Conduct that we expect project participants to adhere to. Please read the full text so that you can understand what actions will and will not be tolerated.

Contributing Guide

Read our contributing guide to learn about our development process, how to propose bugfixes and improvements, and how to build and test your changes to OpenCTI.

Beginner friendly issues

To help you get you familiar with our contribution process, we have a list of beginner friendly issues which are fairly easy to implement. This is a great place to get started.

Development

If you want to actively help OpenCTI, we created a dedicated documentation about the deployment of a development environment and how to start the source code modification.

Community

Status & bugs

Currently OpenCTI is under heavy development, if you wish to report bugs or ask for new features, you can directly use the Github issues module.

Discussion

If you need support or you wish to engage a discussion about the OpenCTI platform, feel free to join us on our Slack channel. You can also send us an email to contact@filigran.io.

About

Authors

OpenCTI is a product designed and developed by the company Filigran.

Data Collection

Usage telemetry

To improve the features and the performances of OpenCTI, the platform collects anonymous statistical data related to its usage and health.

You can find all the details on collected data and associated usage in the usage telemetry documentation.

OpenStreetMap server

To provide OpenCTI users with cartography features, the platform uses a dedicated OpenStreetMap server (https://map.opencti.io). To monitor usage and adapt services performances, Filigran collects access log to this server (including IP addresses).

By using this server, you authorize Filigran to collect this information. Otherwise, you are free to deploy your own OpenStreetMap server and modify the platform configuration accordingly.

If you have started using the Filigran server and change your mind, you have the right to access, limit, rectify, erase and receive your data. To exercise your rights, please send your request to privacy@filigran.io.