Introduction

Data layout

At its core, OpenCTI stores knowledge as a graph made of two kinds of elements:

  1. Nodes, which describe an entity and its attributes, for example an IP address, a domain name or a piece of malware.
  2. Edges, which describe the relationship between two entity nodes. For example, the entity "APT28" has a relationship "uses" to the malware entity "Drovorub".

To give analysts a uniform way to describe different kinds of threats in such a graph, the STIX standard was developed: it defines the object types and relationship types used to describe threat intelligence, so that analysts can record their knowledge in a common format and share it with each other. The OpenCTI data model is based on the STIX 2.1 standard. Only a few attributes and entities differ: the goal is to store "pure" STIX 2.1 and to prefix every deviation from the standard with "x_opencti_".
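The following is an added example, not code from the OpenCTI project or its documentation. It builds a constructed STIX 2.1 bundle for the "APT28 uses Drovorub" case above, splits it into the nodes (STIX domain objects) and edges (STIX relationship objects) a graph store holds, and checks the convention from the previous paragraph: every property that is not defined by STIX 2.1 for that object type must carry the x_opencti_ prefix. The object ids, timestamps and the x_opencti_score value are made up for the example and are not a statement about OpenCTI's real schema; the property lists are a subset of the STIX 2.1 specification covering only the three object types used here.

```python
"""Added example (not OpenCTI code): STIX 2.1 bundle -> nodes/edges, plus a
check that non-standard properties are x_opencti_-prefixed."""
import json

# Property names STIX 2.1 defines for the object types used here (subset of
# the spec). Anything else on an object is a custom property.
COMMON_PROPS = {
    "type", "spec_version", "id", "created", "modified", "created_by_ref",
    "revoked", "labels", "confidence", "lang", "external_references",
    "object_marking_refs", "granular_markings", "extensions",
}
TYPE_PROPS = {
    "intrusion-set": {
        "name", "description", "aliases", "first_seen", "last_seen", "goals",
        "resource_level", "primary_motivation", "secondary_motivations",
    },
    "malware": {
        "name", "description", "malware_types", "is_family", "aliases",
        "kill_chain_phases", "first_seen", "last_seen", "operating_system_refs",
        "architecture_execution_envs", "implementation_languages",
        "capabilities", "sample_refs",
    },
    "relationship": {
        "relationship_type", "description", "source_ref", "target_ref",
        "start_time", "stop_time",
    },
}
CUSTOM_PREFIX = "x_opencti_"

# Constructed sample bundle: ids, timestamps and the x_opencti_score property
# are invented for this example.
SAMPLE_BUNDLE_JSON = """
{
  "type": "bundle",
  "id": "bundle--c7a6e2a0-1d5f-4a2b-9c3e-0f1a2b3c4d5e",
  "objects": [
    {
      "type": "intrusion-set",
      "spec_version": "2.1",
      "id": "intrusion-set--8d3d4b84-5f57-4d3c-9ab0-1a2b3c4d5e6f",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "name": "APT28",
      "aliases": ["Fancy Bear", "Sofacy"]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--3f6e9b2c-7a8d-4c1e-b5f0-9e8d7c6b5a4f",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "name": "Drovorub",
      "is_family": true,
      "malware_types": ["rootkit"],
      "x_opencti_score": 80
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b1c9d8e-6f5a-4e3d-8c7b-0a9f8e7d6c5b",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "intrusion-set--8d3d4b84-5f57-4d3c-9ab0-1a2b3c4d5e6f",
      "target_ref": "malware--3f6e9b2c-7a8d-4c1e-b5f0-9e8d7c6b5a4f"
    }
  ]
}
"""


def load_bundle(text):
    """Parse a STIX 2.1 bundle from JSON text."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle


def split_graph(bundle):
    """Return (nodes, edges): nodes maps id -> non-relationship object, edges is
    a list of (source_ref, relationship_type, target_ref). A relationship whose
    refs do not resolve inside the bundle is rejected instead of becoming a
    dangling edge."""
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        for ref in (o["source_ref"], o["target_ref"]):
            if ref not in nodes:
                raise ValueError(f"relationship {o['id']} references unknown object {ref}")
        edges.append((o["source_ref"], o["relationship_type"], o["target_ref"]))
    return nodes, edges


def nonconforming_properties(obj):
    """Property names that are neither standard STIX 2.1 for obj['type'] nor
    x_opencti_-prefixed. An empty list means the object is pure STIX 2.1 plus
    correctly prefixed deviations."""
    allowed = COMMON_PROPS | TYPE_PROPS.get(obj["type"], set())
    return sorted(p for p in obj if p not in allowed and not p.startswith(CUSTOM_PREFIX))


def strip_to_pure_stix(obj):
    """The object as a consumer that ignores x_opencti_ properties sees it."""
    return {k: v for k, v in obj.items() if not k.startswith(CUSTOM_PREFIX)}


def describe_edges(bundle):
    """Human-readable 'source relationship target' lines for every edge."""
    nodes, edges = split_graph(bundle)
    return [f"{nodes[s]['name']} {rel} {nodes[t]['name']}" for s, rel, t in edges]


if __name__ == "__main__":
    b = load_bundle(SAMPLE_BUNDLE_JSON)
    for line in describe_edges(b):
        print(line)
    for o in b["objects"]:
        print(o["type"], "nonconforming:", nonconforming_properties(o))
```

Running the block prints "APT28 uses Drovorub" and an empty nonconforming list for each object; dropping the prefix from x_opencti_score would make it show up as a violation, which is the property-naming discipline the paragraph describes.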

We therefore recommend spending some time with the STIX 2.1 introduction and the list of STIX relationship types to get a better understanding of what OpenCTI does. The most important STIX naming shortcuts are shown in the figure below:

[Figure: STIX naming shortcuts, image at https://cdn-images-1.medium.com/max/800/1*F7BxLX9wFg33Kj65SBok5w.png]

[OpenCTI data model diagrams (Figma): https://www.figma.com/file/Srp4IQ9xAnzaS043epUZuJ/OpenCTI---Models?node-id=0%3A1]