Import knowledge

Introduction

Before setting up OpenCTI in a production environment, it is highly recommended to first define the requirements for your platform. A knowledge database is only as good as the quality of its information, so it is sometimes better to have less data of high quality than a lot of data of mixed quality. By first thinking about the concept behind your OpenCTI instance, you avoid simply pumping any kind of information into OpenCTI and ending up with a "data swamp".

Here are some possible requirements for an OpenCTI instance:

  1. I want to store my own analysis reports and correlate my findings with other reports
  2. I want to visualize information and query my knowledge base for new leads
  3. I want to share knowledge with others

Base dataset

Before we start importing reports and SDOs, we have to prepare the rest of the system so that the ingested data can easily be turned into knowledge. For this we first have to import a base dataset for the "surrounding" entities, such as attack patterns, sectors, countries and so on. To do this, we have to add a few connectors that import the necessary files.

Base dataset connectors

After those connectors have run, the SDOs needed to sufficiently describe observables and indicators are available in the platform.

Importing Threat knowledge

The basic idea behind importing threat intelligence is that once the analysis of a certain threat is finished, a report is written that summarizes the findings. Knowledge that is about to be imported therefore always arrives in the form of a report.

If you are aiming for a high-quality knowledge management system, this is the point where you should first evaluate which sources you are using and what kind of information you want to import.

Manual import - Attached Report

There are two ways of manually importing reports, both relying on an internal import file connector. The first is the ImportReport connector, which extracts relevant information from the files attached to a report.

This approach will be shown with ESET's report on FontOnLake. To properly import the knowledge from this report, please follow the upcoming description.

1) [Reports List] Create a new report and specify details such as the TLP definition, labels or external references. We will add the link to the overview as well as to the PDF report as external references.

2) [Report Entities] Since the malware is new, we first have to create the malware entity; otherwise the import report parser will not recognize it later on.

Create Report

Add new malware
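The same two steps, driven through the pycti client instead of the UI, as an added example that is not part of the OpenCTI documentation. The platform URL, API token, TLP marking-definition ID, publication date, labels and the ESET report URLs are placeholders to replace with your own values.

```python
# Added example: steps 1 and 2 above via the pycti client (not OpenCTI's own code).
# All constants below are placeholders / assumptions to adapt to your instance.
OPENCTI_URL = "http://localhost:8080"                      # placeholder
OPENCTI_TOKEN = "REPLACE-WITH-API-TOKEN"                   # placeholder
TLP_MARKING_ID = "REPLACE-WITH-TLP-MARKING-DEFINITION-ID"  # placeholder (ID of the chosen TLP definition)
OVERVIEW_URL = "https://example.invalid/eset/fontonlake-overview"  # placeholder
PDF_URL = "https://example.invalid/eset/fontonlake.pdf"            # placeholder
PUBLISHED = "2021-01-01T00:00:00Z"                         # placeholder, not the real date
LABELS = ["linux", "eset"]                                 # placeholder labels


def create_external_references(client, source_name, urls):
    """Step 1 (part): one external reference per link (overview page and PDF)."""
    return [client.external_reference.create(source_name=source_name, url=u)["id"] for u in urls]


def create_report(client, name, published, marking_id, labels, ext_ref_ids):
    """Step 1: the report with its TLP marking, labels and external references."""
    report = client.report.create(
        name=name,
        published=published,
        report_types=["threat-report"],
        objectMarking=[marking_id],        # list of marking-definition IDs
        objectLabel=labels,                # label values; created if missing
        externalReferences=ext_ref_ids,    # IDs from create_external_references
    )
    return report["id"]


def create_malware(client, name, description):
    """Step 2: the malware entity must exist before the ImportReport parser runs."""
    return client.malware.create(name=name, description=description)["id"]


def import_fontonlake(client):
    """Run both steps and return the created IDs."""
    ext_ref_ids = create_external_references(client, "ESET", [OVERVIEW_URL, PDF_URL])
    report_id = create_report(client, "FontOnLake", PUBLISHED, TLP_MARKING_ID, LABELS, ext_ref_ids)
    malware_id = create_malware(client, "FontOnLake", "Linux malware family described by ESET.")
    return {"report_id": report_id, "malware_id": malware_id, "external_reference_ids": ext_ref_ids}


if __name__ == "__main__":
    from pycti import OpenCTIApiClient  # pip install pycti
    print(import_fontonlake(OpenCTIApiClient(OPENCTI_URL, OPENCTI_TOKEN)))
```

After this script has run, the ESET PDF can be attached to the report and the ImportReport connector will resolve the FontOnLake name against the entity just created.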