On the OpenCTI platform, the direction of the relations between entities matters a lot.

Whether you add knowledge manually to a report or create new knowledge programmatically, you have to be aware of the entities-relations model in order to use the platform. This model is based on STIX2, so if you are already familiar with STIX2, most of the following information will already be known to you.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a22921c7-aaab-46fe-99bb-14ed6b2725c2/report_relation_direction1.png

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/d5351d35-71ff-4ca7-bc08-810727304754/report_relation_direction2.png

Relations from a relation

TODO

Inferences

OpenCTI is based on an entities-relations model that allows users to connect many entities together. In some cases, it is useful for some facts to be automatically inferred from others. For instance, if a campaign targeted the electricity sector, which is a sub-sector of the energy sector, and that campaign is attributed to an intrusion set, the analyst wants to know that this specific intrusion set has targeted the energy sector.

In OpenCTI, this can be represented by:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/ab877cf5-e83a-444d-b940-368d48376e63/relations.png

To derive the implicit facts from this kind of knowledge, OpenCTI relies on the inference capability of the Grakn database. The result is explained directly in the application when displaying an inferred relation:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8f73b4ec-de67-4910-b65c-14e6ccebc2f2/inference1.png

The implemented rules are expressed here in pseudo-code.

Usage rules

when {
	A attributed-to B
	A uses C
}, then {
	B uses C
}

Target rules

when {
	A attributed-to B
	A targets C
}, then {
	B targets C
}
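The following is an added example, not OpenCTI or Grakn code. It re-implements the usage and target rules above as forward-chaining over directed relations in plain Python, and also shows why the direction of a relation matters (the introduction's point): a relation created in the reverse direction matches no rule, so nothing is inferred from it. The electricity/energy example from the introduction needs a rule over the sector hierarchy that the page's pseudo-code does not list; it is modelled here with a `part-of` relation, which is an assumption of this example. The `ALLOWED_DIRECTIONS` table is taken from the STIX 2.1 relationship summaries for Campaign, Intrusion Set and Threat Actor; entity identifiers and the sample relations are constructed for the example.

```python
"""Forward-chaining inference over directed OpenCTI/STIX-style relations.

Added example (not OpenCTI or Grakn code). A relation is a directed triple
(source entity id, relation type, target entity id).
"""

# Directions allowed for the relation types used here, from the STIX 2.1
# relationship summary tables for Campaign, Intrusion Set and Threat Actor.
ALLOWED_DIRECTIONS = {
    "attributed-to": {
        ("campaign", "intrusion-set"), ("campaign", "threat-actor"),
        ("intrusion-set", "threat-actor"),
    },
    "uses": {(s, t) for s in ("campaign", "intrusion-set", "threat-actor")
             for t in ("attack-pattern", "infrastructure", "malware", "tool")},
    "targets": {(s, t) for s in ("campaign", "intrusion-set", "threat-actor")
                for t in ("identity", "location", "vulnerability")},
}


def direction_errors(entity_types, relations):
    """Return relations whose (source type, target type) pair is not allowed
    for their relation type, i.e. relations probably created backwards.
    Relation types not listed in ALLOWED_DIRECTIONS are skipped."""
    bad = []
    for src, rel_type, dst in relations:
        allowed = ALLOWED_DIRECTIONS.get(rel_type)
        if allowed is None:
            continue
        if (entity_types[src], entity_types[dst]) not in allowed:
            bad.append((src, rel_type, dst))
    return bad


def attribution_rule(rel_type):
    """The page's rule family: when { A attributed-to B, A <rel_type> C }
    then { B <rel_type> C }. Returns a rule generator over known relations."""
    def rule(known):
        for (a, r1, b) in known:
            if r1 != "attributed-to":
                continue
            for (x, r2, c) in known:
                if x == a and r2 == rel_type:
                    yield (b, rel_type, c), [(a, r1, b), (x, r2, c)]
    return rule


def sector_hierarchy_rule(known):
    """ASSUMPTION: not among the rules listed on the page. Models the
    electricity/energy example: when { A targets S, S part-of P }
    then { A targets P }, with `part-of` as a hypothetical sub-sector relation."""
    for (a, r1, s) in known:
        if r1 != "targets":
            continue
        for (x, r2, p) in known:
            if x == s and r2 == "part-of":
                yield (a, "targets", p), [(a, r1, s), (x, r2, p)]


RULES = [attribution_rule("uses"), attribution_rule("targets"), sector_hierarchy_rule]


def infer(relations):
    """Apply RULES until no new relation appears (fixed point), so chains of
    attribution propagate transitively. Returns {inferred relation: premises},
    the premises being the explanation shown next to an inferred relation."""
    known = set(relations)
    explanations = {}
    changed = True
    while changed:
        changed = False
        for rule in RULES:
            # list() so the generator finishes before `known` is mutated
            for conclusion, premises in list(rule(known)):
                if conclusion not in known:
                    known.add(conclusion)
                    explanations[conclusion] = premises
                    changed = True
    return explanations


# Constructed sample data: one campaign attributed to an intrusion set,
# using a malware and targeting a sub-sector of the energy sector.
ENTITY_TYPES = {
    "campaign--sample-1": "campaign",
    "intrusion-set--sample-a": "intrusion-set",
    "malware--sample-m": "malware",
    "sector--electricity": "identity",
    "sector--energy": "identity",
}
SAMPLE_RELATIONS = {
    ("campaign--sample-1", "attributed-to", "intrusion-set--sample-a"),
    ("campaign--sample-1", "uses", "malware--sample-m"),
    ("campaign--sample-1", "targets", "sector--electricity"),
    ("sector--electricity", "part-of", "sector--energy"),  # assumed relation
}
# Same facts with `attributed-to` entered in the wrong direction.
REVERSED = {
    ("intrusion-set--sample-a", "attributed-to", "campaign--sample-1"),
    ("campaign--sample-1", "uses", "malware--sample-m"),
}

if __name__ == "__main__":
    for rel, why in infer(SAMPLE_RELATIONS).items():
        print(rel, "because", why)
    print("reversed data infers:", infer(REVERSED))
    print("direction errors:", direction_errors(ENTITY_TYPES, REVERSED))
```

With the sample data, four relations are inferred: the intrusion set uses the malware, targets the electricity sector, and (through the assumed sub-sector rule applied to both the campaign and the intrusion set) targets the energy sector. The reversed data set yields no inference at all, and `direction_errors` flags the backwards `attributed-to` relation, which is the check worth running on knowledge created programmatically before it is pushed to the platform.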