From 7e58930798f3a1cc3d9f62666b5a0d895716c48b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Feb 2026 18:12:52 +0000 Subject: [PATCH 1/2] Initial plan From e55eb9c645e1a01c9ef814716ba76e387c7908a1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Feb 2026 18:20:43 +0000 Subject: [PATCH 2/2] [docs] Fix typos, spelling mistakes, and grammar issues across docs/ folder Co-authored-by: romain-filigran <171329346+romain-filigran@users.noreply.github.com> --- docs/docs/administration/notifiers.md | 4 +-- docs/docs/deployment/authentication.md | 6 ++--- docs/docs/development/python.md | 2 +- docs/docs/usage/automation.md | 36 +++++++++++++------------- docs/docs/usage/case-management.md | 14 +++++----- docs/docs/usage/deduplication.md | 2 +- docs/docs/usage/draftWorkspaces.md | 2 +- docs/docs/usage/exploring-analysis.md | 24 ++++++++--------- docs/docs/usage/exploring-arsenal.md | 14 +++++----- docs/docs/usage/exploring-cases.md | 6 ++--- docs/docs/usage/exploring-entities.md | 12 ++++----- docs/docs/usage/getting-started.md | 2 +- docs/docs/usage/import/json-feed.md | 6 ++--- docs/docs/usage/nested.md | 8 +++--- docs/docs/usage/notifications.md | 2 +- docs/docs/usage/pivoting.md | 4 +-- docs/docs/usage/refine-content.md | 4 +-- docs/docs/usage/search.md | 6 ++--- docs/docs/usage/widgets.md | 2 +- 19 files changed, 78 insertions(+), 78 deletions(-) diff --git a/docs/docs/administration/notifiers.md b/docs/docs/administration/notifiers.md index 5a7653dec6ac..9a6271eade1b 100644 --- a/docs/docs/administration/notifiers.md +++ b/docs/docs/administration/notifiers.md 
@@ -60,5 +60,5 @@ Custom notifiers are manageable in the "Settings > Customization > Notifiers" wi For guidance on configuring notification triggers and exploring the usages of notifiers, refer to the [dedicated documentation page](../usage/notifications.md). -For security reason, the authorized methods that can be used in webhook template is limited, see [notifier_authorized_functions parameter](https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/config/default.json). -If you need to extend this authorization, you can update `APP__NOTIFIER_AUTHORIZED_FUNCTIONS` with a custom list. The default managed list by OpenCTI is safe, please be aware that you extends this list at your own risk. \ No newline at end of file +For security reasons, the authorized methods that can be used in webhook template is limited, see [notifier_authorized_functions parameter](https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/config/default.json). +If you need to extend this authorization, you can update `APP__NOTIFIER_AUTHORIZED_FUNCTIONS` with a custom list. The default managed list by OpenCTI is safe, please be aware that you extend this list at your own risk. \ No newline at end of file diff --git a/docs/docs/deployment/authentication.md b/docs/docs/deployment/authentication.md index d205febb6f00..4db19314f405 100644 --- a/docs/docs/deployment/authentication.md +++ b/docs/docs/deployment/authentication.md 
@@ -6,7 +6,7 @@ SSO configuration is under the [OpenCTI Enterprise Edition](https://docs.opencti.io/latest/administration/enterprise/?h=ente) license. -With version 7.260224.0, defining & using authentication strategies is an Entreprise Edition feature. Using local authentication will be the unique way to login for Community Edition. More information in [this page](breaking-changes/7.260224.0-SSO-authentication-migration.md) +With version 7.260224.0, defining & using authentication strategies is an Enterprise Edition feature. Using local authentication will be the unique way to login for Community Edition. More information in [this page](breaking-changes/7.260224.0-SSO-authentication-migration.md) Additionally, given the introduction of the capability to define [authentications via UI](../administration/authentication-via-ui.md), **defining authentication via environment variable will be decommissioned after some time (you will be warned before this change will be effective with enough time to ensure all needed actions are taken)** @@ -31,7 +31,7 @@ Under the hood, we technically use the strategies provided by [PassportJS](http: This strategy uses the OpenCTI database as a user management. -OpenCTI use this strategy as the default, but it's not the one we recommend for security reasons. +OpenCTI uses this strategy as the default, but it's not the one we recommend for security reasons. ```json "local": { @@ -234,7 +234,7 @@ Here is an example of OpenID configuration using environment variables: - PROVIDERS__OPENID__CONFIG__LOGOUT_REMOTE=false ``` -OpenCTI support mapping OpenID Claims on OpenCTI Groups (everything is tied to a group in the platform). Here is an example: +OpenCTI supports mapping OpenID Claims on OpenCTI Groups (everything is tied to a group in the platform). Here is an example: ```json "oic": { diff --git a/docs/docs/development/python.md b/docs/docs/development/python.md index 041de5ad21f9..1e97546a440c 100644 --- a/docs/docs/development/python.md 
+++ b/docs/docs/development/python.md @@ -1,6 +1,6 @@ # Python library -The PyCTI library is the official Python client for OpenCTI. It is made to help developers interact with the openCTI plaform. +The PyCTI library is the official Python client for OpenCTI. It is made to help developers interact with the openCTI platform. # Installation diff --git a/docs/docs/usage/automation.md b/docs/docs/usage/automation.md index 45c734342209..ff01de2f3e17 100644 --- a/docs/docs/usage/automation.md +++ b/docs/docs/usage/automation.md @@ -49,13 +49,13 @@ To do so, click on the grey rectangle in the center of the workspace and select ### Duplicate a playbook -It is possible to duplicate a playbook, to easily replicate a playbook. You can do it directly by cliking on the burger menu (the 3 dots) at the end of the row and click on duplicate, or directly when you're inside a playbook. +It is possible to duplicate a playbook, to easily replicate a playbook. You can do it directly by clicking on the burger menu (the 3 dots) at the end of the row and click on duplicate, or directly when you're inside a playbook. ### Import/Export a playbook #### Export a playbook -If you need to share a playbook with a colleague that is not on the same platform than you (or if you need to troubleshoot a playbook issue), you can now export your playbook directly: by cliking on the burger menu (the 3 dots) at the end of the row and click on duplicate, or directly when you're inside a playbook. +If you need to share a playbook with a colleague that is not on the same platform than you (or if you need to troubleshoot a playbook issue), you can now export your playbook directly: by clicking on the burger menu (the 3 dots) at the end of the row and click on duplicate, or directly when you're inside a playbook. #### Import a playbook 
@@ -260,7 +260,7 @@ Compared to other components, this component **makes a direct call to the databa #### Manage Access Restriction -Will apply authorized members on the bundle within the playbook. It is only compatible with entities supportsing authorized members (Containers, Drafts, Organization). +Will apply authorized members on the bundle within the playbook. It is only compatible with entities supporting authorized members (Containers, Drafts, Organization). You can decide to only apply restrictions on the triggering element or the whole bundle by enabling the toggle. More details on [Authorize members](https://docs.opencti.io/latest/administration/authorized-members/?h=me) 
@@ -268,28 +268,28 @@ More details on [Authorize members](https://docs.opencti.io/latest/administratio ##### Specificities of the component Compared to other components, this component **makes direct call to the database**: this means that the query will be applied before the "send to ingestion" step. As a result, if, **within the same playbook**, you attempt to create a new entity (via the wrap in container step) and apply authorized members, the playbook will fail. Indeed, the entity will not yet be created, since it won't be sent to ingestion yet. You need to apply the authorized members in another playbook to achieve this use case. -**This component supportss dynamic variables** +**This component supports dynamic variables** - Dynamic from the main entity triggering the playbook: Will apply the authorized members on the corresponding user of the field you choose, based on the triggering entity only. you can choose among: - Author (organisation): If your author is an organisation, you will be able to apply authorized members directly on the organisation in author. - Creator: Will apply the authorized members on all users in Creator field. - - Assignee: Will apply the authorized members on all users in Asignee field. + - Assignee: Will apply the authorized members on all users in Assignee field. - Participant: Will apply the authorized members on all users in Participants field. - Dynamic from the object in the bundle of the playbook: will apply the authorized members on all the corresponding users of all the entities contained in your bundle and not only the triggering entity. - Organization: all users belonging to the organizations in your bundle will be added as authorized members. 
-**The component also supportss static fields, used for authorized members: users, groups & organizations.** +**The component also supports static fields, used for authorized members: users, groups & organizations.** #### Remove Access Restriction Compared to other components, this component **makes direct call to the database**: this means that the query will be applied before the "send to ingestion" step. As a result, if, **within the same playbook**, you attempt to create a new entity (via the wrap in container step) and remove default authorized members, the playbook will fail. Indeed, the entity will not yet be created, since it won't be sent to ingestion yet. You need to remove the authorized members in another playbook to achieve this use case. -Will remove authorized members on the bundle within the playbook. It is only compatible with entities supportsing authorized members (Containers, Drafts). +Will remove authorized members on the bundle within the playbook. It is only compatible with entities supporting authorized members (Containers, Drafts). You can decide to only remove restriction on the triggering element or the whole bundle by enabling the toggle. ##### Specificities of the component -**This component supportss dynamic variables** +**This component supports dynamic variables** - Dynamic from the main entity triggering the playbook: Will remove the authorized members on the corresponding user of the field you choose, based on the triggering entity only. you can choose among: - Author (organisation): If your author is an organisation, you will be able to remove the organization from the authorized members. 
@@ -300,7 +300,7 @@ You can decide to only remove restriction on the triggering element or the whole - Dynamic from the object in the bundle of the playbook: will remove the authorized members on all the corresponding users of all the entities contained in your bundle and not only the triggering entity. - Organization: all users belonging to the organizations in your bundle will be removed from authorized members. -**The component also supportss static fields, used for authorized members: users, groups & organizations.** +**The component also supports static fields, used for authorized members: users, groups & organizations.** ### Apply predefined rule @@ -321,7 +321,7 @@ For instance, the following operation will not work within a playbook: listen to **Routes:** -- Unmodified: because of the above reason, if none of your entities or observables contained in your STIX bundle have been impacted by the rule, then the STIX bundle will follow will follow the **unmodified** route. +- Unmodified: because of the above reason, if none of your entities or observables contained in your STIX bundle have been impacted by the rule, then the STIX bundle will follow the **unmodified** route. - Out: if at least one of the entity or observable of your STIX bundle has been successfully impacted by the rule, then the STIX bundle will follow the **Out** route. ### Send to notifier @@ -335,7 +335,7 @@ Will send an email using the template that you can set in Parameters/security (u ##### Specificities of the component -**This component supportss dynamic variables** +**This component supports dynamic variables** - Dynamic from the main entity triggering the playbook as Target: will send the email using the selected template to the corresponding user of the field you choose, based on the triggering entity only. you can choose among: - Creator: Will send an email using an Email Template to the corresponding user. 
@@ -345,7 +345,7 @@ Will send an email using the template that you can set in Parameters/security (u - Dynamic from the object in the bundle of the playbook as Target: will send the email using the selected template to the corresponding user of the entities contained in your bundle and not only the triggering entity. - Organization: all users of all organizations contained in your bundle will receive an email. -**The component also supportss static fields, used for authorized members: users, groups & organizations.** +**The component also supports static fields, used for authorized members: users, groups & organizations.** ### Promote observable to indicator @@ -355,7 +355,7 @@ By default, it is applied to entities having triggered the playbook. You can tog You can also add all indicators and relationships generated by this component in the entity having triggered the playbook, if this entity is a container. -#### Specifities of the component +#### Specificities of the component **Routes:** @@ -370,7 +370,7 @@ By default, it is applied to entities having triggered the playbook. You can tog You can also add all observables and relationships generated by this component in the entity having triggered the playbook, if this entity is a container. -#### Specifities of the component +#### Specificities of the component **Routes:** 
@@ -385,7 +385,7 @@ Will filter out any entities in the current stage that do not match the filter c **Reduce will not work if the result of your reduce knowledge step is different from the entity triggering your playbook:** -If the result of the reduce knowledge ends up not matching the initial entity triggering yur playbook, then the reduce step will fail. As an example: +If the result of the reduce knowledge ends up not matching the initial entity triggering your playbook, then the reduce step will fail. As an example: With a first step listening on: entity type = IPV4 OR Report AND label = test. And a step that reduces knowledge based on Entity type = IPV4. You will get the following results: @@ -400,7 +400,7 @@ With a first step listening on: entity type = IPV4 OR Report AND label = test. A **Routes:** -- Unmatched: if the bundle does not match the reduce condition, then the stix bundle will follow the **unmatch** route. In this case, the playbook will act as the route "umatch" of the "match" component. +- Unmatched: if the bundle does not match the reduce condition, then the stix bundle will follow the **unmatched** route. In this case, the playbook will act as the route "unmatched" of the "match" component. - Out: if your bundle is effectively reduced, then the stix bundle will follow the **Out** route. ### Match knowledge 
@@ -433,10 +433,10 @@ In this list, you will find: At the top right of the interface, you can access execution trace of your playbook and consult the raw data after every step of your playbook execution. -### Useful for troublshooting +### Useful for troubleshooting - Fewer steps than the number of steps of your playbook: If your playbook contains, for instance, 5 steps and only 4 steps are shown, it means that the playbook stopped at the 4th step. - Data created/ingested by the playbook does not contain the right modifications applied in the manipulate step: verify that your step is present, and that the operations you wanted to apply are well applied (you need to see the operation type, the field & the value) -- Use the different routes to help troubleshoot your playbook: if you're using multiple components that involves mutliple routes, it is sometimes useful to test your playbook by adding a "manipulate knowledge" step to add a label for instance, to understand the route your bundle is taking if you feel that the data created by your playbook is not the one you expect. +- Use the different routes to help troubleshoot your playbook: if you're using multiple components that involves multiple routes, it is sometimes useful to test your playbook by adding a "manipulate knowledge" step to add a label for instance, to understand the route your bundle is taking if you feel that the data created by your playbook is not the one you expect. ![Steps monitoring](assets/playbook_traces.png) diff --git a/docs/docs/usage/case-management.md b/docs/docs/usage/case-management.md index 923d2f2ebd97..2323757ce5fe 100644 --- a/docs/docs/usage/case-management.md +++ b/docs/docs/usage/case-management.md 
@@ -2,13 +2,13 @@ ## Why Case management? -Compiling CTI data in one place, deduplicate and correlate to transform it into Intelligence is very important. **But ultimately, you need to act based on this Intelligence**. Some situations will need to be taken care of, like cybersecurity incidents, requests for information or requests for takedown. Some actions will then need to be traced, to be coordinated and oversaw. Some actions will include feedback and content delivery. +Compiling CTI data in one place, deduplicate and correlate to transform it into Intelligence is very important. **But ultimately, you need to act based on this Intelligence**. Some situations will need to be taken care of, like cybersecurity incidents, requests for information or requests for takedown. Some actions will then need to be traced, to be coordinated and overseen. Some actions will include feedback and content delivery. OpenCTI includes [Cases](exploring-cases.md) to allow organizations to manage situations and organize their team's work. Better, **by doing Case management in OpenCTI, you handle your cases with all the context and Intelligence you need, at hand.** ## How to manage your Case in OpenCTI? -Multiple situations can be modelize in OpenCTI as a Case, either an Incident Response, a Request for Takedown or a Request for Information. +Multiple situations can be modeled in OpenCTI as a Case, either an Incident Response, a Request for Takedown or a Request for Information. ![Incident Responses' list](assets/cases-list.png) 
@@ -22,7 +22,7 @@ Tip: A user can have a custom dashboard showing him all the tasks that have been ![Incident Responses' list](assets/case-applying-template.png) -As with other objects in OpenCTI, you can also leverage the `Notes` to add some investigation and analysis related comments, helping you shaping up the content of your case with unstructured data and trace all the work that have been done. +As with other objects in OpenCTI, you can also leverage the `Notes` to add some investigation and analysis related comments, helping you shaping up the content of your case with unstructured data and trace all the work that has been done. You can also use `Opinions` to collect how the Case has been handled, helping you to build Lessons Learned. 
@@ -30,15 +30,15 @@ You can also use `Opinions` to collect how the Case has been handled, helping yo To trace the evolution of your Case and define specific resolution worflows, you can use the `Status` (that can be define in Settings/Taxonomies/Status templates). -At the end of your Case, you will certainly want to report on what has been done. OpenCTI allows you to export the content of the Case in a simple but customizable PDF (currently in refactor). But of course, your company has its own documents' templates, right? With OpenCTI, you will be able to include some nice graphics in it. For example, a Matrix view of the attacker attack pattern or even a graph display of how things are connected. +At the end of your Case, you will certainly want to report on what has been done. OpenCTI allows you to export the content of the Case in a simple but customizable PDF (currently in refactor). But of course, your company has its own document templates. With OpenCTI, you will be able to include some nice graphics in it. For example, a Matrix view of the attacker attack pattern or even a graph display of how things are connected. -Also, we are currently working a more meaningfull Timeline view that will be possible to export too. +Also, we are currently working a more meaningful Timeline view that will be possible to export too. ## Use case example: A suspicious observable is sighted by a defense system. Is it important? - Daily, your SIEM and EDR are fed Indicators of Compromise from your OpenCTI instance. -- Today, your SIEM has sighted the domain name "bad.com" matching one of them. Its alert has been transfered to OpenCTI and has created a `Sighting` relationship between your System "SIEM permiter A" and the Observable "bad.com". 
-- You are alerted immediatly, because you have activated the inference rule creating a corresponding `Incident` in this situation, and you have created an alert based on new Incident that sends you email `notification` and Teams message (webhook). +- Today, your SIEM has sighted the domain name "bad.com" matching one of them. Its alert has been transferred to OpenCTI and has created a `Sighting` relationship between your System "SIEM permiter A" and the Observable "bad.com". +- You are alerted immediately, because you have activated the inference rule creating a corresponding `Incident` in this situation, and you have created an alert based on new Incident that sends you email `notification` and Teams message (webhook). - In OpenCTI, you can clearly see the link between the alerting System, the sighted Observable and the corresponding Indicator. Better, you can also see all the context of the Indicator. It is linked to a notorious and recent phishing `campaign` targeting your activity `sector`. "bad.com" is clearly something to investigate ASAP. - You quickly select all the context you have found, and add it to a new `Incident response`case. You position the priority to High, regarding the context, and the severity to Low, as you don't know yet if someone really interacted with "bad.com". - You also assign the case to one of your colleagues, on duty for investigative work. To guide him, you also create a `Task` in your case for verifying if an actual interaction happened with "bad.com". diff --git a/docs/docs/usage/deduplication.md b/docs/docs/usage/deduplication.md index 664e8644dab6..2a0a1f067027 100644 --- a/docs/docs/usage/deduplication.md +++ b/docs/docs/usage/deduplication.md 
@@ -55,7 +55,7 @@ Technically, OpenCTI generates deterministic IDs based on the listed properties ### Relationships -The deduplication process of relationships is based on the following criterias: +The deduplication process of relationships is based on the following criteria: * Type * Source diff --git a/docs/docs/usage/draftWorkspaces.md b/docs/docs/usage/draftWorkspaces.md index 47c4d9f783e4..0d16f38de7ff 100644 --- a/docs/docs/usage/draftWorkspaces.md +++ b/docs/docs/usage/draftWorkspaces.md @@ -80,7 +80,7 @@ An icon and a number count will be visible when there are ongoing processes in t Once the content of the draft is deemed acceptable, the draft can be approved. Doing so will send the content of the draft for ingestion into the main knowledge base. The draft status will also be updated: the draft will no longer be considered opened, but validated. -Drafts can be approved even if there are ongoing processes still ongoing, but please note that the modifications that would have been applied by these processess will be lost. +Drafts can be approved even if there are still ongoing processes, but please note that the modifications that would have been applied by these processes will be lost. Depending on the draft operation of the data, the ingestion process will be slightly different. Only Create, Update and Delete operations are sent for ingestion. Created entities will be fully sent for ingestion. But updated entities will not be fully sent for ingestion and upserted: instead, only the updates applied in the draft will be applied on the main knowledge version. For deletions, only deleted entities will have a delete action applied, and not delete linked entities. diff --git a/docs/docs/usage/exploring-analysis.md b/docs/docs/usage/exploring-analysis.md index c73320f625aa..8d7a29dff520 100644 --- a/docs/docs/usage/exploring-analysis.md +++ b/docs/docs/usage/exploring-analysis.md 
@@ -22,7 +22,7 @@ In the MITRE STIX 2.1 documentation, a `Report` is defined as such : > Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. -As a result, a `Report` object in OpenCTI is a set of attributes and metadata defining and describing a document outside the platform, which can be a threat intelligence report from a security reseearch team, a blog post, a press article a video, a conference extract, a MISP event, or any type of document and source. +As a result, a `Report` object in OpenCTI is a set of attributes and metadata defining and describing a document outside the platform, which can be a threat intelligence report from a security research team, a blog post, a press article a video, a conference extract, a MISP event, or any type of document and source. When clicking on the Reports tab at the top left, you see the list of all the Reports you have access to, in respect with your [allowed marking definitions](../administration/users.md). You can then search and filter on some common and specific attributes of reports. 
@@ -43,10 +43,10 @@ Exploring and modifying the structured Knowledge contained in a Report can be do ![Graph View of a Report](assets/report-graph-view.png) -In Graph view, STIX SDO are displayed as graph nodes and relationships as graph links. Nodes are colored depending of their type. Direct relationship are displayed as plain link and inferred relationships in dotted link. -At the top right, you will find a serie of icons. From there you can change the current type of view. Here you can also perform global action on the Knowledge of the Report. Let's highlight 2 of them: +In Graph view, STIX SDO are displayed as graph nodes and relationships as graph links. Nodes are colored depending on their type. Direct relationship are displayed as plain link and inferred relationships in dotted link. +At the top right, you will find a series of icons. From there you can change the current type of view. Here you can also perform global action on the Knowledge of the Report. Let's highlight 2 of them: - Suggestions: This tool suggests you some logical relationships to add between your contained Object to give more consistency to your Knowledge. -- Share with an Organization: if you have designated a main Organization in the platform settings, you can here share your Report and its content with users of an other Organization. +- Share with an Organization: if you have designated a main Organization in the platform settings, you can here share your Report and its content with users of another Organization. At the bottom, you have many option to manipulate the graph: - Multiple option for shaping the graph and applying forces to the nodes and links 
@@ -59,7 +59,7 @@ At the bottom, you have many option to manipulate the graph: ![Timeline view of a Report](assets/report-timeline-view.png) -This view allows you to see the structured Knowledge chronologically. This view is really useful when the report describes an attack or a campaign that lasted some time, and the analyst payed attention to the dates. +This view allows you to see the structured Knowledge chronologically. This view is really useful when the report describes an attack or a campaign that lasted some time, and the analyst paid attention to the dates. The view can be filtered and displayed relationships too. #### Correlation view @@ -78,7 +78,7 @@ If your Report describes let's say an attack, a campaign, or an understanding of #### Organization segregation -If you have designated a main Organization in the platform settings, you can share your Report and its content with users of an other Organization. +If you have designated a main Organization in the platform settings, you can share your Report and its content with users of another Organization. ![containers-organization-sharing-button.png](assets%2Fcontainers-organization-sharing-button.png) 
@@ -110,15 +110,15 @@ Clicking on a Grouping, you land on its Overview tab. For a Groupings, the follo - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge contained in the groupings, as for a Report, except for the Timeline view. As described [here](overview.md#knowledge-section). - Content: a tab to provide access to content mapping, suggested mapping and allows to preview, manage and write the deliverables associated with the Grouping. For example, an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). -- Entities: A table containing all SDO (Stix Domain Objects) contained in the Grouping, with search and filters available. It also display if the SDO has been added directly or through [inferences with the reasonging engine](inferences.md) -- Observables: A table containing all SCO (Stix Cyber Observable) contained in the Grouping, with search and filters available. It also display if the SDO has been added directly or through [inferences with the reasonging engine](inferences.md) +- Entities: A table containing all SDO (Stix Domain Objects) contained in the Grouping, with search and filters available. It also displays if the SDO has been added directly or through [inferences with the reasoning engine](inferences.md) +- Observables: A table containing all SCO (Stix Cyber Observable) contained in the Grouping, with search and filters available. It also displays if the SDO has been added directly or through [inferences with the reasoning engine](inferences.md) - Data: as described [here](overview.md#data-section). ### Restricting access to a Grouping #### Organization segregation -If you have designated a main Organization in the platform settings, you can share your Grouping and its content with users of an other Organization. 
+If you have designated a main Organization in the platform settings, you can share your Grouping and its content with users of another Organization. ![containers-organization-sharing-button.png](assets%2Fcontainers-organization-sharing-button.png) 
@@ -147,9 +147,9 @@ In the MITRE STIX 2.1 documentation, a `Malware Analyses` is defined as such : When clicking on the Malware Analyses tab at the top of the interface, you see the list of all the Malware Analyses you have access to, in respect with your [allowed marking definitions](../administration/users.md). You can then search and filter on some common and specific attributes of the Malware Analyses. Clicking on a Malware Analyses, you land on its Overview tab. The following tabs are accessible: -- Overview: This view contains some additions from the common Overview [here](overview.md#overview-section). You will find here details about how the analysis have been performed, what is the global result regarding the malicioussness of the analysed artifact and all the Observables that have been found during the analysis. +- Overview: This view contains some additions from the common Overview [here](overview.md#overview-section). You will find here details about how the analysis has been performed, what is the global result regarding the maliciousness of the analysed artifact and all the Observables that have been found during the analysis. - Knowledge: If you Malware analysis is linked to other Objects that are not part of the analysis result, they will be displayed here. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Malware Analyses. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Malware Analyses. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Data: as described [here](overview.md#data-section). 
- History: as described [here](overview.md#history-section). @@ -172,7 +172,7 @@ Clicking on a Note, you land on its Overview tab. The following tabs are accessi Intelligence is never created from nothing. External references give user a way to link sources or reference documents to any Object in the platform. All external references are listed within the Analyses menu for accessing directly sources of the structured Knowledge. -In the MITRE STIX 2.1 documentation, a `External references` is defined as such : +In the MITRE STIX 2.1 documentation, an `External Reference` is defined as such : > External references are used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. Clicking on an External reference, you land on its Overview tab. The following tabs are accessible: diff --git a/docs/docs/usage/exploring-arsenal.md b/docs/docs/usage/exploring-arsenal.md index 988906c37a02..21226c4efa51 100644 --- a/docs/docs/usage/exploring-arsenal.md +++ b/docs/docs/usage/exploring-arsenal.md 
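Review bot: the `@@ -147,9 +147,9 @@` hunk in exploring-analysis.md fixes "have been performed" and "malicioussness" but leaves two errors on the neighbouring lines it shows: the Knowledge bullet still reads "If you Malware analysis is linked" (should be "If your Malware Analysis is linked"), and the rewritten Content bullet keeps "allows to preview, manage and write deliverable", which needs a subject and a plural: "allows you to preview, manage and write deliverables". The same "allows to ... deliverable" wording is repeated in every Content bullet this PR touches in exploring-arsenal.md and exploring-entities.md, so it is worth fixing consistently in one pass. The hunk's first context line, "a `Malware Analyses` is defined as such :", also has a singular article on a plural noun and a space before the colon; "a `Malware Analysis` is defined as such:" would match the STIX object name.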
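Review bot: in the `@@ -172,7 +172,7 @@` hunk, the corrected line "+In the MITRE STIX 2.1 documentation, an `External Reference` is defined as such :" still carries the French-style space before the colon, and the unchanged sentence two lines above, "External references give user a way to link sources", needs "give users a way". Since this hunk is already being edited for grammar, both could be folded in.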
@@ -7,7 +7,7 @@ From the `Arsenal` section, users can access the following tabs: - `Malware`: `Malware` represents any piece of code specifically designed to damage, disrupt, or gain unauthorized access to computer systems, networks, or user data. - `Channels`: `Channels`, in the context of cybersecurity, refer to places or means through which actors disseminate information. This category is used in particular in the context of FIMI (Foreign Information Manipulation Interference). - `Tools`: `Tools` represent legitimate, installed software or hardware applications on an operating system that can be misused by attackers for malicious purposes. (e.g. LOLBAS). -- `Vulnerabilities`: `Vulnerabilities` are weaknesses or that can be exploited by attackers to compromise the security, integrity, or availability of a computer system or network. +- `Vulnerabilities`: `Vulnerabilities` are weaknesses that can be exploited by attackers to compromise the security, integrity, or availability of a computer system or network. ## Malware 
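Review bot: the Channels bullet in the `@@ -7,7 +7,7 @@` hunk of exploring-arsenal.md expands FIMI as "Foreign Information Manipulation Interference"; the term as used by the EU External Action Service is "Foreign Information Manipulation and Interference", so the expansion is missing "and". Since this hunk already edits the adjacent Vulnerabilities bullet, it is a cheap fix to include.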
@@ -30,7 +30,7 @@ When clicking on an `Malware` card you land on its Overview tab. For a Malware, - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Malware. Different thematic views are proposed to easily see the victimology, the threat actors and intrusion sets using the Malware, etc. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Malware. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Malware. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Data: as described [here](overview.md#data-section). - History: as described [here](overview.md#history-section). 
@@ -54,7 +54,7 @@ When clicking on a `Channel` in the list, you land on its Overview tab. For a Ch - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Channel. Different thematic views are proposed to easily see the victimology, the threat actors and intrusion sets using the Malware, etc. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Channel. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Channel. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Data: as described [here](overview.md#data-section). - History: as described [here](overview.md#history-section). 
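Review bot: the Knowledge bullet in the `@@ -54,7 +54,7 @@` Channel hunk is a copy-paste leftover from the Malware section: it reads "the threat actors and intrusion sets using the Malware" but describes the Channel entity, so it should say "using the Channel". The Tool and Vulnerability sections below already have their own wording ("using the Tool", "exploiting the Vulnerability"), which makes the mismatch stand out.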
@@ -70,13 +70,13 @@ When clicking on the `Tools` tab at the top left, you see the list of all the `T ![Tools list](assets/tools_list_view.png) -### Visualizing Knowledge associated with an Observed Data +### Visualizing Knowledge associated with a Tool When clicking on a `Tool` in the list, you land on its Overview tab. For a Tool, the following tabs are accessible: - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Tool. Different thematic views are proposed to easily see the threat actors, the intrusion sets and the malware using the Tool. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Tool. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Tool. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Data: as described [here](overview.md#data-section). - History: as described [here](overview.md#history-section). 
@@ -92,13 +92,13 @@ When clicking on the `Vulnerabilities` tab at the top left, you see the list of ![Vulnerabilities list](assets/vulnerabilities_list_view.png) -### Visualizing Knowledge associated with an Observed Data +### Visualizing Knowledge associated with a Vulnerability When clicking on a `Vulnerabilities` in the list, you land on its Overview tab. For a Vulnerability, the following tabs are accessible: - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Vulnerability. Different thematic views are proposed to easily see the threat actors, the intrusion sets and the malware exploiting the Vulnerability. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Vulnerability. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Vulnerability. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Data: as described [here](overview.md#data-section). - History: as described [here](overview.md#history-section). diff --git a/docs/docs/usage/exploring-cases.md b/docs/docs/usage/exploring-cases.md index 1d5eef23fdba..d27d95eb6638 100644 --- a/docs/docs/usage/exploring-cases.md +++ b/docs/docs/usage/exploring-cases.md 
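Review bot: the `@@ -92,13 +92,13 @@` hunk corrects the heading to "a Vulnerability", but the sentence right below it still says "When clicking on a `Vulnerabilities` in the list"; it should be "a `Vulnerability`" to match the new heading and the other sections ("a `Tool`", "a `Channel`").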
@@ -8,7 +8,7 @@ From the `Cases` section, users can access the following tabs: - `Incident Responses`: This type of Cases is dedicated to the management of incidents. An Incident Response case does not represent an incident, but all the context and actions that will encompass the response to a specific incident. - `Request for Information`: CTI teams are often asked to provide extensive information and analysis on a specific subject, be it related to an ongoing incident or a particular trending threat. Request for Information cases allow you to store context and actions relative to this type of request and its response. -- `Request for Takedown`: When an organization is targeted by an attack campaign, a typical response action can be to request the Takedown of elements of the attack infrastructure, for example a domain name impersonating the organization to phish its employees, or an email address used to deliver phishing content. As Takedown needs in most case to reach out to external providers and be effective quickly, it often needs specific workflows. Request for Takedown cases give you a dedicated space to manage these specific actions. +- `Request for Takedown`: When an organization is targeted by an attack campaign, a typical response action can be to request the Takedown of elements of the attack infrastructure, for example a domain name impersonating the organization to phish its employees, or an email address used to deliver phishing content. As Takedown needs in most cases to reach out to external providers and be effective quickly, it often needs specific workflows. Request for Takedown cases give you a dedicated space to manage these specific actions. - `Tasks`: In every case, you need tasks to be performed in order to solve it. The Tasks tab allows you to review all created tasks to quickly see past due date, or quickly see every task assigned to a specific user. 
- `Feedbacks`: If you use your platform to interact with other teams and provide them CTI Knowledge, some users may want to give you feedback about it. Those feedbacks can easily be considered as another type of case to solve, as it will often refer to Knowledge inconsistency or gaps. @@ -72,7 +72,7 @@ If your Case contains attack patterns, you will be able to visualize them in a M #### Organization segregation -If you have designated a main Organization in the platform settings, you can share your Case and its content with users of an other Organization. +If you have designated a main Organization in the platform settings, you can share your Case and its content with users of another Organization. ![containers-organization-sharing-button.png](assets%2Fcontainers-organization-sharing-button.png) @@ -103,7 +103,7 @@ Clicking on a Task, you land on its Overview tab. For a Tasks, the following tab ## Feedbacks -When a user fill a feedback form from its Profile/Feedback menu, it will then be accessible here. +When a user fills a feedback form from its Profile/Feedback menu, it will then be accessible here. This feature gives the opportunity to engage with other users of your platform and to respond directly to their concern about it or the Knowledge, without the need of third party software. diff --git a/docs/docs/usage/exploring-entities.md b/docs/docs/usage/exploring-entities.md index 443659ad8302..86a3a5b78b83 100644 --- a/docs/docs/usage/exploring-entities.md +++ b/docs/docs/usage/exploring-entities.md 
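Review bot: in the `@@ -8,7 +8,7 @@` hunk of exploring-cases.md, the Tasks bullet's "to quickly see past due date" should be "past due dates" (or "overdue tasks"), and the first context line "This type of Cases is dedicated to the management of incidents" needs "This type of Case". Both sit inside the lines this hunk shows, so they can be corrected here rather than in a follow-up typo pass.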
@@ -1,6 +1,6 @@ # Entities -OpenCTI's Entities objects provides a comprehensive framework for modeling various targets and attack victims within your threat intelligence data. With five distinct Entity object types, you can represent sectors, events, organizations, systems, and individuals. This robust classification empowers you to contextualize threats effectively, enhancing the depth and precision of your analysis. +OpenCTI's Entity objects provide a comprehensive framework for modeling various targets and attack victims within your threat intelligence data. With five distinct Entity object types, you can represent sectors, events, organizations, systems, and individuals. This robust classification empowers you to contextualize threats effectively, enhancing the depth and precision of your analysis. When you click on "Entities" in the left-side bar, you access all the "Entities" tabs, visible on the top bar on the left. By default, the user directly access the "Sectors" tab, but can navigate to the other tabs as well. 
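Review bot: the `@@ -1,6 +1,6 @@` hunk in exploring-entities.md fixes subject-verb agreement in the first paragraph but not in the second: "By default, the user directly access the "Sectors" tab" needs "accesses". Same class of error, same hunk.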
@@ -29,7 +29,7 @@ When clicking on a `Sector` in the list, you land on its Overview tab. For a Sec - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Sector. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the Sector. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Sector. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Sector. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Sightings: a table containing all `Sightings` relationships corresponding to events in which an `Indicator` (IP, domain name, url, etc.) is sighted in the Sector. - Data: as described [here](overview.md#data-section). 
@@ -54,7 +54,7 @@ When clicking on an `Event` in the list, you land on its Overview tab. For an Ev - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Event. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Event. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Event. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Event. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Sightings: a table containing all `Sightings` relationships corresponding to events in which an `Indicator` (IP, domain name, url, etc.) is sighted during an attack against the Event. - Data: as described [here](overview.md#data-section). 
@@ -77,7 +77,7 @@ When clicking on an `Organization` in the list, you land on its Overview tab. Fo - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Organization. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Organization. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Organization. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Organization. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Sightings: a table containing all `Sightings` relationships corresponding to events in which an `Indicator` (IP, domain name, url, etc.) is sighted in the Organization. - Data: as described [here](overview.md#data-section). 
@@ -108,7 +108,7 @@ When clicking on a `System` in the list, you land on its Overview tab. For a Sys - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the System. Different thematic views are proposed to easily see the related entities, the threats, the incidents, etc. linked to the System. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the System. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the System. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Sightings: a table containing all `Sightings` relationships corresponding to events in which an `Indicator` (IP, domain name, url, etc.) is sighted in the System. - Data: as described [here](overview.md#data-section). 
@@ -137,7 +137,7 @@ When clicking on an `Individual` in the list, you land on its Overview tab. For - Overview: as described [here](overview.md#overview-section). - Knowledge: a complex tab that regroups all the structured Knowledge linked to the Individual. Different thematic views are proposed to easily see the related entities, the threats, the locations, etc. linked to the Individual. As described [here](overview.md#knowledge-section). -- Content: This specific tab allows to previzualize, manage and write deliverable associated with the Individual. For example an analytic report to share with other teams, a markdown files to feed a collaborative wiki with, etc. As described [here](overview.md#content-section). +- Content: This specific tab allows to preview, manage and write deliverable associated with the Individual. For example an analytical report to share with other teams, a markdown file to feed a collaborative wiki, etc. As described [here](overview.md#content-section). - Analyses: as described [here](overview.md#analyses-section). - Sightings: a table containing all `Sightings` relationships corresponding to events in which an `Indicator` (IP, domain name, url, etc.) is sighted in the Individual. - Data: as described [here](overview.md#data-section). diff --git a/docs/docs/usage/getting-started.md b/docs/docs/usage/getting-started.md index 959740cfa777..19b46912ee87 100644 --- a/docs/docs/usage/getting-started.md +++ b/docs/docs/usage/getting-started.md @@ -25,7 +25,7 @@ The welcome page gives any visitor on the OpenCTI platform an overview of what's | Component | Description | |:---------------|:---------------------------------| -| Intrusion sets | Number of intrusion sets . | +| Intrusion sets | Number of intrusion sets. | | Malware | Number of malware. | | Reports | Number of reports. | | Indicators | Number of indicators. | diff --git a/docs/docs/usage/import/json-feed.md b/docs/docs/usage/import/json-feed.md index 6846513e4a2f..919e88840fff 100644 
--- a/docs/docs/usage/import/json-feed.md +++ b/docs/docs/usage/import/json-feed.md @@ -17,7 +17,7 @@ By adhering to these best practices, you ensure independence in managing rights ## Configuration Configuring a JSON feed will be simple or complex depending on the needs of pagination. -So we will show be example of its different and how to configure it in the two cases. +So we will show by example of its different and how to configure it in the two cases. ### Simple API @@ -31,7 +31,7 @@ Here's a step-by-step guide to configure JSON ingesters: ### Paginated API -For paginated API its more difficult to configure the JSON feed. You have more elements. +For paginated APIs, it's more difficult to configure the JSON feed. You have more elements. #### Verb and variables @@ -39,7 +39,7 @@ You need to start to configure the verb to use and the variables. **GET** -When you use a GET API, a majority of case will use query parameters to be able to setup variables for the pagination. +When you use a GET API, a majority of cases will use query parameters to be able to setup variables for the pagination. For example lets take an api where the get command need to specify the page number to consume. There is a part of the URI that need to be dynamic. diff --git a/docs/docs/usage/nested.md b/docs/docs/usage/nested.md index b251e66d8181..93fb614d3f97 100644 --- a/docs/docs/usage/nested.md +++ b/docs/docs/usage/nested.md @@ -6,7 +6,7 @@ In the [STIX 2.1 standard](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html), objects can: -1. Refer to other objects in directly in their `attributes`, by referencing one or multiple IDs. +1. Refer to other objects directly in their `attributes`, by referencing one or multiple IDs. 2. Have other objects directly embedded in the entity. ### Example 
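Review bot: the json-feed.md change "-So we will show be example of its different ... +So we will show by example of its different and how to configure it in the two cases." swaps one typo for a sentence that is still ungrammatical ("of its different" has no noun). Suggest "So we will show, by example, the differences and how to configure it in the two cases." In the `@@ -39,7 +39,7 @@` hunk of the same file, "to be able to setup variables" should be "set up", and the unchanged lines that follow ("For example lets take an api where the get command need to specify", "There is a part of the URI that need to be dynamic") need "let's", "API", "GET", "needs" and "needs".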
@@ -17,7 +17,7 @@ In the [STIX 2.1 standard](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.h "spec_version": "2.1", "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29", "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", // nested reference to an identity - "object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"], // nested reference to multiple marking defintions + "object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"], // nested reference to multiple marking definitions "external_references": [ { "source_name": "veris", @@ -38,7 +38,7 @@ In the previous example, we have 2 nested references to other objects in: ```json "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", // nested reference to an identity -"object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"], // nested reference to multiple marking defintions +"object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"], // nested reference to multiple marking definitions ``` But we also have a nested object within the entity (an `External Reference`): @@ -57,7 +57,7 @@ But we also have a nested object within the entity (an `External Reference`): ### Modelization -In OpenCTI, all nested references and objects are modelized as relationships, to be able to pivot more easily on labels, external references, kill chain phases, marking definitions, etc. +In OpenCTI, all nested references and objects are modeled as relationships, to be able to pivot more easily on labels, external references, kill chain phases, marking definitions, etc. ![Investigation](assets/investigation.png) diff --git a/docs/docs/usage/notifications.md b/docs/docs/usage/notifications.md index fcc719653388..11daa3888e49 100644 --- a/docs/docs/usage/notifications.md +++ b/docs/docs/usage/notifications.md 
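Review bot: the `@@ -57,7 +57,7 @@` hunk of nested.md changes "modelized" to "modeled" but keeps the heading above it, "### Modelization", which is the same gallicism; rename the heading to "### Modeling" (or "Modelling", whichever spelling the rest of the docs use) so the heading and the sentence under it agree.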
@@ -8,7 +8,7 @@ The main menu "Notifications and triggers" for creating and managing notificatio ![Notifications](assets/notifications.png) -Click on the line "Digest with multiples notifiers" to open a drawer and access to detailed notifications. +Click on the line "Digest with multiples notifiers" to open a drawer and access detailed notifications. ![Notifications](assets/digestWithMultipleNotifiers.png) diff --git a/docs/docs/usage/pivoting.md b/docs/docs/usage/pivoting.md index 0caa2da1eaa2..7e4882c2f939 100644 --- a/docs/docs/usage/pivoting.md +++ b/docs/docs/usage/pivoting.md @@ -14,8 +14,8 @@ To access investigations, navigate to the top right corner of the toolbar: ## Perform investigation ### Select / search entity -Wehn selecting (or searching) an entity, all the entities that you have selected (or matching your searched), will still be "coloured". The other entities will be overlayed, to emphasis your selection (or search). -The entity that you are currently seeing in the right panel is the one with the **blue solid line** while the ones with **blue doted line** are the other that you have selected but not viewed in the right panel. +When selecting (or searching) an entity, all the entities that you have selected (or matching your searched), will still be "coloured". The other entities will be overlayed, to emphasis your selection (or search). +The entity that you are currently seeing in the right panel is the one with the **blue solid line** while the ones with **blue dotted line** are the other that you have selected but not viewed in the right panel. In addition, the right panel will have now a counter of the amount of selected entities to help you understand the amount of selected (or matching your search). ![select entities in graph](assets/Select-entities-in-graph.png) diff --git a/docs/docs/usage/refine-content.md b/docs/docs/usage/refine-content.md index 4e40a845c0f7..f1f4508696bb 100644 --- a/docs/docs/usage/refine-content.md 
+++ b/docs/docs/usage/refine-content.md @@ -61,7 +61,7 @@ Fom the Content tab of a Container (Reports, Groupings and Cases), Ask AI can al ![Example of a generated content](assets/askai_generatedcontent.png) -A short video on the FiligranHQ YouTube channel presents tha capabilities of AskAI: https://www.youtube.com/watch?v=lsP3VVsk5ds. +A short video on the FiligranHQ YouTube channel presents the capabilities of AskAI: https://www.youtube.com/watch?v=lsP3VVsk5ds. ### Assistance for finding specific entities (Natural Language Query) @@ -69,7 +69,7 @@ A short video on the FiligranHQ YouTube channel presents tha capabilities of Ask An Ask AI button is available in the top search bar. It enables to switch the search bar in NLQ mode where you can write questions or assertions in natural language. ![Ask AI button in the top search bar](assets/nlq-button.png) -The system uses a Large Language Model (LLM) to generate corresponding filters based on your question. The model constructs filters in the OpenCTI filters format with empty ``filterGroups``. Thus, filters are currently limited to one level of imbrication: a list of filters separated by a single and/or mode. +The system uses a Large Language Model (LLM) to generate corresponding filters based on your question. The model constructs filters in the OpenCTI filters format with empty ``filterGroups``. Thus, filters are currently limited to one level of nesting: a list of filters separated by a single and/or mode. The LLM constructs the filters with: - existing filter keys (attributes, relations input names and some special filter keys), diff --git a/docs/docs/usage/search.md b/docs/docs/usage/search.md index a21b663f0bf9..24c5e3244231 100644 --- a/docs/docs/usage/search.md +++ b/docs/docs/usage/search.md 
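Review bot: the pivoting.md hunk fixes "Wehn" and "doted" but the two rewritten `+` lines still contain several errors: "(or matching your searched)" should be "(or matching your search)", "overlayed" should be "overlaid", "to emphasis your selection" should be "to emphasize your selection", and "are the other that you have selected" should be "are the others that you have selected". Since the PR already rewrites both lines, these fit in the same change.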
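Review bot: the second refine-content.md hunk, `@@ -69,7 +69,7 @@`, shows the context line "An Ask AI button is available in the top search bar. It enables to switch the search bar in NLQ mode", which should read "It enables you to switch the search bar into NLQ mode"; the first hunk's header context, "Fom the Content tab of a Container", has a typo for "From" on the line just above that hunk. Worth picking up while this file is open.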
@@ -27,7 +27,7 @@ Also, using the `Advanced search` button, it is possible to directly put filters !!! info "Advanced filters" - You have access to advanced filters all accross the UI, if you want to know more about how to use these + You have access to advanced filters all across the UI, if you want to know more about how to use these filters with the API or the Python library, [don't hesitate to read the dedicated page](../reference/filters.md) ### Full text search in files content @@ -48,11 +48,11 @@ In order to search in files, you need to configure [file indexing](../administra ## Bulk search -The bulk search capabilities is available in the top bar of the platform and allows you to copy paste a list of keyword or objects (ie. list of domains, list of IP addresses, list of vulnerabilities, etc.) to search in the platform: +The bulk search capability is available in the top bar of the platform and allows you to copy paste a list of keyword or objects (ie. list of domains, list of IP addresses, list of vulnerabilities, etc.) to search in the platform: ![Bulk search](assets/bulk-search.png) -When searching in bulk, OpenCTI is only looking for an case-insensitive exact match in some properties: +When searching in bulk, OpenCTI is only looking for a case-insensitive exact match in some properties: * `name` * `aliases` diff --git a/docs/docs/usage/widgets.md b/docs/docs/usage/widgets.md index cfe5aefff099..eade0bcf92fe 100644 --- a/docs/docs/usage/widgets.md +++ b/docs/docs/usage/widgets.md 
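Review bot: in the `@@ -48,11 +48,11 @@` hunk of search.md, the rewritten line "+The bulk search capability is available in the top bar of the platform and allows you to copy paste a list of keyword or objects (ie. list of domains" still has "keyword" for "keywords", "copy paste" for "copy-paste", and "ie." for "i.e."; suggest "allows you to copy-paste a list of keywords or objects (i.e. a list of domains, IP addresses, vulnerabilities, etc.)".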
@@ -31,7 +31,7 @@ A perspective is the way the platform will count the data to display in your wid Filters vary based on the selected perspective, defining the dataset to be utilized in the widget. Filters are instrumental in narrowing down the scope of data for a more focused analysis. -While filters in the "Entities" and "Activity & History" perspectives align with the platform's familiar search and feed creation filters, the "Knowledge Graph" perspective introduces a more intricate filter configuration.Therefore, they need to be addressed in more detail. +While filters in the "Entities" and "Activity & History" perspectives align with the platform's familiar search and feed creation filters, the "Knowledge Graph" perspective introduces a more intricate filter configuration. Therefore, they need to be addressed in more detail. #### Filter in the context of Knowledge Graph