Submitted URL: http://d387gt04.eu1.hubspotlinks.com/Ctc/X+113/d387Gt04/VX8TZ46gZkkHN3g-0P2tKdDGW2qd3df5fDYZ0MLtlVn5kBVqW7lCGcx6lZ3pJW1r_prQ8XyFHRW4j...
Effective URL: https://blog.filigran.io/introducing-decay-rules-implementation-for-indicators-in-opencti-472f6e8449fb?_hsenc=p2ANqtz-_on...
Submission Tags: falconsandbox
Submission: On May 28 via api from US — Scanned from DE
Introducing Decay Rules Implementation for Indicators in OpenCTI

Souad Hadjiat · Published in Filigran Blog · 6 min read · Mar 25, 2024

Cyber Threat Intelligence is made to be used. To be useful, it must be relevant and on time. That is why managing the lifecycle of Indicators of Compromise (IoCs) is so important in cybersecurity. But IoCs are often received by the thousands. So how do you manage them all so that they stay relevant in a time-sensitive context? To answer this problem, we have introduced the Score Decay algorithm into OpenCTI 6.0 to help you manage your IoC lifecycle!

This article was co-written with Angélique Jard.

Indicator lifecycle changes with the new decay algorithm

IoCs indicate that everything matching their pattern is “malicious”, or at least relevant regarding a threat. This maliciousness/relevancy is represented by the IoC’s “score” and “valid_until” values. Prior to 6.0, an Indicator’s score in OpenCTI could only change based on new information (manual update, new data from a feed, a playbook) but not over time. It was an on/off model that could not represent the evolution of an IoC’s relevancy over time.

With decay rules enabled, Indicators can now see their score decrease over time. On the Indicator overview, a new button called “Lifecycle” is now present next to the score.

[Figure: Indicator score with lifecycle button]

Opening the Indicator lifecycle view shows the curve representing the IoC lifecycle. A table lists all the relevant scores that are being monitored so that you can react on them. The last of these scores is the one that revokes the IoC for irrelevancy.

[Figure: Lifecycle details of indicator]

The curve is displayed for context, but the Indicator score that is visible on the Indicator overview and stored in the database only takes the score values listed in the table. When a stable score’s time is reached, the platform updates the score of the IoC, and this update can be reacted upon the same way as when the score is updated manually in the UI (in streams, in playbooks, in notifiers).

How does the OpenCTI platform select a decay rule for an Indicator?

The platform has several decay rules configured by default, and users with Settings access can configure new ones, as explained in the Administration section of this article. Decay rule selection is based on the Indicator’s “main observable type” and a priority system. When a new Indicator is created, the decay algorithm:

* searches for decay rules based on the main observable type of the Indicator (for example: Domain name);
* selects the decay rule with the highest order;
* if no rule exists for the main observable type, takes the decay rule that matches all observable types with the highest priority.

The decay rule is selected when the Indicator is created. This means that if an Indicator is created with a decay rule and that rule’s parameters are modified afterwards, the new parameters are not applied to the Indicator: only new Indicators that match the rule will get the new parameters. It also means that Indicators that existed on the platform before migrating to OpenCTI 6.0 will not have a backward computation of decay rules.

Please note that when any Indicator reaches its “valid_until” date, it is still revoked. The score decrease and the revoke score of a decay rule work together with the existing revoke mechanism.

This design of the Indicator decay rule engine was chosen for performance reasons, given that an OpenCTI platform can have millions of existing Indicators.

What happens if the score is updated by the UI or connectors?

You might see some Indicator lifecycle curves that don’t start from the Indicator’s score at creation. The reason is that when the score is updated manually in the UI or from connectors/feeds, this new score is taken as the starting score for the decay computation, and the stable score dates and revoke date are computed again. To keep the full Indicator lifecycle understandable, scores that the Indicator may have had before this update are kept and displayed in the table.

[Figure: Lifecycle details with score update]

For example, in this screenshot the Indicator’s score at creation was 79 on March 9, 2024, but for some reason it was updated by a user to 96 on March 12, 2024: the dates for the next stable score and the revoke score have been computed again, starting from March 12, 2024.

Administration of decay algorithm and rules

For administrators, decay rules can be configured in “Settings > Customization > Decay rules”.

[Figure: Decay rules administration]

We provide four built-in decay rules that are applied by default. The last rule, with the lowest priority, is the one applied when no other rule matches. The built-in rules are special: it is not possible to change their parameters, disable them or delete them. Their priority orders are set to 0 and 1, so if you want to apply other rules, simply create them with your own parameters and set a higher priority order (at least 2).

[Figure: Decay rule example with fast score decrease]
[Figure: Decay rule example with slow score decrease]

When creating a new rule, the parameters are:

* Main observable type: Indicators that have one of the observable types in this list at creation will match the rule. An empty list means that the rule matches any Indicator.
* Lifetime (in days): the duration in days that the score will take to reach zero following the curve algorithm.
* Decay factor: this parameter defines the shape of the decay curve. A value below 0.33 gives a slow decrease at the beginning, while a value above 0.33 gives a faster decrease.
* Reaction point: the score that will trigger an update of the Indicator score in the database, so that it can be reacted upon.
* Revoke score: the score that will trigger a revocation of the Indicator. The Indicator is revoked at the first of two events: reaching the revoke score, or reaching the valid_until date.
* Order: the priority order. If the Indicator’s main observable type matches several rules, the rule with the highest priority is taken. When two rules match with the same priority, one of them is selected randomly.

Next steps

In the future, we want to upgrade the Decay feature further! For example, it could be a great idea to take into account, in the score’s evolution, when a sighting is added to an Indicator. It could also be great to define more precise filters, based on other properties like markings. Let us know what you think of it in our Community Slack channel!

Reference documentation:
Usage: https://docs.opencti.io/latest/usage/indicators-lifecycle
Administration: https://docs.opencti.io/latest/administration/decay-rules/
Managers configuration: https://docs.opencti.io/latest/deployment/configuration/#engines-schedules-and-managers
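As an added example (not code from OpenCTI or from this article), here is a small Python model of the rule selection steps and the rule parameters described above: main observable type matching with fallback to a catch-all rule, the highest order winning, reaction points turned into dated score steps, and revocation at whichever comes first of the revoke score or valid_until. The curve shape is an assumption: a MISP-style polynomial chosen so that a decay factor of 0.33 gives a near-linear decrease, consistent with the article's description; the rules and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DecayRule:
    name: str
    observable_types: list   # empty list = matches any Indicator
    lifetime_days: int       # days for the score to reach zero
    decay_factor: float      # 0.33 ~ linear; below = slow start, above = fast start (assumed curve)
    reaction_points: list    # scores at which the stored score is updated
    revoke_score: int
    order: int               # higher order wins when several rules match

def select_rule(rules, main_observable_type):
    """Highest-order rule for the type; otherwise highest-order catch-all rule (empty type list)."""
    candidates = [r for r in rules if main_observable_type in r.observable_types]
    if not candidates:
        candidates = [r for r in rules if not r.observable_types]
    return max(candidates, key=lambda r: r.order) if candidates else None

def score_at(rule, start_score, days):
    """Assumed MISP-style polynomial curve: start * (1 - (t/lifetime) ** (1 / (3 * factor)))."""
    if days <= 0:
        return float(start_score)
    if days >= rule.lifetime_days:
        return 0.0
    return start_score * (1 - (days / rule.lifetime_days) ** (1 / (3 * rule.decay_factor)))

def days_to_reach(rule, start_score, target):
    """Inverse of score_at: days after the start date at which the curve hits `target`."""
    if target >= start_score:
        return 0.0
    if target <= 0:
        return float(rule.lifetime_days)
    return rule.lifetime_days * (1 - target / start_score) ** (3 * rule.decay_factor)

def lifecycle(rule, start_score, start_date, valid_until=None):
    """(date, score) steps written to the database; the last step is the revocation.
    A manual score update restarts the lifecycle: call this again with the new score and date."""
    revoke_at = start_date + timedelta(days=days_to_reach(rule, start_score, rule.revoke_score))
    if valid_until is not None and valid_until < revoke_at:
        revoke_at = valid_until   # whichever event comes first revokes the Indicator
    steps = [(start_date + timedelta(days=days_to_reach(rule, start_score, p)), p)
             for p in sorted(rule.reaction_points, reverse=True)
             if rule.revoke_score < p < start_score]
    steps = [s for s in steps if s[0] < revoke_at]   # steps after revocation never happen
    return steps + [(revoke_at, rule.revoke_score)]

# Constructed rules mirroring the article: built-ins at order 0/1, a custom rule at order 2.
RULES = [
    DecayRule("catch-all", [], 365, 1/3, [75, 50, 25], 20, 0),
    DecayRule("builtin-domain", ["Domain-Name"], 180, 1/3, [75, 50, 25], 20, 1),
    DecayRule("custom-domain-fast", ["Domain-Name"], 30, 1/3, [75, 50, 25], 20, 2),
]
```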