Release new documentations
Samuel Hassine committed Jun 30, 2019
1 parent 20ece07 commit 503a8c7
Showing 11 changed files with 212 additions and 0 deletions.
16 changes: 16 additions & 0 deletions opencti-documentation/docs/getting-started/achitecture.md
@@ -0,0 +1,16 @@
---
id: architecture
title: Architecture of the application
sidebar_label: Architecture
---

The OpenCTI platform relies on several external databases and services in order to work.

![Architecture](assets/getting-started/architecture.png "Architecture")

## The GraphQL API

The API is the central part of the OpenCTI platorm, allowing the *clients* (including the *frontend*) to interact with the *databases* and the *brokers*.

[documentation on the tool](https://opencti-platform.github.io/docs)

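Review bot: the new file's path is misspelled (`docs/getting-started/achitecture.md`) while its front matter declares `id: architecture`, so any page linking to `getting-started/architecture` will not match the file on disk; rename it to `architecture.md` before publishing. In the body, "platorm" should be "platform". The page also stops after the single GraphQL API subsection even though its opening sentence says the platform relies on several external databases and services, and those only appear in the image; add a short subsection for each component the API paragraph names (the databases and the brokers) or mark the page as a stub so readers do not take one section as the complete architecture. The closing `[documentation on the tool](https://opencti-platform.github.io/docs)` link sits alone with no sentence saying what it documents; give it one.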
52 changes: 52 additions & 0 deletions opencti-documentation/docs/getting-started/introduction.md
@@ -0,0 +1,52 @@
---
id: introduction
title: Introduction
sidebar_label: Introduction
---

![](assets/getting-started/logo.png)
---

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.

The structuration of the data is performed using a knowledge schema based on the [STIX2 standards](https://oasis-open.github.io/cti-documentation/). It has been designed as a modern web application including a [GraphQL API](https://graphql.org) and an UX oriented frontend. Also, OpenCTI can be integrated with other tools and applications such as [MISP](https://github.com/MISP/MISP), [TheHive](https://github.com/TheHive-Project/TheHive), [MITRE ATT&CK](https://github.com/mitre/cti), etc.

![Screenshot](assets/getting-started/screenshot.png "OpenCTI")

## Objective

The goal is to create a comprehensive tool allowing users to capitalize technical (such as TTPs and observables) and non-technical information (such as suggested attribution, victimlogy etc.) while linking each piece of information to its primary source (a report, a MISP event, etc.), with features such as links between each information, first and last seen dates, levels of confidence etc. The tool is able to use the [MITRE ATT&CK framework](https://attack.mitre.org) (through a [dedicated connector](https://github.com/OpenCTI-Platform/connectors)) to help structure the data. The user can also chose to implement its own datasets.

Once data has been capitalized and processed by the analysts within OpenCTI, new relations [may be inferred](../usage/inferences) from existing ones to facilitate the understanding and the representation of this information. This allow the user to extract and leverage meaningful knowledge from the raw data.

OpenCTI not only allows [imports](guides/import-data) but also [exports of data](guides/export-data) under different formats (CSV, STIX2 bundles, etc.). [Connectors](https://github.com/OpenCTI-Platform/connectors) are currently developped to accelerate interactions between the tool and other platforms.

## Demonstration

If you wish to discover how the OpenCTI platform is working, a [demonstration instance](https://demo.opencti.io) is available and open to everyone. This instance is reset every night and is based on reference data maintened by the OpenCTI developers.

## Releases download

The releases are available on the [Github releases page](https://github.com/OpenCTI-Platform/opencti/releases). You can also access to the [rolling release package](https://releases.opencti.io) generated from the mater branch of the repository.

## Installation

You have 3 options to install the OpenCTI platform, depending of your needs:

* [Use Docker](../installation/docker) (recommanded)
* [Install manually](../installation/manual)
* [Install for development](../development/installation)

## Community

### Status & bugs

Currently OpenCTI is under heavy development, if you wish to report bugs or ask for new features, you can directly use the [Github issues module](https://github.com/OpenCTI-Platform/opencti/issues).

### Discussion

If you need support or you wish to engage a discussion about the OpenCTI platform, feel free to join us on our [Slack channel](https://slack.luatix.org). You can also send us an email to contact@opencti.io.

## About

OpenCTI is a product powered by the collaboration of the [French national cybersecurity agency (ANSSI)](https://ssi.gouv.fr), the [CERT-EU](https://cert.europa.eu) and the [Luatix](https://www.luatix.org) non-profit organization.
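Review bot: the `---` placed directly under the logo image turns the image line into a setext-style level-2 heading in CommonMark; put a blank line between them if a horizontal rule was intended. Relative links are inconsistent: `../usage/inferences` and `../installation/docker` are written relative to `docs/`, whereas `guides/import-data` and `guides/export-data` are not, so from this file's location in `docs/getting-started/` they resolve to `getting-started/guides/...`; pick one convention. Spelling and grammar to fix: "an UX" → "a UX", "victimlogy" → "victimology", "chose" → "choose", "its own datasets" → "their own datasets", "This allow" → "This allows", "developped" → "developed", "maintened" → "maintained", "access to the" → "access the", "mater branch" → "master branch", "depending of" → "depending on", "recommanded" → "recommended". In the Demonstration section, since the instance is stated to be open to everyone and reset nightly, add one sentence telling readers not to load real or sensitive intelligence into it; as written, nothing discourages testing with production data on a shared public host.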
61 changes: 61 additions & 0 deletions opencti-documentation/docs/usage/model.md
@@ -0,0 +1,61 @@
---
id: model
title: Data model
sidebar_label: Data model
---

Even if the OpenCTI data model is based on [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) and you are already familiar with it, you should read this section to understand how we have implemented this model and what make the OpenCTI platform unique (even if some features described here are not available in the frontend yet).

## The hypergraph

The OpenCTI data model needs a database that implements the [hypergraph theory](https://en.wikipedia.org/wiki/Hypergraph). We made this choice because we want, now and in the future, to be able to modelize the full understanding of a threat or a campaign without limitation. We selected [Grakn Core Server](http://grakn.ai) as our main database backend because it really fits our needs to implement the model we designed. Here are some useful information about the OpenCTI graph model.

### Hierarchical entities

Entities are not all at the same level, we have implemented both abstract entities (normal entities inheritates of their attributes) and sub-entities (that inheritates attributes from other entities). So for instance, we have an entity named `Stix-Domain-Entity` that has a `name` and a `description`, and an other entity `Tool` which is a child of `Stix-Domain-Entity` and has the specific attribute `tool_version`.

```
Stix-Domain-Entity sub entity,
abstract,
has name,
has description;
```

```
Tool sub Stix-Domain-Entity,
has tool_version;
```

This allow database query to select all `Stix-Domain-Entity` instances if needed, or just `Tool` instances.

### Relations

Entities could be linked by some relations. A relation is a connection between any number of entities, identified with specific `roles` that defined a relation:

```
origin sub role;
attribution sub role;
attributed-to sub relation,
relates origin,
relates attribution;
Threat-Actor sub Stix-Domain-Entity,
plays origin;
Intrusion-Set sub Stix-Domain-Entity,
plays attribution;
```

This means that you can have this relation:

| Source (*role*) | Relation type | Target (*role*) |
| ------------------------------- | -------------------- | ------------------------------------- |
| Intrusion Set (*attribution*) | **attributed-to** | Threat Actor (*origin*) |

To know more about available relations, please read the [dedicated section](../reference/relations).

###



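Review bot: the file ends with an empty `###` heading followed by blank lines; remove it or add the content it was meant to introduce. The first schema block declares `has name` and `has description` but the attributes `name` and `description` are not defined anywhere on the page, so the two blocks cannot be loaded as shown; either add the attribute definitions or say explicitly that they come from the full schema referenced in the relations section. The sentence "abstract entities (normal entities inheritates of their attributes)" reads as the reverse of what the example shows (the concrete `Tool` inherits from the abstract `Stix-Domain-Entity`); suggest "abstract entities, whose attributes concrete entities inherit, and sub-entities, which inherit attributes from other entities". Also "This allow database query" → "This allows database queries", and "roles that defined a relation" → "roles that define the relation". Both fenced blocks carry no language tag; tagging them with the schema language lets the site highlight them.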
83 changes: 83 additions & 0 deletions opencti-documentation/docs/usage/overview.md
@@ -0,0 +1,83 @@
---
id: overview
title: Overview
sidebar_label: Overview
---

The following document presents some basic explanations on the different platform sections. Its goal is to allow a beginner with OpenCTI to navigate the tool efficiently. This is not a full-fledged user guide and therefore is incomplete.

We are trying to make it evolve along with the platform but you may find some parts behind the lastest evolutions. If it is the case, please don't hesitate to open an [issue](https://github.com/OpenCTI-Platform/opencti/issues/new/choose).

## Sections of the platform

### Knowledge

When you open the platform, you find yourself on the dashboard. The dashboard will fill up progressively as you import data.

![Dashboard](assets/usage/dashboard.png "Dashboard")

On the left side, you can see a menu made of several icons. The upper left one is the one for the dashboard. The grey ones are services which are not yet implemented on the platform but which we are working on (if you are interested in contributing, you can start [here](https://github.com/OpenCTI-Platform/opencti/blob/master/CONTRIBUTING.md))

> The small arrow at the bottom left allows you to unroll the menu in order to see the name for each icon.
![Menu](assets/usage/menu.png "Menu")

Below the dashboard icon, the other icons are for the following services:

#### Threats

This service allows you to go through all the data in the platform organized by threat actors or intrusion sets or campaigns or incidents or malwares. Clicking on one of the matching tab in the upper part of the window allows the user to visualize all the knowledge on one of this entity.

![Intrusion Sets](assets/usage/intrusion_sets.png "Intrusion Sets")

#### Techniques

This tab allows the user to look among all the Techniques, Tactics and Procedures (TTPs) which may be used during an attack. This covers all the kill chain phases as detailed in the [MITRE ATT&CK framework](https://attack.mitre.org/) but also tools, vulnerabilities and identified courses of actions which can be implemented to block theses techniques.

![TTPs](assets/usage/ttps.png "TTPs")

#### Observables

The observable tab contains all the technical observables which may have been seen during an attack, such as infrastructure or file hashes. Only a few categories are available today, but the list is bound to expand. If you wish to contribute to this part, click [here](https://github.com/OpenCTI-Platform/opencti/blob/master/CONTRIBUTING.md).

![Observables](assets/usage/observables.png "Observables")

#### Reports

In this tab are all the reports which have been uploaded to the platform. They will be the starting point for processing the data inside the reports. For more details, refer to the explanations on how [to upload a report](usage/usage-create-reports) and how [to analyze a report](usage/usage-analyze-report).

![Reports](assets/usage/reports.png "Reports")

#### Entities

This tab contains all information organized according to the identified entities, which can be either sectors, regions, organisations etc. targeted by an attack or involved in it. Lists of entities can be synchronized from the [repository](https://github.com/OpenCTI-Platform/datasets) through the OpenCTI connector or can be created internally.

![Entities](assets/usage/entities.png "Entities")

### Exploration and processing

#### Explore

This tab is a bit specific, as it constitute a workspace from which the user can automatically generates graphs, timelines, charts and tables from the data previously processed. This can help compare victimologies, timelines of attacks etc. If you want to know more about this service, you can read the article on [how to use the Explore workspace](#usingtheexploreworkspace)

![Workspaces](assets/usage/workspaces.png "Workspaces")

#### Investigate

This service is currently under construction and will be available soon. If you are interested in contributing to its development, see [here](https://github.com/OpenCTI-Platform/opencti/blob/master/CONTRIBUTING.md).

#### Correlate

This service is currently under construction and will be available soon. If you are interested in contributing to its development, see [here](https://github.com/OpenCTI-Platform/opencti/blob/master/CONTRIBUTING.md).

### Parameters

#### Connectors

In this tab, you can manage the different connectors which are used to upload data to the platform. New connectors are being developed. If you are interested in helping or if you would like to have a connector for a specific service, see [the documentation for dcontributing](https://github.com/OpenCTI-Platform/opencti/blob/master/CONTRIBUTING.md) or [open a feature request](https://github.com/OpenCTI-Platform/opencti/tree/master/.github/ISSUE_TEMPLATE).

![Connectors](assets/usage/connectors.png "Connectors")

#### Settings

In this tab, you can change the parameters, visualize all users, create or manage groups, create or manage tagging (by default, the Traffic Light Protocol is implemented, but you can add your own tagging) and manage the kill chain steps (by default, the kill chainis the one defined in the [MITRE ATT&CK framework](https://attack.mitre.org/)).
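Review bot: the Explore section links to `#usingtheexploreworkspace`, a fragment that matches no heading in this file, so the link is dead; point it at the page that actually holds that article or drop it until one exists. The Reports section links `usage/usage-create-reports` and `usage/usage-analyze-report` from a file that already lives in `docs/usage/`, which resolves to `usage/usage/...`; use the `../usage/...` form the introduction page uses. The blockquote about the small arrow is followed immediately by the `![Menu]` image with no blank line, so the image is rendered inside the quote. The menu paragraph ends without a period after the closing parenthesis. The TTP expansion should read "Tactics, Techniques and Procedures", the standard order behind the acronym. Spelling and grammar: "lastest" → "latest", "malwares" → "malware", "theses" → "these", "dcontributing" → "contributing", "chainis" → "chain is", "it constitute" → "it constitutes", "automatically generates" → "automatically generate", "one of the matching tab" → "one of the matching tabs", "one of this entity" → "one of these entities", "courses of actions" → "courses of action".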