How does DocIntel compare to other Threat Intelligence Platforms?
Most threat intelligence platforms focus on technical indicators. They abstract the knowledge about a threat into a specific model; this is called domain modeling. The model leaves out details to enable metrics, visualization and analysis. Analysts then identify patterns and trends, or export relevant indicators to detection systems. But to build these models, you need knowledge.
DocIntel is not focused on technical indicators or domain modeling. It focuses on the information and knowledge that enable technical indicators to be identified or models to be created. DocIntel makes all of that information available to your CTI team. It complements other Threat Intelligence Platforms by providing the necessary material for the next steps.
DocIntel and MISP
MISP is an open source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence. Its biggest focus is on sharing structured indicators of compromise.
DocIntel does not help you model threats with attributes, objects and connections, or build timelines. DocIntel does not enable information sharing outside your organization. However, DocIntel benefits from the MISP project: you can import MISP warning lists, taxonomies and galaxies into DocIntel. Compared to MISP, DocIntel includes an efficient full-text search that provides relevant and tailored results. PDF reports are readable by users within the platform. DocIntel also provides more fine-grained control over who can access what information.
DocIntel and OpenCTI
OpenCTI is an open source threat intelligence platform focused on cyber threat intelligence knowledge and observables management. The platform is focused on domain modeling, abstracting threats into a knowledge hypergraph that connects pieces of information together. The data model is based on the STIX2 standard. OpenCTI provides advanced metrics and visualizations.
DocIntel is not focused on data modeling. Observables are extracted and related to threat reports, but these elements are not connected to each other within the platform. DocIntel does not provide tools and features to extract metrics about the most active actors, or visualizations showing overlaps in attackers' infrastructure. Instead, DocIntel helps analysts manage the knowledge needed for the analysis. It also helps in finding the original threat report with all the details, without abstraction or filtering. The information available in DocIntel is not constrained by the STIX2 format, but it will help your organization populate your OpenCTI instance.