Authoring Tool
The CTI Blueprints Authoring Tool is a web application for creating CTI reports based on the CTI Blueprints templates.
The easiest way to get started is to run the authoring tool in your browser–no installation required:
For advanced users who want to run the tool locally, download the latest release, extract `cti_authoring_tool.zip` to a location of your choosing, and double-click `index.html` to open the tool in your web browser.
The Authoring Tool supports a growing number of features which make authoring reports quicker and simpler.
Anytime you open the application, the splash page will aid you in choosing the template that suits your current requirements. This page also allows you to open previously saved reports.
To help avoid input errors, the Authoring Tool limits each field to a specific data type. This ensures that date fields like Date Reported only receive a date, number fields like CVE Score only receive a number, and enumeration fields like Patch Available only receive one of two values. Strictly typed fields are designed to guide your authoring process and prevent you from making simple mistakes and easy-to-miss typos.
Currently, the tool supports 7 unique field types:
| Type | Examples |
|---|---|
| Text | `Hello World`, `You can write anything`, `Your text here` |
| Integer | `1`, `12`, `100` |
| Float | `0.5`, `1.333`, `37.2` |
| Date | `Jun 11, 2023`, `May 2, 2023`, `Apr 12, 2023` |
| Time | `01:00`, `12:05`, `22:30` |
| Date + Time | `Jun 11, 2023 - 01:00`, `May 2, 2023 - 12:05`, `Apr 12, 2023 - 22:30` |
| Enumeration | `['Yes', 'Maybe', 'No']`, `['True', 'False']`, `['Great', 'Good', 'Fair', 'Bad']` |
Nobody likes having to scroll through long dropdown lists looking for what they need. That’s why the Authoring Tool provides rich dropdown navigation and options filtering. Simply click on a dropdown and begin typing to filter the available options, scroll (or use the up/down arrow keys) to navigate, and click (or press Enter) on an option to select it.
When it comes to tables, the Authoring Tool makes it easy to duplicate, reorder, and delete rows with a click. This is especially useful when managing sophisticated tables which may contain anywhere from 5 to 7 fields per row.
The Authoring Tool keeps a complete history of all the changes you make to a document. If you’ve made a mistake or want to go back to an earlier version, simply go to `Edit > Undo` (or use the shortcut `Ctrl + Z`). Alternatively, if you’ve undone too much and want to advance forward through the edit history, simply go to `Edit > Redo` (or use the shortcut `Ctrl + Y`).
Whether you’ve finished your report or want to come back to it later, select `File > Save` (or use the shortcut `Ctrl + S`) to save a copy of the report to your computer. The Authoring Tool will download a JSON file which is easily parsed by other applications including the CTI Blueprints Publishing Tool. If you want to edit a previously saved document, select `File > Open File…` (or use the shortcut `Ctrl + O`), choose the previously saved JSON file, and pick up right where you left off.
You can switch between multiple documents in the editor by using the tabs at the bottom of the application. These tabs allow you to choose which document to focus on and close documents you are no longer using.
Looking to expand your editing experience? Select `View > Fullscreen` to put the editor into Fullscreen mode.
The Authoring Tool is designed to be extendable to suit your unique requirements. To that end, the Authoring Tool allows you to install custom plugins which enhance its functionality. The Authoring Tool's Plugin API supports a wide range of features which makes it easy to craft custom behaviors. With the Plugin API, you can write a plugin to upload a log file from your firewall into an IOC Table; auto-recommend a Report Number according to your organization's policies; or provide feedback when the Executive Summary fails to meet specific requirements. Currently, the tool comes pre-installed with 3 plugins out-of-the-box.
This plugin enables you to upload a published Attack Flow document (where applicable) to automatically populate MITRE ATT&CK tactics, techniques, and sub-techniques. It is particularly useful when you already have an existing Attack Flow built out and want to include a list of TTPs in your report.
If you haven't already, open an Attack Flow Builder file (`.afb`) in the Attack Flow Builder. Under `File` select `Publish Attack Flow` to save the published Attack Flow file.
Back in the Authoring Tool, select `Import from Attack Flow` on any field that supports the plugin.
Choose your published Attack Flow File (`.json`).
And just like that, the plugin automatically populates a list of tactics, techniques, and sub-techniques.
This plugin automatically populates any table from a CSV (Comma Separated Value) file. It is particularly useful when you have pre-existing data already available and want to incorporate it into the document.
First, copy the name of each field you want to populate into a spreadsheet editor of your choosing. Each field should be given its own column.
Proceed to fill out the table with one entry per line.
Save the file as a `.csv` file.
Back in the Authoring Tool, select `Import from CSV`.
Choose your `.csv` file.
And with that, your table will now be filled with the entries from your CSV file.
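A pre-import check for the CSV steps above, using the field types and example formats listed in the field-type table (an added example, not part of the Authoring Tool or its Plugin API). The names `validate_csv`, `CHECKS` and `SCHEMA` are hypothetical, as are the `Yes`/`No` options, treating CVE Score as a float, and placing these three fields in one table; the date and time formats are read off the table's examples.

```python
import csv
import io
import re
from datetime import datetime

DATE_FMT, TIME_FMT = "%b %d, %Y", "%H:%M"  # formats shown in the field-type table

def _regex(pattern, label):
    def check(v):
        if not re.fullmatch(pattern, v):
            raise ValueError(f"not {label}")
    return check

CHECKS = {  # one checker per non-enumeration type; each raises ValueError on bad input
    "text": lambda v: None,
    "integer": _regex(r"[+-]?[0-9]+", "an integer"),
    "float": _regex(r"[+-]?([0-9]+\.?[0-9]*|\.[0-9]+)", "a decimal number"),
    "date": lambda v: datetime.strptime(v, DATE_FMT),
    "time": lambda v: datetime.strptime(v, TIME_FMT),
    "datetime": lambda v: datetime.strptime(v, f"{DATE_FMT} - {TIME_FMT}"),
}

# Constructed schema and sample rows (assumptions, see the lead-in).
SCHEMA = {"Date Reported": "date", "CVE Score": "float", "Patch Available": ["Yes", "No"]}
SAMPLE = '''Date Reported,CVE Score,Patch Available
"Jun 11, 2023",9.8,Yes
2023-05-02,7.5,No
"Apr 12, 2023",high,Maybe
'''

def validate_csv(text, schema):
    """Return [(line, column, problem)]; schema maps column -> type name or list of options."""
    reader = csv.DictReader(io.StringIO(text), restval="")
    problems = [(1, c, "column missing from header or not in schema")
                for c in sorted(set(schema) ^ set(reader.fieldnames or []))]
    for row in reader:
        if None in row:  # DictReader files surplus cells under the key None
            problems.append((reader.line_num, "*", "more cells than header columns"))
        for col, kind in schema.items():
            value = row.get(col, "")
            if value == "":
                continue  # blank or absent cell: left for the author to fill in
            try:
                if isinstance(kind, list) and value not in kind:
                    raise ValueError(f"not one of {kind}")
                if isinstance(kind, str):
                    CHECKS[kind](value)
            except ValueError as exc:
                problems.append((reader.line_num, col, str(exc)))
    return problems
```

Calling `validate_csv(SAMPLE, SCHEMA)` reports the ISO-formatted date on line 3 and the non-numeric score and out-of-range option on line 4, so the file can be corrected before it is imported.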
This plugin automatically creates a link to the appropriate controls in D3FEND for each given TTP. This plugin eliminates the need to look up each D3FEND control and manually paste the link in yourself.
Simply select any technique or sub-technique...
...and the D3FEND link will automatically populate for you.