Hi OpenCTI team,
we are currently evaluating OpenCTI and noticed a limitation regarding how entities are displayed in table/list views.
Current Behavior
In the Observables view, the value shown in the "Representation" column appears to be derived from:
observable_value- internally from
representative.main
For example, with a Network-Traffic observable, the UI currently displays the destination port (443) as the representation value.
However, for analysts this is often not the most meaningful identifier.
Example
Instead of:
we would prefer something more descriptive like:
192.0.2.1 → 192.0.2.42:443
or another analyst-defined label.
Screenshots
Current Representation in Observable List
The table currently displays only the port (443) in the Representation column.
Detailed View Contains Better Context
The detail page already contains a much more useful description:
192.0.2.1 → 192.0.2.42:443
Internal Data Model
The GraphQL response shows:
{
"observable_value": "443",
"x_opencti_description": "192.0.2.1 → 192.0.2.42:443",
"representative": {
"main": "443",
"secondary": "192.0.2.1 → 192.0.2.42:443"
}
}
Problem
Currently there seems to be:
- no way to override
representative.main
- no configurable display field for list/table views
- no custom "display name" mechanism for observables or observed data
This also affects other entities such as:
- Observed Data
- custom observables
- potentially other STIX objects where the default representation is not analyst-friendly
Proposed Feature
Add support for configurable/custom representative values.
Possible implementations could include:
Option 1 — Configurable Display Field
Allow administrators to choose which field is used as the main representation in tables.
Examples:
observable_valuex_opencti_descriptionname- custom field
- computed template
Option 2 — Custom Representative Override
Allow entities to define something like:
"x_opencti_representative": "192.0.2.1 → 192.0.2.42:443"
which would override representative.main.
Option 3 — Representation Templates
Provide entity-type-specific templates, e.g.:
Network-Traffic:
{src_ip} → {dst_ip}:{dst_port}
This would make list views significantly more useful for analysts.
Thanks for considering this feature.
Hi OpenCTI team,
we are currently evaluating OpenCTI and noticed a limitation regarding how entities are displayed in table/list views.
Current Behavior
In the Observables view, the value shown in the "Representation" column appears to be derived from:
observable_valuerepresentative.mainFor example, with a
Network-Trafficobservable, the UI currently displays the destination port (443) as the representation value.However, for analysts this is often not the most meaningful identifier.
Example
Instead of:
we would prefer something more descriptive like:
or another analyst-defined label.
Screenshots
Current Representation in Observable List
The table currently displays only the port (
443) in the Representation column.Detailed View Contains Better Context
The detail page already contains a much more useful description:
Internal Data Model
The GraphQL response shows:
{ "observable_value": "443", "x_opencti_description": "192.0.2.1 → 192.0.2.42:443", "representative": { "main": "443", "secondary": "192.0.2.1 → 192.0.2.42:443" } }Problem
Currently there seems to be:
representative.mainThis also affects other entities such as:
Proposed Feature
Add support for configurable/custom representative values.
Possible implementations could include:
Option 1 — Configurable Display Field
Allow administrators to choose which field is used as the main representation in tables.
Examples:
observable_valuex_opencti_descriptionnameOption 2 — Custom Representative Override
Allow entities to define something like:
which would override
representative.main.Option 3 — Representation Templates
Provide entity-type-specific templates, e.g.:
This would make list views significantly more useful for analysts.
Thanks for considering this feature.