RST CTI Assistant Usage Guide

This document provides detailed instructions on how to use the RST CTI Assistant. The API is designed to work seamlessly with all RST Cloud libraries, datasets, and engines, offering human-like interaction capabilities. It closely mimics OpenAI's API structure and supports the same communication methods, enabling easy integration with any OpenAI-compatible library or tool.

Below, you will find practical examples and comprehensive explanations based on the provided code to help you effectively interact with the RST CTI Assistant.

Prerequisites

- Install the `openai` Python library: `pip install openai`
- For structured outputs, install `pydantic`: `pip install pydantic`
- Obtain an API key from RST (replace `USE_YOUR_API_KEY` with your actual key)

Initializing the Client

To interact with the RST CTI Assistant API, initialize the OpenAI client with the RST endpoint and your API key.

```python
from openai import OpenAI

# Initialize the client
client = OpenAI(
    base_url="https://api.rstcloud.net/v1",
    api_key="USE_YOUR_API_KEY"
)
```


  • base_url: Set to https://ai.rstcloud.net/v1 to point to the RST API.
  • api_key: Your unique API key for authentication.

Making a Basic Chat Completion Request

Use the client.chat.completions.create method to query the API and receive a text response.

Example: Text Response

```python
from openai import OpenAI

# Initialize the client
client = OpenAI(
    base_url="https://api.rstcloud.net/v1",
    api_key="USE_YOUR_API_KEY"
)

# Make a chat completion request
response = client.chat.completions.create(
    model="rst-rag-1",  # or "rst-automation-1"
    messages=[
        {"role": "user", "content": "What threats for MacOS do you know based on the reports for the last year?"}
    ],
    temperature=0.2,
)

# Print the assistant's reply
print(response.choices[0].message.content)
```

Parameters

  • model: Choose rst-rag-1 for general text responses or rst-automation-1 for JSON/structured outputs.
  • messages: A list of dictionaries containing role ("user") and content (your query).
  • temperature: Controls response randomness (0.0 to 1.0; 0.2 is less random).

Output

The response is a text string accessible via response.choices[0].message.content.

Using JSON Mode

The rst-automation-1 model is designed to better handle JSON-formatted responses for structured data. The information and capabilities of the two models are otherwise very similar.

Example: JSON Response

```python
from openai import OpenAI

# Initialize the client
client = OpenAI(
    base_url="https://api.rstcloud.net/v1",
    api_key="USE_YOUR_API_KEY"
)

# Make a chat completion request with JSON response
response = client.chat.completions.create(
    model="rst-automation-1",
    messages=[
        {"role": "user", "content": "What threats for MacOS do you know based on the reports for the last year? Return a json file in the format: threat_name, reference, date as YYYYmmdd "}
    ],
    response_format={"type": "json_object"},
    temperature=0.2,
)

# Print the assistant's reply
print(response.choices[0].message.content)
```

Parameters

  • model: Must be rst-automation-1 for JSON mode.
  • prompt: Explicitly ask for JSON output in your prompt.
  • response_format: Set to {"type": "json_object"} to ensure JSON output.
  • messages and temperature: Same as above.

Output

The response is a JSON string (e.g., {"threat_name": "...", "reference": "...", "date": "YYYYmmdd"}) accessible via response.choices[0].message.content.
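
Before a JSON-mode reply is loaded into a TIP, SIEM or ticketing workflow, it is worth treating it as untrusted input and checking each record against the format requested in the prompt. The following is an added example, not RST Cloud's code; the function names, the accepted reply shapes (single object, list, or an object with an `items` list) and the sample reply are assumptions constructed for illustration.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

REQUIRED = ("threat_name", "reference", "date")

def validate_item(item):
    """Return a list of problems found in one threat record (empty list = valid)."""
    if not isinstance(item, dict):
        return ["record is not a JSON object"]
    problems = [f"missing or non-string field: {k}" for k in REQUIRED if not isinstance(item.get(k), str)]
    if problems:
        return problems
    url = urlsplit(item["reference"])
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("reference is not an http(s) URL")
    try:
        if len(item["date"]) != 8 or not item["date"].isdigit():
            raise ValueError(item["date"])
        datetime.strptime(item["date"], "%Y%m%d")  # rejects month 13, Feb 30, ...
    except ValueError:
        problems.append("date is not a valid YYYYmmdd value")
    return problems

def validate_cti_json(raw):
    """Parse a JSON-mode reply; return (accepted_records, rejected) without raising."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [], [("<reply>", [f"invalid JSON: {exc.msg}"])]
    # Assumption: reply is one record, a list of records, or {"items": [...]}
    if isinstance(data, dict) and isinstance(data.get("items"), list):
        data = data["items"]
    records = data if isinstance(data, list) else [data]
    accepted, rejected = [], []
    for rec in records:
        problems = validate_item(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append(rec)
    return accepted, rejected

# Constructed sample reply (not real API output)
SAMPLE = json.dumps({"items": [
    {"threat_name": "ExampleStealer", "reference": "https://example.com/report", "date": "20240315"},
    {"threat_name": "ExampleRAT", "reference": "javascript:void(0)", "date": "20241301"},
    {"threat_name": "NoDate", "reference": "https://example.com/r2"},
]})
```

Call `validate_cti_json(response.choices[0].message.content)` and ingest only the accepted records; the rejected list keeps each failing record with its reasons for review.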

Using Structured Output with Pydantic

For structured data parsing, use the rst-automation-1 model with Pydantic models and the client.beta.chat.completions.parse method.

Example: Pydantic Structured Response

```python
from openai import OpenAI
from pydantic import BaseModel

# Initialize the client
client = OpenAI(
    base_url="https://api.rstcloud.net/v1",
    api_key="USE_YOUR_API_KEY"
)

# Define Pydantic models
class CTIResponse(BaseModel):
    threat_name: str
    reference: str
    date: str

class CTIResponses(BaseModel):
    items: list[CTIResponse]

# Make a chat completion request with Pydantic parsing
response = client.beta.chat.completions.parse(
    model="rst-automation-1",
    messages=[
        {"role": "user", "content": "What threats for MacOS do you know based on the reports for the last year? Return a json file in the format: threat_name, reference (URL), date (YYYYmmdd) "}
    ],
    response_format=CTIResponses,
    temperature=0.2,
)

# Print the parsed response
print(response.choices[0].message.parsed)
```

Parameters

  • model: Must be rst-automation-1.
  • response_format: Specify a Pydantic model (e.g., CTIResponses) for structured output.
  • messages and temperature: Same as above.

Pydantic Models

  • CTIResponse: Defines a single threat with threat_name (string), reference (URL string), and date (string in YYYYmmdd format).
  • CTIResponses: Wraps a list of CTIResponse objects in the items field.

Output

The response is a Pydantic object accessible via response.choices[0].message.parsed, with attributes like response.choices[0].message.parsed.items containing a list of threat objects.

Notes

  • Keep your API key secure and do not expose it in public repositories.
  • Use rst-automation-1 for JSON or Pydantic responses; rst-rag-1 for plain text.
  • The temperature value (e.g., 0.2) ensures more predictable responses; adjust as needed.
  • The client.beta.chat.completions.parse method requires a compatible OpenAI library version supporting the beta namespace.
  • For an API key or further details, please reach out to support@rstcloud.net.

Best Practices for Working with RST CTI Assistant

You can ask any relevant questions related to Cyber Threat Intelligence.

The RST CTI Assistant supports both high-level strategic inquiries and deep technical analysis. You can start with broad questions and progressively drill down into specific details.

Here are a few examples of the types of questions you can ask:

1.  List names of malware used by APT28 in 2024.

2.  What is the motivation of APT40?

3.  Where is Earth Akhlut from?

4.  Who attacked the U.S. Democratic Party?

5.  Give me the aliases of Lazarus.

6.  Do you have any YARA rules to detect Rhadamanthys?

7.  What skills have the operators of Akira Ransomware shown over the last 2 years?

8.  What industries are under attack by Ransomhub?

9.  Give me a table with a list of threat actors targeting New Zealand.

10.  What is FIN7?

11.  How to attack with WMI?

12.  How was SolarWinds hacked?

13.  What do you know about 209.126.6.227?

14.  How does Lumma Stealer work?

15.  Give me TTPs for Lumma Stealer in a table

16.  Who attacked organisations in Australia in 2024?

17.  What are the most used TTPs by threat actors in France in the second part of the year? Format answer as list.

18.  List malware or ransomware which disable antivirus and how.

19.  Can you give me SIGMA rules for detecting Akira?

20.  Which techniques and tactics are used by Ransomhub?

21.  What groups use the technique t1059?

22.  Who is attacking the hospitality sector in Australia?

23.  Who is attacking telecommunications in Asia?

24.  How can attackers exploit CVE-2024-0012?

25.  What do you know about CVE-2023-34362?

The agent provides answers based on the most relevant and up-to-date reports from RST Cloud's internal intelligence library, for example:

[Image: RST CTI Assistant, example question on malware]

Please contact us for your specific request and other details.

Congratulations! You have successfully configured the RST CTI Assistant.