OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Add a default confidence level for groups and users #8446

Open seanthegeek opened 1 week ago

seanthegeek commented 1 week ago

Use case

Add a default confidence level for groups and users. That way human users are less likely to accidentally set things to a confidence level of 100 while still having the ability to set a confidence level of 100 when it is justified.

nino-filigran commented 6 days ago

Hi @seanthegeek, could you elaborate just a bit more? I'm not sure I fully understand. We already have a few mechanisms that help you manage your confidence level:

To me, your request shows that the confidence level that your users apply is not the one you expect... Which basically means that their max confidence level is too high if they make such mistakes.

seanthegeek commented 6 days ago

Currently, when a user creates content, it is set to that user's maximum confidence level unless the user sets that content to a lower value. A user might only need to set something to that high of a confidence level on rare occasions. Having a default confidence level will prevent mistakes if a user forgets to change a confidence level before creating an object, while still allowing the user to set a high confidence level when needed.

ckane commented 6 days ago

I think what @seanthegeek is suggesting here is a case where the platform may have a range of users of various levels of expertise. So a team's standard protocol may be, for example, to tell the users:

If no confidence information comes in with a piece of intelligence, then set its confidence level to 50 or 75

This would allow such users to still record intel at higher confidence levels, but the current design requires them to remember to always take a step to drop the confidence to a middle value for "unknown confidence, so far".

I think it would make sense for platform owners to set this at the user and group (role? I can't remember which has max conf. today) levels. Additionally, when using it with connectors, this "default" value could be used to determine the level at which confidence is recorded from a connector's external source, when upstream data has no confidence level or criteria recorded. Today this is often handled by a connector hard-coding a singular value, when the upstream source doesn't record confidence, or doesn't always record confidence. In these cases, a platform owner cannot (easily) override this today without blanket-enforcing a max confidence.
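
The behaviour discussed in this thread, as an added sketch that is not OpenCTI code and not written by any participant: it contrasts today's fallback (missing confidence becomes the creator's maximum) with the requested default, for both a human user and a connector feed. The `ConfidencePolicy` class, its field names, the 0..100 range check, the capping of supplied values at the maximum, and the sample feed are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConfidencePolicy:
    """Hypothetical settings for a user, group or connector (not OpenCTI's schema)."""
    max_confidence: int
    default_confidence: Optional[int] = None  # the setting requested in this issue

    def __post_init__(self):
        for name in ("max_confidence", "default_confidence"):
            value = getattr(self, name)
            if value is not None and not 0 <= value <= 100:
                raise ValueError(f"{name} must be in 0..100, got {value}")
        # A default above the ceiling could never be applied, so reject it early.
        if self.default_confidence is not None and self.default_confidence > self.max_confidence:
            raise ValueError("default_confidence cannot exceed max_confidence")


def resolve_confidence(policy: ConfidencePolicy, supplied: Optional[int]) -> int:
    """Return the confidence to record for one object."""
    if supplied is None:
        # Requested behaviour: use the configured default when nothing was supplied.
        if policy.default_confidence is not None:
            return policy.default_confidence
        # Behaviour described in the thread today: fall back to the maximum.
        return policy.max_confidence
    if not 0 <= supplied <= 100:
        raise ValueError(f"confidence must be in 0..100, got {supplied}")
    # Assumption: an explicit value is honoured but capped at the maximum.
    return min(supplied, policy.max_confidence)


def apply_policy(objects, policy):
    """Resolve confidence for every object in a feed without mutating the input."""
    return [{**obj, "confidence": resolve_confidence(policy, obj.get("confidence"))}
            for obj in objects]


# Constructed sample feed: the second entry has no upstream confidence.
SAMPLE_FEED = [
    {"name": "indicator-a", "confidence": 90},
    {"name": "indicator-b"},
    {"name": "indicator-c", "confidence": 100},
]

if __name__ == "__main__":
    today = ConfidencePolicy(max_confidence=100)
    proposed = ConfidencePolicy(max_confidence=100, default_confidence=50)
    print([o["confidence"] for o in apply_policy(SAMPLE_FEED, today)])
    print([o["confidence"] for o in apply_policy(SAMPLE_FEED, proposed)])
```

With a default configured, an object that arrives without confidence is recorded at the middle value, while an explicit 100 is still accepted when the maximum allows it.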