CIF can apply a confidence value to a whole feed. My understanding is that it does not have the ability to apply confidence to individual items within a feed. As it exists right now, if you have indicators of compromise that you have varying confidence in, you would have to run an instance of CIFGlue for each of those confidence levels and configure CIF to pull from each of those instances. This is not ideal.
The proposed enhancement is to allow an investigator to enter an indicator of compromise into CIFGlue and also specify a confidence level. Discussion needs to be held around whether that confidence should be a % or a high/medium/low selector. CIFGlue should then produce feeds at these different levels for CIF to ingest.
So we would have feeds for malware-high.rss, malware-medium.rss, malware-low.rss, other-high.rss, other-medium.rss, other-low.rss, etc.
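A sketch of the per-confidence feed split proposed above, as an added example that is not CIFGlue's own code. The function names, the indicator dictionary layout, and the 85/65 percentage cut-offs are assumptions; it accepts either a percentage or a high/medium/low selector, since the issue leaves that choice open.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

LEVELS = ("high", "medium", "low")
CATEGORY_RE = re.compile(r"^[a-z0-9]+$")  # category becomes part of a file name

def to_level(confidence):
    """Map a selector string or a 0-100 percentage to a level.
    The 85/65 cut-offs are assumed for illustration only."""
    if isinstance(confidence, str):
        level = confidence.strip().lower()
        if level not in LEVELS:
            raise ValueError(f"unknown confidence level: {confidence!r}")
        return level
    if isinstance(confidence, bool) or not 0 <= confidence <= 100:
        raise ValueError(f"confidence out of range: {confidence!r}")
    return "high" if confidence >= 85 else "medium" if confidence >= 65 else "low"

def build_feeds(indicators):
    """Return {filename: rss_xml}, one feed per (category, level) bucket."""
    buckets = defaultdict(list)
    for ind in indicators:
        if not CATEGORY_RE.match(ind["category"]):
            raise ValueError(f"invalid category: {ind['category']!r}")
        buckets[(ind["category"], to_level(ind["confidence"]))].append(ind)
    feeds = {}
    for (category, level), items in sorted(buckets.items()):
        rss = ET.Element("rss", version="2.0")
        channel = ET.SubElement(rss, "channel")
        title = f"{category} indicators ({level} confidence)"
        ET.SubElement(channel, "title").text = title
        for ind in items:
            item = ET.SubElement(channel, "item")
            ET.SubElement(item, "title").text = ind["value"]
            ET.SubElement(item, "description").text = ind.get("note", "")
        feeds[f"{category}-{level}.rss"] = ET.tostring(rss, encoding="unicode")
    return feeds

# Constructed sample indicators (documentation-reserved values, not real IoCs).
SAMPLE = [
    {"category": "malware", "value": "malware.example.com", "confidence": "high"},
    {"category": "malware", "value": "192.0.2.10", "confidence": 70},
    {"category": "other", "value": "198.51.100.7", "confidence": "Low"},
    {"category": "malware", "value": "cdn.example.net", "confidence": 95},
]

if __name__ == "__main__":
    for name, xml in build_feeds(SAMPLE).items():
        print(name, xml.count("<item>"), "item(s)")
```

Each generated file can then be registered in CIF as its own feed with the matching feed-wide confidence value.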