[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Opinion Object Proposal
Hi All,As I've mentioned many times over the last year I firmly believe we need a way for third parties to agree or disagree with the threat intelligence they have received. If Org A has released a high confidence relationship between ActorX and Campaign G, and Org B knows that the relationship is wrong, then they need a way of signalling that to the community, so that community members don't blindly accept what Org A has released.Since late last year I've been suggesting we need an Opinion object. And today I took the step of writing up what that would look like.I would like to propose that we add this to the draft as proposal, and that we include it in the MVP release.1.2.Opinion
Type Name: opinion
Status: Proposal
MVP: Undecided
The Opinion object is used to convey the Object creator's opinion about another object produced by a third-party. It will allow each organization to agree or disagree with another organization's assertions, and ultimately will enable consumers to collect and understand the collective opinions of the community about the quality of the threat intelligence they have received.
This is the first step towards consumers being able to crowdsource the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of third party agreement and which are contentious.
1.2.1. Properties
STIX TLO Common Properties
type, id, created_by_ref, revision, created_time, modified_time, revoked, revision_comment, object_markings_refs, granular_markings
Property Name
Type
Description
type (required)
string
The value of this field MUST be opinion
description (optional)
string
A description that provides the recipient with reasoning to back up the opinion identified in this Opinion object.
object_ref(required)
identifier
The id of the object that the Opinion refers to. This id can be any other STIX TLO except another Opinion object.
opinion(required)
list of type controlled-vocab
The opinion that the producer has about the object listed in the object_ref field. This is one of the following options:
"strongly-agree"
"agree"
"neutral"
"disagree"
"strongly-disagree"
"no-opinion"
1.2.2. Source Relationships
These are the relationships defined between the Opinion Object and other objects.
STIX TLO Common Relationships
duplicate-of, related-to
1.2.3. Destination Relationships
These are the relationships defined between other objects and the Opinion Object.
Kind of Relationship
Source Type
Description
evidence-of
observation
Relates the Observation to an Opinion providing the evidence that the opinion was based on. This observation is evidence of why the organization formed the opinion it did about the threat intelligence contained within the object_ref field.
CheersTerry MacDonald | Chief Product Officer
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]