Fine tune your Confidence Level policy in OpenCTI 6.2
Version 6.0 of OpenCTI introduced the maximum confidence level for users and groups. This feature has given us a powerful tool for managing how the knowledge can be manipulated on the platform, to maximize trust and control.
Here are the main principles:
- Users have a maximum confidence level, inherited from their groups.
- To manipulate knowledge (entities, relationships), a user must have a higher confidence level than the object.
- When creating knowledge in the platform, new objects cannot have a confidence higher than the user’s maximum confidence level.
- Feeds and connectors do their job with the confidence level of their associated user, with the same business rules.
- Confidence level does not affect the ability to view elements in the platform, only the ability to apply changes to the knowledge base.
If you missed this breaking-change, don’t hesitate to check out the dedicated blog post for more details! We describe a complete example of custom confidence policy and how it can be implemented in OpenCTI.
Now, with version 6.2, OpenCTI goes even further by offering the possibility to define a maximum confidence level for a user per entity type.
Let’s take a closer look at how all this works!
Examples of use-cases
Managing the level of confidence depending on expertise and seniority
A group of analysts produces reports for the company. A new analyst has just joined the team, and the team expects it will take them some time to get around the knowledge base and become familiar with the tools. While the Analysts group has a maximum confidence level of 80, we set this specific user to level 20 on the Report entity type, to ensure they do not make unwanted modifications to sensitive information.
The maximum confidence level for Report is set to 20 for this Junior Analyst through the new Confidences tab in the user's edit panel.
Differentiated trust for one knowledge source
The company platform receives a lot of data from different sources: connectors, RSS feeds, live streams. A Connectors group gathers all the users associated with the connectors enabled in the platform and has a maximum confidence level of 50.
A specific connector has proven useful for threat data, such as malware or threat actors, but its incident reports are not trustworthy. The user associated with this connector is given overrides for the Malware (90) and Incident (30) entity types.
Reduce trust for stable knowledge
Some of the knowledge data in the platform can be considered as more stable than others, like Location data for example (Cities, Regions, Countries, Areas).
For that reason, the confidence level for these entity types can be overridden at the level of the default group, so that regular users of the platform cannot modify them once they have been added by a trusted source.
Most users belong to the Default group, whose maximum confidence level is set to 90. We can override this confidence level for the City, Region, Country and Area entity types down to 20. Users belonging to this group will then not be able to update these stable entities by mistake.
User effective confidence level
User and group confidence level configuration should be understood as:
- a maximum confidence level between 0 and 100 (optional for users, mandatory for groups);
- a list of overrides (a max confidence level between 0 and 100) per entity type (optional).
The user’s effective confidence level is the result of combining this configuration from multiple sources (the user and their groups). It is the effective confidence level that is ultimately checked when an operation is made on the knowledge, to allow or deny that operation.
To compute this value, OpenCTI uses this simple strategy:
- the effective maximum confidence level is the highest value found among the user’s groups;
- effective overrides are cumulated from all groups, taking the highest value if several groups set an override on the same entity type;
- if a maximum confidence level is set on the user itself, it overrides everything coming from groups, including the per-entity-type overrides defined at group level;
- if not, but the user has specific overrides per entity type, those override the corresponding per-entity-type confidence levels coming from groups.
Finally, note that if a user has the administrator’s “Bypass” capability, the effective confidence level will always be 100 without overrides, regardless of the group and user configuration on confidence level.
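To make the principles listed at the top of this post and the computation rules above concrete, here is an added illustrative model of the effective confidence level (example code, not OpenCTI's own implementation). The type names, the helper functions and the reading that a user-level maximum keeps the user's own overrides while discarding group overrides are assumptions, as is the strict "higher than the object" comparison taken from the principles above.

```typescript
// Illustrative model of OpenCTI 6.2 effective confidence levels (not the platform's code).
type Overrides = Record<string, number>; // entity type -> max confidence level (0-100)

interface Group { name: string; maxConfidence: number; overrides?: Overrides }
interface User {
  name: string;
  maxConfidence?: number;  // optional for users, mandatory for groups
  overrides?: Overrides;
  groups: Group[];
  bypass?: boolean;        // administrator "Bypass" capability
}
interface Effective { maxConfidence: number; overrides: Overrides }

function effectiveConfidence(user: User): Effective {
  // Bypass capability: always 100, no overrides, whatever the configuration.
  if (user.bypass) return { maxConfidence: 100, overrides: {} };
  // A user-level maximum overrides everything from groups, including group overrides.
  // Assumption: the user's own per-type overrides are kept in that case.
  if (user.maxConfidence !== undefined) {
    return { maxConfidence: user.maxConfidence, overrides: { ...(user.overrides ?? {}) } };
  }
  // Effective maximum: highest value among the user's groups.
  const maxConfidence = Math.max(0, ...user.groups.map((g) => g.maxConfidence));
  // Group overrides are cumulated, keeping the highest value per entity type.
  const overrides: Overrides = {};
  for (const g of user.groups) {
    for (const [type, level] of Object.entries(g.overrides ?? {})) {
      overrides[type] = Math.max(overrides[type] ?? 0, level);
    }
  }
  // User-specific overrides replace the group value for the same entity type.
  Object.assign(overrides, user.overrides ?? {});
  return { maxConfidence, overrides };
}

// Level that applies to one entity type: the override if any, else the effective maximum.
function levelFor(user: User, entityType: string): number {
  const eff = effectiveConfidence(user);
  return eff.overrides[entityType] ?? eff.maxConfidence;
}

// Modifying an existing object requires a level higher than the object's confidence.
function canUpdate(user: User, entityType: string, objectConfidence: number): boolean {
  return levelFor(user, entityType) > objectConfidence;
}

// A new object cannot carry a confidence above the user's level for that type.
function cappedConfidence(user: User, entityType: string, requested: number): number {
  return Math.min(requested, levelFor(user, entityType));
}

// Constructed sample: the Junior Analyst use-case from this post.
const analystsGroup: Group = { name: 'Analysts', maxConfidence: 80 };
const juniorAnalyst: User = { name: 'junior', groups: [analystsGroup], overrides: { Report: 20 } };
console.log(levelFor(juniorAnalyst, 'Report'), levelFor(juniorAnalyst, 'Malware')); // 20 80
```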
Effective confidence level explained
According to your platform confidence policy, users might end up with a complex configuration of groups, max level and overrides. It might be difficult to understand where the maximum value comes from or why there is an override for a specific entity type.
The user’s details view has been updated to make the computation of the effective confidence level easier to understand, with a handy tooltip that shows the source of each value (be it the user or one of their groups).
Conclusion
OpenCTI version 6.2 introduces a feature that allows setting a maximum confidence level for users per entity type, either at the group level or individually for specific users. Notably, this enables better control of the impact of connectors on specific entity types, as well as differentiating trust according to the expertise of your analysts. This granular approach helps tailor permissions to users’ expertise and seniority, as well as to the trustworthiness of the various knowledge sources.
The user’s effective confidence level is the result of combining the user’s and group’s configuration. The system takes into account both the maximum confidence level and the per-entity overrides, with user settings taking precedence over group settings.
We hope this new feature will empower you with the ability to precisely craft confidence policies across your OpenCTI platforms.