Fill Opinion Details
An Opinion is an assessment of the accuracy or reliability of information within a STIX Object produced by another entity. The key element is the opinion property, which reflects the level of agreement or disagreement on a fixed scale, allowing for consistency in statistical analysis.
For example, an analyst may "strongly disagree" with a Campaign object and explain why. In an automated workflow, a SOC operator might give an Indicator a low rating (e.g., "one star"), indicating disagreement or that the Indicator is considered a false positive in their environment. Since opinions are subjective, it's up to sharing communities to provide clear guidelines on interpreting and using Opinion objects.
Because Opinions are often created by human analysts, they include a property to identify the analyst(s) who authored the opinion, which is separate from the created_by_ref property that tracks the organization responsible for creating the object.
The opinion component contains the following:
Basic Details
Common Fields
Custom Attributes
Object Reference
External References
Basic Details
Field Name | Required | Description |
|---|---|---|
Opinion | Mandatory | The perspective held by the producer regarding all the STIX Object(s) referenced in the object_refs property. |
Author(s) | Optional | The name(s) of the author(s) of this opinion, such as the analyst(s) who created it. |
Explanation | Optional | A rationale for why the producer holds this opinion. For instance, if the opinion is strongly disagree, the explanation may include the reasons for the disagreement and the evidence supporting this stance. |
Common Fields
Field Name | Description |
|---|---|
Tags | Specify the tags for the opinion. |
TLP | Specify the TLP of the opinion, such as RED, AMBER, GREEN, WHITE, and NONE. |
Confidence | Specify the confidence score for the opinion. |
Custom Scores | This field allows for the assignment of scores to threat data objects based on factors that influence the lifecycle of indicators of compromise (IOCs), such as relevance, severity, and risk. Custom scores aid analysts in prioritizing their analysis, guiding actions, and facilitating the sharing of threat intelligence. |
Created by Reference | Specify the entity that created the CTIX object. |
Revoked | Select this option to mark the component as revoked or invalid. |
Custom Attributes
Field Name | Description |
|---|---|
Add Custom Attribute | Specify the additional information that helps in improving the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for the report. |
Object References
Field Name | Description |
|---|---|
Select SDO Type | Specify the STIX Objects that are referred to by this STIX component. |
External Reference
Field Name | Description |
|---|---|
Source Name | Enter a source name. |
Description | Enter a description. |
External ID | Enter an external ID. |
URL | Enter the URL of the external reference. |
Hash Type | Select the hash type. |
Hash Value | Enter the hash value. |