
Keep multiple versions of an attribute (e.g. description of an intrusion set)

Open 2xyo opened this issue 4 years ago • 0 comments

Problem to Solve

I have multiple CTI feed providers (with one feed = one OpenCTI connector). Each connector erases/updates the description field of intrusion set objects at a regular interval. It's annoying.

However, I would like to keep the description of every CTI feed provider for each intrusion set. Moreover, I would also like to maintain a "personal/local" description for each intrusion set.

Currently, it's not possible because we just keep the last version of the description.

Current partial workaround

Consult the history of the description field.

Proposed Solution

  • Keep multiple versions of the description in the Intrusion Set object:
    • the "source of truth" is still the description
    • for each connector, keep the description in a new attribute like x_opencti_alternative_description = [ { 'created_by_ref': 'the description of CTI vendor A'},{ 'created_by_ref': 'the description of CTI vendor B'}, {...} ]
  • When a TAXII collection is created, allow the user to configure whether x_opencti_alternative_description should be concatenated at the end of the description field for compatibility purposes.

2xyo, Jul 20 '21 09:07
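The data model proposed in the issue above, as an added example that is not OpenCTI code and not part of the original post. It assumes each list entry is keyed by the source's identity id (the created_by_ref), that a connector only fills description when it is empty, and that the function names and sample values are hypothetical.

```python
import copy

ALT_KEY = "x_opencti_alternative_description"  # attribute name proposed in the issue


def record_description(entity, created_by_ref, description):
    """Store one source's description without overwriting the others.

    Assumption: `description` is only filled when empty, so a later feed
    run cannot erase a curated/local text.
    """
    alternatives = entity.setdefault(ALT_KEY, [])
    for entry in alternatives:
        if created_by_ref in entry:
            entry[created_by_ref] = description  # same source: update in place
            break
    else:
        alternatives.append({created_by_ref: description})
    if not entity.get("description"):
        entity["description"] = description
    return entity


def export_for_taxii(entity, concatenate=False):
    """Return a copy for a TAXII collection; optionally append alternatives."""
    out = copy.deepcopy(entity)
    if concatenate and out.get(ALT_KEY):
        parts = [out.get("description", "")]
        for entry in out[ALT_KEY]:
            for source, text in entry.items():
                if text != out.get("description"):  # skip a copy of the primary text
                    parts.append(f"[{source}] {text}")
        out["description"] = "\n\n".join(p for p in parts if p)
    return out


# Constructed sample data: identity ids and texts are placeholders.
VENDOR_A = "identity--aaaaaaaa-0000-4000-8000-000000000001"
VENDOR_B = "identity--bbbbbbbb-0000-4000-8000-000000000002"


def demo():
    intrusion_set = {"type": "intrusion-set", "name": "Example Set",
                     "description": "Local analyst notes."}
    record_description(intrusion_set, VENDOR_A, "Vendor A text, first run.")
    record_description(intrusion_set, VENDOR_B, "Vendor B text.")
    record_description(intrusion_set, VENDOR_A, "Vendor A text, second run.")
    return intrusion_set, export_for_taxii(intrusion_set, concatenate=True)
```

With concatenation off, the exported copy keeps the primary description unchanged and still carries the per-source list as a custom property.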