Source Scoring

Updated 8 months ago by Sachit Soni

Having confidence in your intelligence sources is essential to effectively leveraging intelligence as a force-multiplier for your security operations.

But measuring how various intelligence sources are contributing to your security operations is difficult. At TruSTAR we firmly believe that the value of threat intelligence can and should be measured, which is why we’re rolling out a new Source Scoring feature.

TruSTAR_Source-Scoring

Where can I find this feature?

You need to have a private Enclave to take advantage of this feature. The Dashboard will now have a dedicated panel to help you quickly visualize how each intelligence source has scored against your private Enclave data. If you have access to more than one private Enclave, you can select the specific Enclave for which you want to see source scoring.  

Who has access to this feature?

Source scoring is only available to TruSTAR users with private Enclaves. If you’re a free user associated with an ISAC/ISAO and interested in a trial with a private Enclave, click here.

How does this feature work?

The overall score is computed based on enrichment data from IPs, URLs, and Hashes. You can easily visualize the overall score and its breakdown for the different IOC types. The score takes into account whitelisted terms to prevent false positives and noise from affecting the overall score. Each source score is personalized to reports and IOCs in your specific enclave. That’s why each one of your Enclaves can have a different source scoring.

How are the scores calculated?

At a high level, the Source Score is calculated from three different indicator types - IPs, URLs, and Hashes. Each indicator’s score is weighted using the following evaluative criteria:

  • Uniqueness Score - The Uniqueness Score calculates the probability of the intelligence source to provide unique correlations to your Enclave data.
  • Timeliness Score - The Timeliness Score calculates the probability of the intelligence source to provide timely correlations to your Enclave data.

You can read the full technical documentation for this feature here.

What actions can I take based on this data?

You will be able to unsubscribe from sources based on the score and the value they are providing to your analysis workflow. We will also show you open source intelligence that you are not currently utilizing but would be valuable to your Enclave.  

What's next?

We’re starting with IPs, URLs and Hashes, and we will add more IOC types in future releases. We always welcome feedback at support@trustar.co. Reach out to your customer success rep to get a personal demo for your team on this new feature.


How Did We Do?