4.3 Data Processing: Prioritize

Updated 2 weeks ago by TruSTAR

To determine how “good” or “bad” the Observable is, the next stage is to query your Premium Intelligence and Open Sources for matches with that Observable. These queries return context, such as scores and attributes.

Score Normalization

Each intelligence source uses a different scoring system, making it hard to compare across sources. For example, one source may use 1-10 for severity and another might use text labels such as Benign or Malicious. 

The Pipeline normalizes those different scores using a conversion table so that scores are comparable across different intelligence sources. The total of all these normalized scores is the Indicator’s Priority Score.

Related Link: Normalized Indicator Scores

For example, in the graphic below, a URL has been found in several sources. TruSTAR normalizes each score (right side), associated attributes, and provides the Prioritized Score for the URL Indicator (left side). 

At this point, the Observable becomes an Indicator because now it has context (scores, sources, and other information) that is useful for triage and investigation. 

The final step in the Prioritization process is to store the Indicator and its context data in a TruSTAR Enclave where it can then be connected to your security processes. 

How Did We Do?