TruSTAR’s Normalized Indicator Score Scale

Updated 3 weeks ago by Sachit Soni

Trustar provides its customers access to intelligence data by integrating with a number of premium intelligence sources. Each one of these sources follows a different schema and presents scores in a unique way. Scoring Normalization creates a single scale on which to map scores so that scores from different sources are made comparable.

The Scale

TruSTAR’s Indicator Score Normalization algorithm normalizes an intel source’s indicator scores to a 0 → 3 scale, with each number meaning:

0 = benign

1 = low

2 = medium

3 = high

If no score is found from an intelligence source, the score is “Unknown”.

Types of Intel Source Scores.

Intel source scores all fall into 1 of 2 data types: numeric or categorical.

Normalizing Numeric Indicator Scores.

Numeric indicator scores are mapped to TruSTAR’s Normalized Indicator Score Scale by scaling them w.r.t. the max possible score from that intelligence source, and mapping the scaled value to the following normalized  scores:

Quotient

TruSTAR Normalized Score

0

0

0 < x <= 0.33

1

0.33 < x <= 0.66

2

0.66 < x <= 1

3

Oftentimes, the scale on which an intelligence source scores, specifically the max score, changes. If that happens, our algorithm detects the change and adjusts all previously-calculated scores to it.

Normalizing Categorical Indicator Scores. 

We map the categorical scores to the 0-3 scale by first looking at the distribution of categorical scores for an intel source and then characterizing each.

Let’s take a look at Digital Shadows for example:

Digital Shadows

TruSTAR Normalized Score

“none”

0

“very_low”

1

“low”

2

“medium

2

“high”

3

Both “low” and “medium” map to 2 due to the way Digital Shadows scores are distributed. “None” refers to no threat so it gets mapped to 0. 

Splunk ES Urgency Score

Splunk ES Notable Event Urgency Score adjustment is performed by our integration’s “Enrich” action feature.  That feature can only enrich a certain type of Notable Event (a “Threat Activity” Notable Event), and they are guaranteed to have 1 IOC in them only.  Our integration obtains the normalized version of all the scores from all the intel sources the user has access to and assigns the indicator a single score equal to the max of all the normalized scores available about that IOC.

Indicator score = Max (all normalized source scores for that indicator)

It then sets the Notable Event’s Urgency score according to this scale:

TruSTAR Normalized Indicator Score

Splunk ES Notable Event Urgency Score

0

“Informational”

1

“Low”

2

“Medium”

3

“High”

[nothing that maps to “critical”.]

“Critical”


How Did We Do?