Normalized Indicator Scores

Updated 4 months ago by Sachit Soni

TruSTAR provides access to intelligence data by integrating with a number of premium intelligence sources. Each of those sources calculates scores for events and Indicators in its own way. TruSTAR's Normalized Indicator Scoring converts those original indicator scores into a single value that TruSTAR uses to show the relative severity of the Indicator.

For example, three different premium intelligence sources may see the same Indicator and assign a score to that Indicator using their internal systems. One source may score it as "medium" while another scores it as a 6 and the third assigns it a "high" score. Same Indicator, three different measuring systems.

TruSTAR's Normalized Scoring automatically takes those three different scales and converts them into a single value that reflects the original scores of the Indicator. When you view that Indicator in TruSTAR, you will see an Original Indicator Score and a Normalized Indicator Score.

  • Original Indicator Score: This is the score of an indicator as provided by one of the third-party intelligence sources available through the TruSTAR Marketplace.
  • Normalized Indicator Score: TruSTAR's score for the indicator, which measures all third-party scores with respect to a single standard score.
  • Priority Indicator Scores explains how TruSTAR computes priority scores for specific integrations.
  • Priority Event Scores explains how TruSTAR aggregates Normalized Indicator Scores for an event (such as an email) and assigns a score that reflects the overall priority of the event. This scoring is available as part of the Phishing Triage feature set.

Normalized Scoring Scale

TruSTAR's Normalized Indicator Score uses the following scale.

| TruSTAR Station Score | TruSTAR API Score |
|-----------------------|-------------------|
| Unknown               | -1                |
| Benign                | 0                 |
| Low                   | 1                 |
| Medium                | 2                 |
| High                  | 3                 |

How It Works

Original Indicator Scores from external intelligence sources can be either:

  • Numeric; for example, 0-10
  • Categorical; for example, Low, Medium and High

Normalizing Numeric Scores

When the original indicator score is a numerical value, it is mapped to TruSTAR's Normalized Indicator Score Scale by comparing it to the max possible score from that intelligence source and then mapping the scaled value (x) to the following normalized scores:

| Mapping          | TruSTAR Normalized Score |
|------------------|--------------------------|
| 0                | 0                        |
| 0 < x <= 0.33    | 1                        |
| 0.33 < x <= 0.66 | 2                        |
| 0.66 < x <= 1    | 3                        |

When a third-party intelligence source changes the scoring, including the max score, TruSTAR detects the change and adjusts all previously calculated scores to use the new scoring values.

Normalizing Categorical Indicator Scores

TruSTAR handles categorical scores by looking at the distribution of categorical scores for an intel source and then mapping them across the 0-3 normalized scoring scale.

Digital Shadows Scoring

For example, if the intelligence source uses five values, as Digital Shadows does, the mapping works like this:

| Digital Shadows Original Score | TruSTAR Normalized Score |
|--------------------------------|--------------------------|
| none                           | 0                        |
| very_low                       | 1                        |
| low                            | 2                        |
| medium                         | 2                        |
| high                           | 3                        |

Both low and medium scores map to 2, due to the way Digital Shadows scores are distributed. None refers to no threat so it gets mapped to 0. 
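The numeric and categorical rules above, written out as an added example (this is not TruSTAR's code). The function names are hypothetical, and treating missing, unmapped or out-of-range input as Unknown (-1) is an assumption; the thresholds and the Digital Shadows mapping come from the tables on this page.

```python
from typing import Mapping, Optional

UNKNOWN, BENIGN, LOW, MEDIUM, HIGH = -1, 0, 1, 2, 3

# Categorical mapping copied from the Digital Shadows table on this page.
DIGITAL_SHADOWS = {"none": 0, "very_low": 1, "low": 2, "medium": 2, "high": 3}


def normalize_numeric(score: float, max_score: float) -> int:
    """Scale a numeric score by the source's max, then bucket it."""
    if max_score <= 0 or not 0 <= score <= max_score:
        return UNKNOWN  # assumption: out-of-range input is Unknown
    x = score / max_score
    if x == 0:
        return BENIGN
    if x <= 0.33:
        return LOW
    if x <= 0.66:
        return MEDIUM
    return HIGH


def normalize_categorical(label: Optional[str], mapping: Mapping[str, int]) -> int:
    """Look up a categorical score in the per-source mapping."""
    if label is None:
        return UNKNOWN  # assumption: a missing score is Unknown
    return mapping.get(label.strip().lower(), UNKNOWN)


def renormalize(raw_scores: Mapping[str, float], new_max: float) -> dict:
    """Recompute stored numeric scores after a source changes its max."""
    return {ioc: normalize_numeric(s, new_max) for ioc, s in raw_scores.items()}


if __name__ == "__main__":
    # Constructed sample: raw scores from one hypothetical numeric source.
    raw = {"198.51.100.7": 6, "example.test": 9, "203.0.113.9": 0}
    print(renormalize(raw, 10))    # source scores on a 0-10 scale
    print(renormalize(raw, 100))   # same raw values after the max becomes 100
    print(normalize_categorical("medium", DIGITAL_SHADOWS))
```

The second `renormalize` call shows why stored raw scores must be recomputed when a source changes its max: the same raw value of 6 drops from Medium to Low.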

Only external intelligence sources that have an attributes parser can provide Original Indicator Scores. For a listing of which sources have an attributes parser, check the Premium Intel Sources Tech Specs support document.

API Access

You can use the Get Indicator Summaries API endpoint to fetch the Original Indicator Score assigned by an external intelligence source, stored in the IndicatorScore field of the response. This endpoint also retrieves the Normalized Indicator Score, which is stored in the severityLevel field of the response.

