Priority Indicator Scores
The TruSTAR platform can use an Indicator's Normalized Indicator Score to provide Priority Indicator Scores in workflow tools, such as Splunk Enterprise Security (ES).
- Normalized Indicator Scores explains how TruSTAR combines the indicator scores from different intelligence sources into a single value for that Indicator in the TruSTAR platform.
- Priority Event Scores explains how TruSTAR aggregates the Normalized Indicator Scores of an event (such as an email) and assigns a score that reflects the overall severity of the event. This is only available through the Phishing Triage feature.
- Phishing Triage Basics introduces this TruSTAR feature set.
How It Works
In Splunk ES, the Notable Event Urgency score is set by the Enrich action of the TruSTAR integration with Splunk ES.
The Enrich action can only enrich Threat Activity Notable Events, which are guaranteed to contain exactly one Indicator. The TruSTAR integration enriches that Indicator by pulling the original scores from the intelligence sources you subscribe to, normalizing those scores, and then assigning the Indicator a Priority Indicator Score equal to the maximum of all the normalized scores available.
For example, if TruSTAR has three normalized values for the Indicator, 1, 2, and 3, the Priority Indicator Score assigned to that Indicator is 3. Because the aggregation is a maximum, a single source that scores the Indicator high is enough to produce a high Priority Indicator Score, regardless of how the other sources score it.
Priority Indicator Score = Max (all normalized indicator scores)
TruSTAR then converts that Priority Indicator Score to the Notable Event's Urgency score according to the mapping table below.
[Mapping table: TruSTAR Priority Indicator Score | Splunk ES Notable Event Urgency Score]
Note that no score on the TruSTAR Normalized scale maps to the Critical urgency in Splunk ES.
If an Indicator has no indicator score at all but does have an attribute associated with it (THREAT_ACTOR, MALWARE, CVE, MITRE_TACTIC), the Indicator is mapped to a High urgency by default.
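The aggregation and fallback rules above, as an added illustration that is not TruSTAR's own code. The score-to-urgency mapping table is not reproduced on this page, so the function takes it as a caller-supplied dictionary; the table used in the demo at the bottom is a constructed placeholder keyed by the score values in the page's example, not TruSTAR's real table. The Splunk ES urgency level names used here are an assumption.

```python
"""Priority Indicator Score -> Splunk ES Notable Event Urgency (illustration)."""
from typing import Dict, Iterable, Optional

# Attribute types named on the page that trigger the "default to High" rule
# when the Indicator has no indicator score at all.
ATTRIBUTES_THAT_DEFAULT_TO_HIGH = frozenset(
    {"THREAT_ACTOR", "MALWARE", "CVE", "MITRE_TACTIC"}
)

# Assumed Splunk ES urgency level names; the page only states that the
# TruSTAR mapping never produces "critical".
URGENCY_LEVELS = ("informational", "low", "medium", "high", "critical")


def priority_indicator_score(normalized_scores: Iterable[int]) -> Optional[int]:
    """Priority Indicator Score = max of all normalized scores (None if there are none)."""
    scores = list(normalized_scores)
    return max(scores) if scores else None


def check_mapping_table(score_to_urgency: Dict[int, str]) -> None:
    """Reject a table that violates the page's stated invariant (no Critical)."""
    for score, urgency in score_to_urgency.items():
        if urgency not in URGENCY_LEVELS:
            raise ValueError(f"unknown urgency {urgency!r} for score {score}")
        if urgency == "critical":
            raise ValueError("no TruSTAR normalized score may map to critical")


def notable_urgency(
    normalized_scores: Iterable[int],
    attributes: Iterable[str],
    score_to_urgency: Dict[int, str],
) -> Optional[str]:
    """Urgency the Enrich action would assign to a Threat Activity Notable Event.

    Returns None when the Indicator has neither a score nor a qualifying
    attribute; the page does not specify that case, so no urgency is assumed.
    """
    check_mapping_table(score_to_urgency)
    score = priority_indicator_score(normalized_scores)
    if score is None:
        # Page rule: no score, but a THREAT_ACTOR/MALWARE/CVE/MITRE_TACTIC
        # attribute is present -> High by default.
        if ATTRIBUTES_THAT_DEFAULT_TO_HIGH & set(attributes):
            return "high"
        return None
    return score_to_urgency[score]


# Constructed placeholder table (NOT TruSTAR's real mapping), keyed by the
# normalized values used in the page's example.
PLACEHOLDER_SCORE_TO_URGENCY = {1: "low", 2: "medium", 3: "high"}

if __name__ == "__main__":
    # Page example: three sources scored the Indicator 1, 2 and 3 -> max is 3.
    print(priority_indicator_score([1, 2, 3]))
    # One high-scoring source is enough, however the other sources scored it.
    print(notable_urgency([1, 1, 3], [], PLACEHOLDER_SCORE_TO_URGENCY))
    # No score at all, but a CVE attribute -> High by default.
    print(notable_urgency([], ["CVE"], PLACEHOLDER_SCORE_TO_URGENCY))
```

The maximum is deliberately not a weighted or averaged value: when reviewing a High notable, check which source supplied the top score before treating it as corroborated by all subscribed sources.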