Priority Indicator Scores

Updated 4 months ago by TruSTAR

The TruSTAR platform can use an Indicator's Normalized Indicator Score to provide Priority Indicator Scores in workflow tools, such as Splunk Enterprise Security (ES).

  • Normalized Indicator Scores explains how TruSTAR combines the indicator scores from different intelligence sources into a single value for that Indicator in the TruSTAR platform.
  • Priority Event Scores explains how TruSTAR aggregates Normalized Scores for an event (such as an email) and assigns a score that reflects the overall severity of the event. This is only available through the Phishing Triage feature.
  • Phishing Triage Basics introduces this TruSTAR feature set.

How It Works

The Enrich action in the TruSTAR integration with Splunk ES is what obtains the Notable Event Urgency Score in Splunk ES.

The Enrich feature can only enrich a Threat Activity Notable Event, and those are guaranteed to include a single Indicator. The TruSTAR integration enriches that single Indicator by pulling the original scores from the intelligence sources you subscribe to, normalizing those scores, and then assigning the Indicator a Priority Indicator Score equal to the maximum of all the normalized scores available.

For example, let's say TruSTAR has three normalized values for the Indicator: 1, 2, and 3. The score assigned to that Indicator in this situation will be 3.

Priority Indicator Score = Max (all normalized indicator scores)

TruSTAR then converts that normalized score to the Notable Event’s Urgency score as shown below.

TruSTAR Priority Indicator Score

Splunk ES Notable Event Urgency Score

Note that no score in the TruSTAR Normalized scale maps to the critical score in Splunk ES.

If an indicator has no indicator score but does have an attribute associated with it (THREAT_ACTOR, MALWARE, CVE, MITRE_TACTIC), the indicator is mapped to a high score by default.
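The scoring rules above (maximum of the normalized scores, a caller-supplied score-to-urgency table, the "no score but a threat attribute means high" default, and the check that nothing ever maps to critical) as an added Python example. This is not TruSTAR's or Splunk's code; the EXAMPLE_MAPPING table and the attribute lists in it are constructed placeholders, because the page does not give the real mapping values.

```python
"""Added example: Priority Indicator Score -> Splunk ES Notable Event Urgency.

Not TruSTAR's code. The mapping values below are constructed placeholders;
the real TruSTAR-to-Splunk table is not reproduced here.
"""
from typing import Dict, Iterable, Optional

# Attribute types that, per the page, default an unscored indicator to "high".
ATTRIBUTE_TYPES_DEFAULT_HIGH = frozenset({"THREAT_ACTOR", "MALWARE", "CVE", "MITRE_TACTIC"})

# Splunk ES urgency levels, lowest to highest.
SPLUNK_URGENCY_LEVELS = ("informational", "low", "medium", "high", "critical")

# CONSTRUCTED placeholder table (hypothetical values, not the real TruSTAR mapping).
EXAMPLE_MAPPING: Dict[int, str] = {0: "informational", 1: "low", 2: "medium", 3: "high"}


def priority_indicator_score(normalized_scores: Iterable[int]) -> Optional[int]:
    """Priority Indicator Score = max(all normalized indicator scores).

    Returns None when no source provided a normalized score for the indicator.
    """
    scores = list(normalized_scores)
    if not scores:
        return None
    return max(scores)


def validate_mapping(mapping: Dict[int, str]) -> bool:
    """Check a score-to-urgency table against the page's stated constraints.

    Every value must be a Splunk ES urgency level, and no score may map to
    "critical" (the page states nothing on the normalized scale does).
    """
    for score, urgency in mapping.items():
        if urgency not in SPLUNK_URGENCY_LEVELS:
            raise ValueError(f"score {score} maps to unknown urgency {urgency!r}")
        if urgency == "critical":
            raise ValueError(f"score {score} maps to 'critical', which the scale never does")
    return True


def splunk_urgency(score: Optional[int],
                   attribute_types: Iterable[str],
                   mapping: Dict[int, str]) -> Optional[str]:
    """Translate a Priority Indicator Score into a Notable Event urgency.

    - Scored indicator: look the score up in the table.
    - Unscored indicator with a threat attribute: default to "high".
    - Unscored indicator without one: the page does not specify, so this
      example leaves it unmapped (None) rather than guessing (assumption).
    """
    validate_mapping(mapping)
    if score is None:
        if ATTRIBUTE_TYPES_DEFAULT_HIGH.intersection(attribute_types):
            return "high"
        return None
    if score not in mapping:
        raise ValueError(f"no urgency mapping for normalized score {score}")
    return mapping[score]


if __name__ == "__main__":
    # The page's own worked example: normalized values 1, 2, 3 -> score 3.
    score = priority_indicator_score([1, 2, 3])
    print("priority score:", score)
    print("urgency (placeholder table):", splunk_urgency(score, [], EXAMPLE_MAPPING))
    # Unscored indicator carrying a MALWARE attribute defaults to high.
    print("unscored + MALWARE:", splunk_urgency(None, ["MALWARE"], EXAMPLE_MAPPING))
```

Replace EXAMPLE_MAPPING with the table from the TruSTAR documentation before relying on the output; validate_mapping will reject any table that tries to reach "critical".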

The Normalized Indicator Score can be retrieved using the /1.3/indicators/summaries API endpoint. The field that contains the Normalized Indicator Score is called severityLevel.
