Priority Event Scores

Updated 2 months ago by Elvis Hovor

When you activate the Phishing Triage feature in the TruSTAR platform, you have access to Priority Event Scoring. This feature uses the Normalized Indicator Scores of the Indicators found within an event (such as an email) to assign the event a score that indicates its priority.

  • Normalized Indicator Scores explains how TruSTAR combines the scores of an indicator from different external intelligence sources into a single value for that Indicator in the TruSTAR platform.
  • Priority Indicator Scores explains how TruSTAR computes priority scores of indicators for specific integrations.
  • Phishing Triage Basics introduces this feature in the TruSTAR platform.

How It Works

TruSTAR performs the following steps automatically to compute the Priority Event Score:

  1. Extract: TruSTAR parses each submitted email and extracts these Observables:
     • URL
     • IP address
     • Hashes: MD5, SHA1, SHA256
     • Email address
  2. Enrich and Normalize: TruSTAR queries the intelligence sources you subscribe to for correlations between these Observables and the sources' Indicators, then uses Normalized Indicator Scoring to compute a single comprehensive score for each correlated Indicator.
  3. Prioritize: TruSTAR assigns the email a Priority Event Score equal to the maximum Normalized Indicator Score over all Indicators that correlate with the email and were scored within the last 30 days. Scores older than 30 days are ignored.

Priority Event Score = max(Normalized Indicator Scores of correlated Indicators from the last 30 days)

For example, suppose TruSTAR finds two Indicators in a phishing email that, between them, correlate with three different intelligence sources, giving three original scores. TruSTAR's Normalized Indicator Scoring normalizes two of those scores to Medium (2) and one to High (3). The Priority Event Score assigned to that email is High (3), the maximum over the last 30 days. If the High score is more than 30 days old, it is dropped from the calculation and the email's Priority Event Score is Medium (2).
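The three-step procedure and the example above, reproduced as an added Python example (this is not TruSTAR's own code or SDK): the observable regexes, the layout of a correlation record (indicator, source, score, scored_at) and the rule that an email with no in-window correlation gets Unknown (-1) are this example's assumptions, and the phishing email and the source hits are constructed.

```python
"""Priority Event Score: extract observables, correlate, take max over 30 days."""
import re
from datetime import datetime, timedelta, timezone

# Priority Event Score scale: TruSTAR API value -> TruSTAR Station label.
SCALE = {-1: "Unknown", 0: "Benign", 1: "Low", 2: "Medium", 3: "High"}
WINDOW = timedelta(days=30)  # only scores from the last 30 days count

# Step 1, Extract: patterns approximating the Observable types the page lists.
# These regexes are this example's own, not TruSTAR's extractor.
PATTERNS = {
    "URL": re.compile(r"https?://[^\s<>\"']+"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "SHA256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "SHA1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "MD5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def extract_observables(email_text):
    """Return {observable_value: type} for every URL/IP/hash/email found."""
    found = {}
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(email_text):
            found.setdefault(value, kind)
    return found


def priority_event_score(email_text, correlations, now):
    """Steps 2 and 3, Enrich/Normalize and Prioritize.

    `correlations` stands in for the answer from the subscribed intelligence
    sources: one record per (indicator, source) hit, already carrying the
    Normalized Indicator Score and the time it was scored (assumed field names).
    Returns max(score) over hits on the email's observables inside the window,
    or -1 (Unknown) if nothing correlates in-window. That fallback is an
    assumption; the page does not say what happens in that case.
    """
    observables = extract_observables(email_text)
    cutoff = now - WINDOW
    in_window = [
        hit["score"]
        for hit in correlations
        if hit["indicator"] in observables and hit["scored_at"] >= cutoff
    ]
    return max(in_window) if in_window else -1


def score_label(score):
    """Map an API score to the label shown in TruSTAR Station."""
    return SCALE.get(score, "Unknown")


# Constructed phishing email: two indicators the constructed sources know about.
SAMPLE_EMAIL = """From: payroll@examp1e-corp.test
Subject: Updated payroll portal
Please sign in at http://203.0.113.45/portal/login to confirm your details.
Attachment sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"""

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # fixed "now" for reproducibility
URL = "http://203.0.113.45/portal/login"
HASH = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def worked_example():
    """The page's scenario: 2 indicators, 3 sources, normalized scores 2, 2, 3."""
    hits = [  # constructed source hits; 'score' is the Normalized Indicator Score
        {"indicator": URL, "source": "Source A", "score": 2, "scored_at": NOW - timedelta(days=5)},
        {"indicator": URL, "source": "Source B", "score": 2, "scored_at": NOW - timedelta(days=12)},
        {"indicator": HASH, "source": "Source C", "score": 3, "scored_at": NOW - timedelta(days=3)},
    ]
    fresh = priority_event_score(SAMPLE_EMAIL, hits, NOW)  # High (3)
    hits[2]["scored_at"] = NOW - timedelta(days=45)        # the High hit ages past the window
    stale = priority_event_score(SAMPLE_EMAIL, hits, NOW)  # Medium (2)
    return fresh, stale


if __name__ == "__main__":
    for score in worked_example():
        print(score, score_label(score))
```

The IP and sender address are also extracted from the email, but no source hit references them, so they do not affect the result; a hit whose indicator is not in the email is likewise ignored.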

Priority Event Score Scale

The Priority Event Score uses the following scale:

  TruSTAR API   TruSTAR Station
  -----------   ---------------
  -1            Unknown
   0            Benign
   1            Low
   2            Medium
   3            High
