Splunk® Intelligence Management (Legacy)

User Guide

Use normalized indicator scores to identify the relative severity of each indicator

Splunk Intelligence Management provides access to intelligence data by integrating with a number of premium intelligence sources. Each of those sources calculates scores for events and indicators in their own unique way. The normalized indicator scoring in Splunk Intelligence Management converts those original indicator scores into a single value to show the relative severity of the indicator.

For example, three different premium intelligence sources may see the same indicator and assign a score to that indicator using their internal systems. One source may score it as medium, while another scores it as a 6, and the third assigns it a high score. Normalized scoring automatically takes those three different scales and converts them into a single value that reflects the original scores of the indicator. When you view that Indicator in Splunk Intelligence Management, you see both the original indicator score and the normalized indicator score.

  • Original Indicator Score: Score of an indicator as provided by one of the third-party intelligence sources available through the Splunk Intelligence Management Marketplace.
  • Normalized Indicator Score: Score for the indicator assigned by Splunk Intelligence Management that measures all third-party scores based on a single standard score.

Normalized scoring scale

The normalized indicator score in Splunk Intelligence Management uses the following scale:

Splunk Intelligence Management Station Score Splunk Intelligence Management API Score
Unknown -1
Benign 0
Low 1
Medium 2
High 3

How normalized scoring works

Original indicator scores from external intelligence sources can be either of the following values:

  • Numeric: For example: 0-10
  • Categorical: For example: Low, Medium, and High

Normalizing numeric scores

When the original indicator score is a numerical value, those values are mapped to the normalized indicator score scale in Splunk Intelligence Management by comparing them to the the maximum possible score from that intelligence source and then mapping the scaled value to the following normalized scores:

Mapping Splunk Intelligence Management normalized score
0 0
0 < x <= 0.33 1
0.33 < x <= 0.66 2
0.66 < x <= 1 3

When a third-party intelligence source changes the scoring, including the maximum score, Splunk Intelligence Management detects the change and adjusts all previously calculated scores to use the new scoring values.

Normalizing categorical indicator scores

Splunk Intelligence Management handles categorical scores by looking at the distribution of categorical scores for an intelligence source and then mapping them across the 0-3 normalized scoring scale.

For example: If the intelligence source uses five values, as Digital Shadows does, the mapping works as indicated in the following table:

Digital Shadows original score Splunk Intelligence Management normalized score
none 0
very_low 1
low 2
medium 2
high 3

Both low and medium scores map to 2, due to the way Digital Shadows scores are distributed. The value "None" refers to no threat so it gets mapped to 0.

Only external intelligence sources that have an attributes parser can provide original indicator scores. For more information on the updated list of threat intelligence sources that have an attributes parser, see Threat intelligence sources.

API access

You can use the Get Indicator Summaries API endpoint to fetch the original indicator score assigned by an external intelligence source, stored in the Indicator Score field of the response. This endpoint also retrieves the normalized indicator score, which is stored in the severityLevel field in the response.

Related Links

  • Priority indicator scores explain how Splunk Intelligence Management computes priority scores for specific integrations. For more information on priority indicator scores, see Generate priority indicator scores in workflow tools.
  • Priority event scores explain how Splunk Intelligence Management aggregates normalized indicator scores for an event (such as an email) and assigns a score that reflects the overall priority of the event. This scoring is available as part of Phishing Triage. For more information on priority indicator scores, see Access priority event scoring in Phishing Triage.
Last modified on 21 April, 2022
Update your user settings   Access priority event scoring in Phishing Triage

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters