Enrich Splunk Enterprise Security notable events with priority indicator scores
Splunk Intelligence Management enriches Splunk Enterprise Security notable events by generating priority indicator scores from normalized indicator scores. You can use priority indicator scores to make informed decisions about the indicators of compromise (IOCs) produced by your active intelligence sources.
Urgency scores in Splunk Enterprise Security also come from Splunk Intelligence Management priority indicator scores.
Splunk Intelligence Management enriches only threat activity notable events, each of which carries a single indicator. Notable events of other types are not enriched.
How Splunk Intelligence Management calculates priority indicator scores
Splunk Intelligence Management calculates each priority indicator score using the following aggregations:
- The normalized indicator score
- The weight of the enclaves within the intelligence workflow
The normalized indicator score is a per-enclave score determined by the malicious_score of the attributes and observables associated with the indicator. To learn more about normalized indicator scores, see Use normalized indicator scores to identify the relative severity of each indicator.
Using the maximum normalized indicator score from all of the enclaves and the weight of the enclaves within the intelligence workflow, Splunk Intelligence Management assigns a priority indicator score between the values of 0 and 3.
For example, if Splunk Intelligence Management has three normalized indicator scores with the values 1, 2, and 3 for an indicator, then Splunk Intelligence Management uses the value of 3 to generate the priority indicator score.
How priority indicator scores map to notable event urgency scores
Priority indicator scores from Splunk Intelligence Management map to notable event urgency scores in Splunk Enterprise Security.
The following table shows the conversion:
| Splunk Intelligence Management priority indicator score | Splunk ES notable event urgency score |
|---|---|

No priority indicator score from Splunk Intelligence Management maps to the Critical urgency score in Splunk Enterprise Security.
You can retrieve the normalized indicator score using the /1.3/indicators/summaries API endpoint. The field that contains the normalized indicator score is called severityLevel.
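The following Python script is an added example, not Splunk's own code. It applies the aggregation step described above (take the maximum normalized indicator score across all enclaves for each indicator) to a constructed /1.3/indicators/summaries response, reading the score from the severityLevel field named on this page. The enclave-weighting step is not specified here, so the script stops at the per-indicator maximum, clamped to the 0 to 3 range the page gives, and reports which enclaves produced it. The "items" wrapper and the enclaveId, type and value fields on each summary are assumptions about the response shape; the payload itself is constructed for the example.

```python
"""Pick the maximum normalized indicator score (severityLevel) per indicator
across enclaves from an indicator summaries response.

Added example, not Splunk's code. Response shape ("items" wrapper, enclaveId,
type, value) is assumed; severityLevel is the field named on the page.
"""
import json
from collections import defaultdict

PRIORITY_MIN, PRIORITY_MAX = 0, 3  # priority indicator score range stated on the page

# Constructed sample response: one IP seen in three enclaves with scores 1, 3, 2,
# a domain scored 0 in one enclave, and a URL with no score at all.
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"enclaveId": "enc-a", "type": "IP", "value": "203.0.113.7", "severityLevel": 1},
        {"enclaveId": "enc-b", "type": "IP", "value": "203.0.113.7", "severityLevel": 3},
        {"enclaveId": "enc-c", "type": "IP", "value": "203.0.113.7", "severityLevel": 2},
        {"enclaveId": "enc-a", "type": "DOMAIN", "value": "bad.example", "severityLevel": 0},
        {"enclaveId": "enc-b", "type": "URL", "value": "http://x.example/p", "severityLevel": None},
    ]
})


def clamp_priority(score):
    """Keep a score inside the 0..3 range the page gives for priority indicator scores."""
    return max(PRIORITY_MIN, min(PRIORITY_MAX, score))


def iter_summaries(raw):
    """Yield summary items from a summaries response body (JSON text or dict).

    The "items" key is an assumption about the paged response wrapper.
    """
    body = json.loads(raw) if isinstance(raw, str) else raw
    for item in body.get("items", []):
        yield item


def max_normalized_scores(raw):
    """Collapse per-enclave severityLevel values to the maximum for each indicator.

    Returns {(type, value): {"score": int, "enclaves": [...], "per_enclave": {...}}}.
    "score" is the clamped maximum across enclaves, the value the page says feeds
    priority indicator scoring; "enclaves" lists the enclaves that supplied it.
    Items with a missing or null severityLevel carry no normalized score and
    are skipped rather than treated as 0.
    """
    per_indicator = defaultdict(dict)
    for item in iter_summaries(raw):
        level = item.get("severityLevel")
        if level is None:
            continue
        key = (item["type"], item["value"])
        per_indicator[key][item["enclaveId"]] = int(level)

    result = {}
    for key, scores in per_indicator.items():
        best = max(scores.values())
        result[key] = {
            "score": clamp_priority(best),
            "enclaves": sorted(e for e, s in scores.items() if s == best),
            "per_enclave": dict(scores),
        }
    return result


if __name__ == "__main__":
    for (itype, value), info in max_normalized_scores(SAMPLE_RESPONSE).items():
        print(f"{itype} {value}: max normalized score {info['score']} "
              f"from {info['enclaves']} (per enclave: {info['per_enclave']})")
```

For the IP in the sample the three enclave scores 1, 2 and 3 collapse to 3, matching the worked example above; the URL with a null severityLevel is dropped rather than silently scored 0, which matters because a 0 would otherwise read as "benign" downstream.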
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current