Splunk® Intelligence Management (Legacy)

User Guide


Generate priority indicator scores in workflow tools

Splunk Intelligence Management can use an indicator's normalized score to provide priority indicator scores in workflow tools, such as Splunk Enterprise Security (ES).

How priority indicator scoring works

The urgency score of a notable event in Splunk Enterprise Security is set by the Enrich action in the Splunk Intelligence Management integration with Splunk Enterprise Security.

The Enrich action works only on Threat Activity notable events, which always contain exactly one indicator. The integration enriches that indicator by pulling the original scores from the intelligence sources you subscribe to, normalizing those scores, and assigning the indicator a priority indicator score equal to the maximum of all the normalized scores available.

For example, if Splunk Intelligence Management holds three normalized scores for the indicator, 1, 2 and 3, the priority indicator score is 3.

Priority Indicator Score = Max (all normalized indicator scores)

Splunk Intelligence Management then converts that priority indicator score to the notable event's urgency as shown below.

Splunk Intelligence Management priority indicator score    Splunk ES notable event urgency
0                                                           Informational
1                                                           Low
2                                                           Medium
3                                                           High
(none)                                                      Critical

Note that no score on the Splunk Intelligence Management normalized scale maps to the Critical urgency in Splunk Enterprise Security, so enrichment never produces a Critical notable event on its own; High is the maximum urgency this mapping can assign.

The normalized indicator score can be retrieved from the /1.3/indicators/summaries API endpoint. The field that contains the normalized indicator score is named severityLevel.
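The scoring rule above (maximum of the available normalized scores, then the table mapping to urgency) and the severityLevel field from the summaries endpoint, as an added worked example. This is not Splunk's integration code. The response shape it parses (a JSON list of summary objects carrying an indicatorValue and a severityLevel, one object per source) is an assumption for illustration; confirm the field names against an actual /1.3/indicators/summaries response before relying on them. The sample response is constructed inline so the script runs offline.

```python
"""Priority indicator score -> Splunk ES notable event urgency.

Added example, not Splunk Intelligence Management code. The summaries
response shape (list of objects with "indicatorValue" and "severityLevel")
is assumed for illustration.
"""
import json
from collections import defaultdict

# Splunk ES urgency for each normalized (priority) score, per the table.
# Critical is deliberately absent: no normalized score maps to it.
URGENCY_BY_SCORE = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def priority_indicator_score(normalized_scores):
    """Return max(all normalized indicator scores), or None if no source scored it.

    Scores outside the 0-3 normalized scale are rejected rather than silently
    clamped, so a malformed source response cannot inflate or hide urgency.
    """
    scores = [s for s in normalized_scores if s is not None]
    if not scores:
        return None
    for s in scores:
        if s not in URGENCY_BY_SCORE:
            raise ValueError(f"score {s!r} is outside the normalized 0-3 scale")
    return max(scores)


def urgency_for(priority_score):
    """Map a priority indicator score to the ES urgency label; None when unscored."""
    if priority_score is None:
        return None
    return URGENCY_BY_SCORE[priority_score]


def urgencies_from_summaries(summaries_json):
    """Group summaries per indicator, take the max severityLevel, convert to urgency.

    Assumed field names: "indicatorValue" (the observable) and "severityLevel"
    (the normalized score, may be missing for an unscored source).
    """
    per_indicator = defaultdict(list)
    for summary in json.loads(summaries_json):
        per_indicator[summary["indicatorValue"]].append(summary.get("severityLevel"))
    return {
        value: urgency_for(priority_indicator_score(levels))
        for value, levels in per_indicator.items()
    }


# Constructed sample response (not captured from a live API): three sources
# scored 203.0.113.7 as 1, 2 and 3; one source lists evil.example unscored.
SAMPLE_SUMMARIES = json.dumps([
    {"indicatorValue": "203.0.113.7", "source": "enclave-a", "severityLevel": 1},
    {"indicatorValue": "203.0.113.7", "source": "enclave-b", "severityLevel": 2},
    {"indicatorValue": "203.0.113.7", "source": "enclave-c", "severityLevel": 3},
    {"indicatorValue": "evil.example", "source": "enclave-a"},
])

if __name__ == "__main__":
    for value, urgency in urgencies_from_summaries(SAMPLE_SUMMARIES).items():
        print(f"{value}: {urgency}")
```

Running the script prints High for 203.0.113.7 (max of 1, 2, 3 is 3) and None for the unscored indicator; the mapping can never yield Critical, which matches the table.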


Related Links

  • Normalized Indicator Scores explains how Splunk Intelligence Management combines the indicator scores from different intelligence sources into a single value for that Indicator in Splunk Intelligence Management.
  • Priority Event Scores explains how Splunk Intelligence Management aggregates normalized scores for an event (such as an email) and assigns a score that reflects the overall severity of the event. This is only available through the Phishing Triage feature.
  • Phishing Triage Basics introduces this Splunk Intelligence Management feature set.
Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

