Generate priority indicator scores in workflow tools
Splunk Intelligence Management can use an indicator's normalized score to provide priority indicator scores in workflow tools, such as Splunk Enterprise Security (ES).
How priority indicator scoring works
Obtaining the notable event urgency score in Splunk Enterprise Security is performed by the Enrich action feature in the Splunk Intelligence Management integration with Splunk Enterprise Security.
The Enrich feature can only enrich a Threat Activity notable event, and those are guaranteed to include a single indicator. The Splunk Intelligence Management integration enriches that single indicator by pulling original scores from the intelligence sources that you subscribe to, normalizes those scores, and then assigns a priority indicator score to that Indicator that is equal to the maximum value of all the normalized scores available.
For example, let's say Splunk Intelligence Management has three normalized values for the indicator: 1, 2, and 3. The score assigned to that indicator in this situation will be 3.
Priority Indicator Score = Max (all normalized indicator scores)
Splunk Intelligence Management then converts that normalized score to the notable event's Urgency score as shown below.
|Splunk Intelligence Management priority indicator score||Splunk ES notable event urgency score|
Note that no score in the Splunk Intelligence Management normalized scale maps to the critical score in Splunk Enterprise Security.
The normalized indicator score can be retrieved using the /1.3/indicators/summaries API endpoint. The field which contains the normalized indicator score is called serverityLevel.
- Normalized Indicator Scores explains how Splunk Intelligence Management combines the indicator scores from different intelligence sources into a single value for that Indicator in Splunk Intelligence Management.
- Priority Event Scores explains how Splunk Intelligence Management aggregates Normalized Scores for an event (such as an email (and assigns a score that reflects the overall severity of the event. This is only available through the Phishing Triage feature.
- Phishing Triage Basics introduces this Splunk Intelligence Management feature set.
Access priority event scoring in Phishing Triage
Extract MITRE ATT&CK techniques and tactics from premium intelligence sources
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current