Splunk® Intelligence Management (Legacy)

User Guide

Enrich Splunk Enterprise Security notable events with priority indicator scores

Splunk Intelligence Management enriches Splunk Enterprise Security notable events by generating priority indicator scores from normalized indicator scores. You can use priority indicator scores to make informed decisions about the indicators of compromise (IOCs) produced by your active intelligence sources.

Urgency scores in Splunk Enterprise Security also come from Splunk Intelligence Management priority indicator scores.

Splunk Intelligence Management can only enrich a threat activity notable event, which includes only one indicator.

How Splunk Intelligence Management calculates priority indicator scores

Splunk Intelligence Management calculates each priority indicator score using the following aggregations:

  • The normalized indicator score
  • The weight of the enclaves within the intelligence workflow

The normalized indicator score is a score for each enclave determined by the confidence_score and malicious_score of the attributes and observables associated with the indicator. To learn more about normalized indicator scores, see Use normalized indicator scores to identify the relative severity of each indicator.

Using the maximum normalized indicator score from all of the enclaves and the weight of the enclaves within the intelligence workflow, Splunk Intelligence Management assigns a priority indicator score between the values of 0 and 3.

For example, if Splunk Intelligence Management has three normalized indicator scores with the values 1, 2, and 3 for an indicator, then Splunk Intelligence Management uses the value of 3 to generate the priority indicator score.


How priority indicator scores map to notable event urgency scores

Priority indicator scores from Splunk Intelligence Management map to notable event urgency scores in Splunk Enterprise Security.

The following table shows the conversion:

Splunk Intelligence Management priority indicator score Splunk ES notable event urgency score
0 Informational
1 Low
2 Medium
3 High
-- Critical

No priority indicator score from Splunk Intelligence Management maps to the Critical urgency score in Splunk Enterprise Security.

You can retrieve the normalized indicator score using the /1.3/indicators/summaries API endpoint. The field which contains the normalized indicator score is called serverityLevel.

Related Links

Last modified on 13 June, 2023
Access priority event scoring in Phishing Triage   Extract MITRE ATT&CK techniques and tactics from premium intelligence sources

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters