Splunk® Intelligence Management (Legacy)

User Guide

Access priority event scoring in Phishing Triage

When you activate Phishing Triage in Splunk Intelligence Management, you have access to priority event scoring. Phishing Triage uses the normalized scores for indicators within an event (such as an email) to assign a score that indicates the priority of the event.

How priority event scoring works

Splunk Intelligence Management performs the following steps automatically to compute the priority event score:

  • Finds correlations between emails and indicators with a normalized indicator score.
  • Computes scores by taking the m = max (all normalized indicator scores over all correlating indicators within a 30 days period).
  • Assigns that m value as the priority event score for the email.

Extract: Splunk Intelligence Management automatically parses the submitted emails and extracts specific observables:

  • URL
  • IP address
  • Hashes: MD5, SHA1, SHA256
  • Email address

Enrich and Normalize: Splunk Intelligence Management uses these observables and automatically queries the intelligence sources that you subscribe to for correlations with their indicators and then uses normalized indicator scoring to calculate a single comprehensive score for each indicator.

Prioritize: Splunk Intelligence Management indicates the priority of each email by assigning it a priority event score. This score is computed by taking the maximum score of all correlated indicators within the last 30 days.

Priority Event Score = (Max (normalized indicator scores) last 30 days)

For example, let's say that Splunk Intelligence Management finds two indicators in a phishing email that were also contained within three different intelligence sources. Two original scores obtained from those external sources are then normalized using normalized indicator scoring, and become, Medium (2), and one gets normalized to a High (3). The priority event score assigned to that email will be High (3) since we are taking the max value over the last 30 days. To continue with this example, if the High Score is more than 30 days old, then it is ignored in the calculation and the priority event score assigned to that email will be Medium.

Priority event score scale

The priority event score uses the following scale:

Splunk Intelligence Management API Splunk Intelligence Management Station
-1 Unknown
0 Benign
1 Low
2 Medium
3 High

Related Links

Last modified on 21 April, 2022
Use normalized indicator scores to identify the relative severity of each indicator   Enrich Splunk Enterprise Security notable events with priority indicator scores

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters