Access priority event scoring in Phishing Triage
When you activate Phishing Triage in Splunk Intelligence Management, you have access to priority event scoring. Phishing Triage uses the normalized scores for indicators within an event (such as an email) to assign a score that indicates the priority of the event.
How priority event scoring works
Splunk Intelligence Management performs the following steps automatically to compute the priority event score:
- Finds correlations between emails and indicators with a normalized indicator score.
- Computes m = max(normalized indicator score) over all correlated indicators that were seen within the last 30 days.
- Assigns that m value as the priority event score for the email.
Extract: Splunk Intelligence Management automatically parses the submitted emails and extracts specific observables:
- URL
- IP address
- Hashes: MD5, SHA1, SHA256
- Email address
Enrich and Normalize: Splunk Intelligence Management uses these observables and automatically queries the intelligence sources that you subscribe to for correlations with their indicators and then uses normalized indicator scoring to calculate a single comprehensive score for each indicator.
Prioritize: Splunk Intelligence Management indicates the priority of each email by assigning it a priority event score. This score is computed by taking the maximum score of all correlated indicators within the last 30 days.
Priority event score = max(normalized indicator scores of correlated indicators seen in the last 30 days)
For example, suppose Splunk Intelligence Management finds two indicators in a phishing email that also appear in three different intelligence sources. The original scores from those sources are combined with normalized indicator scoring, giving one indicator a normalized score of Medium (2) and the other a normalized score of High (3). The priority event score assigned to that email is High (3), because the maximum over the last 30 days is taken. If the High sighting is more than 30 days old, it is ignored in the calculation and the priority event score assigned to that email is Medium (2).
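The extract, enrich-and-normalize and prioritize steps above, carried through end to end, as an added example that is not Splunk's code. The regexes are an approximation of the observable parser written for this example, the intelligence data is constructed (not real Splunk data), the sample email is constructed, and returning Unknown (-1) when no observable correlates with any source is an assumption made here. The dates reproduce the scenario in the text: the same email scores High while the High indicator's sighting is inside the 30-day window and Medium once it falls outside it.

```python
import re
from datetime import date, timedelta

# Score values on the Splunk Intelligence Management API scale and their
# Station labels, as documented on this page.
UNKNOWN, BENIGN, LOW, MEDIUM, HIGH = -1, 0, 1, 2, 3
LABELS = {UNKNOWN: "Unknown", BENIGN: "Benign", LOW: "Low",
          MEDIUM: "Medium", HIGH: "High"}
LOOKBACK = timedelta(days=30)   # only indicators seen in this window count

# Extraction patterns for the observable types the page lists. These regexes
# are an approximation written for this example, not Splunk's parser.
PATTERNS = {
    "url": re.compile(r"https?://[^\s<>\"']+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def extract_observables(message: str) -> dict:
    """Extract step: return {observable: type} for every URL, IP, hash and
    email address found in the raw message text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(message):
            # Hashes and addresses are case-insensitive; URL paths are not.
            value = match if kind == "url" else match.lower()
            found.setdefault(value, kind)
    return found

# Constructed enrichment data standing in for the subscribed intelligence
# sources: each correlated indicator carries its already normalized score and
# the date it was last seen. Not real intelligence.
INTEL = {
    "http://update.example-invoice.test/login": (HIGH, date(2024, 1, 2)),
    "203.0.113.45": (MEDIUM, date(2024, 1, 20)),
    "billing@example-invoice.test": (BENIGN, date(2024, 1, 25)),
}

def priority_event_score(observables, intel, today, lookback=LOOKBACK) -> int:
    """Prioritize step: the maximum normalized score over correlated
    indicators seen within the lookback window. Returning Unknown (-1) when
    nothing correlates is an assumption made for this example."""
    scores = []
    for obs in observables:
        if obs not in intel:
            continue                      # no correlation in any source
        score, last_seen = intel[obs]
        if today - last_seen > lookback:
            continue                      # sighting older than 30 days: ignored
        scores.append(score)
    return max(scores) if scores else UNKNOWN

def triage(message: str, today: date, intel=INTEL) -> tuple:
    """Run extract -> enrich -> prioritize and return (score, label)."""
    score = priority_event_score(extract_observables(message), intel, today)
    return score, LABELS[score]

# Constructed sample email for the example.
SAMPLE_EMAIL = """From: billing@example-invoice.test
Subject: Overdue invoice
Please review at http://update.example-invoice.test/login
Attachment sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Relay: 203.0.113.45
"""

if __name__ == "__main__":
    # On 2024-02-01 the High URL sighting is exactly 30 days old and still counts.
    print(triage(SAMPLE_EMAIL, date(2024, 2, 1)))   # (3, 'High')
    # One day later it falls outside the window and the Medium IP sets the score.
    print(triage(SAMPLE_EMAIL, date(2024, 2, 2)))   # (2, 'Medium')
```

Note that the Benign address still correlates but never raises the score: max() only promotes, so a single High or Medium sighting inside the window decides the event's priority regardless of how many benign indicators sit beside it.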
Priority event score scale
The priority event score uses the following scale:
| Splunk Intelligence Management API | Splunk Intelligence Management Station |
|---|---|
| -1 | Unknown |
| 0 | Benign |
| 1 | Low |
| 2 | Medium |
| 3 | High |
Related Links
- Normalized indicator scores explain how Splunk Intelligence Management combines the scores of an indicator from different external intelligence sources into a single value for that indicator. For more information on normalized indicator scores, see Use normalized indicator scores to identify the relative severity of each indicator.
- Priority indicator scores explain how Splunk Intelligence Management computes priority scores of indicators for specific integrations. For more information on priority scores for indicators, see Generate priority indicator scores in workflow tools.
- For information on Phishing Triage in Splunk Intelligence Management, see Use the phishing triage workflow to automate suspicious email triage.
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current