Intelligence metadata | Observable scoring
You can create Risk score policies to have EclecticIQ Intelligence Center (EIQ IC) apply a Risk score to Observables, denoting the risk each Observable poses.
You configure each Risk score policy to apply to a number of Observable types.
Create Observable Risk score policies
Once you understand how Observable scoring works, you can set up Observable Risk score policies.
Overview of Observable scoring
Observables’ Risk scores can be:
High
Medium
Low
These scores can be policy-based or user-assigned.
An Observable always shows the latest score it received: a policy might override a user-assigned score or vice versa, and decay always lowers the latest score.
Policy-based Risk scoring
An Observable's policy-based Risk score level is a composite of one or more parameter scores:
First, individual parameters of the Observable (such as the number of sources that reported it, or the TLP of the associated Entity) each receive a score of High, Medium, or Low.
Then, the parameter scores are counted and compared against the policy's thresholds to arrive at the Observable's overall Risk score level.
User-assigned Risk scores
You can manually assign Risk scores to Observables if you need to.
To do this:
On the Observables tab, enter a query to filter for the Observables whose Risk score you want to update.
Check the box of every Observable you want to update.
From the bar at the top, select Risk score.
Toggle the switches so that only the switch of the score you want the Observables to have (or Remove risk score) is enabled.
Select Apply.
Limitations
Policy-based Observable scoring only happens during ingestion and when the policy is saved, meaning that enriching or editing an Observable will not change its Risk score level.
Observables related to 1,000 or more Entities receive no score for the Related Entities parameter.
Risk score parameters
Each Risk score parameter pertains either to the Observable itself or to the Entity the Observable is associated with.
You can enable or disable scoring for each individual parameter.
Observable parameters
Sources
Under Sources, assign a Risk score level to sources in your EIQ IC. For the Sources parameter, each Observable then receives the highest score from among the sources that reported it.
Number of sources
Under Number of sources, set the number of reporting sources required for each of the three Risk score levels. For instance, you can define it so that:
Observables reported by five or more sources score High.
Observables reported by three or four sources score Medium.
Observables reported by fewer than three sources score Low.
Observable types
Under Observable types, assign a Risk score level to Observable types, reflecting that some Observable types might be inherently more risky to you.
Additionally, you can assign a Risk score level to values of an Observable type, either specific values or wildcard patterns.
Maliciousness
Under Maliciousness, set which Risk score level each Maliciousness value confers on an Observable.
Associated Entity parameters
Entity type
Under Entity type, assign a Risk score level to each Entity type, reflecting that Observables associated with some Entity types might be inherently more risky to you than Observables associated with other Entity types.
Taxonomy
Under Taxonomy add tags to have specific characteristics of the associated Entities, such as the Admiralty code, Industry sector, or Kill chain phase, contribute to the Risk score level of Observables.
TLP
Under TLP, assign a Risk score level to each TLP level, so that the TLP levels of the Entities an Observable is associated with contribute to its Risk score level.
Confidence
Under Confidence assign a Risk score level for each Confidence level.
Risk score level thresholds
In a Risk score policy, you define how the parameter scores accumulate into the overall score.
This is done by setting the lower thresholds for the High and Medium overall scores: the minimum number of parameters that must score High (or Medium) for the Observable to score High (or Medium) overall. Because these are lower thresholds, a count equal to the threshold reaches it.
The final calculation goes as follows:
If only one parameter is enabled, that parameter's Risk score level becomes the Observable's overall Risk score level.
The Observable's overall Risk score level becomes High if the number of parameters that scored High reaches the threshold for overall Risk score level High.
The Observable's overall Risk score level becomes Medium if:
at least one parameter scored High, but
the number of parameters that scored High is below the threshold for overall Risk score level High.
The Observable's overall Risk score level also becomes Medium if:
no parameter scored High, and
the number of parameters that scored Medium reaches the threshold for overall Risk score level Medium.
The Observable's overall Risk score level becomes Low if:
no parameter scored High, and
the number of parameters that scored Medium is below the threshold for overall Risk score level Medium.
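The following Python is a worked example added to this page, not EclecticIQ code. It models the parameter scoring described under Risk score parameters (Sources taking the highest level among reporting sources, Number of sources compared against two lower bounds, the other parameters as direct lookups) and the threshold combination above. The Policy structure, function names, lowercase level names, parameter names and all sample data are assumptions for illustration; thresholds are treated as lower bounds (a count equal to the threshold reaches it), and a parameter whose value has no level assigned in the policy is left unscored, which is also an assumption.

```python
"""Model of policy-based Observable Risk scoring as described above.
Illustration added to this page, not EclecticIQ code: the Policy structure,
function names, level names and sample data are assumptions."""
from dataclasses import dataclass, field

RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Policy:
    enabled: set                                           # parameters switched on
    source_levels: dict = field(default_factory=dict)      # source -> level
    min_sources_medium: int = 3                            # Number of sources bands
    min_sources_high: int = 5
    type_levels: dict = field(default_factory=dict)        # Observable type -> level
    maliciousness_levels: dict = field(default_factory=dict)
    entity_type_levels: dict = field(default_factory=dict)
    tlp_levels: dict = field(default_factory=dict)
    confidence_levels: dict = field(default_factory=dict)
    high_threshold: int = 2     # lower thresholds: parameter counts for overall High/Medium
    medium_threshold: int = 2


def parameter_scores(policy, observable, entity):
    """Score each enabled parameter; unmapped values stay unscored (assumption)."""
    scores = {}
    if "sources" in policy.enabled:
        # Sources: the highest level among the sources that reported the Observable.
        levels = [policy.source_levels[s] for s in observable["sources"]
                  if s in policy.source_levels]
        if levels:
            scores["sources"] = max(levels, key=RANK.__getitem__)
    if "number_of_sources" in policy.enabled:
        # Number of sources: compare the count against the two lower bounds.
        n = len(observable["sources"])
        scores["number_of_sources"] = ("high" if n >= policy.min_sources_high
                                       else "medium" if n >= policy.min_sources_medium
                                       else "low")
    # The remaining parameters are direct lookups of a value in a policy mapping.
    lookups = (
        ("observable_types", policy.type_levels, observable["type"]),
        ("maliciousness", policy.maliciousness_levels, observable["maliciousness"]),
        ("entity_type", policy.entity_type_levels, entity["type"]),
        ("tlp", policy.tlp_levels, entity["tlp"]),
        ("confidence", policy.confidence_levels, entity["confidence"]),
    )
    for name, mapping, value in lookups:
        if name in policy.enabled and value in mapping:
            scores[name] = mapping[value]
    return scores


def overall_level(policy, scores):
    """Combine parameter scores into the overall level (thresholds are lower bounds)."""
    levels = list(scores.values())
    if not levels:
        return None
    if len(levels) == 1:                 # single parameter: its level is the result
        return levels[0]
    n_high = levels.count("high")
    if n_high >= policy.high_threshold:
        return "high"
    if n_high >= 1:                      # some High, but below the High threshold
        return "medium"
    if levels.count("medium") >= policy.medium_threshold:
        return "medium"
    return "low"


def score_observable(policy, observable, entity):
    return overall_level(policy, parameter_scores(policy, observable, entity))


# Constructed sample policy and data; values are not from a real EIQ IC instance.
POLICY = Policy(
    enabled={"sources", "number_of_sources", "observable_types", "maliciousness",
             "entity_type", "tlp", "confidence"},
    source_levels={"feed-a": "high", "feed-b": "low", "feed-c": "medium"},
    type_levels={"ipv4": "medium", "domain": "medium", "hash-md5": "low"},
    maliciousness_levels={"malicious": "high", "suspicious": "medium",
                          "safe": "low", "unknown": "low"},
    entity_type_levels={"indicator": "high", "report": "low"},
    tlp_levels={"red": "high", "amber": "medium", "green": "low", "white": "low"},
    confidence_levels={"high": "high", "medium": "medium", "low": "low"},
    high_threshold=3, medium_threshold=2,
)
SAMPLES = [  # (Observable, associated Entity)
    ({"type": "ipv4", "value": "192.0.2.10", "maliciousness": "malicious",
      "sources": ["feed-a", "feed-b", "feed-c", "feed-d"]},
     {"type": "indicator", "tlp": "amber", "confidence": "medium"}),
    ({"type": "domain", "value": "example.test", "maliciousness": "suspicious",
      "sources": ["feed-b"]},
     {"type": "report", "tlp": "green", "confidence": "low"}),
    ({"type": "ipv4", "value": "192.0.2.20", "maliciousness": "unknown",
      "sources": ["feed-a"]},
     {"type": "report", "tlp": "white", "confidence": "low"}),
]

if __name__ == "__main__":
    for obs, ent in SAMPLES:
        print(obs["value"], parameter_scores(POLICY, obs, ent),
              "->", score_observable(POLICY, obs, ent))
```

With the sample policy, the first Observable scores High (Sources, Maliciousness and Entity type all score High, reaching the High threshold of 3), the second scores Medium through two Medium parameters with no High, and the third scores Medium because exactly one parameter (Sources) scored High, which is below the High threshold.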
Decay
Observable Risk scores are subject to decay, meaning an Observable’s Risk score is lowered over time to reflect the underlying intelligence becoming less threatening as time passes.