Observable scoring | Work with policies#

To have Observables be Risk scored, you need to set up the policies that define the scoring parameters.

Each policy you create will apply to the Observable types you select for it. If an Observable type is included in multiple policies, each Observable of that type will be assigned the highest Risk score from among outcomes.

Setting up a new policy#

The detailed steps to setting up a new Risk score policy are described below. In general the flow is:

  1. Create a new policy.

  2. Define at least one Scoring parameter.

  3. Define thresholds for the scores.

  4. Save and possibly backdate.

Create new policies#

  1. From the left sidebar, select Data configuration icon and select Observable risk score.

  2. Select + Create policy in the top-right corner.

  3. Enter a Policy name and select the Observable types you’d like this policy to apply to.

  4. Select Create.
    The Observable scoring policy’s detail pane will open.

Define Observable scoring parameters#

All of the Observable scoring parameters described below are optional, in the sense that you only have to define one of them for the selected Observable types to be scored with this policy.

Scoring parameters are set on the Observable scoring policy’s detail pane, which you can open by selecting Observable risk score in the sidebar and then selecting the Risk score policy you’re setting up.

Observable parameters#

Sources
  1. Under Parameters, select Sources.

  2. Select + Add Score.

  3. From the Source drop-down menu, select all the sources you want to score one risk level for this Observable type.
    Use the Any source type drop-down menu to filter which source types are being shown.

  4. Select the Risk score you would like these sources to score.

  5. Select Add score.

  6. (Optional) Select + in the top-right corner and repeat steps 2 through 4 to add scores for the other risk levels.

Number of sources
  1. Under Parameters, select Number of Sources.

  2. For each of the two drop-down menus, select a number of sources.

Observable types
  1. Under Parameters, select Observable types.

  2. Select + Add Score.

  3. From the Observable type drop-down menu, select all the types you want to score one risk level for this Observable type.

  4. Select the Risk score you would like these types to score.

  5. (Optional) Select + Value to Match and enter (wildcarded) values to assign the chosen Risk score only to Observables that match the value you enter. The wildcard character is *.

  6. Select Add score.

  7. (Optional) Select + in the top-right corner and repeat steps 2 through 4 to add scores for the other risk levels or (wildcarded) values.

Maliciousness
  1. Under Parameters, select Maliciousness.

  2. For each Maliciousness, select its Risk score to change what you’d like that Maliciousness to score. To change a Maliciousness’s Risk score to Not set:

    1. Select its checkbox.

    2. At the top of the table, select Risk score.

    3. Make sure the switches for all Risk scores are toggled off.

    4. Select Apply.

Associated Entity parameters#

Entity type
  1. Under Parameters, select Associated Entity type.

  2. Select + Add Score.

  3. From the Entity type drop-down menu, select all the types you want to score one risk level for this Observable type.

  4. Select the Risk score you would like these types to score.

  5. (Optional) Select + Value to Match and enter Values to match against Entity properties to assign the chosen Risk score only to Entities that match the value you enter in the properties you select.

  6. Select Add score.

  7. (Optional) Select + in the top-right corner and repeat steps 3 through 5 to define the other risk levels or add scores for different (wildcarded) values.

Taxonomy
  1. Under Parameters, select Taxonomy.

  2. Select + Add Score.

  3. From the Taxonomies drop-down menu, select all the taxonomy entries you want to score one risk level for this Observable type.

  4. Select the risk level you want the selected taxonomies to score.

  5. Select Add score.

  6. (Optional) Select + in the top-right corner and repeat steps 3 through 5 to set which taxonomy entries should score the other risk levels.

TLP
  1. Under Parameters, select TLP.

  2. For each TLP, select its Risk score to change what you’d like that TLP to score. To change a TLP’s Risk score to Not set:

    1. Select its checkbox.

    2. At the top of the table, select Risk score.

    3. Make sure the switches for all Risk scores are toggled off.

    4. Select Apply.

Confidence
  1. Under Parameters, select Confidence.

  2. For each Confidence level, select its Risk score to change what you’d like that Confidence level to score. To change a Confidence level’s Risk score to Not set:

    1. Select its checkbox.

    2. At the top of the table, select Risk score.

    3. Make sure the switches for all Risk scores are toggled off.

    4. Select Apply.

Enable or disable Observable scoring parameters#

Making a change to an Observable scoring parameter enables it, meaning it will be included in the overall Observable scoring. To disable or enable an Observable scoring parameter, select the parameter on the Observable scoring policy’s detail pane and toggle the switch in the center of the page.
The ticks in the list of parameters on the left change to reflect the status of each parameter (blue for enabled, grey for disabled).

Define Risk score threshold#

After setting the Risk score parameters, you need to set the threshold values defining how the parameters’ Risk scores combine and result in the Observable’s overall Risk score.
See the Risk score threshold explanation to understand the overall scoring mechanism.

No threshold for single parameter

If you’ve defined or enabled just one parameter, that parameter’s Risk score will always be the Observable’s Risk score.

To define Risk score thresholds:

  1. Go to Data configuration > Observable risk score policies and select the Risk score policy for which you’d like to define the thresholds.

  2. In the bottom-left corner, select Risk score threshold.
    You may have to scroll down.

  3. If you enabled more than one parameter, use the first slider to select the lower threshold for the High overall Risk score level.
    The Observable’s Risk score level will be High if the number of parameters scoring High for that Observable exceeds this number.

  4. Similarly, use the second slider to select the lower threshold for the Medium overall Risk score level.
    The Observable’s Risk score level will be Medium if the number of parameters scoring Medium for that Observable exceeds this number OR if the number of parameters scoring High is less than the number set in the previous step but more than one.

Save and backdate#

Once you’ve configured and enabled all the parameters you want to include in an Observable scoring policy, select Save in the bottom-right corner. The saved Risk score policy will be applied to all newly ingested Observables.

You can check the box next to the Save and Cancel buttons to also apply the Risk score policy to Observables updated within the last 7, 14, or 30 days.

When enabling Risk score policies, make sure you’ve set appropriate decay periods for all relevant Observable types.

Change an existing policy#

To change an existing policy:

  1. From the left sidebar, select Observable risk score policies.

  2. Select the policy you would like to change.