Observable maliciousness resolution#
When an observable is reported by multiple sources, Intelligence Center needs to determine which maliciousness rating to apply. This page describes how Intelligence Center resolves conflicting maliciousness ratings across sources, and how to configure the behaviour for your organisation.
How resolution works#
When multiple sources report on the same observable, Intelligence Center evaluates all observable rules across every source related to that observable. The platform then applies a consistent, policy-driven resolution to determine the final maliciousness rating.
Rules always take precedence#
The most important principle to understand is that rule results take precedence over raw source ratings.
If any source has a matching observable rule, only rule results participate in resolution. The maliciousness value a source independently reports is only used when no source has any matching observable rule at all.
This means: a new feed reporting a different maliciousness rating cannot override an existing rule — regardless of when the data arrives or how reliable that source is.
Source reliability determines the winner#
When multiple sources have matching rules and those rules produce different results, the result from the most reliable source wins.
Source reliability is the A–F rating assigned to each source. Refer to source-reliability for more information.
Sources with no reliability rating set are treated as “Source reliability - F” in the ranking.
Example: Source A (reliability A) has a rule marking an observable as Safe. Source B (reliability C) has a rule marking the same observable as Malicious. The observable is classified as Safe — Source A’s rule wins.
Lower-reliability rules are not suppressed#
If the higher-reliability source has no rule configured for an observable, the lower-reliability source’s rule still applies. The absence of a rule on a higher-reliability source does not suppress a rule that fires on a lower-reliability one.
Example: Source A (reliability A) has no rule. Source B (reliability C) has a rule marking an observable as Malicious. The observable is classified as Malicious. Source A’s raw rating — whatever it may be — does not participate.
Tie-break behaviour#
When two sources share the same reliability rating and their rules produce conflicting results, Intelligence Center applies a configurable tie-break:
Most restrictive wins — the most severe rating is applied (Malicious over Safe)
Most permissive wins — the least severe rating is applied (Safe over Malicious)
The severity ranking from most to least restrictive is:
Malicious (high) → Malicious (medium) → Malicious (low) → Unknown → Safe
Note: Unknown ranks above Safe because the absence of intelligence is a more cautious position than an explicit positive assertion.
The Ignore rule result#
Observable rules can produce Ignore as a result, which instructs the platform not to store the observable at all, or remove the link to an entity.
Ignore participates in the same source reliability arbitration as maliciousness ratings, with one important distinction: if any source produces a maliciousness rating, the observable is always stored — regardless of what other sources say. Ignore only takes effect when no source produces a maliciousness rating.
Example: Source A (reliability A) has a rule returning Ignore. Source B (reliability C) has a rule returning Malicious (high). The observable is classified as Malicious (high) and stored — Source B’s maliciousness rating wins over Source A’s Ignore, because any active intelligence takes precedence over a request to discard.
Resolution scenarios at a glance#
The following table covers the scenarios where the resolution outcome may not be immediately obvious.
Situation |
Outcome |
Why |
|---|---|---|
Two sources have rules, different reliability |
Highest-reliability source’s rule wins |
Reliability reflects how much your organisation trusts a source. The more trusted source’s policy takes precedence. |
Two sources have rules, same reliability, results conflict |
Tie-break setting is applied |
When sources are equally trusted, the platform falls back to your configured preference — most restrictive or most permissive. |
Only the lower-reliability source has a rule |
That rule wins |
A rule is an explicit policy decision. The absence of a rule on a higher-reliability source is not an opinion — it means no policy has been defined for that source yet. |
One source says Ignore, another has a maliciousness rating |
Maliciousness rating wins, observable is stored |
Any active intelligence takes precedence over a request to discard. Storing a potentially malicious observable is safer than discarding it. |
Configuring the feature#
The resolution mechanic is enabled via platform_settings.py.
Activation#
Set OBSERVABLE_MALICIOUSNESS_TIE_BREAK to a valid value to enable the feature:
OBSERVABLE_MALICIOUSNESS_TIE_BREAK = most_restrictive
or
OBSERVABLE_MALICIOUSNESS_TIE_BREAK = most_permissive
Any other value, or leaving the setting commented out, will not enable the mechanic. Existing resolution behaviour is preserved unchanged.
Note
Changing OBSERVABLE_MALICIOUSNESS_TIE_BREAK only affects subsequent resolution decisions. Observables that have already been classified are not retroactively updated.