Configure Custom Scores
Custom scores for threat data objects provide you the flexibility to define scores based on the parameters that impact the lifecycle of indicators of compromise (IOCs), such as relevance, severity, risk, and more. Custom scores help analysts to prioritize analysis, actioning, and dissemination of threat intel.
How do custom scores impact the ingestion, processing, actioning, and dissemination of intel in Intel Exchange?
Ingestion: When creating intel using Quick Add Intel, Threat Mailbox, or RSS Feeds, you can enter the custom score values and create intel. The threat data objects will be ingested with the assigned custom score values. For feed sources such as API, STIX, RSS, Information Sharing, RSS, and Web Scraper, you can configure the default custom score values. Threat intel ingested from the source will be automatically assigned the default custom score values
Processing: When processing a threat data object, you can view and update the custom score values in the Basic Details tab of the threat data object details. You can filter threat data objects using the custom scores in CQL queries.
Actions: To take actions on threat data objects based on the custom score values, you can configure rules and use the custom score as the Rule Type in conditions.
Dissemination: When you publish threat intel to a STIX collection, the custom scores are also published. Subscribers polling data from the STIX collections will receive published data with the custom score values.
Default Custom Scores
By default, Intel Exchange includes the Relevance Score and Severity Score as the out-of-the-box custom scores. You can modify the scores based on your requirements. Refer to the following table for more information about the out-of-the-box custom scores.
Name | API Key | Help Text | Field Type |
|---|---|---|---|
Relevance Score |
| The relevance score communicates how the threat intel data is situated within the attack surface of interest | Single Select List Allowed values:
|
Severity Score |
| The severity score helps prioritize actions based on how much damage the threat intel data has the potential to cause | Integer |
Add Custom Score
Configure a custom score for threat data objects. You can add a maximum of five custom scores.
Before you Start
You must have the View Configuration and Update Configuration permissions.
Steps
To add a custom score, follow these steps:
Go to Administration > Configurations > Custom Scores.
Click Add Custom Score.
Enter the following details:
Name: Enter a name for the custom score within 50 characters. For example, Severity Score.
Help Text: Enter a description for the custom score within 100 characters to provide more information to the analysts. You can include only alphabets and numbers in the help text. For example, This custom score indicates the severity level of an IOC.
Field Type: Select one of the following field types for the custom score:
Text: Allows analysts to enter a text value for the custom score.
Integer: Allows analysts to enter an integer value for the custom score.
Single Select List: Allows analysts to select one of the pre-defined list of values for the custom score.
Values: If you have selected Single Select Field as the field type of the custom score, then click Add Value to define the list of allowed values. You can define a maximum of 10 values for a custom score.
Click Save.
The custom score is added. Analysts can now view and update the custom score value in threat data objects.
Manage Custom Scores
You can perform the following activities to manage custom scores:
Edit: To modify the details of a custom score, such as name, help text, and values. The modified details of the custom score are updated in all threat data objects.
Note
You cannot modify the API key and field type of a custom score.
Disable: To disable a custom score and remove the score from all threat data objects.
Modifying or disabling a custom score does not affect the intel published to STIX collections.