Configure Intel Exchange Risk Score
You can optimize the Intel Exchange Risk Score for indicators by configuring weightage settings. The score calculation uses three primary factors: Source Score, Enrichment Score, and Attribute Score, which reflect the credibility, relevance, and threat level of indicators. A higher Risk Score indicates a higher likelihood of maliciousness.
Source Score: You can define the weightage for the credibility of each threat data source. A trusted source with a higher weightage and the latest data contributes more to the Intel Exchange Risk Score.
Enrichment Score: You can define the impact of enrichment tools on the final Risk Score. Customizing the Enrichment Score weightage helps ensure that the enrichment tools of your preference contribute to accurate scoring.
Attribute Score: Set the weightage for specific attributes of each indicator, which can enhance or reduce its overall Risk Score based on attribute relevance.
Note
Intel Exchange applies the following weightage distribution for Intel Exchange Risk Score:
Source Score: 75%
Enrichment Score: 10%
Attribute Score: 15%
Steps
To configure the Intel Exchange Risk Score, follow these steps:
Sign in to Intel Exchange.
Go to Administration > Risk Score Engine.
Click the vertical ellipsis for the Intel Exchange Risk Score and select Edit.
Source Score: Customize the impact of threat data source credibility on the final Risk Score. Click + Source to add configured sources to the weightage.
Sources enabled in Integration Management > Feed Sources are automatically added. By default:
STIX, API, Information Sharing, Sandbox, and Miscellaneous are each assigned 100%.
RSS Feeds, Email, Web Scraper, and Webhooks are each assigned 60%.
Note
Sources added in the External Risk Score are unavailable while configuring the Intel Exchange Risk Score.
CrowdStrike and Recorded Future are configured only in the External Risk Score and are not a part of the Intel Exchange Risk Score.
By default, the Source Score contributes 75% of the final Risk Score. You can adjust this using the Overall Source Score Weightage setting.
Enrichment Score: Customize the impact of enrichment sources on the final Risk Score. Click + Enrichment Tool to add configured enrichment tools to the weightage.
Tools configured and enabled in Enrichment Management > Enrichment Tools are automatically added. Intel Exchange calculates enrichment scores only after the intel is enriched using these tools.
The score for Malicious is 100, and the score for Non-malicious is 0. Tools that return an enrichment verdict of NA are not considered in the final Intel Exchange Risk Score.
By default, the Enrichment Score contributes 10% to the final Risk Score. You can adjust this using the Overall Enrichment Score Weightage setting.
Attribute Score: Customize the impact of indicator attributes on the final Risk Score. Click + Attribute to add configured attributes to the weightage.
Primary: Select the properties directly associated with the indicator.
Secondary: Select the objects associated with the indicator.
Each attribute you configure contributes to the overall attribute score weightage, which affects the Intel Exchange Risk Score distribution.
By default, the Attribute Score contributes 15% to the final Risk Score. You can adjust this using the Overall Attribute Score Weightage setting.
The following are the default weightages for attributes:
Primary Attributes: 100
Secondary Attributes (related SDOs):
Threat Actor / Malware / Infrastructure / Indicator / Campaign / Vulnerability: 100
Attack Pattern / Intrusion Set: 90
Tool: 85
Course of Action: 75
All other SDOs: 50
Note
Intel Exchange calculates the average based only on attribute values that are present. Attribute values that are not found or marked as ‘NA’ are excluded from the calculation.
Decay Information: Set the decay period for the indicator types to define how the source-reported confidence and enrichment scores diminish over time, ensuring the sources and enrichment tools reporting the latest data have a higher influence on the overall Risk Score.
Note
If an indicator's Source Modified Date exceeds the defined decay period, the source confidence score is reduced to 0.
(Optional) To test the impact of your configuration on the Risk Score, click Run Simulator. For more information, see Run Simulator.
Click Save.
Note
Ensure the sum of the Overall Source Score, Enrichment Score, and Attribute Score weightage is 100%.
The Risk Score is automatically set to 0 if the indicator status is updated to Indicators Allowed, False Positive, or Deprecated.
Run Simulator
The Risk Score Simulator helps you assess the impact of selected configurations on the final Risk Score for an indicator. From the dropdown, you can select the indicator type to run the simulation.
Source Score
The following columns are available while editing the Source Score in the simulator:
Source Confidence: Enter the projected source confidence for each source.
Last Reported (Days): Enter the number of days since the indicator was last reported. The rate of decay of the specified Source Confidence is determined by this value.
Final Score: This score is auto-populated based on the specified Source Score weightage and the decay period for the threat data object.
For example, if you set a source's weightage to 100%, the source confidence to 85, the last reported value to 50 days, and the decay period to 365 days, the final source confidence decays to 80.14.
Similarly, if you set the weightage to 50%, the source confidence to 85, the last reported value to 50 days, and the decay period to 180 days, the final source confidence decays to 37.19.
Enrichment Score
The following columns are available while editing the Enrichment Score in the simulator:
Enrichment Verdict: Select the source verdict for the threat data object as Malicious or Non-Malicious. The score for the Malicious verdict is 100, and the Non-malicious verdict is 0.
Last Enriched (Days): Enter the number of days since the threat data object was last enriched by the enrichment tool.
Final Score: The score is auto-populated based on the specified Enrichment Score weightage and decay period for the threat data object.
For example, if you set an enrichment tool's weightage to 100%, the enrichment verdict to Malicious, the last enriched value to 50 days, and the decay period to 365 days, the final enrichment score decays to 94.29.
Similarly, if you set the weightage to 50%, the verdict to Malicious, the last enriched value to 50 days, and the decay period to 180 days, the final enrichment score decays to 43.75.
Attribute Score
The following columns are available while editing the Attribute Score in the simulator:
Value: This attribute value is pre-populated from the previously configured Intel Exchange Risk Score.
Include: Turn on the toggle to include the attribute while calculating the final simulated Risk Score.
Final Score: This final score is calculated based on the included attribute types.
The attribute score is an average of the previously configured weightage of the attributes.
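The scoring rules on this page, modeled in Python as an added example (not Intel Exchange's own code), useful for sanity-checking a weightage change before saving it. Assumptions: the three component scores combine as a weighted sum, and per-source and per-tool scores are averaged within a component; the page does not give the decay curve, so the already-decayed Final Score values from the simulator examples are used as inputs. All function and field names are hypothetical.

```python
from statistics import mean

# Default overall weightages from this page, in percent.
DEFAULT_WEIGHTS = {"source": 75, "enrichment": 10, "attribute": 15}
# Statuses that force the Risk Score to 0 (from this page).
ZEROED_STATUSES = {"Indicators Allowed", "False Positive", "Deprecated"}
NA = "NA"


def component_average(values):
    """Average only the values that are present; NA entries are excluded."""
    present = [v for v in values if v != NA and v is not None]
    return float(mean(present)) if present else 0.0


def source_component(sources):
    """Each source carries its decayed Final Score plus age and decay period.
    A source older than its decay period contributes a confidence of 0."""
    scores = [0.0 if s["days"] > s["decay_period"] else s["final_score"]
              for s in sources]
    return component_average(scores)  # assumption: sources are averaged


def risk_score(status, sources, enrichment, attributes, weights=DEFAULT_WEIGHTS):
    """Combine the three components (assumed weighted sum), 0-100 scale."""
    if sum(weights.values()) != 100:
        raise ValueError("overall weightages must sum to 100%")
    if status in ZEROED_STATUSES:
        return 0.0
    parts = {
        "source": source_component(sources),
        "enrichment": component_average(enrichment),
        "attribute": component_average(attributes),
    }
    return round(sum(weights[k] * parts[k] for k in parts) / 100, 2)


# Constructed sample built from the simulator examples on this page.
SAMPLE_SOURCES = [
    {"final_score": 80.14, "days": 50, "decay_period": 365},
    {"final_score": 37.19, "days": 50, "decay_period": 180},
]
SAMPLE_ENRICHMENT = [94.29, NA]        # second tool returned NA, so it is skipped
SAMPLE_ATTRIBUTES = [100, 85, 75, NA]  # Primary, Tool, Course of Action, one missing
SAMPLE_STATUS = "Active"               # constructed placeholder, not a zeroing status

if __name__ == "__main__":
    print(risk_score(SAMPLE_STATUS, SAMPLE_SOURCES, SAMPLE_ENRICHMENT, SAMPLE_ATTRIBUTES))
```

Compare the result with the Run Simulator output for the same inputs; a difference points to one of the labeled assumptions rather than to the configuration.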