Cyware Threat Intelligence eXchange

Configure Intel Exchange Risk Score

You can optimize the Intel Exchange Risk Score for indicators by configuring weightage settings. The score calculation uses three primary factors (Source Score, Enrichment Score, and Attribute Score) that reflect the credibility, relevance, and threat level of indicators. A higher Risk Score indicates a higher likelihood of maliciousness.

Note

By default, the Intel Exchange Risk Score is enabled with an Overall Source Score Weightage of 100%.

  • Source Score: You can define the weightage for the credibility of each threat data source. A trusted source with a higher weightage and the latest data can contribute more to the overall Intel Exchange Risk Score, giving you greater control over the Risk Score for indicators based on source reliability.

  • Enrichment Score: You can define the impact of enrichment tools on the final Risk Score. Customizing the Enrichment Score weightage helps ensure that the enrichment tools of your preference contribute to accurate scoring.

  • Attribute Score: Set the weightage for specific attributes of each indicator, which can enhance or reduce its overall Risk Score based on attribute relevance.

Steps 

To configure the Intel Exchange Risk Score, follow these steps:

  1. Sign in to Intel Exchange.

  2. Go to Administration > Risk Score Engine.

  3. Click the vertical ellipsis for the Intel Exchange Risk Score and select Edit.

    • Source Score: Customize the impact of the credibility of the threat data sources on the final Risk Score. Click + Source to add configured sources to the weightage. Each source you add will affect the overall source score weightage, which in turn affects the Intel Exchange Risk Score distribution. By default, sources that are configured and enabled in Integration Management > Feed Sources are automatically added with a weightage of 50% each.

      Note

      Sources that were previously added in External Risk Score are unavailable while configuring the Intel Exchange Risk Score.

      You can adjust the Overall Source Score Weightage, which defines the impact of the Source Score on the final Risk Score.

    • Enrichment Score: Customize the impact of enrichment sources on the final Risk Score. Click + Enrichment Tool to add configured enrichment tools to the weightage. Each enrichment tool you add will affect the overall enrichment score weightage, which in turn affects the Intel Exchange Risk Score distribution. By default, enrichment tools that are configured and enabled in Enrichment Management > Enrichment Tools are automatically added with a weightage of 50% each. 

      The score for Malicious is 100 and Non-malicious is 0. Tools that return the enrichment verdict as NA are not considered in the final Intel Exchange Risk Score.

      You can adjust the Overall Enrichment Score Weightage, which defines the impact of the Enrichment Score on the final Risk Score.

    • Attribute Score: Customize the impact of attributes of the threat object on the final Risk Score. Click + Attribute to add configured attributes to the weightage.

      Primary: Select the properties of the indicator.

      Secondary: Select the objects related to the indicator.

      Each attribute you add will affect the overall attribute score weightage, which in turn affects the Intel Exchange Risk Score distribution.

      You can adjust the Overall Attribute Score Weightage, which defines the impact of the Attribute Score on the final Risk Score.

    • Decay Information: Set the decay period for the indicator types to define how the source-reported confidence score and enrichment scores diminish over time, ensuring the sources and enrichment tools reporting the latest data have a higher influence on the overall Risk Score.

      Note

      If an indicator's Source Modified Date exceeds the defined decay period, the source confidence score is reduced to 0.

  4. (Optional) To test the impact of your configuration on the Risk Score, click Run Simulator. For more information, see Run Simulator.

  5. Click Save.

    Note

    Ensure the sum of the Overall Source Score, Enrichment Score, and Attribute Score weightage is 100%.

Run Simulator

The Risk Score Simulator helps you assess the impact of selected configurations on the final Risk Score for an indicator. From the dropdown, you can select the indicator type to run the simulation.

Source Score 

The following columns are available while editing the Source Score in the simulator:

  • Source Confidence: Enter the projected source confidence for each source.

  • Last Reported (Days): Enter the number of days since the indicator was last reported. The rate of decay of the specified Source Confidence is determined by this value.

  • Final Score: This score is auto-populated based on the specified Source Score weightage and the decay period for the threat data object.

For example, if you specify a weightage of 100%, a source confidence of 85, a last reported value of 50 days, and a decay period of 365 days for a source, the final source confidence is decayed to a value of 80.14.

Similarly, if you specify a weightage of 50%, a source confidence of 85, a last reported value of 50 days, and a decay period of 180 days, the final source confidence is decayed to a value of 37.19.

Enrichment Score 

The following columns are available while editing the Enrichment Score in the simulator:

  • Enrichment Verdict: Select the source verdict for the threat data object as Malicious or Non-Malicious. The score for the Malicious verdict is 100 and the Non-malicious verdict is 0.

  • Last Enriched (Days): Enter the number of days since the threat data object was last enriched by the enrichment tool.

  • Final Score: The score is auto-populated based on the specified Enrichment Score weightage and decay period for the threat data object.

For example, if you specify a weightage of 100%, an enrichment verdict of Malicious, a last enriched value of 50 days, and a decay period of 365 days for an enrichment tool, the final enrichment score is decayed to a value of 94.29.

Similarly, if you specify a weightage of 50%, a verdict of Malicious, a last enriched value of 50 days, and a decay period of 180 days, the final enrichment score is decayed to a value of 43.75.
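The four worked figures in the Source Score and Enrichment Score sections can be cross-checked against each other. The following Python is an added example, not Cyware's code or documented formula: it assumes Final Score = base score x weightage x decay factor, backs the decay factor out of the page's own numbers, and compares it with a hypothetical straight-line decay. All function and field names are illustrative.

```python
from collections import defaultdict
from typing import NamedTuple

class Row(NamedTuple):
    kind: str          # "source" or "enrichment"
    weight_pct: float  # weightage entered in the simulator
    base: float        # source confidence, or 100 for a Malicious verdict
    age_days: int      # Last Reported / Last Enriched (Days)
    decay_days: int    # decay period
    final: float       # Final Score quoted on this page

# The four worked examples quoted in the Run Simulator section.
PAGE_ROWS = [
    Row("source", 100, 85, 50, 365, 80.14),
    Row("enrichment", 100, 100, 50, 365, 94.29),
    Row("source", 50, 85, 50, 180, 37.19),
    Row("enrichment", 50, 100, 50, 180, 43.75),
]

def implied_factor(r: Row) -> float:
    """Share of the weighted base score that survives decay (assumed model)."""
    return r.final / (r.base * r.weight_pct / 100)

def linear_factor(r: Row) -> float:
    """Hypothetical straight-line decay, for comparison only."""
    return max(0.0, 1 - r.age_days / r.decay_days)

def factors_by_setting(rows):
    """Group implied factors by (age, decay period) to compare the two score kinds."""
    grouped = defaultdict(dict)
    for r in rows:
        grouped[(r.age_days, r.decay_days)][r.kind] = round(implied_factor(r), 3)
    return dict(grouped)

def predict_source(confidence, weight_pct, age_days, decay_days, factor):
    """Assumed model; past the decay period the page states the confidence is 0."""
    if age_days > decay_days:
        return 0.0
    return confidence * weight_pct / 100 * factor

def max_cross_check_error(rows):
    """Predict each source row from the enrichment factor at the same setting."""
    enrich = {(r.age_days, r.decay_days): implied_factor(r)
              for r in rows if r.kind == "enrichment"}
    return max(abs(predict_source(r.base, r.weight_pct, r.age_days, r.decay_days,
                                  enrich[(r.age_days, r.decay_days)]) - r.final)
               for r in rows if r.kind == "source")

if __name__ == "__main__":
    for setting, factors in factors_by_setting(PAGE_ROWS).items():
        print(setting, factors)
    print("max cross-check error:", round(max_cross_check_error(PAGE_ROWS), 4))
```

Both score types imply the same factor for the same age and decay period, and that factor is higher than a straight-line decay would give, so an indicator loses score slowly early in its decay period.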

Attribute Score 

The following columns are available while editing the Attribute Score in the simulator:

  • Value: This attribute value is pre-populated from the previously configured Intel Exchange Risk Score.

  • Include: Turn on the toggle to include the attribute while calculating the final simulated Risk Score.

  • Final Score: This final score is calculated based on the included attribute types.

    The attribute score is an average of the previously configured weightage of the attributes.