How is an event score determined?

Ultimately, the event score of a security event is determined by the Stellar Cyber Red Team and Machine Learning team in consultation with security experts throughout the organization.

In detail, the security event score is calculated from three components of an event: severity, fidelity, and threat intelligence. Threat intelligence is derived from the various threat intelligence feeds and from ML determinations about individual users and assets.

The final event score is determined primarily by severity, with adjustments made based on the fidelity and threat intelligence scores. This means the event score will be in the vicinity of the severity. If either fidelity or threat intelligence carries strong confidence, the event score will be higher than the base severity score. If both of them are low, the event score will be lower than the base severity score.

The exact algorithm differs by event type, based on the expertise of its designers. For example, a DNS Tunneling Anomaly starts with a severity of 98, but if your Red Team has been practicing DNS Tunneling for a while and the activity is quite common, the fidelity might be 4, and private addresses have no threat intelligence (Threat Intel: N/A). The final risk score might still be 97 because data exfiltration is a great threat. On the other hand, SMB Username Enumeration begins with a severity of 30. The first time it is seen on a network (fidelity 100), the risk score of that event might be 55.
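As an added illustration, the following toy model in Python follows the rule described above (severity dominates; a strong fidelity or threat intelligence signal pushes the score up; both weak pushes it down). It is not Stellar Cyber's actual algorithm, which this page does not disclose; the per-type weights and the "strong" threshold are hypothetical and were picked so that the two examples on this page come out at 97 and 55.

```python
from dataclasses import dataclass
from typing import Optional

STRONG = 50  # hypothetical threshold above which a component counts as "strong confidence"


@dataclass(frozen=True)
class EventType:
    name: str
    severity: int        # base severity, 0-100 (from the page)
    raise_weight: float  # hypothetical per-type weight for the upward adjustment
    lower_weight: float  # hypothetical per-type weight for the downward adjustment


def event_score(et: EventType, fidelity: int, threat_intel: Optional[int]) -> int:
    """Severity-dominant score with bounded adjustments (illustrative model only).

    fidelity and threat_intel are 0-100; threat_intel=None means "Threat Intel: N/A"
    and is treated as zero confidence.
    """
    ti = 0 if threat_intel is None else threat_intel
    confidence = max(fidelity, ti) / 100.0
    if fidelity >= STRONG or ti >= STRONG:
        # At least one strong signal: move up toward 100, scaled by the remaining headroom.
        score = et.severity + (100 - et.severity) * confidence * et.raise_weight
    else:
        # Both signals weak: move down toward 0, scaled by how weak they are.
        score = et.severity - et.severity * (1.0 - confidence) * et.lower_weight
    return int(round(min(100.0, max(0.0, score))))


# Event types from the page; weights are constructed for this illustration.
DNS_TUNNELING = EventType("DNS Tunneling Anomaly", 98, raise_weight=0.5, lower_weight=0.011)
SMB_USER_ENUM = EventType("SMB Username Enumeration", 30, raise_weight=0.36, lower_weight=0.5)


def page_examples() -> dict:
    """Reproduce the two worked examples from the page with the toy model."""
    return {
        "dns_tunneling_common": event_score(DNS_TUNNELING, fidelity=4, threat_intel=None),
        "smb_enum_first_seen": event_score(SMB_USER_ENUM, fidelity=100, threat_intel=None),
    }


if __name__ == "__main__":
    for label, score in page_examples().items():
        print(f"{label}: {score}")
```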

Over time, Stellar Cyber continues to improve the algorithms used to calculate event scores as the threat and attack landscape changes.