The Silent Push Risk Score provides an at-a-glance assessment of the risk associated with an indicator. It is displayed at the top left of the Total View screen and as color-coded dots next to each indicator.
Scanning through passive DNS data returns a risk indication for every record. Once the colored dots appear, hover over one to view the risk score and the reason it was assigned to the indicator.
The risk score is derived from a set of attributes that varies by observable type (domain or IP).
Domain-based scoring
Metric | Description | Flag Impact |
---|---|---|
IOFA Feed History Score | Based on the frequency and recency of an observable's presence within IOFA feeds | |
NS Reputation Score | Based on the name servers currently associated with the domain. The reputation score compares the number of domains hosted on the name server with the number of those domains listed in threat intelligence feeds | |
NS Entropy Score | Reflects the recency, frequency, and number of name server changes associated with the domain | |
Age Score | Based on the age of the domain as seen in DNS zone files, with more recently created domains receiving a higher score | |
Is New Score | 100 if created within the last 24 hours, indicating higher risk | |
Is Expired | Flag indicating the domain has expired | Reduces SP Risk Score to 0 |
Is Parked | Flag indicating the domain is parked | Reduces SP Risk Score to 0 |
Is Sinkholed | Flag indicating the domain is a sinkhole | Reduces SP Risk Score to 0 |
SP Risk Score | Highest of: listing_score, ns_reputation_score, ns_entropy_score, age_score, is_new_score. Set to 0 if any flag (is_expired, is_parked, is_sinkholed) is true. | |
IP-based scoring
Metric | Description | Flag Impact |
---|---|---|
IOFA Feed History Score | Based on the frequency and recency of an observable's presence within IOFA feeds | |
IP Reputation Score | Based on the number of DNS A record names that resolve to this IPv4 address and have been listed on IOFA feeds | |
ASN Takedown Reputation Score | Based on the time an ASN owner takes to react to takedown requests; a higher score indicates a slower response | |
ASN Reputation Score | Ratio of blacklisted IPs to total active IPs in an ASN over the last 30 days | |
Subnet Reputation Score | Ratio of blacklisted IPs to total active IPs in a subnet over the last 30 days | |
Known Benign | Flag indicating that the IP is known benign | Reduces SP Risk Score to 0 |
Known Sinkhole | Flag indicating that the IP is a sinkhole | Reduces SP Risk Score to 0 |
SP Risk Score | Highest of: listing_score, ip_reputation, asn_takedown_reputation, asn_reputation, subnet_reputation. Set to 0 if any flag (known_benign, known_sinkhole_ip) is true. | |
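
The aggregation rule from the two SP Risk Score rows, as an added Python example (not Silent Push's own code): the highest component score wins unless a flag is set, and the metric or flag that decided the result is returned with it. The dict-shaped record, the function name `sp_risk_score`, the sample values, and the choice to skip missing or null components are assumptions; the field names are those listed in the tables.

```python
# Added illustration of the documented rule; not Silent Push's implementation.
# Field names come from the tables above; the record layout is an assumption.
RULES = {
    "domain": {
        "scores": ("listing_score", "ns_reputation_score", "ns_entropy_score",
                   "age_score", "is_new_score"),
        "flags": ("is_expired", "is_parked", "is_sinkholed"),
    },
    "ip": {
        "scores": ("listing_score", "ip_reputation", "asn_takedown_reputation",
                   "asn_reputation", "subnet_reputation"),
        "flags": ("known_benign", "known_sinkhole_ip"),
    },
}


def sp_risk_score(kind, record):
    """Return (score, reason) for a 'domain' or 'ip' record."""
    rule = RULES[kind]
    # Any true flag overrides every component score and forces 0.
    raised = [f for f in rule["flags"] if record.get(f)]
    if raised:
        return 0, "flag: " + ", ".join(raised)
    # Assumption: components that are absent or null are skipped, so an
    # incomplete record is not mistaken for a low-risk one.
    present = {k: record[k] for k in rule["scores"] if record.get(k) is not None}
    if not present:
        return None, "no component scores available"
    # On a tie, the first metric in table order is reported as the driver.
    driver = max(present, key=present.get)
    return present[driver], "highest component: " + driver


# Constructed sample records (values are illustrative, not real lookups).
SAMPLE_DOMAIN = {"listing_score": 0, "ns_reputation_score": 35,
                 "ns_entropy_score": 12, "age_score": 80, "is_new_score": 100,
                 "is_expired": False, "is_parked": False, "is_sinkholed": False}
SAMPLE_PARKED = dict(SAMPLE_DOMAIN, is_parked=True)
SAMPLE_IP = {"listing_score": 40, "ip_reputation": 65,
             "asn_takedown_reputation": None, "asn_reputation": 20,
             "subnet_reputation": 65,
             "known_benign": False, "known_sinkhole_ip": False}

if __name__ == "__main__":
    for kind, rec in (("domain", SAMPLE_DOMAIN), ("domain", SAMPLE_PARKED),
                      ("ip", SAMPLE_IP)):
        print(kind, sp_risk_score(kind, rec))
```

A score of 0 with a `flag:` reason means the components were suppressed, not that they were low, so the raw component values are still worth reviewing when triaging a parked, expired or sinkholed indicator.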