Silent Push Risk Score
The Silent Push Risk Score provides an at-a-glance assessment of the risk associated with an indicator. The Risk Score is displayed at the top left of the Total View screen, and also as color-coded dots located next to each indicator.
Scanning through passive DNS data returns a risk indication for every record. As soon as the colored dots appear, you can hover over them to view the risk score and the risk score reason which explains why the risk score was assigned to the indicator.
The risk score displayed is taken from a variety of attributes, varying by domain and IP observable type.
Domain-based scoring
IOFA Feed History Score (listing_score)
- A score based on the frequency and recency of an observable's presence within IOFA feeds

NS Reputation Score (ns_reputation_score)
- A score based on the name servers currently associated with the domain. The reputation score is based on the number of domains hosted on the name server versus the number of those domains listed in threat intelligence feeds

NS Entropy Score (ns_entropy_score)
- A score that reflects the recency, frequency, and number of name server changes associated with the domain

Age Score (age_score)
- A score that is based on the age of the domain as seen in DNS zone files, with more recently created domains receiving a higher score

Is New Score (is_new_score)
- This score is 100 if the domain has been created within the last 24 hours, reflecting that newly created domains represent a higher risk when observed in network traffic

Is Expired (is_expired)
- A flag indicating that the domain has expired

Is Parked (is_parked)
- A flag indicating that the domain is parked

Is Sinkholed (is_sinkholed)
- A flag indicating that the domain is a sinkhole

SP Risk Score (sp_risk_score)
- This is the score that is displayed. It is equal to the highest of the following scores: IOFA Feed History Score, NS Reputation Score, NS Entropy Score, Age Score, Is New Score. The score is reduced to 0 if any of these flags is true: Is Expired, Is Parked, Is Sinkholed
IP-based scoring
IOFA Feed History Score (listing_score)
- A score based on the frequency and recency of an observable's presence within IOFA feeds

IP Reputation Score (ip_reputation)
- A score based on the number of DNS A record names resolving to this IPv4 address that have been listed on IOFA feeds. The score reflects volume rather than severity

ASN Takedown Reputation Score (asn_takedown_reputation)
- A reputation score based on the time it takes for an ASN owner to react to takedown requests related to malicious URLs. A higher reputation score indicates the ASN owner is slow to react to takedown requests

ASN Reputation Score (asn_reputation)
- The ratio of blacklisted IPs to the total number of IPs that have been observed as being active within an ASN in the last 30 days

Subnet Reputation Score (subnet_reputation)
- The ratio of blacklisted IPs to the total number of IPs that have been observed as being active within a particular subnet in the last 30 days

Known Benign (known_benign)
- A flag indicating that the IP is known benign

Known Sinkhole IP (known_sinkhole_ip)
- A flag indicating that the IP is a sinkhole

SP Risk Score (sp_risk_score)
- This is the score that is displayed. It is equal to the highest of the following scores: IOFA Feed History Score, IP Reputation Score, ASN Takedown Reputation Score, ASN Reputation Score, Subnet Reputation Score. The score is reduced to 0 if any of these flags is true: Known Benign, Known Sinkhole IP
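The following is an added example, not Silent Push code, that reproduces the SP Risk Score rule for both the domain-based and IP-based cases described above: take the highest component score, then suppress it to 0 when any of the listed flags is set. It also shows the 24-hour rule behind Is New Score. Field names follow the page; the records, timestamps and the "reason" wording are constructed for illustration, and treating a missing score as 0 is an assumption.

```python
from datetime import datetime, timedelta

# Component scores and suppressing flags for each observable type, as listed on the page.
DOMAIN_SCORES = ("listing_score", "ns_reputation_score", "ns_entropy_score",
                 "age_score", "is_new_score")
DOMAIN_ZERO_FLAGS = ("is_expired", "is_parked", "is_sinkholed")

IP_SCORES = ("listing_score", "ip_reputation", "asn_takedown_reputation",
             "asn_reputation", "subnet_reputation")
IP_ZERO_FLAGS = ("known_benign", "known_sinkhole_ip")


def is_new_score(created_at_iso, now_iso):
    """Is New Score: 100 if the domain was created within the last 24 hours, else 0.
    Both arguments are ISO 8601 timestamps with an explicit UTC offset (assumption)."""
    created_at = datetime.fromisoformat(created_at_iso)
    now = datetime.fromisoformat(now_iso)
    return 100 if now - created_at < timedelta(hours=24) else 0


def sp_risk_score(record, score_fields, zero_flags):
    """Return (score, reason). The score is the highest component score, or 0 when
    any suppressing flag is true. Missing component scores count as 0 (assumption);
    the reason string is a constructed stand-in for the UI's risk score reason."""
    for flag in zero_flags:
        if record.get(flag):
            return 0, f"suppressed: {flag} is true"
    best_field = max(score_fields, key=lambda f: record.get(f, 0))
    best = record.get(best_field, 0)
    return best, f"highest component: {best_field}={best}"


def domain_risk(record):
    return sp_risk_score(record, DOMAIN_SCORES, DOMAIN_ZERO_FLAGS)


def ip_risk(record):
    return sp_risk_score(record, IP_SCORES, IP_ZERO_FLAGS)


# Constructed sample records (not real observables or real scores).
SAMPLE_DOMAIN_NEW = {
    "listing_score": 0, "ns_reputation_score": 35, "ns_entropy_score": 10,
    "age_score": 90,
    "is_new_score": is_new_score("2024-01-02T00:00:00+00:00", "2024-01-02T12:00:00+00:00"),
    "is_expired": False, "is_parked": False, "is_sinkholed": False,
}
SAMPLE_DOMAIN_PARKED = {
    "listing_score": 80, "ns_reputation_score": 60, "ns_entropy_score": 20,
    "age_score": 5, "is_new_score": 0,
    "is_expired": False, "is_parked": True, "is_sinkholed": False,
}
SAMPLE_IP_LISTED = {
    "listing_score": 70, "ip_reputation": 40, "asn_takedown_reputation": 55,
    "asn_reputation": 20, "subnet_reputation": 30,
    "known_benign": False, "known_sinkhole_ip": False,
}
SAMPLE_IP_SINKHOLE = {
    "listing_score": 95, "ip_reputation": 90, "asn_takedown_reputation": 10,
    "asn_reputation": 10, "subnet_reputation": 10,
    "known_benign": False, "known_sinkhole_ip": True,
}

if __name__ == "__main__":
    for name, fn, rec in (("new domain", domain_risk, SAMPLE_DOMAIN_NEW),
                          ("parked domain", domain_risk, SAMPLE_DOMAIN_PARKED),
                          ("listed IP", ip_risk, SAMPLE_IP_LISTED),
                          ("sinkhole IP", ip_risk, SAMPLE_IP_SINKHOLE)):
        score, reason = fn(rec)
        print(f"{name}: sp_risk_score={score} ({reason})")
```

The parked and sinkhole samples illustrate why the flags matter when triaging: both carry high component scores, but the displayed score is 0, so an analyst reading only the dot colour would not see the underlying feed listings unless they hover for the reason.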