Understand Silent Push risk scores


Silent Push Risk Score provides an at-a-glance assessment of the risk associated with the indicator. The Risk Score is displayed on the top left of the Total View screen as well as in color-coded dots located next to an indicator.

Scanning through passive DNS data returns a risk indication for every record. As soon as the colored dots appear, you can hover over them to view the risk score and the risk score reason which explains why the risk score was assigned to the indicator.

The risk score displayed is taken from a variety of attributes, varying by domain and IP observable type.

Domain-based scoring

  • IOFA Feed History Score (listing_score) - A score based on the frequency and recency of an observable's presence within IOFA feeds
  • NS Reputation Score (ns_reputation_score) - A score based on the name servers currently associated with the domain. The reputation score is based on the number of domains hosted on the name server versus the number of those domains listed in threat intelligence feeds
  • NS Entropy Score (ns_entropy_score) - A score that reflects the recency, frequency, and number of name server changes associated with the domain
  • Age Score (age_score) - A score that is based on the age of the domain as seen in DNS zone files, with more recently created domains receiving a higher score
  • Is New Score (is_new_score) - This score is 100 if the domain has been created within the last 24 hours, reflecting that newly created domains represent a higher risk when observed in network traffic
  • Is Expired (is_expired) - A flag indicating that the domain has expired
  • Is Parked (is_parked) - A flag indicating that the domain is parked
  • Is Sinkholed (is_sinkholed) - A flag indicating that the domain is a sinkhole
  • SP Risk Score (sp_risk_score) - This is the score that is displayed and is equal to the highest of the following scores: IOFA Feed History Score, NS Reputation Score, NS Entropy Score, Age Score, Is New Score. The score will be reduced to 0 if any of these flags is true: Is Expired, Is Parked, Is Sinkholed

IP-based scoring

  • IOFA Feed History Score (listing_score) - A score based on the frequency and recency of an observable's presence within IOFA feeds
  • IP Reputation Score (ip_reputation) - A score based on the number of DNS A record names resolving to this IPv4 address and that have been listed on IOFA feeds. The score reflects volume rather than severity
  • ASN Takedown Reputation Score (asn_takedown_reputation) - A reputation score based on the time it takes for an ASN owner to react to takedown requests related to malicious URLs. A higher reputation score indicates the ASN owner is slow to react to takedown requests
  • ASN Reputation Score (asn_reputation) - The ratio of blacklisted IPs, taken from the total number of IPs that have been observed as being active within an ASN, in the last 30 days
  • Subnet Reputation Score (subnet_reputation) - The ratio of blacklisted IPs, taken from the total number of IPs that have been observed as being active within a particular subnet in the last 30 days
  • Known Benign (known_benign) - A flag indicating that the IP is known benign
  • Known Sinkhole IP (known_sinkhole_ip) - A flag indicating that the IP is a sinkhole
  • SP Risk Score (sp_risk_score) - This is the score that is displayed and is equal to the highest of the following scores: IOFA Feed History Score, IP Reputation Score, ASN Takedown Reputation Score, ASN Reputation Score, Subnet Reputation Score. The score will be reduced to 0 if any of these flags is true: Known Benign, Known Sinkhole IP
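The two SP Risk Score definitions above (domain and IP) follow the same rule: take the highest of the component scores, then reduce the result to 0 if any suppressing flag is set. The following is an added worked example that re-implements that rule for both observable types; it is not Silent Push's own code. The attribute names are the ones listed on this page; the sample records are constructed, and the treatment of a missing attribute as 0 or false, as well as the wording of the reason string, are assumptions made for the example.

```python
"""Illustrative re-implementation of how the displayed sp_risk_score is derived
from its component attributes, as described on this page. Not Silent Push code.
Assumptions: a missing attribute counts as 0 (score) or False (flag); the
reason string format is this example's own."""

from typing import Any, Dict, Iterable, List, Mapping, Tuple

# Component scores and suppressing flags per observable type (names from the page).
DOMAIN_SCORE_FIELDS = (
    "listing_score", "ns_reputation_score", "ns_entropy_score",
    "age_score", "is_new_score",
)
DOMAIN_FLAG_FIELDS = ("is_expired", "is_parked", "is_sinkholed")

IP_SCORE_FIELDS = (
    "listing_score", "ip_reputation", "asn_takedown_reputation",
    "asn_reputation", "subnet_reputation",
)
IP_FLAG_FIELDS = ("known_benign", "known_sinkhole_ip")


def sp_risk_score(record: Mapping[str, Any],
                  score_fields: Iterable[str],
                  flag_fields: Iterable[str]) -> Tuple[int, str]:
    """Return (score, reason) for one record.

    Any true suppressing flag wins and forces the score to 0; otherwise the
    score is the highest component score and the reason names that component
    (on a tie, the first field in page order is reported)."""
    for flag in flag_fields:
        if bool(record.get(flag, False)):          # assumption: missing flag == False
            return 0, f"suppressed: {flag}"
    best_field, best_value = max(
        ((f, int(record.get(f, 0))) for f in score_fields),  # assumption: missing == 0
        key=lambda kv: kv[1],
    )
    return best_value, f"highest component: {best_field}"


def domain_risk(record: Mapping[str, Any]) -> Tuple[int, str]:
    return sp_risk_score(record, DOMAIN_SCORE_FIELDS, DOMAIN_FLAG_FIELDS)


def ip_risk(record: Mapping[str, Any]) -> Tuple[int, str]:
    return sp_risk_score(record, IP_SCORE_FIELDS, IP_FLAG_FIELDS)


def annotate(records: Iterable[Mapping[str, Any]], scorer) -> List[Dict[str, Any]]:
    """Attach sp_risk_score and risk_reason to each record (the values a user
    would see on hover) and order the result highest-risk first for triage."""
    out = []
    for rec in records:
        score, reason = scorer(rec)
        out.append({**rec, "sp_risk_score": score, "risk_reason": reason})
    return sorted(out, key=lambda r: r["sp_risk_score"], reverse=True)


# Constructed sample records (not real observables).
SAMPLE_DOMAINS = [
    {"name": "brand-new.example", "listing_score": 20, "age_score": 85,
     "is_new_score": 100},                                   # created < 24h ago
    {"name": "parked.example", "listing_score": 90, "is_parked": True},
    {"name": "old-ns-churn.example", "ns_entropy_score": 60,
     "ns_reputation_score": 45, "age_score": 10},
]
SAMPLE_IPS = [
    {"ip": "192.0.2.10", "listing_score": 40, "subnet_reputation": 75},
    {"ip": "192.0.2.20", "listing_score": 95, "known_benign": True},
    {"ip": "192.0.2.30", "asn_takedown_reputation": 55, "asn_reputation": 55},
]

if __name__ == "__main__":
    for row in annotate(SAMPLE_DOMAINS, domain_risk) + annotate(SAMPLE_IPS, ip_risk):
        print(row.get("name") or row.get("ip"), row["sp_risk_score"], row["risk_reason"])
```

The flag check runs before the component scores are compared, which is what makes a high IOFA listing score on a parked or known-benign observable collapse to 0 exactly as the page describes; when two components tie, the reported reason is simply the first one in the order the page lists them.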