Threat Scoring

How does threat scoring work?

Salem assigns each alert a score on a 0-100 scale, based on severity, impact, or likelihood, so that response efforts can be prioritized. A threat score can be read as the percentage likelihood that an alert represents a genuine threat. As a result, these scores map directly to Salem's threat determinations: Threat, False Positive, Not Escalated, and Needs Information.

Note: A “Not Escalated” threat determination corresponds to an alert type that is pre-configured to auto-close, so it does not appear in the threat score thresholds below.

What are the threat scoring thresholds?

Below are default Salem thresholds, which can be adjusted by admins.

  • < 35 = False Positive. Salem has determined that the alert is not likely to represent a threat and, as such, it is most likely a false positive.

  • 35 ≤ x < 70 = Needs Information. Salem needs more information to make a threat determination. See Alert Contextualization for more information on how to add context that makes Salem's threat score more precise.

  • 70+ = Threat. Salem has determined that this alert most likely represents a threat to the organization and should be prioritized immediately for incident response.
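The following is an added illustration, not Salem's own code, of how the default thresholds above behave as admin-adjustable settings: it validates a threshold configuration, maps scores to the four determinations (treating a score of exactly 35 as Needs Information, consistent with “< 35 = False Positive”, and exactly 70 as Threat), routes pre-configured auto-closed alert types to Not Escalated regardless of score, and orders the remaining alerts for triage. The alert type names, alert ids and the `auto_closed_types` setting are assumptions made for the example.

```python
"""Threshold-based triage of threat scores.

Added illustration, not Salem's own code: models the page's default
thresholds (< 35 False Positive, 35 to 69 Needs Information, 70+ Threat)
as admin-adjustable settings and shows the boundary behaviour plus the
Not Escalated case for auto-closed alert types.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Determination labels as named on the page.
THREAT = "Threat"
FALSE_POSITIVE = "False Positive"
NEEDS_INFORMATION = "Needs Information"
NOT_ESCALATED = "Not Escalated"


@dataclass(frozen=True)
class ScoringThresholds:
    """Default cut-offs from the page; admins may adjust them.

    Below ``false_positive_below`` is a False Positive, at or above
    ``threat_at`` is a Threat, and anything in between Needs Information.
    """
    false_positive_below: int = 35
    threat_at: int = 70

    def __post_init__(self) -> None:
        # Reject settings whose bands would overlap or leave the 0-100 scale
        # (for example a Threat cut-off below the False Positive cut-off).
        if not 0 <= self.false_positive_below <= self.threat_at <= 100:
            raise ValueError(
                "require 0 <= false_positive_below <= threat_at <= 100, got "
                f"{self.false_positive_below} and {self.threat_at}"
            )


@dataclass(frozen=True)
class Alert:
    alert_id: str
    alert_type: str
    threat_score: int  # 0-100, read as percent likelihood of a real threat


def determine(alert: Alert,
              thresholds: ScoringThresholds = ScoringThresholds(),
              auto_closed_types: frozenset = frozenset()) -> str:
    """Map an alert's score to one of the four threat determinations."""
    if not 0 <= alert.threat_score <= 100:
        raise ValueError(f"threat score out of range: {alert.threat_score}")
    # Auto-closed alert types are Not Escalated regardless of score, which is
    # why that determination has no threshold band on the page. The
    # auto_closed_types setting is an assumption of this example.
    if alert.alert_type in auto_closed_types:
        return NOT_ESCALATED
    if alert.threat_score < thresholds.false_positive_below:
        return FALSE_POSITIVE
    if alert.threat_score >= thresholds.threat_at:
        return THREAT
    return NEEDS_INFORMATION


def triage_queue(alerts: Iterable[Alert], **kwargs) -> List[Tuple[str, str, int]]:
    """Return (alert_id, determination, score) for alerts that need a human:
    Threats first (highest score first), then Needs Information.
    False Positive and Not Escalated alerts are left out of the queue."""
    ranked = []
    for a in alerts:
        d = determine(a, **kwargs)
        if d in (THREAT, NEEDS_INFORMATION):
            ranked.append((a.alert_id, d, a.threat_score))
    order = {THREAT: 0, NEEDS_INFORMATION: 1}
    ranked.sort(key=lambda r: (order[r[1]], -r[2]))
    return ranked


# Constructed sample alerts; ids and type names are invented for the example.
SAMPLE_ALERTS = [
    Alert("a-1", "impossible-travel", 82),
    Alert("a-2", "failed-login-burst", 35),    # exactly at the lower cut-off
    Alert("a-3", "dlp-policy-match", 69),      # one below the Threat cut-off
    Alert("a-4", "dlp-policy-match", 70),      # exactly at the Threat cut-off
    Alert("a-5", "scheduled-scan-noise", 91),  # auto-closed type: Not Escalated
    Alert("a-6", "new-device-enrolled", 12),
]
AUTO_CLOSED = frozenset({"scheduled-scan-noise"})

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.alert_id, a.threat_score, determine(a, auto_closed_types=AUTO_CLOSED))
    print(triage_queue(SAMPLE_ALERTS, auto_closed_types=AUTO_CLOSED))
```

Passing a different `ScoringThresholds` (say, `threat_at=60`) shows how an admin tightening the cut-offs moves the 69-point alert into the Threat band without touching the classification logic itself.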

How are threat scores calculated?

The Salem threat score is based on the context Salem knows about the alert, shown in the Salem Investigation Context section of the alert card. Salem uses custom-developed Artificial Neural Network (ANN) models and other algorithms to classify alert details and to follow bespoke investigation paths for each input alert. Salem's analysis pattern is modeled on the investigation process a human analyst would follow.
