IOC enrichment and decay scoring.
Every Indicator of Compromise in Liberty91 carries a score that reflects how much it should weigh right now. Each indicator gets a base score from 0 to 100 derived from three inputs, then that score decays over time, so stale indicators fade out of your view and fresh ones stay prominent. Enrichment through your Modules adds the context that turns a raw indicator into a lead.
How the base score is set
Liberty91 assigns each indicator a base score from 0 to 100 based on three factors:
- The type of indicator.
- The source it came from.
- The criticality of the threat it is associated with.
This approach follows the decaying-indicators research pioneered by the CIRCL team at MISP. See Source reliability and confidence for how source ratings feed into scoring.
How the score decays
The base score decays over time, measured from when the indicator was last seen. When the score falls below a threshold, the IOC expires. The default threshold is 30, and you can change it to suit your environment.
When an expired or decaying IOC is seen again, the time since last seen resets to zero and the decay countdown begins anew. A re-sighted indicator regains its standing rather than staying expired.
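The decay, expiry, and re-sighting behaviour described above, as an added example that is not Liberty91's own code. The page does not state the decay curve, so this sketch assumes the polynomial curve from the MISP decaying-indicators model; the `Indicator` class and the `lifetime_days` and `decay_speed` parameters are hypothetical, and the sample indicator is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EXPIRY_THRESHOLD = 30.0  # default expiry threshold stated on the page


@dataclass
class Indicator:
    value: str
    base_score: float            # 0-100: type, source, threat criticality
    last_seen: datetime
    lifetime_days: float = 30.0  # assumed: days until the score reaches 0
    decay_speed: float = 1.0     # assumed: 1.0 is linear, >1 decays faster early

    def score_at(self, now: datetime) -> float:
        """Decayed score, with elapsed time measured from last_seen."""
        elapsed = max((now - self.last_seen).total_seconds() / 86400.0, 0.0)
        if elapsed >= self.lifetime_days:
            return 0.0
        fraction = elapsed / self.lifetime_days
        return self.base_score * (1.0 - fraction ** (1.0 / self.decay_speed))

    def is_expired(self, now: datetime, threshold: float = EXPIRY_THRESHOLD) -> bool:
        return self.score_at(now) < threshold

    def sighted(self, when: datetime) -> None:
        """A re-sighting resets time since last seen; stale reports are ignored."""
        if when > self.last_seen:
            self.last_seen = when

    def expires_at(self, threshold: float = EXPIRY_THRESHOLD) -> datetime:
        """Moment the score reaches the threshold if the IOC is not seen again."""
        if self.base_score <= threshold:
            return self.last_seen
        remaining = (1.0 - threshold / self.base_score) ** self.decay_speed
        return self.last_seen + timedelta(days=self.lifetime_days * remaining)


def demo() -> list:
    t0 = datetime(2024, 1, 1)  # constructed sample data
    ioc = Indicator("198.51.100.7", base_score=80.0, last_seen=t0)
    days = [t0 + timedelta(days=d) for d in (0, 15, 21)]
    timeline = [(round(ioc.score_at(d), 1), ioc.is_expired(d)) for d in days]
    ioc.sighted(days[-1])  # seen again on day 21, after it had expired
    timeline.append((round(ioc.score_at(days[-1]), 1), ioc.is_expired(days[-1])))
    return timeline
```

With these assumed parameters, an indicator with a base score of 80 crosses the threshold of 30 after 18.75 days without a sighting, and a sighting on day 21 restores it to 80.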
Enrichment through Modules
Enrichment adds context to each indicator through the Modules you turn on, such as AlienVault OTX, MISP, CrowdStrike, and Google Threat Intelligence. When an indicator in an Event matches something one of these sources knows about, the platform surfaces the association and offers it to you as an Enrichment Opportunity, which you can turn into a new Threat Card.
Frequently asked questions
How is an IOC's base score calculated?
From three inputs: the type of indicator, the source it came from, and the criticality of the threat it is associated with. The result is a base score from 0 to 100.
What happens when an IOC is seen again?
The time since last seen resets to zero and the decay countdown starts over, so a re-sighted indicator regains its standing rather than staying expired.