Seculyze uses our proprietary and powerful threat intelligence (TI) engine to assess the risk level of alerts in Microsoft Sentinel. By combining multiple open-source and commercial TI feeds, we provide a unified and transparent scoring that helps you prioritize alerts based on real-world threat context - not just static rule severity.
Multi-Source, Multi-Parameter Analysis
For every alert, Seculyze evaluates related indicators such as IP addresses, file hashes, URLs, and domains across multiple feeds, and scores them using a range of contextual and technical factors as shown in the image below.
Key Factors Behind the Score
The TI risk score is calculated using a combination of five weighted dimensions:
Recency
Feed Quality
Confidence & Consensus
MITRE Mapping
Targeting Context
1. Recency
Newer sightings of an indicator increase the threat score. Fresh, active indicators are considered more relevant and dangerous than old ones.
2. Feed Quality
Each threat feed is vetted for trustworthiness and signal-to-noise ratio.
Commercial and closed-source feeds carry more weight
Community-based/open feeds are included, but score lower unless widely corroborated
3. Confidence & Consensus
Indicators seen in multiple feeds independently are assigned higher confidence. This reduces false positives and raises reliability.
4. MITRE Phase Mapping
Each indicator is mapped to its relevant phase in the MITRE ATT&CK framework.
Later phases like Execution, Lateral Movement, or Command & Control raise the score
Earlier phases such as Reconnaissance receive a comparatively lower score, as the threat is less imminent
5. Targeting Context
If a feed contains industry, geography, or sector targeting information, the score is adjusted accordingly:
Example: An indicator used in attacks on financial institutions will score higher in a banking environment
A threat used against EU entities will be more relevant for a Danish organization
Unified Scoring Model
Each individual source is normalized to a 0.0 to 1.0 risk value. These are then aggregated and adjusted across parameters to form a single TI score per alert.
Threat Risk Levels
Based on the final normalized score, we add an 'Attention' flag to your alert in the Incident Table in the Seculyze app.
Any alert with relevant TI found is categorized into one of three levels:
| Risk Level | Score Range | Meaning |
| --- | --- | --- |
| High | 0.6 – 1.0 | Strong TI signal with relevant targeting and recency |
| Medium | 0.25 – 0.6 | Some TI relevance, moderate risk |
| Low | 0.01 – 0.25 | Minimal or indirect TI support, still tracked |
| None | < 0.01 | No relevant TI found for the alert's data |
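The following Python model is an added illustration of how the five weighted dimensions, the per-source 0.0 to 1.0 normalization and the risk-level table above fit together; it is not Seculyze's engine. The weights, feed trust values, phase values, 30-day half-life, inclusive lower bounds and the sample sightings are all assumptions made here for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weights, feed trust and phase values; none of these are Seculyze's real numbers.
WEIGHTS = {"recency": 0.30, "feed": 0.20, "consensus": 0.20, "mitre": 0.15, "targeting": 0.15}
FEED_QUALITY = {"commercial": 1.0, "open": 0.4}
PHASE_SCORE = {"reconnaissance": 0.2, "initial-access": 0.5, "execution": 0.8,
               "lateral-movement": 0.9, "command-and-control": 1.0}

@dataclass(frozen=True)
class Sighting:
    feed_name: str      # distinct feed names count towards consensus
    feed_kind: str      # "commercial" or "open"
    last_seen: date
    phase: str          # MITRE ATT&CK tactic the feed associates with the indicator
    targets: frozenset  # sectors/regions the feed reports as targeted (may be empty)

def risk_level(score):
    """Map a score to the table's levels; lower bounds are assumed to be inclusive."""
    for level, floor in (("High", 0.6), ("Medium", 0.25), ("Low", 0.01)):
        if score >= floor:
            return level
    return "None"

def score_indicator(sightings, org_profile, today, half_life_days=30):
    """Normalise the five dimensions to 0.0-1.0 and combine them by weight."""
    if not sightings:
        return 0.0, "None"
    # 1. Recency: exponential decay from the newest sighting (assumed 30-day half-life).
    recency = 0.5 ** (min((today - s.last_seen).days for s in sightings) / half_life_days)
    # 2. Feed quality: the most trustworthy feed vouching for the indicator.
    feed = max(FEED_QUALITY[s.feed_kind] for s in sightings)
    # 3. Confidence & consensus: saturates once three independent feeds agree.
    consensus = min(1.0, len({s.feed_name for s in sightings}) / 3)
    # 4. MITRE phase: later phases score higher; unknown tactics get a neutral 0.3.
    mitre = max(PHASE_SCORE.get(s.phase, 0.3) for s in sightings)
    # 5. Targeting: boost on overlap with the org profile, penalise a clear mismatch,
    #    stay neutral when no feed carries targeting information.
    stated = frozenset().union(*(s.targets for s in sightings))
    targeting = 0.3 if not stated else (1.0 if stated & org_profile else 0.1)
    score = (WEIGHTS["recency"] * recency + WEIGHTS["feed"] * feed
             + WEIGHTS["consensus"] * consensus + WEIGHTS["mitre"] * mitre
             + WEIGHTS["targeting"] * targeting)
    return round(score, 4), risk_level(score)

# Constructed sample: a Danish bank (profile "finance"/"eu") sees one indicator twice.
ORG, TODAY = frozenset({"finance", "eu"}), date(2024, 6, 1)
SAMPLE = [Sighting("VendorX", "commercial", date(2024, 5, 31), "command-and-control",
                   frozenset({"finance"})),
          Sighting("OpenFeedA", "open", date(2024, 5, 20), "command-and-control", frozenset())]
```

Calling `score_indicator(SAMPLE, ORG, TODAY)` returns a High score for the constructed sample, while a single stale Reconnaissance sighting from an open feed with no targeting information lands in Low.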
Why It Matters
With Seculyze’s TI scoring:
Alerts are contextualized to your environment, not treated generically
You focus on real, active threats, not theoretical noise
You benefit from multiple sources combined into one risk score