Triage uses a 1-10 score to reflect whether something is malicious or not. The table below explains what each score band means and what can cause it.

| Verdict | Meaning | Example |
|---|---|---|
| Known bad | | |
| Likely malicious | One or more known damaging malware attack patterns were detected. | |
| Shows suspicious behavior | One or more suspicious actions were detected. The detected actions can be malicious, but also have (common) benign uses. | |
| Likely benign | One or more interesting behaviors were detected. The detected actions are interesting enough to be notified about, but are not directly malicious. | |
| | No (potentially) malicious behavior was detected. | |

Note: it is important to look at the actual signatures that triggered. The score is determined by these.
Why do I sometimes see different severities and scores?
When you detonate a hash in the Recorded Future Sandbox, the resulting score may trigger a corresponding Recorded Future Risk Rule. For example, if the sample is malicious with a score of 8-9 or 10, it will trigger our Positive Malware Verdict risk rule. If the sample scores a 6-7 for suspicious behavior, it will trigger the Suspicious Behavior Detected risk rule.
However, when Recorded Future assigns a risk score to a hash, that score can combine multiple pieces of evidence, including the sandbox result as well as evidence from other sources. As a result, you may see a risk score that is higher than the sandbox score because other sources show evidence of malicious activity. You will not see a lower risk score, as additional evidence can only raise - not lower - a risk score.
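As an added example (not Triage's or Recorded Future's own code), the following Python models the relationship described above: the sandbox score bands that trigger the two risk rules named on the page, and a risk score that other evidence can raise but never lower. Everything beyond what the page states is an assumption: that scores of 1-5 trigger neither rule, that the combined score is the maximum over all evidence, and the hypothetical source names. The `consistency_findings` helper is a check an analyst can run when a sandbox score and a risk score for the same hash look out of step.

```python
from typing import Dict, List, Optional

# Risk rule names as given on the page.
POSITIVE_MALWARE_VERDICT = "Positive Malware Verdict"
SUSPICIOUS_BEHAVIOR_DETECTED = "Suspicious Behavior Detected"


def sandbox_risk_rule(score: int) -> Optional[str]:
    """Return the risk rule a Triage sandbox score triggers, or None.

    Ranges from the page: 8, 9 or 10 -> Positive Malware Verdict,
    6 or 7 -> Suspicious Behavior Detected. That scores of 1-5 trigger
    neither rule is an assumption, not something the page states.
    """
    if not 1 <= score <= 10:
        raise ValueError(f"sandbox score must be 1-10, got {score}")
    if score >= 8:
        return POSITIVE_MALWARE_VERDICT
    if score >= 6:
        return SUSPICIOUS_BEHAVIOR_DETECTED
    return None


def combined_risk_score(sandbox_score: int, other_evidence: Dict[str, int]) -> int:
    """Combine the sandbox score with evidence from other sources.

    The page only says additional evidence can raise, never lower, the
    risk score; taking the maximum is the simplest rule with that
    property and is an assumption made here. Source names are hypothetical.
    """
    sandbox_risk_rule(sandbox_score)  # validates the 1-10 range
    return max([sandbox_score, *other_evidence.values()])


def explain_risk(sandbox_score: int, other_evidence: Dict[str, int]) -> Dict[str, object]:
    """Summarise which rule the sandbox triggered and which sources raised the final score."""
    final = combined_risk_score(sandbox_score, other_evidence)
    raised_by = sorted(src for src, s in other_evidence.items() if s > sandbox_score)
    return {
        "sandbox_score": sandbox_score,
        "sandbox_rule": sandbox_risk_rule(sandbox_score),
        "risk_score": final,
        "raised_by": raised_by,
    }


def consistency_findings(sandbox_score: int, reported_risk_score: int) -> List[str]:
    """Sanity check for a (sandbox score, risk score) pair on the same hash.

    A risk score below the sandbox score contradicts the documented rule,
    so it is worth flagging (stale enrichment, wrong hash, and so on).
    """
    findings: List[str] = []
    if reported_risk_score < sandbox_score:
        findings.append(
            f"risk score {reported_risk_score} is below sandbox score {sandbox_score}; "
            "additional evidence can only raise a score, so re-check the hash and enrichment"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: sandbox scores 7 (suspicious); a hypothetical other source scores 9.
    print(explain_risk(7, {"other-source-A": 9, "other-source-B": 4}))
    print(consistency_findings(8, 5))
```

With the constructed sample, the sandbox result alone triggers Suspicious Behavior Detected, while the combined risk score is 9, raised by `other-source-A`; this is the situation the text describes where the risk score is higher than the sandbox score.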