Risk Levels
Pulsedive uses six risk levels across its data:

| Level | Meaning |
|---|---|
| unknown | Pulsedive hasn’t assessed risk yet, either because there isn’t enough data or the data available doesn’t point to an elevated or reduced risk level |
| none/very low | Pulsedive’s assessment points to benign activity |
| low | Pulsedive has identified a small number of risk factors, or risk factors with limited severity |
| medium | Pulsedive has identified a moderate number of risk factors, or risk factors with moderate severity |
| high | Pulsedive has identified a substantial number of risk factors, or risk factors with high severity |
| critical | Pulsedive has identified risk factors with the highest severity, strongly indicating malicious activity |
retired status in place of a risk level in summary contexts.
Risk Distributions
Feeds don’t carry a directly assigned risk score. Threats do: you can assign a risk score to a threat directly, independent of its linked indicators. Both threats and feeds also surface risk distributions: breakdowns of indicator risk levels across all linked indicators. A risk distribution tells you the count of linked indicators at each risk level, giving you a high-level read on the severity profile of a threat’s or feed’s associated activity. For a threat, this distribution exists alongside its own assigned risk score, not instead of it. You can retrieve a risk distribution as a flat total count or split by risk level using the splitrisk parameter.
How Risk Is Determined
Risk works differently across the three entity types.
Indicators
Pulsedive calculates a risk score for each indicator automatically. The system-recommended score (risk_recommended) reflects Pulsedive’s evaluation based on observed data and risk factors.
The active score (risk) is what the indicator currently carries, which may match the recommendation or reflect a manual override.
When manualrisk is set, a manual override has replaced the system-recommended score.
Risk factors (riskfactors) are human-readable explanations that describe why an indicator received its score.
Contributors and admins can override an indicator’s risk in several ways:
- Through feed configuration
- Through bulk management in Explore
- By editing an indicator directly
- Through individual or bulk submission via Analyze
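The following is an added example, not Pulsedive’s own code or API client: it reads the per-indicator fields this page names (risk, risk_recommended, manualrisk, riskfactors), flags manual overrides that sit below the system recommendation so they can be reviewed, and derives the flat or split-by-level distribution described under Risk Distributions. The record shape and a "retired" flag are assumptions, and the sample records are constructed.

```python
# Added example, not Pulsedive's own code: interpret the indicator risk fields
# this page describes and derive a threat/feed-style risk distribution.
# Record shape is assumed from the field names on the page; "retired" is an
# assumed flag, and all sample records below are constructed.
from collections import Counter

# The six levels in ascending severity; "none" stands for none/very low.
RISK_LEVELS = ("unknown", "none", "low", "medium", "high", "critical")

def risk_rank(level):
    """Position of a level on the scale; unrecognised values sort below unknown."""
    return RISK_LEVELS.index(level) if level in RISK_LEVELS else -1

def summary_label(ind):
    """Summary views show a retired status in place of a risk level."""
    return "retired" if ind.get("retired") else ind["risk"]

def override_state(ind):
    """Relate the active score (risk) to the recommendation (risk_recommended)."""
    if not ind.get("manualrisk"):
        return "system"  # no override: the active score is Pulsedive's own
    delta = risk_rank(ind["risk"]) - risk_rank(ind["risk_recommended"])
    return "raised" if delta > 0 else "lowered" if delta < 0 else "pinned"

def lowered_overrides(indicators):
    """Indicators manually held below the recommended level; worth periodic
    review, since the reason for suppressing the score may no longer hold."""
    return [i["indicator"] for i in indicators if override_state(i) == "lowered"]

def risk_distribution(indicators, splitrisk=False):
    """Flat total of linked indicators, or counts per risk level when splitrisk
    is requested, mirroring the two retrieval modes the page describes."""
    if not splitrisk:
        return len(indicators)
    return dict(Counter(i["risk"] for i in indicators))

# Constructed sample records (the .invalid TLD is reserved and never resolves).
SAMPLE_INDICATORS = [
    {"indicator": "a.invalid", "risk": "high", "risk_recommended": "high",
     "manualrisk": 0, "riskfactors": ["constructed: listed on a feed"]},
    {"indicator": "b.invalid", "risk": "low", "risk_recommended": "critical",
     "manualrisk": 1, "riskfactors": ["constructed: analyst marked benign"]},
    {"indicator": "c.invalid", "risk": "none", "risk_recommended": "none",
     "manualrisk": 0, "riskfactors": []},
    {"indicator": "d.invalid", "risk": "medium", "risk_recommended": "low",
     "manualrisk": 1, "riskfactors": [], "retired": True},
]

if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        print(ind["indicator"], summary_label(ind), override_state(ind))
    print(risk_distribution(SAMPLE_INDICATORS), risk_distribution(SAMPLE_INDICATORS, True))
    print("review:", lowered_overrides(SAMPLE_INDICATORS))
```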