Can you explain the driver for alerting when a machine score goes over 100? I don't think you are going to see much value in that, unless you have a one-off use case for this. It is pretty normal for machines to have a score well over 100 with nothing suspicious at all going on. If you wanted to hit a good breakpoint I would say go to 129, since that will only give you machines with L1 IIOC's. But still you'll find a majority of the machines with that score still have nothing malicious/suspicious.
I would recommend picking high fidelity IIOC's that line up with what you are trying to detect and alerting on those. For example, Unsigned, hidden, appdata\local is a pretty good one to find trojans. The powershell ones are all pretty good too.
There was an issue with alerting on IIOC's other than machine category IIOC's in versions prior than 188.8.131.52, so you'll want to upgrade if you haven't already.
Now I'll get off my soapbox and answer your question.
FK_Machines AS [FK_Machines],
NULL AS [FK_MachineModulePaths]
CASE WHEN MI.IOCLevel0 > 0 THEN 1024
((CASE WHEN MI.IOCLevel1 > 7 THEN 7 ELSE MI.IOCLevel1 END) * 128 +
(CASE WHEN MI.IOCLevel2 > 15 THEN 15 ELSE MI.IOCLevel2 END) * 8 +
(CASE WHEN MI.IOCLevel3 > 7 THEN 7 ELSE MI.IOCLevel3 END))
END AS IIOCScore
dbo.MachineIOC AS MI WITH(NOLOCK)
INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = MI.FK_Machines
WHERE IIOCScore >= 128 --Set Desired IIoC Machine Score here
100 was just an arbitrary number that we had chosen as a starting point to alert if something had deviated from the norm. If 129 is more appropriate than we'll heed your advice on that one.
We are looking at other IIOCS like unsigned in temp locations, PowerShell etc. This was just the first one to tackle we thought of as a use case to get alerting properly configured within ECAT/NetWitness.