Reputation Scripts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-09-11
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSIAM/Cortex-XSIAM-Documentation
Abstract

Apply reputation scripts to an indicator type for indicator enrichment.

Reputation scripts are user-created scripts that return the verdict of an indicator as a number. That number overrides the verdict returned by the indicator's reputation command. By default, the reliability of a score produced by a reputation script is A++ - Reputation script.

To apply a reputation script to an indicator type:

  1. Go to Settings > Configurations > Object Setup > Indicators > Types.

  2. Select the indicator type and click Edit.

  3. Select the desired reputation script.

    Reputation scripts must have the reputation tag applied to appear in the list.

Note

The reputation script overrides any default settings of the indicator type that relate to the verdict.

Out-of-the-box Reputation Script Examples

In the Scripts page, there are several out-of-the-box reputation scripts, including:

  • CertificateReputation

  • cveReputation

  • MaliciousRatioReputation

  • SSDeepReputation

CLI Execution Examples

  • !CertificateReputation input=<value of the indicator>

  • !MaliciousRatioReputation input=<value of the indicator>

Reputation Script Input

A reputation script requires a single input argument named input, which receives the indicator value.

Argument    Description
input       The indicator value.

Reputation Script Outputs

A reputation script returns either a raw number, which is the score itself, or a full entry whose EntryContext carries a DBotScore object, as in the following example.

from CommonServerPython import *  # provides demisto, argToList, entryTypes and formats inside the platform


def main():
    # 'input' is the single argument every reputation script receives;
    # it may hold one indicator value or a comma-separated list of values
    url_list = argToList(demisto.args().get('input'))
    entry_list = []

    for url in url_list:
        # One full entry per indicator: the raw score in Contents plus a DBotScore context object
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })

    # A list of entries is returned as one result per indicator
    demisto.results(entry_list)


# The platform runs scripts with __name__ set to 'builtins', hence the extra names
if __name__ in ('__main__', 'builtin', 'builtins'):
    main()

Values for Common.DbotScore

Constant                      Value
Common.DbotScore.NONE         NONE = 0
Common.DbotScore.GOOD         GOOD = 1
Common.DbotScore.SUSPICIOUS   SUSPICIOUS = 2
Common.DbotScore.BAD          BAD = 3
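To make the two output shapes from the Outputs section and the score values from this table concrete, the following script is an added example written for this page; it is not one of the out-of-the-box scripts and not Palo Alto Networks' code. It scores 'Onion URL' indicators and returns either raw numbers or full DBotScore entries. Assumptions: arg_to_list is a local stand-in for argToList so the script runs outside the platform, the denylist holds a constructed placeholder hostname rather than a real indicator, and the literals 1 and 'json' stand for entryTypes['note'] and formats['json']. The range check in build_dbotscore_entry is the guard a practitioner adds so a scoring bug cannot write a verdict outside 0-3 onto an indicator.

```python
"""Added example, not Palo Alto Networks' code: a reputation script skeleton for
'Onion URL' indicators that emits both output shapes the page describes."""
import re

try:
    from CommonServerPython import *  # noqa: F401,F403  (in the platform: demisto, argToList, ...)
    IN_PLATFORM = True
except ImportError:  # stand-alone run, e.g. a unit test on a workstation
    IN_PLATFORM = False

# Verdict constants mirroring the Common.DbotScore values listed above.
NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3
VALID_SCORES = (NONE, GOOD, SUSPICIOUS, BAD)

# Constructed sample denylist for the demo (placeholder host, not a real IoC).
# A real script would read this from a list or feed the SOC maintains.
DENYLIST = {"exampledeny2abcd.onion"}

# v2 (16 char) or v3 (56 char) base32 onion hostname, with optional scheme.
ONION_HOST = re.compile(
    r"^(?:https?://)?((?:[a-z2-7]{16}|[a-z2-7]{56})\.onion)(?:[:/]|$)", re.I)


def arg_to_list(value):
    """Stand-in for CommonServerPython's argToList (assumption: the 'input'
    argument is a single value, a comma-separated string, or already a list)."""
    if value is None or value == "":
        return []
    if isinstance(value, list):
        return value
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    return [value]


def score_onion_url(url):
    """Return the verdict for one indicator value."""
    match = ONION_HOST.match(url.strip())
    if not match:
        return NONE  # not an onion URL: this script has no verdict for it
    if match.group(1).lower() in DENYLIST:
        return BAD
    return SUSPICIOUS  # the verdict the page's sample script gives every onion URL


def build_dbotscore_entry(indicator, score):
    """Full-entry output shape: raw score in Contents plus a DBotScore context.
    The literals 1 and 'json' are the values of entryTypes['note'] and formats['json']."""
    if score not in VALID_SCORES:
        # Guard: never let a scoring bug push an out-of-range verdict onto the indicator.
        raise ValueError("DBotScore must be 0-3, got %r" % (score,))
    return {
        'Type': 1,
        'ContentsFormat': 'json',
        'Contents': score,
        'EntryContext': {
            'DBotScore': {
                'Indicator': indicator,
                'Type': 'Onion URL',
                'Score': score,
                'Vendor': 'DBot',
            }
        },
    }


def reputation(args, full_entry=True):
    """Score every value in args['input']; return full entries or raw numbers."""
    results = []
    for url in arg_to_list(args.get('input')):
        score = score_onion_url(url)
        results.append(build_dbotscore_entry(url, score) if full_entry else score)
    return results


def main():
    if IN_PLATFORM:
        demisto.results(reputation(demisto.args()))  # noqa: F821
    else:
        # Constructed sample input for a local run; the URLs are placeholders.
        sample = {'input': 'http://exampledeny2abcd.onion/login,'
                           'abcdefghij234567.onion,https://example.com'}
        print(reputation(sample))


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
```

Run stand-alone, the script prints three full entries for the constructed input (BAD, SUSPICIOUS, NONE). Inside Cortex, the CommonServerPython import succeeds and the same reputation() result is handed to demisto.results(). Whichever output shape you choose, the script still needs the input argument declared in its settings and the reputation tag applied before it appears in the indicator type's list.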