Apply reputation scripts to an indicator type for indicator enrichment.
Reputation scripts are user-created scripts that return the verdict of an indicator as a number. The number overrides the verdict returned from the reputation command. The reliability of the score from a reputation script is by default A++ - Reputation script
.
To apply a reputation script to an indicator type:
Go to
→ → → → .Select the indicator type and click Edit.
Select the desired reputation script.
Reputation scripts must have the
reputation
tag applied to appear in the list.
Note
The Reputation script overrides any default settings for the indicator that relates to the verdict.
Out-of-the-box Reputation Script Examples
In the Scripts page, there are several out-of-the-box reputation scripts, including:
CertificateReputation
cveReputation
MaliciousRatioReputation
SSDeepReputation
CLI Execution Examples
!CertificateReputation input=<value of the indicator>
!MalicioiusRationReputation input=<value of the indicator>
Reputation Script Input
The reputation requires a single input argument named input
that accepts an indicator value.
Argument | Description |
---|---|
| The indicator value. |
Reputation Script Outputs
Either a number or a dbotScore. It can either be a raw number which is the score, or a full entry with DBotScore.
from CommonServerPython import * def main(): url_list = argToList(demisto.args().get('input')) entry_list = [] for url in url_list: entry_list.append({ 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': 2, 'EntryContext': { 'DBotScore': { 'Indicator': url, 'Type': 'Onion URL', 'Score': 2, # suspicious 'Vendor': 'DBot' } } }) demisto.results(entry_list) if __name__ in ('__main__', 'builtin', 'builtins'): main()
Values for Common.DbotScore
Constant | Value |
---|---|
Common.DbotScore.NONE | NONE = 0 |
Common.DbotScore.GOOD | GOOD = 1 |
Common.DbotScore.SUSPICIOUS | SUSPICIOUS = 2 |
Common.DbotScore.BAD | BAD = 3 |