Generic reputation commands - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product: Cortex XSIAM
Creation date: 2023-05-01
Last date published: 2024-06-04
Category: Developer Guide
Abstract

Reputation commands generalized across reputation integrations to calculate a DBot score.

Cortex XSIAM supports many integrations with reputation providers, for example, VirusTotal, AlienVault OTX, and MISP. Every integration that returns a reputation about an indicator must implement the generic reputation commands and calculate a DBot Score.

When creating commands that enrich indicators, the commands should be named according to the indicator, such as !ip and !domain. This naming convention allows commands from multiple integrations to be run together to enrich an indicator. For example, running !ip ip=8.8.8.8 can trigger multiple integrations that gather information about the IP address.

The recommended way to return indicator context is using one of the classes under Common (for example, Common.IP and Common.URL). For more information, see Return IP Reputation in Context and outputs. An example of returning indicators is the IPinfo v2 integration.
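The following is an added illustration of the DBot score logic behind a generic reputation command; it is not code from the Cortex XSIAM content repository or from the IPinfo v2 integration. It models the DBotScore and indicator context entries an integration returns for !ip, !domain and !url, but it does not import the real CommonServerPython classes (Common.DBotScore, Common.IP, Common.Domain, Common.URL); the vendor name, the detection thresholds and the sample vendor responses are constructed for the example, and an actual integration should use the Common classes instead of building these dictionaries by hand.

```python
"""Constructed example of the DBot score logic behind a generic reputation
command such as !ip or !domain. It models the DBotScore and indicator context
entries an integration returns, without importing the real CommonServerPython
classes (Common.DBotScore, Common.IP, Common.Domain, Common.URL).
"""
from typing import Any, Dict

# The DBot score scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

# Standard context paths for the three indicator types in this example.
# The key lookup (val.X == obj.X) lets results from several integrations
# merge into one indicator object instead of duplicating it.
CONTEXT_PATHS = {
    "ip": ("IP(val.Address && val.Address == obj.Address)", "Address"),
    "domain": ("Domain(val.Name && val.Name == obj.Name)", "Name"),
    "url": ("URL(val.Data && val.Data == obj.Data)", "Data"),
}
DBOT_PATH = ("DBotScore(val.Indicator && val.Indicator == obj.Indicator "
             "&& val.Vendor == obj.Vendor && val.Type == obj.Type)")


def calculate_dbot_score(detections: int, engines: int,
                         malicious_threshold: int = 5,
                         suspicious_threshold: int = 1) -> int:
    """Map a vendor's detection count to the DBot scale.

    The thresholds are constructed for this example; a real integration
    usually exposes them as instance parameters so analysts can tune them.
    """
    if engines <= 0:
        # No engine looked at the indicator: report unknown, never "good".
        return DBOT_UNKNOWN
    if detections >= malicious_threshold:
        return DBOT_BAD
    if detections >= suspicious_threshold:
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def build_reputation_context(indicator: str, indicator_type: str,
                             vendor: str, reliability: str,
                             detections: int, engines: int) -> Dict[str, Any]:
    """Return the context an enrichment command would produce for one indicator."""
    if indicator_type not in CONTEXT_PATHS:
        raise ValueError(f"unsupported indicator type: {indicator_type}")
    score = calculate_dbot_score(detections, engines)
    path, value_key = CONTEXT_PATHS[indicator_type]
    indicator_entry: Dict[str, Any] = {value_key: indicator}
    if score == DBOT_BAD:
        # Only a bad verdict carries the Malicious sub-object, which is what
        # playbooks and the indicator view key on.
        indicator_entry["Malicious"] = {
            "Vendor": vendor,
            "Description": f"{detections}/{engines} engines flagged this indicator",
        }
    return {
        DBOT_PATH: {
            "Indicator": indicator,
            "Type": indicator_type,
            "Vendor": vendor,
            "Score": score,
            "Reliability": reliability,
        },
        path: indicator_entry,
    }


if __name__ == "__main__":
    # Constructed vendor responses: (indicator, type, detections, engines).
    samples = [
        ("8.8.8.8", "ip", 0, 70),
        ("example.com", "domain", 2, 70),
        ("http://example.com/bad", "url", 12, 70),
        ("203.0.113.7", "ip", 0, 0),
    ]
    for indicator, itype, hits, total in samples:
        ctx = build_reputation_context(indicator, itype, "ExampleVendor",
                                       "B - Usually reliable", hits, total)
        print(indicator, "->", ctx[DBOT_PATH]["Score"])
```

The important edge case is the last sample: a vendor that returns no data yields score 0 (unknown) rather than 1 (good), so that a downstream playbook does not treat absence of evidence as a clean verdict.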

The following are available generic reputation commands.