Reputation commands - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Reputation commands run based on the indicator type and return a verdict for the indicator.

Reputation commands are built-in or custom commands that use integrations such as Unit 42 to provide predefined functionalities for obtaining an indicator verdict for specific indicator types. These commands simplify the process of fetching reputation data from external services or threat intelligence feeds without requiring extensive scripting. Reputation commands come with preconfigured parameters and settings for commonly used threat intelligence sources.

You can set an indicator type to run reputation commands. The command returns the verdict of the indicator as an entry with entry context and may also return context values that can be mapped to the custom fields of the indicator.


Running a reputation command directly (such as !ip) might not apply the result to an indicator, nor does it use the enrichment cache. To ensure an indicator is enriched, and to take advantage of caching, use the enrichIndicators command or the Enrich button in the UI. This runs the appropriate reputation command/script based on the indicator type settings. Note that extracted indicators are enriched in the same way.

Out-of-the-box reputation commands

You can create a new reputation command, or you can use an out-of-the-box reputation command, for example:

  • ip

  • file

  • url

  • email

  • domain

For more details on using out-of-the-box reputation commands or developing new reputation commands, see Generic Commands Reputation.

Reputation command input

The reputation command uses the indicator value as the input argument.



The value of the indicator

For example ip, email, url. Inputs are based on different integrations. Basic inputs are common to all reputation commands. For example, the !ip command has the following basic inputs:

- name: ip
   - name: ip
     default: true
     description: List of IPs.
     isArray: true

In this example, the ip script uses ip, as the input, with the is array field checked.

Reputation command output

Outputs return a dbotScore.

Run a Reputation command in the CLI

The following are examples of the syntax for running the ip , domain, and file reputation commands in the CLI.

  • !ip ip=<value of the indicator>

  • !domain domain=<value of the indicator>

  • !file file=<value of the indicator>