Reputation Scripts - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product: Cortex XSIAM
Creation date: 2023-07-30
Last date published: 2024-04-15
Category: Threat Intel Management Guide
Abstract

Reputation scripts for indicator enrichment.

Reputation scripts are used to assess and assign reputation scores to indicators. These scripts integrate external threat intelligence or internal data sources to evaluate the reputation of indicators (such as IP addresses, URLs, or file hashes). Reputation scripts enable you to implement custom logic and algorithms for determining the reputation of indicators.

Reputation scripts return the verdict of an indicator as a number. That number overrides the verdict returned by the reputation command, but it does not override a manually set verdict. By default, the reliability of a score returned by a reputation script is A++ - Reputation script.

Note

The reputation script overrides any default settings of the indicator type that relate to the verdict.

Out-of-the-box reputation scripts

You can create a new reputation script, or you can use an out-of-the-box reputation script in the Scripts page, for example:

  • CertificateReputation

  • cveReputation

  • MaliciousRatioReputation

  • SSDeepReputation

A reputation script requires a single input argument named input, which accepts the indicator value.

Argument    Description
input       The indicator value.

Output

Either a number or a DBotScore. The script can return a raw number, which is the score, or a full entry whose EntryContext contains a DBotScore, as in the following example:

import demistomock as demisto  # the platform's demisto API (supplied by the runtime)
from CommonServerPython import *


def main():
    # 'input' may be a single value or a comma-separated list; normalize it to a list
    url_list = argToList(demisto.args().get('input'))
    entry_list = []

    for url in url_list:
        # One full entry per indicator: Contents carries the raw score and
        # EntryContext carries the DBotScore that sets the verdict
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })

    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()

The score values map to the following DBotScore constants:

Constant                       Value
Common.DBotScore.NONE          NONE = 0
Common.DBotScore.GOOD          GOOD = 1
Common.DBotScore.SUSPICIOUS    SUSPICIOUS = 2
Common.DBotScore.BAD           BAD = 3
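As an added example (not the platform's own MaliciousRatioReputation script, whose internals this page does not describe), the following reputation script scores an indicator by the share of malicious incidents it was seen in and returns the full-entry form with a DBotScore. The incident history, the thresholds and the offline stand-in for argToList (used only when the platform modules are absent) are constructed assumptions for this example.

```python
try:
    import demistomock as demisto  # supplied by the Cortex XSIAM runtime
    from CommonServerPython import argToList  # noqa: F401
except ImportError:  # offline run outside the platform: minimal stand-ins (assumption)
    demisto = None

    def argToList(arg):
        return [a.strip() for a in arg.split(',')] if isinstance(arg, str) else list(arg or [])

# Mirrors Common.DBotScore.NONE / GOOD / SUSPICIOUS / BAD
NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed incident history: indicator -> (incidents seen in, of which malicious)
INCIDENT_HISTORY = {
    '198.51.100.7': (10, 9),
    '203.0.113.5': (6, 2),
    '192.0.2.44': (4, 0),
}
BAD_RATIO, SUSPICIOUS_RATIO, MIN_SAMPLES = 0.8, 0.25, 3  # hypothetical thresholds

def malicious_ratio_score(indicator):
    """Map an indicator's malicious-incident ratio to a DBotScore value."""
    seen, malicious = INCIDENT_HISTORY.get(indicator, (0, 0))
    if seen < MIN_SAMPLES:
        return NONE  # too little history to judge, so the verdict stays unknown
    ratio = malicious / seen
    if ratio >= BAD_RATIO:
        return BAD
    if ratio >= SUSPICIOUS_RATIO:
        return SUSPICIOUS
    return GOOD

def build_entry(indicator, score, indicator_type='IP'):
    """Full entry form: Contents holds the raw score, EntryContext the DBotScore."""
    return {
        'Type': 1,                 # entryTypes['note']
        'ContentsFormat': 'json',  # formats['json']
        'Contents': score,
        'EntryContext': {'DBotScore': {'Indicator': indicator, 'Type': indicator_type,
                                       'Score': score, 'Vendor': 'DBot'}},
    }

def main():
    indicators = argToList(demisto.args().get('input'))
    demisto.results([build_entry(i, malicious_ratio_score(i)) for i in indicators])

if __name__ in ('__main__', 'builtin', 'builtins') and demisto is not None:
    main()
```

Returning NONE for indicators with too little history leaves the verdict unknown instead of silently marking them good, which matters because the script's score overrides the reputation command's verdict.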

To assign a reputation script to an indicator type:

  1. Go to Settings > Configurations > Object Setup > Indicators > Types.

  2. Select the indicator type and click Edit.

  3. Select the relevant reputation script.

    Note

    Reputation scripts must have the reputation tag applied to appear in the list.

You can run out-of-the-box or custom reputation scripts in the CLI to set the verdict for a specific indicator.

The following are examples of running the out-of-the-box CertificateReputation and MaliciousRatioReputation reputation scripts in the CLI.

  • !CertificateReputation input=<value of the indicator>

  • !MaliciousRatioReputation input=<value of the indicator>