Reputation commands run based on the indicator type and return a verdict for the indicator.
Reputation commands are built-in or custom commands that use integrations such as Unit 42 to provide predefined functionalities for obtaining an indicator verdict for specific indicator types. These commands simplify the process of fetching reputation data from external services or threat intelligence feeds without requiring extensive scripting. Reputation commands come with preconfigured parameters and settings for commonly used threat intelligence sources.
You can set an indicator type to run reputation commands. The command returns the verdict of the indicator as an entry with entry context and may also return context values that can be mapped to the custom fields of the indicator.
Note: Running a reputation command directly (such as `!ip`) might not apply the result to an indicator, nor does it use the enrichment cache. To ensure an indicator is enriched, and to take advantage of caching, use the `enrichIndicators` command or the Enrich button in the UI. This runs the appropriate reputation command/script based on the indicator type settings. Note that extracted indicators are enriched in the same way.
Out-of-the-box reputation commands
You can create a new reputation command, or you can use an out-of-the-box reputation command, for example:
ip
file
url
email
domain
For more details on using out-of-the-box reputation commands or developing new reputation commands, see Generic Commands Reputation.
Reputation command input
The reputation command uses the indicator value as the input argument.
Arguments | Description
---|---
The value of the indicator | For example, the `ip` command declaration in an integration YAML (shown below).

```yaml
- name: ip
  arguments:
  - name: ip
    default: true
    description: List of IPs.
    isArray: true
```
In this example, the `ip` script uses `ip` as the input argument, with the `isArray` field checked so that a comma-separated list of values is accepted.
Reputation command output
The command output returns a `DBotScore` in the entry context.
Run a Reputation command in the CLI
The following are examples of the syntax for running the `ip`, `domain`, and `file` reputation commands in the CLI.

```
!ip ip=<value of the indicator>
!domain domain=<value of the indicator>
!file file=<value of the indicator>
```
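To tie the input, output and CLI sections together, here is an added, self-contained stand-in for an `ip` reputation command. It is not the platform's or any integration's own code: the feed is a constructed sample, and the helpers imitate (rather than import) the `isArray` list handling and the `DBotScore` context shape.

```python
from typing import Dict, List, Tuple

# DBotScore verdict values: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_NONE, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
VENDOR = "ExampleFeed"  # hypothetical integration name (assumption)

# Constructed sample feed: indicator value -> verdict score.
SAMPLE_FEED: Dict[str, int] = {
    "198.51.100.7": DBOT_BAD,
    "203.0.113.9": DBOT_SUSPICIOUS,
    "192.0.2.1": DBOT_GOOD,
}


def arg_to_list(value: str) -> List[str]:
    """isArray semantics: split a comma-separated argument, dropping empty parts."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_cli(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse '!ip ip=1.2.3.4,5.6.7.8' into ('ip', {'ip': '1.2.3.4,5.6.7.8'})."""
    if not line.startswith("!"):
        raise ValueError("reputation commands are invoked with a leading '!'")
    name, *pairs = line[1:].split()
    args = dict(p.split("=", 1) for p in pairs if "=" in p)
    return name, args


def ip_command(args: Dict[str, str]) -> Dict[str, List[Dict]]:
    """Return entry context with one DBotScore per IP; unknown IPs score 0."""
    scores = []
    for ip in arg_to_list(args.get("ip", "")):
        scores.append({
            "Indicator": ip,
            "Type": "ip",
            "Vendor": VENDOR,
            "Score": SAMPLE_FEED.get(ip, DBOT_NONE),
        })
    return {"DBotScore": scores}


def run(line: str) -> Dict[str, List[Dict]]:
    """Dispatch a CLI line to the matching reputation command handler."""
    name, args = parse_cli(line)
    handlers = {"ip": ip_command}
    if name not in handlers:
        raise ValueError(f"no reputation command for {name}")
    return handlers[name](args)


if __name__ == "__main__":
    print(run("!ip ip=198.51.100.7,192.0.2.1,10.0.0.5"))
```

Indicators absent from the feed still produce an entry, with score 0, so downstream mapping never silently drops an input value.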