Reputation Scripts - Reputation scripts for indicator enrichment - Administrator Guide - 6.13 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.13
Creation date
2024-04-15
Last date published
2026-01-15
Category
Administrator Guide
Abstract

Reputation scripts for indicator enrichment

Reputation scripts are user-created scripts that get the indicator value and return the verdict as a number. The number overrides the verdict returned from the reputation command and any default settings for the indicator that relate to the verdict, but does not override a manually set verdict.

The system automatically executes the reputation script in the following cases:

  • During enrichment: When enrichment is triggered (via indicator extraction, the enrichIndicators command, or the Enrich button), the system runs the reputation command and then the reputation script for the specific indicator type.

  • If a verdict changes outside the enrichment process: If you manually run a reputation command such as !file and the result changes the indicator's verdict, the reputation script runs to finalize the decision. This happens even if you used the using argument to target a specific integration.

By default, the reliability of a score returned by a reputation script is A++ - Reputation script. To change it, select Settings > ABOUT > Troubleshooting > Add Server Configuration and add the enrichment.reputationScript.reliability server configuration with the desired reliability score.

To apply a reputation script to an indicator type:

  1. Go to Settings > OBJECTS SETUP > Indicators > Types.

  2. Select the indicator type and click Edit.

  3. Select the desired reputation script.

    Reputation scripts must have the reputation tag applied to appear in the list.

Note

The reputation script overrides any default settings for the indicator that relate to the verdict.

Out-of-the-box Reputation Script Examples

In the Automation page, there are several out-of-the-box reputation scripts, including:

  • CertificateReputation

  • cveReputation

  • MaliciousRatioReputation

  • SSDeepReputation

CLI Execution Examples

  • !CertificateReputation input=<value of the indicator>

  • !MaliciousRatioReputation input=<value of the indicator>

Reputation Script Input

The reputation script requires a single input argument named input that accepts an indicator value.

Argument    Description
input       The indicator value.

Reputation Script Outputs

The script returns either a raw number, which is the score, or a full entry whose EntryContext contains a DBotScore object, as in the following example.

from CommonServerPython import *


def main():
    # The indicator value(s) arrive in the single 'input' argument;
    # argToList accepts both a single value and a comma-separated list.
    url_list = argToList(demisto.args().get('input'))
    entry_list = []

    for url in url_list:
        # One full entry per indicator: 'Contents' carries the raw score and
        # 'EntryContext' carries the matching DBotScore object.
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })

    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
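A fuller added example, not taken from this guide or from the Cortex XSOAR content packs: a reputation script for domain indicators that computes a verdict per input value and can return either output form this section describes (a single raw score, or one full entry per indicator carrying a DBotScore object). The allowlist, denylist and suspicious-suffix heuristic are constructed sample data standing in for a real lookup, and the stand-ins defined when CommonServerPython cannot be imported (entryTypes, formats, argToList) are assumptions that only serve running the scoring logic outside XSOAR; inside XSOAR the real helpers and the demisto object are used.

```python
# Added example (not from the XSOAR guide). Inside XSOAR the server provides
# CommonServerPython and the `demisto` object; the fallback below exists only
# so the scoring logic can be exercised outside XSOAR (assumption: it mirrors
# the real helpers closely enough for that purpose).
try:
    from CommonServerPython import *  # real helpers inside XSOAR
except ImportError:
    entryTypes = {'note': 1}          # stand-in for CommonServerPython.entryTypes
    formats = {'json': 'json'}        # stand-in for CommonServerPython.formats

    def argToList(arg):
        """Stand-in: accept a list or a comma-separated string, drop blanks."""
        if not arg:
            return []
        if isinstance(arg, list):
            return arg
        return [item.strip() for item in str(arg).split(',') if item.strip()]

# Verdict values, identical to the Common.DbotScore constants listed on this page.
NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed sample data standing in for a real threat-intel lookup.
KNOWN_BAD_DOMAINS = {'malware-example.test'}
KNOWN_GOOD_DOMAINS = {'intranet.example.com'}
SUSPICIOUS_SUFFIXES = ('.onion',)  # constructed heuristic, not a vendor list


def score_domain(domain):
    """Return the verdict (0-3) for one domain indicator."""
    d = domain.strip().lower().rstrip('.')
    if d in KNOWN_BAD_DOMAINS:
        return BAD
    if d in KNOWN_GOOD_DOMAINS:
        return GOOD
    # Deeply nested names and Tor hidden-service names are flagged for review.
    if d.endswith(SUSPICIOUS_SUFFIXES) or d.count('.') >= 4:
        return SUSPICIOUS
    return NONE  # unknown to this script


def build_entry(domain, score):
    """Full entry form: raw score in Contents plus a DBotScore context object."""
    return {
        'Type': entryTypes['note'],
        'ContentsFormat': formats['json'],
        'Contents': score,
        'EntryContext': {
            'DBotScore': {
                'Indicator': domain,
                'Type': 'domain',
                'Score': score,
                'Vendor': 'DBot',
            }
        },
    }


def reputation(raw_input, as_entries=True):
    """Score every value passed in the 'input' argument.

    as_entries=True  -> list of full entries (one per indicator)
    as_entries=False -> a single raw number: the worst verdict seen
    """
    domains = argToList(raw_input)
    scores = [(d, score_domain(d)) for d in domains]
    if as_entries:
        return [build_entry(d, s) for d, s in scores]
    return max((s for _, s in scores), default=NONE)


def main():
    # Inside XSOAR: read the single 'input' argument and return one entry per indicator.
    demisto.results(reputation(demisto.args().get('input')))


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
```

Returning the full entry form is preferable when the script handles a comma-separated list, because each DBotScore object names the indicator it belongs to; the raw-number form only makes sense for a single indicator, which is why reputation() collapses it to the worst verdict seen.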

Values for Common.DbotScore

Constant                       Value
Common.DbotScore.NONE          NONE = 0
Common.DbotScore.GOOD          GOOD = 1
Common.DbotScore.SUSPICIOUS    SUSPICIOUS = 2
Common.DbotScore.BAD           BAD = 3