Reputation Scripts - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Reputation scripts for indicator enrichment.

Reputation scripts are user-created scripts that returns the verdict as a number. The number overrides the verdict returned from the reputation command. The reliability of the score from a reputation script is A++ - Reputation script by default and controlled by the enrichment.reputationScript.reliability server configuration. You can modify the configuration by selecting SettingsABOUTTroubleshootingAdd Server Configuration and then add the enrichment.reputationScript.reliability server configuration with the desired reliability score.Indicator Verdict

You need to ensure that you use the correct dbscore score is in the correct format. For information about arguments, the context format, and outputs, see Reputation and DBotScore.

To apply a reputation script to an indicator type, navigate to SettingsOBJECTS SETUPIndicatorsTypes. Select the indicator type, click Edit and select the desired reputation script from the drop-down list. Reputation scripts must have the reputation tag applied in order to appear in the list.

Note

The Reputation script overrides any default settings for the indicator that relates to the verdict.

In the example below, if the VirusTotal result is good, the dBot score is 1. If the VirusTotal result is bad or suspicious, the dBOT score is 3 (bad). If there are no results in VirusTotal, the dBOT score is 2 (suspicious), instead of the default 0 (unknown).

def score_logic(args):
    """
    Internal calculation logic should be inserted here.
    here we keep the VirusTotal results if it is GOOD, otherwise it will be BAD
    """
    scores_history = json.loads(args.get("cache"))
    if demisto.get(scores_history, "scores"):
        vt_score = demisto.get(scores_history.get("scores"), "VirusTotal")
        demisto.info(f'############ {vt_score} ##########')
        if vt_score:
            demisto.info(f'############ {vt_score.get("score")} ##########')

            return Common.DBotScore.GOOD if vt_score.get("score") == 1 else Common.DBotScore.BAD
    
    # If there are no results in VirusTotal:
    return Common.DBotScore.SUSPICIOUS

def calculate_results(args):

    dbot = {
        'Indicator': args.get("input"),
        'Type': 'IP',
        'Score': score_logic(args),
        'Vendor': 'ReputationScript'
        }

    context = {
        'example_field': {
            'innerKey': 'value EnrichReputation',
            'tags':["Tag1","Tag2"]
       },
       'DBotScore': dbot
    }

    res = [{
        'Type': entryTypes['note'],
        'ContentsFormat': formats['json'],
        'Contents': score_logic(args),
        'EntryContext': context

    }]
    return res


''' MAIN FUNCTION '''


def main():
    try:
        args = demisto.args()
        return demisto.results(calculate_results(args))

    except Exception as ex:
        return_error(f'Failed to execute Reputation Script. Error: {str(ex)}')


''' ENTRY POINT '''


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
Reputation Script Inputs

The following inputs are required.

Inputs

Description

input

The indicator value.

cache

The enrichment scores that were saved in the enrichment command phase (runs before the reputation script). The scores appear in the scores property as a map of the source name. For example, VirusTotal) to its DBotScore.

cacheExpiration

The definition of the cache expiration as it appears in the indicator type. The value is in minutes.

Reputation Script Outputs

Either a number or a dbotScore.