Reputation scripts for indicator enrichment.
Reputation scripts are user-created scripts that return the verdict as a number. The number overrides the verdict returned from the reputation command. The reliability of the score from a reputation script is A++ - Reputation script by default and is controlled by the enrichment.reputationScript.reliability server configuration. You can modify the configuration by selecting → → → and then adding the enrichment.reputationScript.reliability server configuration with the desired reliability score.
Ensure that the DBotScore you return is in the correct format. For information about arguments, the context format, and outputs, see Reputation and DBotScore.
To apply a reputation script to an indicator type, navigate to Edit and select the desired reputation script from the drop-down list. Reputation scripts must have the reputation tag applied in order to appear in the list.
Note
The reputation script overrides any default settings for the indicator that relate to the verdict.
In the example below, if the VirusTotal result is good, the DBotScore is 1. If the VirusTotal result is bad or suspicious, the DBotScore is 3 (bad). If there are no results in VirusTotal, the DBotScore is 2 (suspicious), instead of the default 0 (unknown).
```python
import json

# Standard XSOAR script preamble: demistomock provides the demisto API object,
# CommonServerPython provides Common.DBotScore, entryTypes, formats and return_error.
import demistomock as demisto
from CommonServerPython import *


def score_logic(args):
    """
    Internal calculation logic should be inserted here.
    Here we keep the VirusTotal result if it is GOOD, otherwise it will be BAD.
    """
    # "cache" holds the JSON saved by the enrichment phase, keyed by vendor under "scores".
    scores_history = json.loads(args.get("cache"))
    if demisto.get(scores_history, "scores"):
        vt_score = demisto.get(scores_history.get("scores"), "VirusTotal")
        demisto.info(f'############ {vt_score} ##########')
        if vt_score:
            demisto.info(f'############ {vt_score.get("score")} ##########')
            # GOOD (1) only when VirusTotal itself reported 1; any other result maps to BAD (3).
            return Common.DBotScore.GOOD if vt_score.get("score") == 1 else Common.DBotScore.BAD
    # If there are no results in VirusTotal:
    return Common.DBotScore.SUSPICIOUS


def calculate_results(args):
    # DBotScore context object; "Score" is the numeric verdict that overrides the default.
    dbot = {
        'Indicator': args.get("input"),
        'Type': 'IP',
        'Score': score_logic(args),
        'Vendor': 'ReputationScript'
    }
    context = {
        'example_field': {
            'innerKey': 'value EnrichReputation',
            'tags': ["Tag1", "Tag2"]
        },
        'DBotScore': dbot
    }
    res = [{
        'Type': entryTypes['note'],
        'ContentsFormat': formats['json'],
        'Contents': score_logic(args),
        'EntryContext': context
    }]
    return res


''' MAIN FUNCTION '''


def main():
    try:
        args = demisto.args()
        return demisto.results(calculate_results(args))
    except Exception as ex:
        return_error(f'Failed to execute Reputation Script. Error: {str(ex)}')


''' ENTRY POINT '''
if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
```
Reputation Script Inputs
The following inputs are required.
Inputs | Description
---|---
`input` | The indicator value.
`cache` | The enrichment scores that were saved in the enrichment command phase (runs before the reputation script). The scores appear in the
 | The definition of the cache expiration as it appears in the indicator type. The value is in minutes.
Reputation Script Outputs
Either a number or a dbotScore.
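The page's example keys its verdict on a single vendor. The following added example (written for this page, not code from the product or its documentation) generalizes that logic to every vendor present in the `cache` input: it takes the worst score any vendor reported and falls back to suspicious when nothing usable was cached, which is the same "no results" behaviour the note above describes. It runs without the XSOAR runtime: the `DBOT_*` constants are assumed to match `Common.DBotScore` (0 unknown, 1 good, 2 suspicious, 3 bad), the literal entry type and format values are assumed to match `entryTypes['note']` and `formats['json']`, the cache shape `{"scores": {"<Vendor>": {"score": <int>}}}` is inferred from the page's script, and the sample address and cache contents are constructed.

```python
import json

# Assumed to match Common.DBotScore in CommonServerPython.
DBOT_NONE = 0        # unknown
DBOT_GOOD = 1
DBOT_SUSPICIOUS = 2
DBOT_BAD = 3


def worst_vendor_score(args):
    """Return the highest (worst) DBotScore across all cached vendor results.

    args["cache"] is the JSON string saved by the enrichment phase; the shape
    {"scores": {"<Vendor>": {"score": <int>}}} is inferred from the page's example.
    Vendors whose score is 0/unknown, out of range, or malformed are ignored.
    If no vendor contributed a usable score, return SUSPICIOUS rather than the
    default unknown, matching the page's "no results" behaviour.
    """
    try:
        cache = json.loads(args.get("cache") or "{}")
    except json.JSONDecodeError:
        cache = {}
    scores = cache.get("scores") or {}
    usable = []
    for vendor, entry in scores.items():
        score = entry.get("score") if isinstance(entry, dict) else None
        if isinstance(score, int) and DBOT_GOOD <= score <= DBOT_BAD:
            usable.append(score)
    if not usable:
        return DBOT_SUSPICIOUS
    # Worst-of policy: one bad vendor verdict outweighs any number of good ones.
    return max(usable)


def build_entry(args):
    """Build the entry a reputation script returns: the verdict as a number in
    Contents plus a DBotScore context object, in the same shape as the page's script.
    """
    score = worst_vendor_score(args)
    dbot = {
        "Indicator": args.get("input"),
        "Type": "IP",
        "Score": score,
        "Vendor": "ReputationScript",
    }
    return {
        "Type": 1,                 # assumed equal to entryTypes['note']
        "ContentsFormat": "json",  # assumed equal to formats['json']
        "Contents": score,
        "EntryContext": {"DBotScore": dbot},
    }


# Constructed sample input for a stand-alone run (documentation address, made-up vendors).
SAMPLE_ARGS = {
    "input": "192.0.2.10",
    "cache": json.dumps({"scores": {"VirusTotal": {"score": 1},
                                    "OtherVendor": {"score": 3}}}),
}

if __name__ == "__main__":
    print(build_entry(SAMPLE_ARGS))
```

With the sample cache the script returns 3 (bad) because one vendor flagged the indicator, even though VirusTotal reported good; an empty or unparsable cache yields 2 (suspicious). Replace `worst_vendor_score` with whatever policy your organization needs (for example, weighting vendors by their reliability) while keeping the returned number within the DBotScore range.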