Reputation Commands - Threat Intel Management Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Cortex XSOAR
Creation date
Last date published
Threat Intel Management Guide

Reputation commands run on indicators based on the indicator type to get the indicator verdict. The command uses integrations such as AutoFocus, Unit 42, etc.

The command returns the verdict of the indicator as an entry with entry context and may also return context values that can be mapped to the custom fields of the indicator.

For example, you can run commands such as !ip, which runs a reputation on an IP address or !url to run reputation commands on an URL. For more information about these commands and how to create your own commands, see


Running a reputation command directly (such as !ip) might not apply the result to the indicator, nor does it use the enrichment cache. To ensure the indicator is enriched, and to take advantage of caching, use the enrichIndicators command or the Enrich button in the UI. This runs the appropriate reputation command/script based on the indicator type settings. Note that extracted indicators are enriched in the same way.

CLI Reputation Command Examples

There are a number of out-of-the-box reputation commands, including:

  • !ip ip=<value of the indicator>

  • !domain domain=<value of the indicator>

  • !file file=<value of the indicator>

Reputation Command Input

The reputation command uses the indicator value as the input argument.



The value of the indicator

For example ip, email, url. Inputs are based on different integrations. Basic inputs are common to all reputation commands. For example the !ip command has the following basic inputs:

- name: ip
   - name: ip
     default: true
     description: List of IPs.
     isArray: true

In this example, the ip script uses the ip as the input with the is array field checked.

Reputation Command Outputs

Outputs return a dbotScore.