Reputation scripts for indicator enrichment.
Reputation scripts are user-created scripts that receive an indicator value and return the verdict as a number. The verdict from a reputation script overrides the verdict returned by the reputation command. By default, the reliability of the score from a reputation script is A++ - Reputation script; this is controlled by the enrichment.reputationScript.reliability server configuration.
To change it, set the enrichment.reputationScript.reliability server configuration to the desired reliability score.
To apply a reputation script to an indicator type:
Go to → → → .
Select the indicator type and click Edit.
Select the desired reputation script. Reputation scripts must have the reputation tag applied to appear in the list.
Note: The reputation script returns a verdict for the indicator and overrides any verdict that the system has set for the indicator.
Out-of-the-box Reputation Script Examples
In the page, there are several out-of-the-box reputation scripts, including:
CertificateReputation
cveReputation
MaliciousRatioReputation
SSDeepReputation
CLI Execution Examples
!CertificateReputation input=<value of the indicator>
!MaliciousRatioReputation input=<value of the indicator>
Reputation Script Input
The reputation script requires a single input argument named input that accepts an indicator value.
| Argument | Description |
|---|---|
| input | The indicator value. |
Reputation Script Outputs
Either a number or a dbotScore. It can either be a raw number which is the score, or a full entry with DBotScore.
```python
from CommonServerPython import *


def main():
    # The single 'input' argument may carry one value or a comma-separated list.
    url_list = argToList(demisto.args().get('input'))
    entry_list = []
    for url in url_list:
        # Full entry shape: the DBotScore in EntryContext carries the verdict.
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })
    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
```
Values for Common.DbotScore
| Constant | Value |
|---|---|
| Common.DbotScore.NONE | NONE = 0 |
| Common.DbotScore.GOOD | GOOD = 1 |
| Common.DbotScore.SUSPICIOUS | SUSPICIOUS = 2 |
| Common.DbotScore.BAD | BAD = 3 |
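The following is an added example, not a script shipped with the product or taken from the page: a reputation script that keeps its verdict rules in a plain function so they can be tested outside the platform, and emits the full DBotScore entry shape described above using the Common.DbotScore values from the table. The denylist and allowlist are constructed sample data, and the `import demisto` fallback is an assumption used to keep the script runnable offline.

```python
# Added example: a testable reputation script. Not from the page or from XSOAR.
import json

NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3          # Common.DbotScore values

KNOWN_BAD = {"198.51.100.7", "malware.example"}   # constructed denylist
KNOWN_GOOD = {"example.com"}                      # constructed allowlist


def score_indicator(value):
    """Return the DBotScore number for a single indicator value."""
    v = value.strip().lower()
    if v in KNOWN_BAD:
        return BAD
    if v in KNOWN_GOOD:
        return GOOD
    if v.endswith(".onion"):       # Tor hidden service: surface for analyst review
        return SUSPICIOUS
    return NONE                    # no opinion on this indicator


def build_entry(value, score, indicator_type="Domain"):
    """Full entry with a DBotScore context (the second output shape on this page)."""
    return {
        "Type": 1,                  # same value as entryTypes['note']
        "ContentsFormat": "json",   # same value as formats['json']
        "Contents": score,
        "EntryContext": {
            "DBotScore": {
                "Indicator": value,
                "Type": indicator_type,
                "Score": score,
                "Vendor": "DBot",
            }
        },
    }


def run(args):
    """Handle the 'input' argument, which may hold a comma-separated list."""
    values = [v.strip() for v in str(args.get("input", "")).split(",") if v.strip()]
    return [build_entry(v, score_indicator(v)) for v in values]


def main():
    try:
        import demisto  # assumption: XSOAR runtime module, absent outside the platform
    except ImportError:
        print(json.dumps(run({"input": "example.com,198.51.100.7,abc.onion"}), indent=2))
        return
    demisto.results(run(demisto.args()))


if __name__ in ("__main__", "builtin", "builtins"):
    main()
```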