Reputation scripts for indicator enrichment
Reputation scripts are user-created scripts that receive the indicator value and return the verdict as a number. The verdict they return overrides the verdict returned by the reputation command.
You need to ensure that the DBotScore you return is in the correct format. The reliability of a score produced by a reputation script defaults to A++ - Reputation script and is controlled by the enrichment.reputationScript.reliability server configuration.
You can modify the configuration by selecting → → → and then adding the enrichment.reputationScript.reliability server configuration with the desired reliability score.
To apply a reputation script to an indicator type:
Go to → → → .
Select the indicator type and click Edit.
Select the desired reputation script.
Reputation scripts must have the reputation tag applied to appear in the list.
Note
The Reputation script returns a verdict for the indicator and overrides any verdict that the system has set for the indicator.
Out-of-the-box Reputation Script Examples
There are several out-of-the-box reputation scripts, including:
CertificateReputation
cveReputation
MaliciousRatioReputation
SSDeepReputation
CLI Execution Examples
!CertificateReputation input=<value of the indicator>
!MaliciousRatioReputation input=<value of the indicator>
Reputation Script Input
The reputation script requires a single input argument named input that accepts an indicator value.
| Argument | Description |
|---|---|
| input | The indicator value. |
Reputation Script Outputs
The script returns either a number or a DBotScore: a raw number that is the score itself, or a full entry whose EntryContext carries a DBotScore object.
```python
from CommonServerPython import *


def main():
    # The single required argument; argToList accepts one value or a comma-separated list
    url_list = argToList(demisto.args().get('input'))
    entry_list = []
    for url in url_list:
        # Full-entry output form: a note entry with a DBotScore in its EntryContext
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })
    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
```
Values for Common.DbotScore
| Constant | Value |
|---|---|
| Common.DbotScore.NONE | NONE = 0 |
| Common.DbotScore.GOOD | GOOD = 1 |
| Common.DbotScore.SUSPICIOUS | SUSPICIOUS = 2 |
| Common.DbotScore.BAD | BAD = 3 |
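The following is an added example, not one of the out-of-the-box scripts and not code from the XSOAR documentation. It shows a reputation script that handles the single input argument described above and can emit either output form the page describes: the raw score, or the full entry with a DBotScore. The verdict logic is kept in a pure function so it can be tested outside XSOAR; the allow list, deny list, and suspicious-TLD rule are constructed sample data, and the CommonServerPython import is wrapped so the script also runs locally.

```python
"""Added example of an XSOAR reputation script (not from the docs).
The score constants mirror the Common.DbotScore table; the intel data
and classification rules below are constructed for illustration only."""
import re

try:
    from CommonServerPython import *  # present only inside XSOAR
    IN_XSOAR = True
except ImportError:  # local dry run or unit test outside XSOAR
    IN_XSOAR = False

# Same values as Common.DbotScore.NONE / GOOD / SUSPICIOUS / BAD
NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed sample intel; a real script would consult a list or feed
KNOWN_BAD = {"evil.example", "198.51.100.7"}
KNOWN_GOOD = {"example.com", "192.0.2.10"}
SUSPICIOUS_TLDS = (".zip", ".top")  # assumed rule for illustration

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def indicator_type(value: str) -> str:
    """Minimal type detection so the DBotScore 'Type' field is plausible."""
    return "IP" if IPV4.match(value) else "Domain"


def classify(indicator: str) -> int:
    """Pure verdict logic: returns one of the DBotScore integer values."""
    value = indicator.strip().lower()
    if value in KNOWN_BAD:
        return BAD
    if value in KNOWN_GOOD:
        return GOOD
    if value.endswith(SUSPICIOUS_TLDS):
        return SUSPICIOUS
    return NONE


def build_entry(indicator: str, score: int) -> dict:
    """Full-entry output form. Literal 1 / 'json' equal entryTypes['note']
    and formats['json'] in CommonServerPython, written out here so the
    function works without that module."""
    return {
        "Type": 1,
        "ContentsFormat": "json",
        "Contents": score,
        "EntryContext": {
            "DBotScore": {
                "Indicator": indicator,
                "Type": indicator_type(indicator),
                "Score": score,
                "Vendor": "DBot",
            }
        },
    }


def run(args: dict, full_entry: bool = True) -> list:
    """Reads the required 'input' argument (a single value or a comma
    separated list, as argToList would accept) and returns one result per
    indicator: DBotScore entries, or raw scores when full_entry is False."""
    raw = args.get("input", "")
    values = raw if isinstance(raw, list) else str(raw).split(",")
    values = [v.strip() for v in values if v.strip()]
    if full_entry:
        return [build_entry(v, classify(v)) for v in values]
    return [classify(v) for v in values]


def main():
    if not IN_XSOAR:
        # Local dry run with constructed input
        print(run({"input": "evil.example,example.com,files.zip,unknown.org"}))
        return
    demisto.results(run(demisto.args()))


if __name__ in ("__main__", "builtin", "builtins"):
    main()
```

Inside XSOAR the script would be saved with the reputation tag and assigned to an indicator type as described above; the entries it returns then override the verdict from the reputation command with the reliability set by enrichment.reputationScript.reliability.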