Reputation commands run on indicators based on the indicator type to get the indicator verdict. The command uses integrations such as AutoFocus, Unit 42, etc.
The command returns the verdict of the indicator as an entry with entry context and may also return context values that can be mapped to the custom fields of the indicator.
For example, you can run commands such as !ip, which runs a reputation check on an IP address, or !url, which runs a reputation check on a URL. For more information about these commands and how to create your own commands, see https://xsoar.pan.dev/docs/integrations/generic-commands-reputation.
Running a reputation command directly (such as !ip) might not apply the result to the indicator, nor does it use the enrichment cache. To ensure the indicator is enriched, and to take advantage of caching, use the enrichIndicators command or the Enrich button in the UI. This runs the appropriate reputation command/script based on the indicator type settings. Note that extracted indicators are enriched in the same way.
CLI Reputation Command Examples
There are a number of out-of-the-box reputation commands, including:
!ip ip=<value of the indicator>
!domain domain=<value of the indicator>
!file file=<value of the indicator>
Reputation Command Input
The reputation command uses the indicator value as the input argument.
The value of the indicator
- name: ip
  arguments:
  - name: ip
    default: true
    description: List of IPs.
    isArray: true
In this example, the ip script uses the ip as the input with the is array field checked.
Reputation Command Outputs
Outputs return a dbotScore.
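The following is an added example, not code from Cortex XSOAR or from this page. It sketches how an ip reputation command could accept the isArray input defined above and return one DBotScore entry (Indicator, Type, Vendor, Score, with 0 = unknown, 1 = good, 2 = suspicious, 3 = bad) per valid address. The vendor name, the sample verdict table, and the helper names `to_list` and `ip_command` are hypothetical.

```python
import ipaddress

# DBotScore verdict scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed sample data standing in for a vendor lookup (hypothetical).
VENDOR = "ExampleIntel"
SAMPLE_VERDICTS = {"198.51.100.7": BAD, "203.0.113.20": SUSPICIOUS, "192.0.2.1": GOOD}


def to_list(arg):
    """Normalize an isArray argument: accept a list or a comma-separated string."""
    if arg is None:
        return []
    items = arg if isinstance(arg, (list, tuple)) else str(arg).split(",")
    return [str(i).strip() for i in items if str(i).strip()]


def ip_command(args):
    """Return (context, invalid): one DBotScore entry per valid IP in args['ip']."""
    scores, ips, invalid = [], [], []
    for value in to_list(args.get("ip")):
        try:
            address = str(ipaddress.ip_address(value))
        except ValueError:
            invalid.append(value)  # never score a value that is not an IP address
            continue
        scores.append({
            "Indicator": address,
            "Type": "ip",
            "Vendor": VENDOR,
            "Score": SAMPLE_VERDICTS.get(address, UNKNOWN),
        })
        ips.append({"Address": address})
    return {"DBotScore": scores, "IP": ips}, invalid


if __name__ == "__main__":
    context, invalid = ip_command({"ip": "198.51.100.7, 192.0.2.1,not-an-ip"})
    print(context["DBotScore"])
    print("skipped:", invalid)
```

Rejecting malformed values before scoring keeps a typo or an unrelated string from being recorded with a verdict, and an address missing from the vendor data is reported as unknown (0) rather than good.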