Reputation Scripts - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

Reputation scripts for indicator enrichment

Reputation scripts are user-created scripts that gets the indicator value and returns the verdict as a number. It overrides the verdict returned from the reputation command. The reliability of the score from a reputation script, by default, is A++ - Reputation script and controlled by the enrichment.reputationScript.reliability server configuration.

You can modify the configuration by selecting SettingsABOUTTroubleshootingAdd Server Configuration and then add the enrichment.reputationScript.reliability server configuration with the desired reliability score.

To apply a reputation script to an indicator type:

  1. Go to SettingsOBJECTS SETUPIndicatorsTypes.

  2. Select the indicator type and click Edit.

  3. Select the desired reputation script.

    Reputation scripts must have the reputation tag applied to appear in the list.

Note

The Reputation script overrides any default settings for the indicator that relates to the verdict.

Out-of-the-box Reputation Script Examples

In the Automation page, there several out-of-the box reputation scripts, including:

  • CertificateReputation

  • cveReputation

  • MaliciousRatioReputation

  • SSDeepReputation

CLI Execution Examples
  • !CertificateReputation input=<value of the indicator>

  • !MalicioiusRationReputation input=<value of the indicator>

Reputation Script Input

The reputation requires a single input argument named input that accepts an indicator value.

Argument

Description

input

The indicator value.

reputation-settings.png
Reputation Script Outputs

Either a number or a dbotScore. It can either be a raw number which is the score, or a full entry with DBotScore.

from CommonServerPython import *


def main():
    url_list = argToList(demisto.args().get('input'))
    entry_list = []

    for url in url_list:
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })

    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()

Values for Common.DbotScore

Constant

Value

Common.DbotScore.NONE

NONE = 0

Common.DbotScore.GOOD

GOOD = 1

Common.DbotScore.SUSPICIOUS

SUSPICIOUS = 2

Common.DbotScore.BAD

BAD = 3