Reputation commands run based on the indicator's type, and return a verdict for the indicator.
Reputation commands run on indicators based on the indicator type to get the indicator verdict. The commands use integrations such as Unit 42.
The command returns the verdict of the indicator as an entry with entry context, and may also return context values that can be mapped to the custom fields of the indicator.
For example, you can run commands such as !ip, which runs a reputation check on an IP address, or !url, which runs a reputation check on a URL. For more information about these commands and how to create your own commands, see Generic Reputation Commands.
Note
Running a reputation command directly (such as !ip) might not apply the result to the indicator, nor does it use the enrichment cache. To ensure the indicator is enriched, and to take advantage of caching, use the enrichIndicators command or the Enrich button in the UI. This runs the appropriate reputation command/script based on the indicator type settings. Note that extracted indicators are enriched in the same way.
CLI Reputation Command Examples
There are several out-of-the-box reputation commands, including:
!ip ip=<value of the indicator>
!domain domain=<value of the indicator>
!file file=<value of the indicator>
Reputation Command Input
The reputation command uses the indicator value as the input argument.
Arguments | Description |
---|---|
The value of the indicator | See the example that follows. |

For example:

    - name: ip
      arguments:
      - name: ip
        default: true
        description: List of IPs.
        isArray: true

In this example, the ip script uses ip as the input, with the is array field checked.
Reputation Command Outputs
Outputs return a dbotScore.
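The input and output described above, as an added example (not code from the original page or from the product): a stand-alone Python function that accepts an isArray-style ip argument and returns one DBotScore object per IP. The vendor name ExampleIntel, the sample feed, the helper names, the separate list of rejected values, and the DBotScore keys Indicator/Type/Vendor/Score with scores 0 to 3 are assumptions not shown on this page.

```python
import ipaddress

# DBotScore numeric verdicts (assumed standard values, not listed on this page).
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed sample data standing in for a vendor lookup (documentation-range IPs).
SAMPLE_FEED = {"198.51.100.7": BAD, "203.0.113.10": SUSPICIOUS, "192.0.2.1": GOOD}
VENDOR = "ExampleIntel"  # hypothetical integration name


def arg_to_list(value):
    """Mimic an isArray argument: accept a list or a comma-separated string."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        items = value
    else:
        items = str(value).split(",")
    return [str(i).strip() for i in items if str(i).strip()]


def ip_command(args, feed=SAMPLE_FEED):
    """Return (entry context, rejected inputs) for the 'ip' argument."""
    scores, invalid = [], []
    for raw in arg_to_list(args.get("ip")):
        try:
            # Normalise the value and reject anything that is not an IP address.
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            invalid.append(raw)
            continue
        scores.append({
            "Indicator": ip,
            "Type": "ip",
            "Vendor": VENDOR,
            # An indicator the feed has never seen is Unknown, not Good.
            "Score": feed.get(ip, UNKNOWN),
        })
    return {"DBotScore": scores}, invalid


if __name__ == "__main__":
    # Constructed input: two known IPs, one malformed value, one unseen IP.
    print(ip_command({"ip": "198.51.100.7, 192.0.2.1,not-an-ip,10.0.0.5"}))
```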