Reputation scripts for indicator enrichment.
Reputation scripts are user-created scripts that return the verdict of an indicator as a number. The number overrides the verdict returned from the reputation command, but does not override a manually set verdict. The reliability of the score from a reputation script is A++ - Reputation script by default and is controlled by the enrichment.reputationScript.reliability server configuration.
You can modify the reliability, if needed, by setting the enrichment.reputationScript.reliability server configuration to the desired reliability score.
To apply a reputation script to an indicator type:
Go to → → → → .
Select the indicator type and click Edit.
Select the desired reputation script.
Reputation scripts must have the reputation tag applied in order to appear in the list.
Note
The reputation script overrides any default settings for the indicator that relate to the verdict.
Out-of-the-box Reputation Script Examples
In the Scripts page, there are several out-of-the-box reputation scripts, including:
CertificateReputation
cveReputation
MaliciousRatioReputation
SSDeepReputation
CLI Execution Examples
!CertificateReputation input=<value of the indicator>
!MaliciousRatioReputation input=<value of the indicator>
Reputation Script Input
The reputation script requires a single input argument named input that accepts an indicator value.
Argument | Description |
---|---|
input | The indicator value. |
Reputation Script Outputs
The script outputs either a number or a DBotScore. The output can be a raw number, which is the score, or a full entry with DBotScore.
```python
from CommonServerPython import *


def main():
    # The input argument may hold one or more indicator values.
    url_list = argToList(demisto.args().get('input'))
    entry_list = []
    for url in url_list:
        # Contents carries the raw score; EntryContext carries the full DBotScore.
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })
    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
```
Values for Common.DBotScore
Constant | Value |
---|---|
Common.DBotScore.NONE | NONE = 0 |
Common.DBotScore.GOOD | GOOD = 1 |
Common.DBotScore.SUSPICIOUS | SUSPICIOUS = 2 |
Common.DBotScore.BAD | BAD = 3 |
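The following is an added example, not part of the product's own scripts: the scoring half of a reputation script, written so it runs outside XSOAR, that decides the score per indicator instead of returning a fixed 2 and builds the same entry shape as the script above. The .onion rule, the function names and the sample values are assumptions made for illustration; inside a script, the returned list is what would be passed to demisto.results, with entryTypes['note'] and formats['json'] as the last two parameters.

```python
from urllib.parse import urlsplit

# Score values from the table above.
NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3


def split_input(raw):
    """The 'input' argument may hold one value, a comma-separated string, or a list."""
    items = raw if isinstance(raw, list) else str(raw or '').split(',')
    return [str(item).strip() for item in items if str(item).strip()]


def score_url(url):
    """Hypothetical rule: a host under .onion is SUSPICIOUS, anything else stays NONE."""
    try:
        # urlsplit fills hostname only after '//', so prefix it when the scheme is missing.
        host = urlsplit(url if '://' in url else '//' + url).hostname or ''
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return NONE
    # Match on the parsed host, not the whole string, so '.onion' in a query is ignored.
    return SUSPICIOUS if host.rstrip('.').endswith('.onion') else NONE


def build_entries(raw, entry_type, contents_format):
    """One entry per indicator: Contents is the raw score, EntryContext the DBotScore."""
    entries = []
    for url in split_input(raw):
        score = score_url(url)
        entries.append({
            'Type': entry_type,
            'ContentsFormat': contents_format,
            'Contents': score,
            'EntryContext': {'DBotScore': {
                'Indicator': url, 'Type': 'Onion URL', 'Score': score, 'Vendor': 'DBot'}},
        })
    return entries


# Constructed sample input; 'note' and 'json' stand in for entryTypes['note'] and formats['json'].
SAMPLE = ('http://exampleexample.onion/login, https://example.com/?next=a.onion, '
          'EXAMPLE.ONION:8080, http://[bad')

if __name__ == '__main__':
    for entry in build_entries(SAMPLE, 'note', 'json'):
        print(entry['EntryContext']['DBotScore'])
```

Keeping Contents and DBotScore.Score equal in every entry avoids a mismatch between the raw score and the context written for the indicator.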