Reputation Scripts - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-09-18
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

Reputation scripts for indicator enrichment.

Reputation scripts are user-created scripts that return the verdict of an indicator as a number. The number overrides the verdict returned from the reputation command, but does not override a manually-set verdict. The reliability of the score from a reputation script is A++ - Reputation script by default and controlled by the enrichment.reputationScript.reliability server configuration.

You can modify the reliability, if needed, by navigating to Settings & InfoSettingsSystemServer Settings+ Add Server Configuration and adding the server configuration enrichment.reputationScript.reliability with the desired reliability score.

To apply a reputation script to an indicator type:

  1. Go to Settings & InfoSettingsObject SetupIndicatorsTypes.

  2. Select the indicator type and click Edit.

  3. Select the desired reputation script.

    Reputation scripts must have the reputation tag applied in order to appear in the list.

Note

The Reputation script overrides any default settings for the indicator that relates to the verdict.

Out-of-the-box Reputation Script Examples

In the Scripts page, there are several out-of-the-box reputation scripts, including:

  • CertificateReputation

  • cveReputation

  • MaliciousRatioReputation

  • SSDeepReputation

CLI Execution Examples
  • !CertificateReputation input=<value of the indicator>

  • !MalicioiusRationReputation input=<value of the indicator>

Reputation Script Input

The reputation requires a single input argument named input that accepts an indicator value.

Argument

Description

input

The indicator value.

reputation-script-8-set.png
Reputation Script Outputs

Either a number or a dbotScore. It can either be a raw number which is the score, or a full entry with DBotScore.

from CommonServerPython import *


def main():
    url_list = argToList(demisto.args().get('input'))
    entry_list = []

    for url in url_list:
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })

    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()

Values for Common.DbotScore

Constant

Value

Common.DbotScore.NONE

NONE = 0

Common.DbotScore.GOOD

GOOD = 1

Common.DbotScore.SUSPICIOUS

SUSPICIOUS = 2

Common.DbotScore.BAD

BAD = 3