Reputation scripts

Cortex XSOAR SaaS Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2025-12-29
Category: Administrator Guide
Solution: SaaS

Abstract

Reputation scripts for indicator enrichment.

Reputation scripts are used to assess and assign reputation scores to indicators. These scripts integrate external threat intelligence or internal data sources to evaluate the reputation of indicators (such as IP addresses, URLs, or file hashes). Reputation scripts enable you to implement custom logic and algorithms for determining the reputation of indicators.

Reputation scripts return the verdict of an indicator as a number. That number overrides the verdict returned by the reputation command and any default verdict settings for the indicator type, but it does not override a manually set verdict.

The system automatically executes the reputation script in the following cases:

  • During enrichment: When enrichment is triggered (via indicator extraction, the enrichIndicators command, or the Enrich button), the system runs the reputation command and then the reputation script for the specific indicator type.

  • When a verdict changes outside the enrichment process: When you explicitly run a reputation command such as !file and the result changes the indicator's verdict, the reputation script runs to finalize the decision. This happens even if you use the using argument to target a specific integration.

The reliability of the score from a reputation script is by default A++ - Reputation script.

You can modify the reliability by navigating to Settings & Info > Settings > System > Server Settings > + Add Server Configuration and adding the server configuration enrichment.reputationScript.reliability with the desired reliability score.

Out-of-the-box reputation scripts

You can create a new reputation script, or you can use an out-of-the-box reputation script in the Scripts page, for example:

  • CertificateReputation

  • cveReputation

  • MaliciousRatioReputation

  • SSDeepReputation

A reputation script requires a single input argument named input, which accepts the indicator value (the example below passes it through argToList, so a comma-separated list of values is handled as well).

Argument    Description
input       The indicator value.

The script returns either a number or a DBotScore entry: a raw number that is the score itself, or a full war room entry whose EntryContext carries a DBotScore object. The following example returns both, scoring every input value as suspicious:

from CommonServerPython import *


def main():
    # 'input' may be a single value or a comma-separated list of values.
    url_list = argToList(demisto.args().get('input'))
    entry_list = []

    for url in url_list:
        # One war room entry per indicator. 'Contents' carries the raw score;
        # 'EntryContext' carries the equivalent DBotScore object.
        entry_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': 2,
            'EntryContext': {
                'DBotScore': {
                    'Indicator': url,
                    'Type': 'Onion URL',
                    'Score': 2,  # suspicious
                    'Vendor': 'DBot'
                }
            }
        })

    demisto.results(entry_list)


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()

The score values map to the DBotScore constants defined in CommonServerPython:

Constant                      Value
Common.DBotScore.NONE         NONE = 0
Common.DBotScore.GOOD         GOOD = 1
Common.DBotScore.SUSPICIOUS   SUSPICIOUS = 2
Common.DBotScore.BAD          BAD = 3
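The following is an added example of a custom reputation script with real decision logic; it is not one of the out-of-the-box scripts and not code from this page. It scores IP indicators against a constructed blocklist (BAD), a constructed watchlist (SUSPICIOUS) and internal address ranges (GOOD), leaving everything else at NONE, and shows both return forms described above: a raw score number, or a full entry carrying a DBotScore object. The networks, blocklist addresses (TEST-NET ranges) and the vendor name CustomIPReputation are assumptions for illustration. Outside Cortex XSOAR the CommonServerPython and demisto modules do not exist, so the script falls back to stand-in definitions of the few names it uses; inside XSOAR the real ones are picked up.

```python
"""Custom IP reputation script (added example, not an out-of-the-box script)."""
import ipaddress

# In Cortex XSOAR, CommonServerPython and the demisto object are available.
# Outside the platform (unit tests, local runs) fall back to the literal values
# of the few names used below so the module still imports and runs.
try:
    from CommonServerPython import *  # noqa: F401,F403
except ImportError:
    demisto = None
    entryTypes = {'note': 1}
    formats = {'json': 'json'}

    def argToList(value):
        """Minimal stand-in for CommonServerPython.argToList."""
        if value is None or value == '':
            return []
        if isinstance(value, list):
            return value
        return [item.strip() for item in str(value).split(',') if item.strip()]

# DBotScore values (same as Common.DBotScore.NONE/GOOD/SUSPICIOUS/BAD).
NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed sample data; assumptions, not real intelligence.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '192.168.0.0/16')]
BLOCKLIST = {'203.0.113.7', '198.51.100.23'}   # TEST-NET placeholders
WATCHLIST = {'192.0.2.50'}                      # TEST-NET placeholder
VENDOR = 'CustomIPReputation'                   # hypothetical vendor name


def score_ip(value):
    """Return (score, reason) for one IP string. Invalid input scores NONE."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return NONE, 'not a valid IP address'
    if value in BLOCKLIST:
        return BAD, 'listed on internal blocklist'
    if value in WATCHLIST:
        return SUSPICIOUS, 'listed on internal watchlist'
    if any(ip in net for net in INTERNAL_NETWORKS):
        return GOOD, 'internal address space'
    return NONE, 'no local knowledge'


def dbot_entry(value, score, reason):
    """Build a full war room entry whose EntryContext carries a DBotScore object."""
    return {
        'Type': entryTypes['note'],
        'ContentsFormat': formats['json'],
        'Contents': {'Indicator': value, 'Score': score, 'Reason': reason},
        'EntryContext': {
            'DBotScore': {
                'Indicator': value,
                'Type': 'ip',
                'Score': score,
                'Vendor': VENDOR,
            }
        },
    }


def reputation_entries(raw_input, full_entry=True):
    """Process the 'input' argument (single value or comma-separated list).

    full_entry=True returns one DBotScore entry per value; full_entry=False
    returns the raw score numbers, the other form a reputation script may return.
    """
    entries = []
    for value in argToList(raw_input):
        score, reason = score_ip(value)
        entries.append(dbot_entry(value, score, reason) if full_entry else score)
    return entries


def main():
    if demisto is None:
        # Stand-alone demo run outside the platform.
        for entry in reputation_entries('10.1.2.3,203.0.113.7,192.0.2.50,8.8.8.8,not-an-ip'):
            print(entry['EntryContext']['DBotScore'])
        return
    demisto.results(reputation_entries(demisto.args().get('input')))


if __name__ in ('__main__', 'builtin', 'builtins'):
    main()
```

Inside XSOAR the script is invoked as !CustomIPReputation input=203.0.113.7 once it has the reputation tag and is assigned to the IP indicator type; the BAD score it returns then overrides the reputation command's verdict as described above, unless the verdict was set manually.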

To assign a reputation script to an indicator type:

  1. Go to Settings & Info > Settings > Object Setup > Indicators > Types.

  2. Select the indicator type and click Edit.

  3. Select the relevant reputation script.

    Note

    Reputation scripts must have the reputation tag applied to appear in the list.

You can run out-of-the-box or custom reputation scripts in the CLI to set the verdict for a specific indicator.

The following examples run the out-of-the-box CertificateReputation and MaliciousRatioReputation reputation scripts in the CLI.

  • !CertificateReputation input=<value of the indicator>

  • !MaliciousRatioReputation input=<value of the indicator>