End-of-Life (EoL)
Indicator Reputation
Indicator reputation affects how the indicator is processed
and handled in Cortex XSOAR.
An indicator's reputation is assigned according to the reputation
returned by the source with the highest reliability. When multiple
sources with the same reliability score return different reputations
for the indicator, the worst reputation is taken.
Indicator reputations
Indicators are assigned a reputation on a scale of 0 to 3.
| Score | Reputation | Color |
|---|---|---|
| 0 | None | No color |
| 1 | Good | Green |
| 2 | Suspicious | Orange |
| 3 | Bad | Red |
Example 1
In this example, two 3rd-party integrations, VirusTotal and AlienVault,
return a different reputation for the same indicator. VirusTotal
returns a reputation of Good, and AlienVault returns a reputation
of Bad. The indicator’s reputation will be Bad.
Example 2
In this example, two sources with different reliability scores
return a different reputation for the same indicator. The first
source is a TAXII feed with a reliability score of C - Fairly reliable,
and the second source is a CSV feed with a reliability score of
B - Usually reliable. The TAXII feed returns a reputation of Bad
and the CSV feed returns a reputation of Good. The indicator’s reputation
will be Good because the CSV reliability score is higher than that
of the TAXII feed.
Source reliability
The reliability of an intelligence-data source influences the
reputation of an indicator and the values for indicator fields when
merging indicators.
Indicator fields are merged according to the source reliability
hierarchy. This means that when there are two different values for
a single indicator field, the field will be populated with the value
provided by the source with the highest reliability score.
In rare cases, two sources with the same reliability score might
return different values for the same indicator field. In these cases,
the field is populated with the value that was provided most recently.
For the field types Tags and Multi-select, all values are appended and
nothing is overridden.
| Source | Reliability Score | Notes |
|---|---|---|
| User (manual) | A+++ | A user manually updates the reputation of an indicator. |
| Reputation script | A++ | A script with the reputation tag, which calculates the reputation of an indicator. For example, the DataDomainReputation script evaluates the reputation of a URL or domain. |
| 3rd-party enrichment | A+ | An integration or service that evaluates the reputation of an indicator. For example, the urlscan.io integration evaluates the reputation of a URL. |
| Feed reliability | A: Completely reliable<br>B: Usually reliable<br>C: Fairly reliable<br>D: Not usually reliable<br>E: Unreliable<br>F: Reliability cannot be judged | The feed reliability is applied at the integration instance level. |
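As an added illustration (not Cortex XSOAR code), the reputation rules from Example 1 and Example 2 and the field-merging rules above, written as a small Python model. The integer ranks only encode the ordering of the reliability table, and the source names, timestamps and field values are constructed for the demonstration.

```python
# Reliability ranks derived from the Source reliability table (higher = more reliable).
# The integer values are constructed for this example; only their ordering matters.
RELIABILITY_RANK = {
    "A+++": 9, "A++": 8, "A+": 7,                     # user, reputation script, enrichment
    "A": 6, "B": 5, "C": 4, "D": 3, "E": 2, "F": 1,  # feed reliability levels
}

# Reputation scores from the Indicator reputations table (0 = None ... 3 = Bad).
REPUTATION_SCORE = {"None": 0, "Good": 1, "Suspicious": 2, "Bad": 3}


def resolve_reputation(results):
    """results: list of (source_name, reliability, reputation).

    The most reliable source decides; if several sources share the highest
    reliability and disagree, the worst (highest-scoring) reputation is taken.
    """
    if not results:
        return "None"
    best_rank = max(RELIABILITY_RANK[rel] for _, rel, _ in results)
    candidates = [rep for _, rel, rep in results if RELIABILITY_RANK[rel] == best_rank]
    return max(candidates, key=REPUTATION_SCORE.__getitem__)


def merge_field(values, field_type="Short text"):
    """values: list of (reliability, seen_at, value) for one indicator field.

    Tags and Multi-select fields append every value (nothing is overridden).
    Other fields take the value from the most reliable source; on a reliability
    tie the most recent value wins (seen_at is ISO-8601, so strings sort in time order).
    """
    if field_type in ("Tags", "Multi-select"):
        merged = []
        for _, _, value in values:
            for item in (value if isinstance(value, list) else [value]):
                if item not in merged:
                    merged.append(item)
        return merged
    _, _, winner = max(values, key=lambda v: (RELIABILITY_RANK[v[0]], v[1]))
    return winner


if __name__ == "__main__":
    # Example 1: two enrichment integrations of equal reliability disagree -> worst wins.
    print(resolve_reputation([("VirusTotal", "A+", "Good"), ("AlienVault", "A+", "Bad")]))  # Bad
    # Example 2: the CSV feed (B) outranks the TAXII feed (C) -> Good.
    print(resolve_reputation([("TAXII feed", "C", "Bad"), ("CSV feed", "B", "Good")]))  # Good
    # Field merge with a reliability tie: the later (constructed) timestamp wins.
    print(merge_field([("B", "2024-01-01T00:00:00Z", "old"), ("B", "2024-02-01T00:00:00Z", "new")]))  # new
```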
Indicator expiration
Indicators can have the status Active or Expired, which is determined
by the expirationStatus field. When indicators expire, they still exist
in Cortex XSOAR, meaning they are still displayed and you can still
search for them. A job runs every hour to check for newly expired
indicators. By default, indicators expire according to the expiration
interval configured for the indicator type to which the indicator
belongs, or never expire if that type is configured to never expire.
This is the hierarchy by which indicators are expired.
| Method | Description |
|---|---|
| Manual | A user manually expires an indicator. This method overrides all other methods. |
| Feed integration | The expiration method configured for an integration instance, which overrides the method defined for the indicator type. |
| Indicator type | The expiration method defined for the indicator type to which this indicator belongs (interval or never). This is the default expiration method for an indicator. |