End-of-Life (EoL)

Indicator Reputation

Indicator reputation affects how the indicator is processed and handled in Cortex XSOAR.
An indicator’s reputation is assigned according to the reputation returned by the source with the highest reliability. In cases where multiple sources with the same reliability score return a different reputation for the indicator, the worst reputation is taken.
Indicator reputations
Indicators are assigned a reputation on a scale of 0 to 3.

| Score | Reputation | Color |
|---|---|---|
| 0 | None | No color |
| 1 | Good | Green |
| 2 | Suspicious | Orange |
| 3 | Bad | Red |

You can change the reputation by editing the indicator. If you have manually changed the indicator’s reputation and want to recalculate it according to enrichment integrations, click Calculate when editing the indicator.
Source reliability
The reliability of an intelligence-data source influences the reputation of an indicator and the values for indicator fields when merging indicators.
Indicator fields are merged according to the source reliability hierarchy. This means that when there are two different values for a single indicator field, the field will be populated with the value provided by the source with the highest reliability score.
In rare cases, two sources with the same reliability score might return different values for the same indicator field. In these cases, the field is populated with the most recently provided value, unless the field is reputation. If two sources have the same reliability score and return different values for the reputation field, the worse reputation is used.
For the field types Tags and Multi-select, all values are appended; nothing is overridden.

| Source | Reliability Score | Notes |
|---|---|---|
| Manual | A+++ | A user manually updates the reputation of an indicator. |
| Reputation script | A++ | A script with the reputation tag, which calculates the reputation of an indicator. For example, the DataDomainReputation script evaluates the reputation of a URL or domain. |
| 3rd-party enrichment | A+ | An integration or service that evaluates the reputation of an indicator. For example, the urlscan.io integration evaluates the reputation of a URL. |
| Feed | A: Completely reliable | The feed reliability is applied at the integration instance level. |
| | B: Usually reliable | |
| | C: Fairly reliable | |
| | D: Not usually reliable | |
| | E: Unreliable | |
| | F: Reliability cannot be judged | |

Example 1
In this example, two 3rd-party integrations, VirusTotal and AlienVault, return a different reputation for the same indicator. The indicator’s reputation will be Bad because VirusTotal’s reliability score is higher than AlienVault’s.

| Integration | Reliability | Reputation | Final Reputation |
|---|---|---|---|
| VirusTotal | C - Fairly reliable | Bad | Bad |
| AlienVault | D - Not usually reliable | Good | |

Example 2
In this example, two sources with the same reliability score return a different reputation for the same indicator. The indicator’s reputation will be Bad because when two sources have the same reliability, the worse reputation applies.

| Integration | Reliability | Reputation | Final Reputation |
|---|---|---|---|
| TAXII Feed | C - Fairly reliable | Bad | Bad |
| CSV Feed | C - Fairly reliable | Good | |
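
The resolution rules described above (highest reliability wins, worst reputation on a reliability tie, most recent value on a field tie, Tags appended) as an added Python example. It is not Cortex XSOAR code: the `Report` class, the `received` ordering key, the `asn` field and all field values are constructed for illustration, and "worst" is assumed to mean the highest numeric score.

```python
from dataclasses import dataclass, field

# Reliability hierarchy from the table above, highest first. Ranking F last
# is an assumption; the page describes it only as "cannot be judged".
ORDER = ["A+++", "A++", "A+", "A", "B", "C", "D", "E", "F"]
RANK = {name: len(ORDER) - i for i, name in enumerate(ORDER)}
SCORE_NAMES = {0: "None", 1: "Good", 2: "Suspicious", 3: "Bad"}
APPEND_FIELDS = {"tags"}  # Tags / Multi-select: values are appended, never overridden


@dataclass
class Report:
    source: str
    reliability: str           # one of ORDER
    score: int                 # 0-3, per the reputation table
    received: int = 0          # hypothetical ordering key: larger = more recent
    fields: dict = field(default_factory=dict)


def resolve_reputation(reports):
    """Most reliable source wins; on a reliability tie the worst score wins.
    "Worst" is taken to mean the highest numeric score (assumption)."""
    top = max(RANK[r.reliability] for r in reports)
    return max(r.score for r in reports if RANK[r.reliability] == top)


def merge_fields(reports):
    """Per field: most reliable source wins, ties go to the most recent report."""
    merged = {}
    # Apply weakest/oldest first so stronger/newer values overwrite them.
    for r in sorted(reports, key=lambda r: (RANK[r.reliability], r.received)):
        for name, value in r.fields.items():
            if name in APPEND_FIELDS:
                bucket = merged.setdefault(name, [])
                bucket.extend(v for v in value if v not in bucket)  # skip duplicates
            else:
                merged[name] = value
    return merged


# Example 1 and Example 2 from the page; field values and timestamps are constructed.
EXAMPLE_1 = [Report("VirusTotal", "C", 3, 1, {"asn": "AS64500", "tags": ["malware"]}),
             Report("AlienVault", "D", 1, 2, {"asn": "AS64501", "tags": ["cdn"]})]
EXAMPLE_2 = [Report("TAXII Feed", "C", 3, 1, {"asn": "AS64500"}),
             Report("CSV Feed", "C", 1, 2, {"asn": "AS64501"})]

if __name__ == "__main__":
    for name, reports in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, SCORE_NAMES[resolve_reputation(reports)], merge_fields(reports))
```

In Example 1 the less reliable but more recent AlienVault value for `asn` is still overridden by VirusTotal, while in Example 2 the equal-reliability tie lets the more recent CSV Feed value win for `asn` even though the reputation stays Bad.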
