End-of-Life (EoL)
Indicator Reputation
Indicator reputation affects how the indicator is processed
and handled in Cortex XSOAR.
An indicator’s reputation is assigned
according to the reputation returned by the source with the highest
reliability. In cases where multiple sources with the same reliability
score return a different reputation for the indicator, the worst
reputation is taken.
Indicator reputations
Indicators are assigned a reputation on a scale of 0 to 3.
Score | Reputation | Color |
---|---|---|
0 | None | No color |
1 | Good | Green |
2 | Suspicious | Orange |
3 | Bad | Red |
You can change the reputation by editing the indicator.
If you have manually changed the indicator’s reputation and want
to recalculate it according to enrichment integrations, click
Calculate when editing the indicator.
Source reliability
The reliability of an intelligence-data source influences the
reputation of an indicator and the values for indicator fields when
merging indicators.
Indicator fields are merged according to the source reliability
hierarchy. This means that when there are two different values for
a single indicator field, the field will be populated with the value
provided by the source with the highest reliability score.
In rare cases, two sources with the same reliability score might
return different values for the same indicator field. In these cases,
the field will be populated with the most recently provided value,
unless the field is reputation. If two sources have the same reliability
score and return different values for the reputation field, the
worse reputation is used.
For the field types Tags and Multi-select, all values are appended;
nothing is overridden.
Source | Reliability Score | Notes |
---|---|---|
Manual | A+++ | A user manually updates the reputation of an indicator. |
Reputation script | A++ | A script with the reputation tag, which calculates the reputation of an indicator. For example, the DataDomainReputation script evaluates the reputation of a URL or domain. |
3rd-party enrichment | A+ | An integration or service that evaluates the reputation of an indicator. For example, the urlscan.io integration evaluates the reputation of a URL. |
Feed | A: Completely reliable | The feed reliability is applied at the integration instance level. |
Feed | B: Usually reliable | |
Feed | C: Fairly reliable | |
Feed | D: Not usually reliable | |
Feed | E: Unreliable | |
Feed | F: Reliability cannot be judged | |
Example 1
In this example, two 3rd-party integrations, VirusTotal and AlienVault,
return different reputations for the same indicator. The indicator’s
reputation will be Bad because VirusTotal’s reliability score is
higher than AlienVault’s.
Integration | Reliability | Reputation | Final Reputation |
---|---|---|---|
VirusTotal | C - Fairly reliable | Bad | Bad |
AlienVault | D - Not usually reliable | Good | |
Example 2
In this example, two sources with the same reliability score
return different reputations for the same indicator. The indicator’s
reputation will be Bad because when two sources have the same reliability,
the worse reputation applies.
Integration | Reliability | Reputation | Final Reputation |
---|---|---|---|
TAXII Feed | B - Usually reliable | Bad | Bad |
CSV Feed | B - Usually reliable | Good | |
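The precedence rules above, including the field-merge rules from the Source reliability section, can be expressed as a short Python sketch. This is an added example, not Cortex XSOAR code: the function names, the report dictionary keys, the sample tag and description values, and the assumption that reports are listed oldest first are all hypothetical.

```python
# Added illustration of the precedence rules on this page; not XSOAR code.
# Reliability hierarchy from the "Source reliability" table, best first.
RELIABILITY_ORDER = ["A+++", "A++", "A+", "A", "B", "C", "D", "E", "F"]
RANK = {label: i for i, label in enumerate(RELIABILITY_ORDER)}

# Reputation scale from the "Indicator reputations" table.
SCORES = {"None": 0, "Good": 1, "Suspicious": 2, "Bad": 3}
NAMES = {score: name for name, score in SCORES.items()}


def most_reliable(reports):
    """Keep only the reports that share the best reliability present."""
    best = min(RANK[r["reliability"]] for r in reports)
    return [r for r in reports if RANK[r["reliability"]] == best]


def resolve_reputation(reports):
    """Highest reliability wins; on a tie the worse reputation is used."""
    return NAMES[max(SCORES[r["reputation"]] for r in most_reliable(reports))]


def merge_field(reports, field, append=False):
    """Merge one non-reputation field across reports (assumed oldest first).

    append=True models Tags and Multi-select: all values are kept.
    Otherwise the most reliable source wins; a tie goes to the latest report.
    """
    have = [r for r in reports if field in r]
    if append:
        return [value for r in have for value in r[field]]
    return most_reliable(have)[-1][field] if have else None


# Constructed reports mirroring Example 1 and Example 2 (field values invented).
EXAMPLE_1 = [
    {"source": "VirusTotal", "reliability": "C", "reputation": "Bad"},
    {"source": "AlienVault", "reliability": "D", "reputation": "Good"},
]
EXAMPLE_2 = [
    {"source": "TAXII Feed", "reliability": "B", "reputation": "Bad",
     "tags": ["feed-taxii"], "description": "first seen in TAXII"},
    {"source": "CSV Feed", "reliability": "B", "reputation": "Good",
     "tags": ["feed-csv"], "description": "listed in CSV"},
]

if __name__ == "__main__":
    print(resolve_reputation(EXAMPLE_1), resolve_reputation(EXAMPLE_2))
    print(merge_field(EXAMPLE_2, "description"))
    print(merge_field(EXAMPLE_2, "tags", append=True))
```

Adding a Manual (A+++) report to either list overrides every other source, which is why a manually set reputation persists until Calculate is used.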