Reputation Scripts

Reputation scripts for indicator enrichment
Reputation scripts calculate the verdict of an indicator. To apply a reputation script to an indicator type, navigate to Settings > OBJECTS SETUP > Indicators > Types. Select the indicator type, click Edit, and select the desired reputation script from the drop-down list. Reputation scripts must have the reputation tag applied in order to appear in the list.
By default, reputation scripts have a reliability score of A++. You can modify the reliability, if needed, by navigating to Settings > ADVANCED > Troubleshooting and adding the server configuration enrichment.reputationScript.reliability with the desired reliability score.
In the example below, if the VirusTotal result is good, the DBot score is 1. If the VirusTotal result is bad or suspicious, the DBot score is 3 (bad). If there are no results in VirusTotal, the DBot score is 2 (suspicious), instead of the default 0 (unknown).
import json

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def score_logic(args):
    """
    Internal calculation logic should be inserted here.
    Here we keep the VirusTotal result if it is GOOD; otherwise it will be BAD.
    """
    # The "cache" argument is a JSON string holding the scores already collected.
    scores_history = json.loads(args.get("cache"))
    if demisto.get(scores_history, "scores"):
        vt_score = demisto.get(scores_history.get("scores"), "VirusTotal")
        demisto.info(f'############ {vt_score} ##########')
        if vt_score:
            demisto.info(f'############ {vt_score.get("score")} ##########')
            return Common.DBotScore.GOOD if vt_score.get("score") == 1 else Common.DBotScore.BAD
    # If there are no results in VirusTotal:
    return Common.DBotScore.SUSPICIOUS


def calculate_results(args):
    # Compute the score once so the entry contents and the DBotScore context agree.
    score = score_logic(args)
    dbot = {
        'Indicator': args.get("input"),
        'Type': 'IP',
        'Score': score,
        'Vendor': 'ReputationScript'
    }
    context = {
        'example_field': {
            'innerKey': 'value EnrichReputation',
            'tags': ["Tag1", "Tag2"]
        },
        'DBotScore': dbot
    }
    res = [{
        'Type': entryTypes['note'],
        'ContentsFormat': formats['json'],
        'Contents': score,
        'EntryContext': context
    }]
    return res


''' MAIN FUNCTION '''


def main():
    try:
        args = demisto.args()
        return demisto.results(calculate_results(args))
    except Exception as ex:
        return_error(f'Failed to execute Reputation Script. Error: {str(ex)}')


''' ENTRY POINT '''

if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
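The scoring policy described above, as an added example that is not part of the original page or the product's own code: the same verdict rules written without any demisto dependency, so the handling of a missing, malformed, or vendor-less cache can be checked offline. The cache shape is inferred from the script above, and the names vendor_score, verdict, and SAMPLES are hypothetical.

```python
import json

# DBot score values as listed on the page.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3


def vendor_score(cache, vendor="VirusTotal"):
    """Return the vendor's integer score from the cache argument, or None.

    Assumed cache shape (inferred from the page's script):
    '{"scores": {"VirusTotal": {"score": 1}}}'
    """
    if isinstance(cache, (bytes, str)):
        try:
            cache = json.loads(cache)
        except ValueError:
            return None  # malformed JSON is treated as "no result"
    if not isinstance(cache, dict):
        return None
    scores = cache.get("scores")
    entry = scores.get(vendor) if isinstance(scores, dict) else None
    score = entry.get("score") if isinstance(entry, dict) else None
    # Only a plain integer in the DBot range counts; bool is excluded (True == 1).
    if type(score) is not int or score not in (UNKNOWN, GOOD, SUSPICIOUS, BAD):
        return None
    return score


def verdict(cache, vendor="VirusTotal"):
    """Apply the page's policy: good stays good, any other result is bad,
    and a missing or unreadable result is suspicious rather than unknown."""
    score = vendor_score(cache, vendor)
    if score is None:
        return SUSPICIOUS
    return GOOD if score == GOOD else BAD


# Constructed sample inputs (not real enrichment data).
SAMPLES = {
    "good": '{"scores": {"VirusTotal": {"score": 1}}}',
    "bad": '{"scores": {"VirusTotal": {"score": 3}}}',
    "suspicious": '{"scores": {"VirusTotal": {"score": 2}}}',
    "other_vendor": '{"scores": {"OtherVendor": {"score": 1}}}',
    "malformed": '{"scores": ',
    "missing": None,
}
```

Unlike the page's script, this version treats an entry with no usable score field as "no result" (suspicious) instead of raising or returning bad.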
