Reputation and DBotScore
DBot is the Cortex XSOAR machine learning bot which ingests information about indicators to determine if they are malicious or not. Since DBot requires a very specific dataset, we must format our data as per this article.
Context Format
The DBot score must be at the root level of the context and contain all of the keys listed below.
| Key | Meaning |
|---|---|
| Indicator | Can be: IP, SHA1, MD5, SHA256, Email, or Url |
| Type | Can be: ip, file, email, or url |
| Vendor | This is the vendor reporting the score of the indicator |
| Score | An int representing the status of the indicator. See Score Types below |
Score Types
Dbot uses an integer to represent the reputation of an indicator.
| Number | Reputation |
|---|---|
| 0 | Unknown |
| 1 | Good |
| 2 | Suspicious |
| 3 | Bad |
Unknown
Unknown score can be interpeted in two ways:
- The vendor returns an "Unknown" score for the indicator.
- The vendor returns nothing on the indicator.
In both cases we mark the indicator score as Unknown.
Malicious
If the DBot score is returned as a "3" or "Bad", we need to add to the context that a malicious indicator was found. To do this, we add an additional key to the URL, IP, or File context called "Malicious" as shown below:
Malicious has two key values, "Vendor" and "Description". Vendor is the entity reporting the malicious indicator and description explains briefly what was found. For example:
Please Note: We are unable to use the Cortex XSOAR Transformers (DT) within the DBot score context.
For example, using the following in your DBot context, will not work: