DBot is the Cortex XSOAR machine learning bot, which ingests information about indicators to determine whether they are malicious. Since DBot requires a very specific dataset, you must format the data as described in this article. As described in the generic reputation command article, when developing an integration that implements a generic reputation command, you must also create a corresponding DBot score object.
The DBot score must be at the root level of the context and contain all the required keys, as listed below.
| Key | Description | Required |
|---|---|---|
| Indicator | The indicator value. | Required |
| Type | The indicator type. Can be: ip, file, email, url, cve, account, cidr, domainglob, certificate, or cryptocurrency. | Required |
| Vendor | The vendor reporting the score of the indicator. | Required |
| Score | An integer representing the status of the indicator. See Score Types below. | Required |
| Reliability | The reliability of the source providing the intelligence data. See Reliability Level below. | Required |
| Message | Optional message to show an API response. For example, | Optional |
When merging indicators, the reliability of an intelligence-data source impacts the reputation of an indicator and the values assigned to indicator fields.
An integration that outputs a DBotScore object, and hence defines each indicator's reliability, should allow the user to manually configure the default reliability for the generated indicator's DBotScore.
To achieve this, a Source Reliability parameter (named integration_reliability) has to be implemented in the YAML file.
This parameter is later used to determine the reliability level when creating the DBotScore object.
NOTE: The values are case sensitive.
DBot uses an integer to represent the reputation of an indicator.
An Unknown score can be interpreted in the following ways:
- The vendor returns an "Unknown" score for the indicator.
- The vendor returns nothing on the indicator.
In both cases, you mark the indicator score as Unknown, but in the second case you also need to add the message "No results found".
If the DBot score is returned as "Bad", you need to add to the context that a malicious indicator was found. To do this, add an additional key called "Malicious" to the File context, as shown below:
Malicious has two keys:
- Vendor: the entity reporting the malicious indicator.
- Description: a brief explanation of what was found.
For example:
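The pieces described above (the integration_reliability parameter, the two Unknown cases, and the Malicious key for a Bad score) assembled into one context-building routine, as an added example that is not code from the Cortex XSOAR docs or from CommonServerPython. It reads the user's choice from a dict shaped like what demisto.params() returns, checks it case-sensitively, and emits plain root-level DBotScore and File keys. ExampleVendor, the vendor response shape, the verdict mapping, the default reliability and the sample hash are constructed for this example; the reliability strings are taken from CommonServerPython's DBotScoreReliability constants and the score integers 0 to 3 from Common.DBotScore, neither of which this page lists, so verify them against your SDK version.

```python
"""Assemble a DBotScore context entry for a file reputation lookup.

Added example, not code from the Cortex XSOAR documentation or from
CommonServerPython. The context keys follow the page (Indicator, Type, Vendor,
Score, Reliability, Message; File.Malicious with Vendor and Description). The
vendor response shape, the verdict mapping, the vendor name "ExampleVendor",
the default reliability and the sample hash are constructed for this example.
"""
from typing import Any, Dict, Optional

# DBot score integers: 0 Unknown, 1 Good, 2 Suspicious, 3 Bad (the values
# CommonServerPython exposes as Common.DBotScore.NONE/GOOD/SUSPICIOUS/BAD).
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3

# Reliability levels are matched case-sensitively. These strings mirror the
# constants in CommonServerPython's DBotScoreReliability (assumption: check your
# SDK version; the page itself does not list them).
RELIABILITY_LEVELS = frozenset({
    "A+ - 3rd party enrichment",
    "A - Completely reliable",
    "B - Usually reliable",
    "C - Fairly reliable",
    "D - Not usually reliable",
    "E - Unreliable",
    "F - Reliability cannot be judged",
})
DEFAULT_RELIABILITY = "C - Fairly reliable"  # constructed default for this example

VENDOR_NAME = "ExampleVendor"  # constructed vendor name
# Constructed mapping from the hypothetical vendor's verdict strings to DBot scores.
VERDICT_TO_SCORE = {"clean": SCORE_GOOD, "suspicious": SCORE_SUSPICIOUS, "malicious": SCORE_BAD}


def is_valid_reliability(value: str) -> bool:
    """Exact, case-sensitive membership test (the page says values are case sensitive)."""
    return value in RELIABILITY_LEVELS


def reliability_from_params(params: Dict[str, Any]) -> str:
    """Read the integration_reliability parameter (the YAML parameter named on the
    page, as demisto.params() would hand it over) and reject anything not in the list."""
    value = params.get("integration_reliability") or DEFAULT_RELIABILITY
    if not is_valid_reliability(value):
        raise ValueError("Unsupported reliability level: %r" % (value,))
    return value


def build_dbot_score(indicator: str, indicator_type: str, verdict: Optional[str],
                     reliability: str) -> Dict[str, Any]:
    """Build the DBotScore entry. verdict=None means the vendor returned nothing,
    which is scored Unknown plus the "No results found" message; the vendor's own
    "Unknown" verdict is scored Unknown with no message."""
    entry: Dict[str, Any] = {"Indicator": indicator, "Type": indicator_type,
                             "Vendor": VENDOR_NAME, "Reliability": reliability}
    if verdict is None:
        entry["Score"] = SCORE_UNKNOWN
        entry["Message"] = "No results found"
    elif verdict.lower() == "unknown":
        entry["Score"] = SCORE_UNKNOWN
    elif verdict.lower() in VERDICT_TO_SCORE:
        entry["Score"] = VERDICT_TO_SCORE[verdict.lower()]
    else:
        # Fail loudly rather than silently scoring an unmapped verdict as Unknown.
        raise ValueError("Unmapped vendor verdict: %r" % (verdict,))
    return entry


def file_reputation_context(sha256: str, vendor_response: Optional[Dict[str, Any]],
                            params: Dict[str, Any]) -> Dict[str, Any]:
    """Return the context a file reputation command would output: DBotScore at the
    root, and a File entry that carries Malicious only when the score is Bad."""
    reliability = reliability_from_params(params)
    verdict = vendor_response.get("verdict") if vendor_response else None
    dbot = build_dbot_score(sha256, "file", verdict, reliability)

    file_entry: Dict[str, Any] = {"SHA256": sha256}
    if dbot["Score"] == SCORE_BAD:
        file_entry["Malicious"] = {
            "Vendor": VENDOR_NAME,
            "Description": (vendor_response or {}).get("description", "Flagged as malicious"),
        }
    # Plain root-level keys: the page notes that DT expressions cannot be used
    # in the DBot score context.
    return {"DBotScore": dbot, "File": file_entry}


if __name__ == "__main__":
    import json
    sample_hash = "a" * 64  # constructed SHA256
    cfg = {"integration_reliability": "B - Usually reliable"}  # the user's choice
    print(json.dumps(file_reputation_context(
        sample_hash, {"verdict": "malicious", "description": "Detected as trojan"}, cfg), indent=2))
    print(json.dumps(file_reputation_context(sample_hash, None, cfg), indent=2))
```

The routine deliberately raises on a reliability string that differs only in case, because the server compares these values exactly; a silently accepted typo would produce a DBotScore the merge logic ignores.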
NOTE: It is not possible to use the Cortex XSOAR Transformers (DT) within the DBot score context. For example, using the following in your DBot context will not work: