# Reputation and DBotScore
DBot is the Cortex XSOAR machine learning bot which ingests information about indicators to determine if they are malicious or not. Since DBot requires a very specific dataset, we must format our data as per this article.
## Context Format

The DBot score must be at the root level of the context and contain all the required keys listed below.

| Key | Meaning | Required |
|---|---|---|
| Indicator | The indicator value | Required |
| Type | Can be: ip, file, email, url, cve, account, cidr, domainglob, certificate, or cryptocurrency | Required |
| Vendor | The vendor reporting the score of the indicator | Required |
| Score | An int representing the status of the indicator. See Score Types below | Required |
| Reliability | Reliability of the source providing the intelligence data. See Reliability Level below | Optional |
## Reliability Level

The reliability of an intelligence-data source influences the reputation of an indicator and the values for indicator fields when merging indicators.

The values are case sensitive.
## Score Types

DBot uses an integer to represent the reputation of an indicator.

| Number | Reputation |
|---|---|
| 0 | Unknown |
| 1 | Good |
| 2 | Suspicious |
| 3 | Bad |
## Unknown

An Unknown score can be interpreted in two ways:

- The vendor returns an "Unknown" score for the indicator.
- The vendor returns nothing for the indicator.

In both cases we mark the indicator score as Unknown.
## Malicious

If the DBot score is returned as "3" or "Bad", we need to add to the context that a malicious indicator was found. To do this, we add an additional key called "Malicious" to the URL, IP, or File context, as shown below:

Malicious has two keys, "Vendor" and "Description". Vendor is the entity reporting the malicious indicator and Description briefly explains what was found. For example:
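The following is an added example, not code from the Cortex XSOAR documentation or SDK. It builds the root-level DBotScore entry described above for one indicator, maps a fictional vendor's verdict strings (and the "vendor returned nothing" case) to the integer scores, validates the Type against the list on this page, and attaches the "Malicious" key for ip, url and file indicators when the score is 3. The value keys Address, Data and SHA256 on the IP, URL and File objects are assumed standard context keys; they are not listed on this page.

```python
from typing import Any, Dict, Optional

# Indicator types this page lists as valid values for DBotScore.Type.
DBOT_TYPES = {"ip", "file", "email", "url", "cve", "account", "cidr",
              "domainglob", "certificate", "cryptocurrency"}
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3
# Hypothetical verdict strings from a fictional vendor, mapped to DBot scores.
VENDOR_VERDICTS = {"clean": SCORE_GOOD, "suspicious": SCORE_SUSPICIOUS,
                   "malicious": SCORE_BAD}
# Context object and value key for the three types that carry a "Malicious" key.
# The value keys (Address / Data / SHA256) are assumed standard context keys.
MALICIOUS_CONTEXT = {"ip": ("IP", "Address"), "url": ("URL", "Data"),
                     "file": ("File", "SHA256")}


def verdict_to_score(verdict: Optional[str]) -> int:
    """Map a vendor verdict to a DBot score.

    Both cases from the Unknown section land on 0: the vendor explicitly
    says "Unknown" (or anything unrecognised), or it returns nothing (None).
    """
    if verdict is None:
        return SCORE_UNKNOWN
    return VENDOR_VERDICTS.get(verdict.strip().lower(), SCORE_UNKNOWN)


def build_context(indicator: str, indicator_type: str, vendor: str,
                  verdict: Optional[str], reliability: Optional[str] = None,
                  description: str = "") -> Dict[str, Any]:
    """Return the root-level context entry for one indicator."""
    if indicator_type not in DBOT_TYPES:
        raise ValueError(f"unsupported DBotScore Type: {indicator_type!r}")
    score = verdict_to_score(verdict)
    dbot: Dict[str, Any] = {"Indicator": indicator, "Type": indicator_type,
                            "Vendor": vendor, "Score": score}
    if reliability is not None:
        # Optional key; the value is passed through unchanged (it is case sensitive).
        dbot["Reliability"] = reliability
    context: Dict[str, Any] = {"DBotScore": dbot}
    if score == SCORE_BAD and indicator_type in MALICIOUS_CONTEXT:
        obj, value_key = MALICIOUS_CONTEXT[indicator_type]
        context[obj] = {value_key: indicator,
                        "Malicious": {"Vendor": vendor, "Description": description}}
    return context
```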
Please Note: We are unable to use the Cortex XSOAR Transformers (DT) within the DBot score context.
For example, using the following in your DBot context will not work: