DBot is the Cortex XSOAR machine learning bot, which ingests information about indicators to determine if they are malicious. Since DBot requires a very specific dataset, you need to format the data according to this article.
The DBot score must be at the root level of the context and contain all the required keys, as listed below.
| Key | Description | Required |
|---|---|---|
| Indicator | The indicator value. | Required |
| Type | The indicator type. Can be: ip, file, email, url, cve, account, cidr, domainglob, certificate, or cryptocurrency. | Required |
| Vendor | The vendor reporting the score of the indicator. | Required |
| Score | An integer representing the status of the indicator. See Score Types below. | Required |
| Reliability | The reliability of the source providing the intelligence data. See Reliability Level below. | Optional |
| Message | Optional message to show an API response. For example, | Optional |
When merging indicators, the reliability of an intelligence-data source influences the reputation of an indicator and the values for
NOTE: The values are case sensitive.
DBot uses an integer to represent the reputation of an indicator.
An unknown score can be interpreted in the following ways:
- The vendor returns an "Unknown" score for the indicator.
- The vendor returns nothing on the indicator.
In both cases, you mark the indicator score as Unknown, but in the second case you need to add the message "No results found".
If the DBot score is returned as "Bad", you need to add to the context that a malicious indicator was found. To do this, add an additional key called "Malicious" to the File context, as shown below:
Malicious has two keys:
- Vendor: the entity reporting the malicious indicator.
- Description: a brief explanation of what was found. For example:
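The following is an added example (not code from this article or from Cortex XSOAR) that builds and validates a DBot score context by hand in plain Python, applying the rules above: the required keys at the root `DBotScore`, the "No results found" message when a vendor returns nothing, and the `Malicious` key with `Vendor` and `Description` on a "Bad" score. The integer values 0 to 3 are the standard XSOAR score values; the `parent_context` parameter and the sample indicator are assumptions for illustration.

```python
# Added example: hand-built DBot score context (plain dicts, not CommonServerPython).
from typing import Any, Dict, Optional

# Indicator types listed on this page; values are case sensitive, so no lowercasing.
INDICATOR_TYPES = {"ip", "file", "email", "url", "cve", "account", "cidr",
                   "domainglob", "certificate", "cryptocurrency"}
# Integer score values used by Cortex XSOAR.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3
REQUIRED_KEYS = ("Indicator", "Type", "Vendor", "Score")


def build_dbot_context(indicator: str, itype: str, vendor: str, score: Optional[int],
                       reliability: Optional[str] = None,
                       malicious_description: str = "Malicious indicator found",
                       parent_context: str = "File") -> Dict[str, Any]:
    """Return a root-level context fragment {"DBotScore": {...}} and, for a Bad score,
    {"File": {"Malicious": {...}}}. score=None models a vendor that returned nothing.
    parent_context is an assumption: the page documents the File context only."""
    if itype not in INDICATOR_TYPES:
        raise ValueError(f"unsupported indicator type: {itype!r}")
    dbot: Dict[str, Any] = {"Indicator": indicator, "Type": itype, "Vendor": vendor,
                            "Score": SCORE_UNKNOWN if score is None else score}
    if reliability is not None:
        dbot["Reliability"] = reliability
    if score is None:  # second Unknown case: vendor returned nothing at all
        dbot["Message"] = "No results found"
    context: Dict[str, Any] = {"DBotScore": dbot}
    if dbot["Score"] == SCORE_BAD:
        context[parent_context] = {"Malicious": {"Vendor": vendor,
                                                 "Description": malicious_description}}
    return context


def validate_dbot_context(context: Dict[str, Any], parent_context: str = "File") -> bool:
    """Check the shape DBot expects: DBotScore at the root with every required key,
    a known (case-sensitive) type, an integer score, and Malicious present on Bad."""
    dbot = context.get("DBotScore")
    if not isinstance(dbot, dict) or any(k not in dbot for k in REQUIRED_KEYS):
        return False
    if dbot["Type"] not in INDICATOR_TYPES or not isinstance(dbot["Score"], int):
        return False
    if dbot["Score"] == SCORE_BAD and "Malicious" not in context.get(parent_context, {}):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: MD5 of an empty file, scored by a hypothetical vendor.
    print(build_dbot_context("d41d8cd98f00b204e9800998ecf8427e", "file", "ExampleVendor", None))
```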
NOTE: It is not possible to use the Cortex XSOAR Transformers (DT) within the DBot score context. For example, using the following in your DBot context will not work: