Generic Reputation Commands

Background and motivation

XSOAR has an abundance of integrations with reputation providers, for example, VirusTotal, AlienVault OTX, MISP, etc. Every integration that returns reputation data about an indicator must implement the generic reputation commands and calculate a DBot Score.

When creating commands that enrich indicators, the commands should be named according to the indicator: !ip, !domain, etc. This naming convention allows commands from multiple integrations to be run together to enrich an indicator. For example, running !ip ip=8.8.8.8 can trigger multiple integrations that gather information about the IP address.

The easiest (and best) way to return indicator context is to use one of the classes under Common (Common.IP, Common.URL, etc.). For more information, see here. A simple example of returning indicators is the Ipinfo_v2 integration.

Generic reputation commands

file file=

Description: Runs reputation on files.

- name: file
  arguments:
  - name: file
    default: true
    description: List of files.
    isArray: true

ip ip=

Description: Runs reputation on IPs.

- name: ip
  arguments:
  - name: ip
    default: true
    description: List of IPs.
    isArray: true
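
An added example, not code from the XSOAR project: a stand-alone Python sketch of how an integration's ip command can handle the isArray argument defined above and produce a DBot Score for each indicator. The vendor name, the risk thresholds and the sample data are assumptions, and it deliberately avoids the Common classes so it runs on its own.

```python
import ipaddress

# DBot Score scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed sample data: a hypothetical provider's 0-100 risk score per IP.
SAMPLE_VENDOR_DB = {"8.8.8.8": 2, "198.51.100.7": 55, "203.0.113.9": 91}


def arg_to_list(value):
    """Normalize an isArray argument: accept a list or a comma-separated string."""
    if value is None:
        return []
    items = value if isinstance(value, list) else str(value).split(",")
    return [str(i).strip() for i in items if str(i).strip()]


def to_dbot_score(risk):
    """Map the hypothetical vendor risk (None if never seen) to a DBot Score."""
    if risk is None:
        return UNKNOWN
    if risk >= 80:  # assumed threshold
        return BAD
    if risk >= 40:  # assumed threshold
        return SUSPICIOUS
    return GOOD


def ip_command(args, vendor="ExampleVendor", lookup=SAMPLE_VENDOR_DB.get):
    """Return one entry per input so a malformed value never hides the others."""
    results = []
    for raw in arg_to_list(args.get("ip")):
        try:
            ip = str(ipaddress.ip_address(raw))  # reject non-IP input early
        except ValueError:
            results.append({"input": raw, "error": "not a valid IP address"})
            continue
        results.append({
            "IP": {"Address": ip},
            "DBotScore": {"Indicator": ip, "Type": "ip",
                          "Vendor": vendor, "Score": to_dbot_score(lookup(ip))},
        })
    return results
```

An IP the provider has never seen is scored 0 (unknown) rather than 1 (good), so a missing record is not read as a clean verdict.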

url url=

Description: Runs reputation on URLs.

- name: url
  arguments:
  - name: url
    default: true
    description: List of URLs.
    isArray: true

domain domain=

Description: Runs reputation on domains.

- name: domain
  arguments:
  - name: domain
    default: true
    description: List of domains.
    isArray: true

email email=

Description: Runs reputation on emails.

- name: email
  arguments:
  - name: email
    default: true
    description: List of emails.
    isArray: true

cve cve=

Description: Runs reputation on CVEs.

- name: cve
  arguments:
  - name: cve
    default: true
    description: List of CVEs.
    isArray: true