Skip to main content

CertificateReputation

This Script is part of the Common Scripts Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Enrich and calculate reputation of a Certificate indicator.

Script Data#


NameDescription
Script Typepython3
Tagsreputation
Cortex XSOAR Version6.0.0

Inputs#


Argument NameDescription
inputValue of the indicator.
update_indicatorSet validation checks in the indicator

Outputs#


PathDescriptionType
Certificate.NameName (CN or SAN) appearing in the certificate.String
Certificate.SubjectDNThe Subject Distinguished Name of the certificate.
This field includes the Common Name of the certificate.
String
Certificate.PEMCertificate in PEM format.String
Certificate.IssuerDNThe Issuer Distinguished Name of the certificate.String
Certificate.SerialNumberThe Serial Number of the certificate.String
Certificate.ValidityNotAfterEnd of certificate validity period.Date
Certificate.ValidityNotBeforeStart of certificate validity period.Date
Certificate.SubjectAlternativeName.TypeType of the SAN.String
Certificate.SubjectAlternativeName.ValueName of the SAN.String
Certificate.SHA512SHA512 Fingerprint of the certificate in DER format.String
Certificate.SHA256SHA256 Fingerprint of the certificate in DER format.String
Certificate.SHA1SHA1 Fingerprint of the certificate in DER format.String
Certificate.MD5MD5 Fingerprint of the certificate in DER format.String
Certificate.PublicKey.AlgorithmAlgorithm used for public key of the certificate.String
Certificate.PublicKey.LengthLength in bits of the public key of the certificate.Number
Certificate.PublicKey.ModulusModulus of the public key for RSA keys.String
Certificate.PublicKey.ExponentExponent of the public key for RSA keys.Number
Certificate.PublicKey.PublicKeyThe public key for DSA/Unknown keys.String
Certificate.PublicKey.PThe P parameter for DSA keys.String
Certificate.PublicKey.QThe Q parameter for DSA keys.String
Certificate.PublicKey.GThe G parameter for DSA keys.String
Certificate.PublicKey.XThe X parameter for EC keys.String
Certificate.PublicKey.YThe Y parameter for EC keys.String
Certificate.PublicKey.CurveCurve of the Public Key for EC keys.String
Certificate.SPKISHA256SHA256 fingerprint of the certificate Subject Public Key Info.String
Certificate.Signature.AlgorithmAlgorithm used in the signature of the certificate.String
Certificate.Signature.SignatureSignature of the certificate.String
Certificate.Extension.CriticalCritical flag of the certificate extension.Bool
Certificate.Extension.OIDOID of the certificate extension.String
Certificate.Extension.NameName of the certificate extension.String
Certificate.Extension.ValueValue of the certificate extension.Unknown
Certificate.Malicious.VendorThe vendor that reported the file as malicious.String
Certificate.Malicious.DescriptionA description explaining why the file was determined to be malicious.String
DBotScore.IndicatorThe indicator that was tested.String
DBotScore.TypeThe indicator type.String
DBotScore.VendorThe vendor used to calculate the score.String
DBotScore.ScoreThe actual score.Number

Script Example#

!CertificateReputation input="fead39be0bc680baaaf282d915b44c803e7ab66e61ff5afc356bcf0d12d73f2c" update_indicator=false

Context Example#

{
"Certificate": {
"Extension": [
{
"Critical": true,
"Name": "basicConstraints",
"OID": "2.5.29.19",
"Value": {
"CA": false
}
},
{
"Critical": false,
"Name": "extendedKeyUsage",
"OID": "2.5.29.37",
"Value": {
"Usages": [
"serverAuth",
"clientAuth"
]
}
},
{
"Critical": true,
"Name": "keyUsage",
"OID": "2.5.29.15",
"Value": {
"DigitalSignature": true,
"KeyEncipherment": true
}
},
{
"Critical": false,
"Name": "cRLDistributionPoints",
"OID": "2.5.29.31",
"Value": [
{
"FullName": [
{
"Type": "uniformResourceIdentifier",
"Value": "http://crl.godaddy.com/gdig2s1-2000.crl"
}
]
}
]
},
{
"Critical": false,
"Name": "certificatePolicies",
"OID": "2.5.29.32",
"Value": [
{
"PolicyIdentifier": "2.16.840.1.114413.1.7.23.1",
"PolicyQualifiers": [
"http://certificates.godaddy.com/repository/"
]
},
{
"PolicyIdentifier": "2.23.140.1.2.1"
}
]
},
{
"Critical": false,
"Name": "authorityInfoAccess",
"OID": "1.3.6.1.5.5.7.1.1",
"Value": [
{
"AccessLocation": {
"Type": "uniformResourceIdentifier",
"Value": "http://ocsp.godaddy.com/"
},
"AccessMethod": "OCSP"
},
{
"AccessLocation": {
"Type": "uniformResourceIdentifier",
"Value": "http://certificates.godaddy.com/repository/gdig2.crt"
},
"AccessMethod": "caIssuers"
}
]
},
{
"Critical": false,
"Name": "authorityKeyIdentifier",
"OID": "2.5.29.35",
"Value": {
"KeyIdentifier": "40c2bd278ecc348330a233d7fb6cb3f0b42c80ce"
}
},
{
"Critical": false,
"Name": "subjectAltName",
"OID": "2.5.29.17",
"Value": [
{
"Type": "dNSName",
"Value": "*.gpgyyjgyyg.gw.gpcloudservice.com"
},
{
"Type": "dNSName",
"Value": "gpgyyjgyyg.gw.gpcloudservice.com"
}
]
},
{
"Critical": false,
"Name": "subjectKeyIdentifier",
"OID": "2.5.29.14",
"Value": {
"Digest": "6e671e5eb8972804b77c47836f7b942aa13e76a7"
}
},
{
"Critical": false,
"Name": "signedCertificateTimestampList",
"OID": "1.3.6.1.4.1.11129.2.4.2",
"Value": [
{
"EntryType": "PreCertificate",
"LogId": "f65c942fd1773022145418083094568ee34d131933bfdf0c2f200bcc4ef164e3",
"Timestamp": "2020-05-29T09:34:10.000Z",
"Version": 0
},
{
"EntryType": "PreCertificate",
"LogId": "5cdc4392fee6ab4544b15e9ad456e61037fbd5fa47dca17394b25ee6f6c70eca",
"Timestamp": "2020-05-29T09:34:11.000Z",
"Version": 0
}
]
}
],
"IssuerDN": "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
"MD5": "68048c1404b81f9a262a3910ee5d4c82",
"Name": [
"*.gpgyyjgyyg.gw.gpcloudservice.com",
"gpgyyjgyyg.gw.gpcloudservice.com"
],
"PEM": "-----BEGIN CERTIFICATE-----\nMIIGdDCCBVygAwIBAgIIAQ2G6iqf0yAwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV\nBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow\nGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz\nLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1\ncmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwNTI5MDkzNDA0WhcN\nMjEwNTI5MDkzNDA0WjBQMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0\nZWQxKzApBgNVBAMMIiouZ3BneXlqZ3l5Zy5ndy5ncGNsb3Vkc2VydmljZS5jb20w\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcrQMUbheHQYPhUEAP+osO\nJfmJL+1/bZjOZN5XSw945kzCC3p90E3Sqh0beTn1eJH89j+jGREjnRk/75lEBbQG\nSMKKstra/zb6iiVkYn7DUTflt0AJVVgsXAQbB9VFLuTcSnOBCqUx+QTDMJR2efH6\nQsMB4Tln/IKdXiiuzk6hnv1G1CgBVOtlfOuVAEy2luIA49GmO4F4K6aupX2oeWnj\neGagWlMjb37Ar0NGA76vSBhJU/jE+1X28FV2kdC5qjC/PP9p04CnbnSm4brReijR\nbpCzgXNwhfY1hYK9S43S2ywI49OPKjOuu0rvElge311luJED4qxjb2JRx5mDReNB\nAgMBAAGjggLrMIIC5zAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB\nBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYnaHR0\ncDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTIwMDAuY3JsMF0GA1UdIARWMFQw\nSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRl\ncy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEE\najBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYB\nBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y\neS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wTwYD\nVR0RBEgwRoIiKi5ncGd5eWpneXlnLmd3LmdwY2xvdWRzZXJ2aWNlLmNvbYIgZ3Bn\neXlqZ3l5Zy5ndy5ncGNsb3Vkc2VydmljZS5jb20wHQYDVR0OBBYEFG5nHl64lygE\nt3xHg297lCqhPnanMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA9lyUL9F3MCIU\nVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAFyX8ggnwAABAMARzBFAiAWHEdWCSQs\n8oeWb9HOOjV5zwCirDN7AIaNIzwlZL+CWwIhAKmnXAum7FHu2z65BLqUodFtbD13\npWg44Zlf3qAEUnVMAHYAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoA\nAAFyX8girQAABAMARzBFAiBYLbE+evWoNDZk0kQEfjTFzCWb/PD+bp7zpzfPodgS\nVgIhAL3/b3VPsgPbD3iZjbBk7WU8S1J5cI1UDANJGzYZNVySMA0GCSqGSIb3DQEB\nCwUAA4IBAQAnpbpip1Bl803IUzchh7/hjYu8U0IUNigG08CJo2ZYAIHuAXd4h5s4\ns7n59KM9oXcCo+jsD4dKGk08r13uMbSScaxQyJI3WNGVIonU8EvkwRmPQra3pLPy\nUQKMGldJnaUWNkaJ5/Gza/Z8jPg4J+U9OpXMe5NBILEFqCbpF4oZId+BK7D3l6P/\nQNOfg3wlT0TrwsUxyYVFe0B/5SeM0KRZmz34MZ+jE2mRor87e1JFeD2My2YxUMaA\n6vGpxPC0KxalQsB7P5A/B5j9Dbf/ATcy7cTqyRXdPr/6cNNzk2SRHXFzx7lHIkWb\n35JJ9NHFDwQrc2c6YK6xnDUoZUq6lOsi\n-----END CERTIFICATE-----\n",
"PublicKey": {
"Algorithm": "RSA",
"Exponent": 65537,
"Length": 2048,
"Modulus": "dc:ad:03:14:6e:17:87:41:83:e1:50:40:0f:fa:8b:0e:25:f9:89:2f:ed:7f:6d:98:ce:64:de:57:4b:0f:78:e6:4c:c2:0b:7a:7d:d0:4d:d2:aa:1d:1b:79:39:f5:78:91:fc:f6:3f:a3:19:11:23:9d:19:3f:ef:99:44:05:b4:06:48:c2:8a:b2:da:da:ff:36:fa:8a:25:64:62:7e:c3:51:37:e5:b7:40:09:55:58:2c:5c:04:1b:07:d5:45:2e:e4:dc:4a:73:81:0a:a5:31:f9:04:c3:30:94:76:79:f1:fa:42:c3:01:e1:39:67:fc:82:9d:5e:28:ae:ce:4e:a1:9e:fd:46:d4:28:01:54:eb:65:7c:eb:95:00:4c:b6:96:e2:00:e3:d1:a6:3b:81:78:2b:a6:ae:a5:7d:a8:79:69:e3:78:66:a0:5a:53:23:6f:7e:c0:af:43:46:03:be:af:48:18:49:53:f8:c4:fb:55:f6:f0:55:76:91:d0:b9:aa:30:bf:3c:ff:69:d3:80:a7:6e:74:a6:e1:ba:d1:7a:28:d1:6e:90:b3:81:73:70:85:f6:35:85:82:bd:4b:8d:d2:db:2c:08:e3:d3:8f:2a:33:ae:bb:4a:ef:12:58:1e:df:5d:65:b8:91:03:e2:ac:63:6f:62:51:c7:99:83:45:e3:41"
},
"SHA1": "573a758128a4ff8663946852c46bc89a46f124af",
"SHA256": "fead39be0bc680baaaf282d915b44c803e7ab66e61ff5afc356bcf0d12d73f2c",
"SPKISHA256": "de80ccee6accfeee5e290affa142696d2bdaf954f59940e025608593f3ed621c",
"SerialNumber": "75865109030753056",
"Signature": {
"Algorithm": "sha256",
"Signature": "27a5ba62a75065f34dc853372187bfe18d8bbc534214362806d3c089a366580081ee017778879b38b3b9f9f4a33da17702a3e8ec0f874a1a4d3caf5dee31b49271ac50c8923758d1952289d4f04be4c1198f42b6b7a4b3f251028c1a57499da516364689e7f1b36bf67c8cf83827e53d3a95cc7b934120b105a826e9178a1921df812bb0f797a3ff40d39f837c254f44ebc2c531c985457b407fe5278cd0a4599b3df8319fa3136991a2bf3b7b5245783d8ccb663150c680eaf1a9c4f0b42b16a542c07b3f903f0798fd0db7ff013732edc4eac915dd3ebffa70d3739364911d7173c7b94722459bdf9249f4d1c50f042b73673a60aeb19c3528654aba94eb22"
},
"SubjectAlternativeName": [
{
"Type": "dNSName",
"Value": "*.gpgyyjgyyg.gw.gpcloudservice.com"
},
{
"Type": "dNSName",
"Value": "gpgyyjgyyg.gw.gpcloudservice.com"
}
],
"SubjectDN": "CN=*.gpgyyjgyyg.gw.gpcloudservice.com,OU=Domain Control Validated",
"ValidityNotAfter": "2021-05-29T09:34:04.000Z",
"ValidityNotBefore": "2020-05-29T09:34:04.000Z"
},
"DBotScore": {
"Indicator": "fead39be0bc680baaaf282d915b44c803e7ab66e61ff5afc356bcf0d12d73f2c",
"Score": 2,
"Type": "certificate",
"Vendor": "CertificateReputation"
}
}

Human Readable Output#

Score for fead39be0bc680baaaf282d915b44c803e7ab66e61ff5afc356bcf0d12d73f2c is 2

Notes#

WILDCARD_CERTIFICATE Certificate contains at least one name with wildcard DOMAIN_CONTROL_VALIDATED Certificate is Domain Control Validated