01-25-2022 08:29 AM
Hi everyone,
does any of you know how to check a custom indicator with !GetIndicatorDBotScore?
Due to the recent change in the URL indicator type's regex, we needed to create a new indicator type, that makes use of the old regex. Unfortunately this breaks our playbooks, which rely at a certain spot on the !GetIndicatorDBotScore command. This will only take system level indicators.
Can I turn a custom indicator into a system level indicator or can I force !GetIndicatorDBotScore to accept a custom indicator?
01-27-2022 12:00 PM
Araka,
Good afternoon! Can you please provide some more information on what URLs are not matching the system URL indicator?
Also, what information is most important from the !GetIndicatorDBotScore command?
01-28-2022 07:07 AM
Hi Jwilkes,
thanks for answering! I appreciate it.
Since the update to the URL regex, we get falsely parsed URLs from email HTML bodies. See this for example:
https://email.bfi-stmk.at/t/t-l-cuiduyk-yuuuhkhttk-x/"><img style="display: block;height: auto;width: 100%;border: 0;" src="https://i.vimeocdn.com/filter/overlay?src=http://img.youtube.com/vi/H24Iy56MM6g/0.jpg&src=https://in...
This gets parsed as one URL.
And about the !GetIndicatorDBotScore command, we use it to get verdicts about certain IOCs in playbooks. In some cases, for example, we use it to check if we already have the verdict of an IOC and then skip the Threat Intel tasks, if it already exists with a malicious reputation. Well, now we would like to use it with the new Indicator Type, that makes use of the working regex, but !GetIndicatorDBotScore will only ingest system level Indicator Types.
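The over-matching described above, as an added example that is not part of the thread and not Cortex XSOAR's own code: a deliberately loose URL pattern (an assumption for illustration, not the product's actual regular expression) accepts quotes and angle brackets, so a match that starts in an `href` runs straight through the closing quote into the following `<img>` tag. A stricter pattern that stops at whitespace, quotes and angle brackets, or extracting `href`/`src` attributes with an HTML parser instead of regexing raw markup, yields the two real URLs. The sample HTML is constructed, modelled on the symptom, and the hostnames are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not the thread's data): a tracking link wrapping an image,
# the same shape as the email HTML that produced the bad URL indicator.
SAMPLE_HTML = (
    '<p>Click <a href="https://example.test/t/t-l-abc/">'
    '<img src="https://cdn.example.test/overlay?src=http://img.example.test/0.jpg&size=1">'
    '</a> now.</p>'
)

# Loose pattern (assumed for illustration): anything non-space after the scheme.
# Quotes and angle brackets are accepted, so the match does not stop at the end of
# the attribute value and swallows the start of the next tag.
LOOSE_URL_RE = re.compile(r'https?://\S+')

# Stricter pattern: a URL delimited by an HTML attribute can never contain
# whitespace, quotes or angle brackets, so stop at those. Trailing sentence
# punctuation is trimmed separately so "see https://x.test." yields "https://x.test".
STRICT_URL_RE = re.compile(r'https?://[^\s"\'<>]+')
TRAILING_PUNCT = '.,;:!?)]}'


def extract_loose(text: str) -> list[str]:
    """Reproduce the over-match: URLs bleed into surrounding markup."""
    return LOOSE_URL_RE.findall(text)


def extract_strict(text: str) -> list[str]:
    """Regex extraction that stops at attribute delimiters and trims punctuation."""
    return [m.rstrip(TRAILING_PUNCT) for m in STRICT_URL_RE.findall(text)]


class _AttrURLParser(HTMLParser):
    """Collect http(s) values of href/src attributes; no regex over raw markup."""

    URL_ATTRS = {"href", "src"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value and value.lower().startswith(("http://", "https://")):
                self.urls.append(value)


def extract_from_html(html: str) -> list[str]:
    """Preferred for HTML bodies: let the parser find attribute boundaries."""
    parser = _AttrURLParser()
    parser.feed(html)
    return parser.urls


if __name__ == "__main__":
    for label, fn in (("loose", extract_loose), ("strict", extract_strict), ("parser", extract_from_html)):
        print(f"{label:7s}", fn(SAMPLE_HTML))
```

Note that the nested `src=http://img.example.test/...` inside the overlay URL's query string is correctly kept as part of the outer URL by all three methods, because `re.findall` returns non-overlapping matches; the difference is only where each match ends.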
01-28-2022 08:14 AM
Araka,
Thank you for your response. I understand what is going on much better. One other question: when getting the verdict of the IOCs in the playbook, are you looking for individual enrichment reputations or the overall reputation?
01-28-2022 08:19 AM
Hi,
thanks. We are looking for the overall reputation.
01-28-2022 12:20 PM
Araka,
I investigated your HTML snippet and see how that isn't working right with the system URL indicator regular expression. Can you please put in a support case for us to investigate that further?
In the meantime you probably want to investigate a more immediate fix for this. You have several options but first I wanted to ask: Have you investigated the "GetIndicatorDBotScoreFromCache" automation? This is used to pull the overall reputation score of an indicator from the indicator database. This also works with custom indicator types.
01-31-2022 01:20 AM
Jwilkes,
thanks a lot for investigating. I will do as you say and open a support case.
"!GetIndicatorDBotScoreFromCache" seems to be an option, I tested it. Thanks! We will start to change that in our playbooks.
Just out of curiosity, could you tell me what the other options are?
01-31-2022 05:04 AM
Araka,
I recommend the "!GetIndicatorDBotScoreFromCache" automation because it is an "out of the box" automation and seems to meet your requirement of the overall reputation of an indicator. The other options you can pursue while support is investigating:
Hope that helps. Please let me know if you have any other questions.
02-01-2022 12:45 AM
Thank you very much! This helped me in understanding the problem.
Warm regards.