How to check custom indicator types with !GetIndicatorDBotScore?



Hi everyone,

Does any of you know how to check a custom indicator with !GetIndicatorDBotScore?

Due to the recent change in the URL indicator type's regex, we needed to create a new indicator type that makes use of the old regex. Unfortunately this breaks our playbooks, which at a certain spot rely on the !GetIndicatorDBotScore command. This will only take system level indicators.

Can I turn a custom indicator into a system level indicator, or can I force !GetIndicatorDBotScore to accept a custom indicator?

Accepted Solution

Araka,
I investigated your HTML snippet and see how that isn't working right with the system URL indicator regular expression.  Can you please put in a support case for us to investigate that further?

In the meantime you probably want to investigate a more immediate fix for this.  You have several options but first I wanted to ask: Have you investigated the "GetIndicatorDBotScoreFromCache" automation?  This is used to pull the overall reputation score of an indicator from the indicator database.  This also works with custom indicator types.

8 Replies

Araka,
Good afternoon!  Can you please provide some more information on what URLs are not matching the system URL indicator?
Also, what information is most important from the !GetIndicatorDBotScore command?

Hi Jwilkes,

Thanks for answering! I appreciate it.

Since the update to the URL regex, we get falsely parsed URLs from email HTML bodies. See this for example:

https://email.bfi-stmk.at/t/t-l-cuiduyk-yuuuhkhttk-x/"><img style="display: block;height: auto;width: 100%;border: 0;" src="https://i.vimeocdn.com/filter/overlay?src=http://img.youtube.com/vi/H24Iy56MM6g/0.jpg&src=https://in...

This gets parsed as one URL.

And about the !GetIndicatorDBotScore command, we use it to get verdicts about certain IOCs in playbooks. In some cases, for example, we use it to check if we already have the verdict of an IOC and then skip the Threat Intel tasks if it already exists with a malicious reputation. Well, now we would like to use it with the new Indicator Type that makes use of the working regex, but !GetIndicatorDBotScore will only ingest system level Indicator Types.
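An added illustration of the extraction failure described above; this is not code from the thread or from XSOAR, and the two regexes are constructed stand-ins (the actual system URL regex is not shown on the page). The sample HTML fragment is modelled on the mis-parsed example quoted in the post, and the parser-based function shows the approach that avoids the problem for HTML bodies altogether.

```python
import re
from html.parser import HTMLParser

# Constructed sample input, modelled on the mis-parsed email HTML fragment quoted above.
HTML_FRAGMENT = (
    '<a href="https://email.bfi-stmk.at/t/t-l-cuiduyk-yuuuhkhttk-x/">'
    '<img style="display: block;height: auto;width: 100%;border: 0;" '
    'src="https://i.vimeocdn.com/filter/overlay?src=http://img.youtube.com/vi/H24Iy56MM6g/0.jpg">'
    '</a> Click to view.'
)

# Greedy pattern (illustrative, not XSOAR's actual regex): whitespace is the only stop
# character, so the closing quote, '>' and the following tag are swallowed into the "URL".
GREEDY_URL_RE = re.compile(r'https?://\S+')

# Bounded pattern: also stop at quotes and angle brackets, which delimit HTML attributes
# and tags and cannot appear unescaped inside an attribute value.
BOUNDED_URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def extract_urls(text: str, pattern: re.Pattern = BOUNDED_URL_RE) -> list[str]:
    """Return every URL matched by `pattern` in `text`, in order of appearance."""
    return [m.group(0) for m in pattern.finditer(text)]


class _LinkCollector(HTMLParser):
    """Collect href/src attribute values, which is where the URLs in an HTML body live."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value and value.startswith(("http://", "https://")):
                self.urls.append(value)


def extract_urls_from_html(html: str) -> list[str]:
    """Parse the HTML instead of regex-scanning it; attribute boundaries are handled by the parser."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.urls
```

Running `extract_urls(HTML_FRAGMENT, GREEDY_URL_RE)` reproduces the single run-on "URL" that ends in `"><img`, while the bounded regex and the parser both return the two clean link targets.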

Araka,

Thank you for your response.  I understand what is going on much better.  One other question: when getting the verdict of the IOCs in the playbook, are you looking for individual enrichment reputations or the overall reputation?

Hi,

thanks. We are looking for the overall reputation.
