How to check custom indicator types with !GetIndicatorDBotScore?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to check custom indicator types with !GetIndicatorDBotScore?

L1 Bithead

Hi everyone,

does anyone of you know how to check a custom indicator with !GetIndicatorDBotScore?

Due to the recent change in the URL indicator type's regex, we needed to create a new indicator type, that makes use of the old regex. Unfortunately this breaks our playbooks, which rely at a certain spot on the !GetIndicatorDBotScore command. This will only take system level indicators.

Can I turn a custom indicator into a system level indicator or can I force !GetIndicatorDBotScore to accept a custom indicator?

 

1 accepted solution

Accepted Solutions

Araka,
I investigated your HTML snippet and see how that isn't working right with the system URL indicator regular expression.  Can you please put in a support case for us to investigate that further?

In the meantime you probably want to investigate a more immediate fix for this.  You have several options but first I wanted to ask: Have you investigated the "GetIndicatorDBotScoreFromCache" automation?  This is used to pull the overall reputation score of an indicator from the indicator database.  This also works with custom indicator types.

View solution in original post

8 REPLIES 8

L2 Linker

Araka,
Good afternoon!  Can you please provide some more information on what URLs are not matching the system URL indicator?
Also, what information is most important from the !GetIndicatorDBotScore command?

Hi Jwilkes,

thanks for answering! I appreciate it. 

Since the update to the URL regex, we get falsely parsed URLs from email html bodies. See this for example:

 

https://email.bfi-stmk.at/t/t-l-cuiduyk-yuuuhkhttk-x/"><img style="display: block;height: auto;width: 100%;border: 0;" src="https://i.vimeocdn.com/filter/overlay?src=http://img.youtube.com/vi/H24Iy56MM6g/0.jpg&src=https://in...

 

This gets parsed as one URL. 

And about the !GetIndicatorDBotScore command, we use it to get verdicts about certain IOCs in playbooks. In some cases, for example, we use it to check if we already have the verdict of an IOC and then skip the Threat Intel tasks, if it already exists with a malicious reputation. Well, now we would like to use it with the new Indicator Type, that makes use of the working regex, but !GetIndicatorDBotScore will only ingest system level Indicator Types. 

Araka,

Thank you for your response.  I understand what is going on much better.  One other question: when getting the verdict of the IOCs in the playbook, are you looking for individual enrichment reputations or the overall reputation?

Hi,

thanks. We are looking for the overall reputation.

Araka,
I investigated your HTML snippet and see how that isn't working right with the system URL indicator regular expression.  Can you please put in a support case for us to investigate that further?

In the meantime you probably want to investigate a more immediate fix for this.  You have several options but first I wanted to ask: Have you investigated the "GetIndicatorDBotScoreFromCache" automation?  This is used to pull the overall reputation score of an indicator from the indicator database.  This also works with custom indicator types.

Jwilkes,

thanks a lot for investigating. I will do as you say and open a support case. 

"!GetIndicatoDBotScoreFromCache" seems to be an option, I tested it. Thanks! We will start to change that in our playbooks.

Just out of curiosity, could you tell me what the other options are?

Araka,

I recommend the "!GetIndicatoDBotScoreFromCache" automation because it is an "out of the box" automation and seems to meet your requirement of the overall reputation of an indicator.  The other options you can pursue while support is investigating:

  1. If you disable the system URL indicator you can create a custom one with the same name (URL) with your new regular expression.  If the name is URL, "!GetIndicatorDBotScore" should work.  However, "!GetIndicatorDBotScore" pulls the individual enrichment reputation scores instead of overall score like "!GetIndicatoDBotScoreFromCache" does.  You might have to migrate from one indicator type to another as well.
  2. You can detach/duplicate "!GetIndicatorDBotScore" and make an edit to it so that it will work with custom indicators.  If you have a support case, please ask them to update the automation for all customers.  Detach/duplicate is not a preferred method as content will not be updated by content pack (Common Scripts).  I prefer to copy rather than detach because if the automation is accidentally reattached it will undo all changes.

Hope that helps.  Please let me know if you have any other questions.

Thank you very much! This helped me in understanding the problem.

 

Warm regards.

  • 1 accepted solution
  • 4312 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!