# IOC Result Aggregator
Extract indicators of compromise (IOCs) from a variety of sources.

## Capabilities

This connector provides the following capabilities:

- Parse IOCs

## Asset Setup

No asset setup needed.

## Actions

### Aggregate IOC Results

Combine results from IOC lookup sources.

**Endpoint method:** GET

#### Input

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Highest Verdict Minimum Confidence Threshold | number | optional | Unique identifier |
| Raw Scores | string | optional | Parameter for Aggregate IOC Results |
| Raw Reputations | string | optional | Parameter for Aggregate IOC Results |
| Malicious Keywords | string | optional | Parameter for Aggregate IOC Results |
| Suspicious Keywords | string | optional | Parameter for Aggregate IOC Results |
| Benign Keywords | string | optional | Parameter for Aggregate IOC Results |
| Suspicious Threshold | number | optional | Parameter for Aggregate IOC Results |
| Malicious Threshold | number | optional | Parameter for Aggregate IOC Results |

#### Output

| Parameter | Type | Description |
|---|---|---|
| Last Aggregated | string | Output field last aggregated |
| Highest Verdict | string | Output field highest verdict |
| Highest Verdict Confidence | number | Unique identifier |
| Highest Score | number | Score value |
| Normalized Scores | array | Output field normalized scores |
| All Verdicts | array | Output field all verdicts |
| Most Common Verdict | string | Output field most common verdict |
| Most Common Verdict Confidence | number | Unique identifier |
| Average Score | number | Score value |
| Highest Verdict Context | string | Output field highest verdict context |
| Values By Verdict | string | Value for the parameter |
| Combined Verdict | string | Output field combined verdict |
| Combined Verdict Confidence | number | Unique identifier |
| Parsed Value Data | string | Response data |

#### Example

```json
[
  {
    "last_aggregated": "2022-11-25T15:19:10.470582+00:00",
    "highest_verdict": "benign",
    "highest_verdict_confidence": 100,
    "highest_score": 3,
    "normalized_scores": [3, 0],
    "all_verdicts": ["benign", "benign"],
    "most_common_verdict": "benign",
    "most_common_verdict_confidence": 100,
    "average_score": 1.5,
    "highest_verdict_context": "highest threat score found: 3.0%",
    "values_by_verdict": "{\"malicious\": [], \"suspicious\": [], \"benign\": [\"3.0%\", \"0.0%\"]}",
    "combined_verdict": "benign",
    "combined_verdict_confidence": 100,
    "parsed_value_data": "[{\"value\": \"3 (normalized to 3.0%)\", \"verdict\": \"benign\", \"match\": \"score >= ben"
  }
]
```

The `parsed_value_data` value is truncated in the original example; note that `values_by_verdict` and `parsed_value_data` are returned as JSON-encoded strings, not nested objects, so a consumer has to decode them a second time.
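The page lists the action's inputs and outputs but not how they are combined. The following added example (not the connector's own code) implements one plausible aggregation that produces the page's output fields as snake_case keys. The 0..100 normalization of raw scores, the worst-first keyword matching of reputation strings, "confidence" as the percentage of counted sources that agree with a verdict, and the combined-verdict rule keyed to the minimum-confidence threshold are all assumptions made for this example; the default thresholds (30 and 70) and the sample inputs are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Severity ranking used to pick the "highest" verdict across sources (assumption).
SEVERITY = {"benign": 0, "suspicious": 1, "malicious": 2}


def normalize_score(raw):
    """Convert a raw score string to a 0..100 percentage.

    Assumption: "a/b" is a ratio (e.g. detections/engines); anything else is
    already on a 0..100 scale.
    """
    raw = raw.strip()
    if "/" in raw:
        num, den = raw.split("/", 1)
        return round(float(num) / float(den) * 100.0, 1)
    return round(float(raw), 1)


def verdict_for_score(score, suspicious_threshold, malicious_threshold):
    """Bucket a normalized score; the 'match' string records which rule fired."""
    if score >= malicious_threshold:
        return "malicious", f"score >= malicious threshold ({malicious_threshold})"
    if score >= suspicious_threshold:
        return "suspicious", f"score >= suspicious threshold ({suspicious_threshold})"
    return "benign", f"score < suspicious threshold ({suspicious_threshold})"


def verdict_for_reputation(reputation, malicious_kw, suspicious_kw, benign_kw):
    """Map a free-text reputation to a verdict by keyword list, worst verdict first."""
    text = reputation.lower()
    for verdict, keywords in (("malicious", malicious_kw),
                              ("suspicious", suspicious_kw),
                              ("benign", benign_kw)):
        for kw in keywords:
            if kw.lower() in text:
                return verdict, f"keyword '{kw}'"
    return None, "no keyword match"


def aggregate_ioc_results(raw_scores=(), raw_reputations=(), *,
                          malicious_keywords=(), suspicious_keywords=(),
                          benign_keywords=(), suspicious_threshold=30.0,
                          malicious_threshold=70.0,
                          highest_verdict_min_confidence=50.0):
    """Aggregate per-source scores and reputations into one verdict record."""
    parsed, normalized, by_verdict = [], [], {v: [] for v in SEVERITY}
    for raw in raw_scores:
        score = normalize_score(raw)
        verdict, match = verdict_for_score(score, suspicious_threshold, malicious_threshold)
        normalized.append(score)
        by_verdict[verdict].append(f"{score}%")
        parsed.append({"value": f"{raw} (normalized to {score}%)", "verdict": verdict, "match": match})
    for rep in raw_reputations:
        verdict, match = verdict_for_reputation(rep, malicious_keywords, suspicious_keywords, benign_keywords)
        if verdict is None:
            continue  # a reputation no keyword list recognises is not counted as a vote
        by_verdict[verdict].append(rep)
        parsed.append({"value": rep, "verdict": verdict, "match": match})

    all_verdicts = [p["verdict"] for p in parsed]
    if not all_verdicts:
        raise ValueError("no usable scores or reputations to aggregate")
    counts, total = Counter(all_verdicts), len(all_verdicts)
    # Confidence (assumption): share of counted sources that agree with the verdict.
    highest = max(all_verdicts, key=SEVERITY.__getitem__)
    highest_conf = round(counts[highest] / total * 100.0, 1)
    most_common, mc_count = counts.most_common(1)[0]
    most_common_conf = round(mc_count / total * 100.0, 1)
    # Combined verdict (assumption): keep the worst verdict only when enough sources
    # back it; otherwise fall back to the majority verdict.
    if highest_conf >= highest_verdict_min_confidence:
        combined, combined_conf = highest, highest_conf
    else:
        combined, combined_conf = most_common, most_common_conf
    highest_score = max(normalized) if normalized else None
    return {
        "last_aggregated": datetime.now(timezone.utc).isoformat(),
        "highest_verdict": highest,
        "highest_verdict_confidence": highest_conf,
        "highest_score": highest_score,
        "normalized_scores": normalized,
        "all_verdicts": all_verdicts,
        "most_common_verdict": most_common,
        "most_common_verdict_confidence": most_common_conf,
        "average_score": round(sum(normalized) / len(normalized), 2) if normalized else None,
        "highest_verdict_context": (f"highest threat score found: {highest_score}%"
                                    if highest_score is not None else "no numeric scores"),
        "values_by_verdict": json.dumps(by_verdict),
        "combined_verdict": combined,
        "combined_verdict_confidence": combined_conf,
        "parsed_value_data": json.dumps(parsed),
    }


if __name__ == "__main__":
    # Constructed input mirroring the page's example: two raw scores, 3 and 0.
    print(json.dumps(aggregate_ioc_results(["3", "0"]), indent=2))
```

With the page's two scores (3 and 0) every source votes benign, so all three verdict fields agree at 100% confidence and the average is 1.5, matching the documented output. The minimum-confidence threshold matters only when sources disagree: with one malicious score among several benign ones, a low threshold lets the single worst verdict win, while a higher threshold makes the aggregator report the majority view, which is the trade-off an analyst tunes that input for.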