Open annoyingapt opened 1 month ago
@annoyingapt I understand the issue, though we do not consider this a bug, but rather an improvement, because in essence, nothing is "malfunctioning". We'll tackle this as a small feature. In the meantime, I can offer you the feature "override confidence level by entity type". Therefore, for your user "Virus Total", you can set a "default" value for your URLs/Domain names at, let's say, 50, to avoid the VT score creating a too low score and making these IOCs directly revoked. I'm aware that it's not a long-term solution, because by doing so you would ignore the VT score, which is not great. But at least it could help you already.
Description
There is an issue where the generation of a score for an indicator is influenced by the indicator type. There are generally no issues when it comes to scores for file hashes, but if you are determining a score for a phishing domain or URL, not many of the 95 security vendors will mark it as phishing or malicious, as it is not necessarily their target use case. As a result, the vt_score will be low, and if the observable score is low, then an indicator will get a low score too, which could then get immediately revoked due to the lifecycle decay policy.
Recommendation
I recommend that, given the user has control of the variable that determines when an indicator is made (e.g. domain_indicator_create_positives), there be an if statement in the _compute_score function to allow the vt_score to be 100 (or similar) if this threshold is met.
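The scoring behaviour described in this issue, the proposed threshold override and the maintainer's per-type default workaround, as an added Python sketch that is not the connector's own code; the stats layout, the vt_score formula, the setting names and the threshold values are assumptions modelled on the issue text:

```python
"""Constructed sketch of the scoring change discussed in this issue.

Not the connector's code: the VTStats shape, the vt_score formula and the
threshold names/values are assumptions based on the issue description.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class VTStats:
    """Assumed shape of VirusTotal's last_analysis_stats for one object."""
    malicious: int
    suspicious: int
    harmless: int
    undetected: int

    @property
    def total(self) -> int:
        return self.malicious + self.suspicious + self.harmless + self.undetected


def vt_score(stats: VTStats) -> int:
    """Share of vendors flagging the object, 0..100 (assumed formula)."""
    if stats.total == 0:
        return 0
    return round(100 * (stats.malicious + stats.suspicious) / stats.total)


def compute_score_current(stats: VTStats, obs_type: str) -> int:
    """Current behaviour: the raw vendor ratio becomes the indicator score,
    so a phishing domain flagged by few vendors starts near the decay floor."""
    return vt_score(stats)


# Assumed per-type "<type>_indicator_create_positives" thresholds.
CREATE_POSITIVES: Dict[str, int] = {"Domain-Name": 5, "Url": 5, "StixFile": 10}


def compute_score_proposed(stats: VTStats, obs_type: str,
                           thresholds: Dict[str, int] = CREATE_POSITIVES) -> int:
    """Proposed: once enough vendors flag the object to create an indicator,
    score it 100 so the lifecycle decay does not revoke it immediately."""
    threshold = thresholds.get(obs_type)
    if threshold is not None and stats.malicious >= threshold:
        return 100
    return vt_score(stats)


def compute_score_workaround(stats: VTStats, obs_type: str,
                             default_by_type: Optional[Dict[str, int]] = None) -> int:
    """Maintainer's interim workaround: a fixed default per entity type
    replaces (and therefore ignores) the VT score for that type."""
    if default_by_type and obs_type in default_by_type:
        return default_by_type[obs_type]
    return vt_score(stats)
```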