OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[VirusTotal] Change method vt_score is generated #2191

Open annoyingapt opened 1 month ago

annoyingapt commented 1 month ago

Description

There is an issue where the generation of a score for an indicator is influenced by the indicator type. There are generally no issues when it comes to scores for file hashes, but if you are determining a score for a phishing domain or URL, not many of the 95 security vendors will mark it as phishing or malicious, as it is not necessarily their target use case. As a result, the vt_score will be low, and if the observable score is low, then an indicator will get a low score too, which could then get immediately revoked due to the lifecycle decay policy.

Recommendation

I recommend that, given the user has control of the variable that determines when an indicator is made (e.g. domain_indicator_create_positives), there be an if statement in the _compute_score function to allow the vt_score to be 100 (or similar) if this threshold is met.

def _compute_score(stats: dict, threshold: int) -> int:
    # threshold is the connector's *_indicator_create_positives value for this observable type
    try:
        if stats["malicious"] >= threshold:
            vt_score = 100  # enough vendors flagged it: treat as fully malicious
        else:
            vt_score = round(
                (
                    stats["malicious"]
                    / (stats["harmless"] + stats["undetected"] + stats["malicious"])
                )
                * 100
            )
    except ZeroDivisionError:
        # except clause added so the fragment runs; no vendor returned a verdict at all
        vt_score = 0
    return vt_score
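As an added illustration of the effect described in this issue (example code written here, not code from the connector or from the issue author), the following compares the ratio-based score with the proposed threshold override on two constructed VirusTotal-style verdict counts. The sample numbers, the per-type threshold values, and the revocation cut-off are all assumptions for the demonstration; only domain_indicator_create_positives is a real connector setting mentioned above.

```python
from __future__ import annotations

# Constructed VirusTotal "last_analysis_stats"-style verdict counts (made-up numbers):
# a malicious file hash that most vendors flag, and a phishing URL that only a handful
# of URL-scanning vendors flag, which is exactly the situation the issue describes.
SAMPLE_STATS = {
    "file-hash": {"malicious": 58, "harmless": 0, "undetected": 12},
    "phishing-url": {"malicious": 6, "harmless": 70, "undetected": 19},
}

# Hypothetical per-type "create positives" thresholds, in the spirit of the connector's
# domain_indicator_create_positives setting (both values here are assumptions).
CREATE_POSITIVES = {"file-hash": 10, "phishing-url": 5}

# Hypothetical decay-policy cut-off: an indicator at or below this score is revoked.
REVOKE_SCORE = 20


def ratio_score(stats: dict) -> int:
    """Current behaviour as the issue describes it: percentage of vendors saying malicious."""
    total = stats["harmless"] + stats["undetected"] + stats["malicious"]
    if total == 0:
        return 0  # nobody returned a verdict, so there is nothing to compute
    return round(stats["malicious"] / total * 100)


def thresholded_score(stats: dict, threshold: int) -> int:
    """Proposed behaviour: once the malicious count reaches the create-positives
    threshold the indicator is worth creating, so score it 100 instead of by ratio."""
    if stats["malicious"] >= threshold:
        return 100
    return ratio_score(stats)


def compare(kind: str) -> dict:
    """Return both scores for a sample observable plus whether each would be revoked."""
    stats = SAMPLE_STATS[kind]
    current = ratio_score(stats)
    proposed = thresholded_score(stats, CREATE_POSITIVES[kind])
    return {
        "current": current,
        "current_revoked": current <= REVOKE_SCORE,
        "proposed": proposed,
        "proposed_revoked": proposed <= REVOKE_SCORE,
    }


if __name__ == "__main__":
    for kind in SAMPLE_STATS:
        print(kind, compare(kind))
```

With these inputs the file hash scores 83 either way, while the phishing URL scores 6 under the ratio rule (below the revocation cut-off) and 100 under the threshold rule. Note that the override only applies once the malicious count reaches the threshold; below it the ratio still governs, so the choice of threshold per observable type is what decides which low-detection URLs survive the decay policy.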
nino-filigran commented 1 month ago

@annoyingapt I understand the issue, though we do not consider this a bug, but rather an improvement, because in essence, nothing is "malfunctioning". We'll tackle this as a small feature. In the meantime, I can offer you the option to use the feature "override confidence level by entity type". Therefore, for your user "Virus Total", you can set a "default" value for your URLs/domain names at, let's say, 50, to avoid the VT score creating too low a score and making these IOCs directly revoked. I'm aware that it's not a long-term solution, because by doing so, you would ignore the VT score, which is not great. But at least it could help you already.