Add feed minimum GTI score

VirusTotal · Aug 5, 2024 · 9311327 · 9311327
1 parent 161773e
commit 9311327
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.py b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.py
@@ -80,7 +80,8 @@ def fetch_indicators_command(client: Client,
  feed_type: str,
  tlp_color: str = None,
  feed_tags: list = None,
- limit: int = None) -> list[dict]:
+ limit: int = None,
+ minimum_score: int = 0) -> list[dict]:
  """Retrieves indicators from the feed
  Args:
  client (Client): Client object with request
@@ -151,7 +152,8 @@ def fetch_indicators_command(client: Client,
  if tlp_color:
  indicator_obj['fields']['trafficlightprotocol'] = tlp_color
 
- indicators.append(indicator_obj)
+ if (indicator_obj.get('gti_threat_score') or 0) >= minimum_score:
+ indicators.append(indicator_obj)
 
  return indicators
 
@@ -171,7 +173,15 @@ def get_indicators_command(client: Client,
  tlp_color = params.get('tlp_color')
  feed_tags = argToList(params.get('feedTags', ''))
  limit = int(args.get('limit', 0))
- indicators = fetch_indicators_command(client, feed_type, tlp_color, feed_tags, limit)
+ minimum_score = int(params.get('feedMinimumGTIScore', 80))
+ indicators = fetch_indicators_command(
+ client,
+ feed_type,
+ tlp_color,
+ feed_tags,
+ limit,
+ minimum_score
+ )
 
  human_readable = tableToMarkdown(
  f'Indicators from Google Threat Intelligence {FEED_STR.get(feed_type, feed_type)} Feeds:',

diff --git a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.yml b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.yml
@@ -68,6 +68,12 @@ configuration:
  defaultvalue: "30"
  type: 19
  required: false
+- name: feedMinimumGTIScore
+ type: 0
+ display: Feed Minimum GTI Score
+ required: true
+ defaultvalue: 80
+ additionalinfo: The minimum GTI score to import as part of the feed
 - display: Bypass exclusion list
  name: feedBypassExclusionList
  type: 8

diff --git a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/README.md b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/README.md
@@ -18,6 +18,7 @@ Use this feed integration to fetch Google Threat Intelligence Feeds matches. It
  | | | False |
  | | | False |
  | Feed Fetch Interval | | False |
+ | Feed Minimum GTI Score | The minimum GTI score to import as part of the feed | True |
  | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
  | Tags | Supports CSV values. | False |
  | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed. | False |