From 9311327b1010e21050a1c5177f5fc4f411bcb3fa Mon Sep 17 00:00:00 2001
From: pabloperezj
Date: Mon, 5 Aug 2024 15:17:15 +0200
Subject: [PATCH] Add feed minimum GTI score
---
 .../CategorizedFeeds/CategorizedFeeds.py | 16 +++++++++++++---
 .../CategorizedFeeds/CategorizedFeeds.yml | 6 ++++++
 .../Integrations/CategorizedFeeds/README.md | 1 +
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.py b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.py
index 202512cfbaf5..a289ef3e6c83 100644
--- a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.py
+++ b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.py
@@ -80,7 +80,8 @@ def fetch_indicators_command(client: Client,
 feed_type: str,
 tlp_color: str = None,
 feed_tags: list = None,
- limit: int = None) -> list[dict]:
+ limit: int = None,
+ minimum_score: int = 0) -> list[dict]:
 """Retrieves indicators from the feed
 Args:
 client (Client): Client object with request
@@ -151,7 +152,8 @@ def fetch_indicators_command(client: Client,
 if tlp_color:
 indicator_obj['fields']['trafficlightprotocol'] = tlp_color
- indicators.append(indicator_obj)
+ if (indicator_obj.get('gti_threat_score') or 0) >= minimum_score:
+ indicators.append(indicator_obj)
 return indicators
@@ -171,7 +173,15 @@ def get_indicators_command(client: Client,
 tlp_color = params.get('tlp_color')
 feed_tags = argToList(params.get('feedTags', ''))
 limit = int(args.get('limit', 0))
- indicators = fetch_indicators_command(client, feed_type, tlp_color, feed_tags, limit)
+ minimum_score = int(params.get('feedMinimumGTIScore', 80))
+ indicators = fetch_indicators_command(
+ client,
+ feed_type,
+ tlp_color,
+ feed_tags,
+ limit,
+ minimum_score
+ )
 human_readable = tableToMarkdown(
 f'Indicators from Google Threat Intelligence {FEED_STR.get(feed_type, feed_type)} Feeds:', 
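Review bot: The new `minimum_score` parameter is missing from the docstring's Args section that follows the signature; the hunk ends at the `client` entry and the diffstat shows no other change to the docstring, so a parameter that silently drops indicators is undocumented. Add an entry next to the existing ones, e.g. `minimum_score (int): Indicators whose gti_threat_score is below this value are not returned; 0 disables the filter.` The signature default `0` also differs from the `80` that get_indicators_command falls back to, so the docstring should say which default a direct caller gets. fetch_indicators_command's body continues outside the hunk.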
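Review bot: The added `if` treats a missing `gti_threat_score` as 0, so with the default threshold of 80 every indicator the feed returns without a score is silently dropped and nothing records that it happened; if that is deliberate, note it with `# unscored indicators count as 0 and are dropped unless minimum_score == 0`, otherwise keep them with `score = indicator_obj.get('gti_threat_score')` and `if score is None or score >= minimum_score:`. Whether the score is an int at the point it is assigned is not visible here; if the API delivers it as a string, `>=` against an int raises TypeError and aborts the whole fetch, so coerce it once where it is set. The filter also runs after the fetch, so `limit` (applied earlier, presumably to the API request) bounds what is fetched rather than what is returned, and a request for N indicators may yield far fewer. The loop this sits in starts outside the hunk.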
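Review bot: `int(params.get('feedMinimumGTIScore', 80))` raises an uncaught ValueError when the instance field is left blank or holds a non-numeric value (the yml declares it as free text, type 0), so the command fails with a traceback instead of a readable message; `arg_to_number(params.get('feedMinimumGTIScore'), arg_name='feedMinimumGTIScore')` from CommonServerPython reports the bad value by name, with an explicit fallback to 80 when it returns None. Nothing bounds the value either, so a negative threshold or one above the score scale is accepted silently. Only get_indicators_command reads the new parameter: the diffstat shows no other hunk in this file, so if main() calls fetch_indicators_command directly for the scheduled fetch-indicators command (not visible here), that path still receives the default `minimum_score=0` and the configured threshold is never applied to what is actually ingested, only to the manual command. get_indicators_command continues outside the hunk.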
diff --git a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.yml b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.yml
index 9bb831ddcb1a..f0853e15472e 100644
--- a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.yml
+++ b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/CategorizedFeeds.yml
@@ -68,6 +68,12 @@ configuration:
 defaultvalue: "30"
 type: 19
 required: false
+- name: feedMinimumGTIScore
+ type: 0
+ display: Feed Minimum GTI Score
+ required: true
+ defaultvalue: 80
+ additionalinfo: The minimum GTI score to import as part of the feed
 - display: Bypass exclusion list
 name: feedBypassExclusionList
 type: 8
diff --git a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/README.md b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/README.md
index 3366a1558f86..5186cff32ad0 100644
--- a/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/README.md
+++ b/Packs/GoogleThreatIntelligence/Integrations/CategorizedFeeds/README.md
@@ -18,6 +18,7 @@ Use this feed integration to fetch Google Threat Intelligence Feeds matches. It
 | | | False |
 | | | False |
 | Feed Fetch Interval | | False |
+ | Feed Minimum GTI Score | The minimum GTI score to import as part of the feed | True |
 | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
 | Tags | Supports CSV values. | False |
 | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed. | False |
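Review bot: `defaultvalue: 80` is an unquoted YAML integer while the neighbouring entry uses the quoted `defaultvalue: "30"`; use `defaultvalue: "80"` for consistency with the file and with the string the code reads through `params.get`. As a `type: 0` free-text field nothing in the configuration form constrains the value, so the help text should state what is accepted, e.g. `additionalinfo: The minimum GTI threat score an indicator must have to be imported (0 imports every indicator, including unscored ones)`. Whether the score scale is 0-100 is not stated on this page; if it is, include that range in the same text.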