Hi, Lucian - Sorry this is a bit late but I wrote a Custom Threat Feed (for ThreatConnect, though that's not significant) about 18 months ago and had to find out quite a lot about these things for myself.
As Benoit has said, there does not appear to be any way to turn off such requests 'at source'. But at the CTS end you are working in a framework that supports handlers, so a decoration of this sort will allow ONLY the IP Address artifacts to get through to your code:
@handler ("net.ip")
def implement_my_custom_threat_feed(self, event, *args, **kwargs)
# Your code follows...
Opening this up to other Artifact types is simply a matter of adding other handler definitions such as "net.name" for DNS name, "hash.md5" for a hash and so on, should that ever be necessary.
So not exactly what you initially requested but a fairly clean and easily mainainable way to keep unwanted Artifact queries out of your code.
I hope this helps...
Best regards - Edwin Bolton
------------------------------
Edwin Bolton
------------------------------
Original Message:
Sent: Tue October 20, 2020 09:08 AM
From: Lucian Sipos
Subject: Filter requests to Custom Threat Source by Artifact type
Hello all
Is there any way to filter the requests made to a CTS, when I add an artifact, by artifact type ?
For example I have a CTS which should work only with IP's. I noticed that if I add an URL a request will be made to that CTS (if active).
By today I filter results at code level but I would like to know if exists already something like that (also see rules/function examples where you can set a function to work only for certain artifact types).
Thanks
------------------------------
Lucian Sipos
------------------------------