IBM Security QRadar SOAR

  • 1.  Filter requests to Custom Threat Source by Artifact type

    Posted Tue October 20, 2020 09:09 AM
    Hello all

    Is there any way to filter the requests made to a CTS, when I add an artifact, by artifact type?

    For example, I have a CTS which should work only with IPs. I noticed that if I add a URL, a request will be made to that CTS (if active).

    At present I filter results at code level, but I would like to know if something like that already exists (see also the rules/function examples, where you can set a function to work only for certain artifact types).

    Thanks

    ------------------------------
    Lucian Sipos
    ------------------------------


  • 2.  RE: Filter requests to Custom Threat Source by Artifact type

    Posted Tue October 27, 2020 07:27 AM
    Will reach out to the wider team for an answer on this.

    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: Filter requests to Custom Threat Source by Artifact type

    Posted Thu November 12, 2020 10:04 AM
    Currently (v38), you can't filter by artifact type on CTS.

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 4.  RE: Filter requests to Custom Threat Source by Artifact type

    Posted Wed November 18, 2020 11:39 AM
    Hi, Lucian - Sorry this is a bit late but I wrote a Custom Threat Feed (for ThreatConnect, though that's not significant) about 18 months ago and had to find out quite a lot about these things for myself.

    As Benoit has said, there does not appear to be any way to turn off such requests 'at source'. But at the CTS end you are working in a framework that supports handlers, so a decoration of this sort will allow ONLY the IP Address artifacts to get through to your code:

    from circuits import handler  # the circuits framework's handler decorator

    @handler("net.ip")  # only events on the "net.ip" channel reach this method
    def implement_my_custom_threat_feed(self, event, *args, **kwargs):
        # Your code follows...
        pass


    Opening this up to other Artifact types is simply a matter of adding other handler definitions such as "net.name" for DNS name, "hash.md5" for a hash and so on, should that ever be necessary.

    So, not exactly what you initially requested, but a fairly clean and easily maintainable way to keep unwanted Artifact queries out of your code.

    I hope this helps...

    Best regards - Edwin Bolton

    ------------------------------
    Edwin Bolton
    ------------------------------
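
    The following is an added example illustrating the per-artifact-type handler approach described in the reply above; it is not code from the original thread, from rc-cts, or from IBM. To run offline it uses a small stand-in `handler` decorator and `Searcher` dispatcher written here, which mimic how a circuits-style framework routes an event only to methods registered for that channel (in a real searcher you would use `from circuits import handler` and let the framework dispatch). The `IpOnlySearcher`, `IpAndDnsSearcher`, `BAD_NETWORKS` and `BAD_DOMAINS` names and all sample artifacts and indicators are constructed for the example. It also goes slightly beyond the post by showing the caveat a practitioner would want: even when the platform labels an artifact "net.ip", validate the value before it reaches any backend.

```python
import ipaddress
from collections import defaultdict


def handler(*artifact_types):
    """Stand-in for the circuits `handler` decorator (constructed for this
    example so it runs offline). It tags a method with the artifact types
    (event channels) it should receive; the dispatcher below does the routing
    that the real framework would do."""
    def wrap(fn):
        fn.artifact_types = artifact_types
        return fn
    return wrap


class Searcher:
    """Minimal dispatcher: an artifact is routed only to the methods registered
    for its type, so types with no handler never reach the lookup code."""

    def __init__(self):
        self._handlers = defaultdict(list)
        for name in dir(self):
            fn = getattr(self, name)
            for artifact_type in getattr(fn, "artifact_types", ()):
                self._handlers[artifact_type].append(fn)

    def handled_types(self):
        return sorted(self._handlers)

    def scan(self, artifact):
        """Dispatch one artifact dict {"type": ..., "value": ...}; return hits."""
        hits = []
        for fn in self._handlers.get(artifact.get("type"), ()):
            hits.extend(fn(artifact) or [])
        return hits


# Constructed sample threat data for the example (not real indicators).
BAD_NETWORKS = {
    ipaddress.ip_network("198.51.100.0/24"): "scanner",
    ipaddress.ip_network("2001:db8:bad::/48"): "c2",
}
BAD_DOMAINS = {"malicious.example": "phishing"}


class IpOnlySearcher(Searcher):
    """Only "net.ip" artifacts are dispatched into this searcher."""

    def __init__(self):
        self.lookups = 0  # how many artifacts actually reached lookup code
        super().__init__()

    @handler("net.ip")
    def lookup_ip(self, artifact):
        self.lookups += 1
        # The artifact type says IP, but validate the value anyway so a
        # malformed value yields no hits instead of an error in a backend call.
        try:
            addr = ipaddress.ip_address(artifact["value"].strip())
        except ValueError:
            return []
        # ipaddress returns False (no exception) for a v4/v6 version mismatch.
        return [
            {"type": "net.ip", "value": str(addr), "category": category,
             "network": str(network)}
            for network, category in BAD_NETWORKS.items()
            if addr in network
        ]


class IpAndDnsSearcher(IpOnlySearcher):
    """Opening the searcher to another type is one more handler definition."""

    @handler("net.name")
    def lookup_name(self, artifact):
        self.lookups += 1
        name = artifact["value"].strip().rstrip(".").lower()
        category = BAD_DOMAINS.get(name)
        return [{"type": "net.name", "value": name, "category": category}] if category else []


if __name__ == "__main__":
    # Constructed artifacts, shaped as type + value like the platform submits them.
    artifacts = [
        {"type": "net.ip", "value": "198.51.100.7"},
        {"type": "net.ip", "value": "not-an-ip"},
        {"type": "net.uri", "value": "http://malicious.example/login"},
        {"type": "net.name", "value": "Malicious.Example."},
    ]
    for searcher in (IpOnlySearcher(), IpAndDnsSearcher()):
        print(searcher.__class__.__name__, "handles", searcher.handled_types())
        for artifact in artifacts:
            print("  ", artifact["type"], artifact["value"], "->", searcher.scan(artifact))
        print("   lookups reached:", searcher.lookups)
```

    The `lookups` counter makes the post's point measurable: a "net.uri" artifact sent to `IpOnlySearcher` produces no hits and never increments the counter, because no method is registered for that type. Adding "net.name" (or "hash.md5", and so on) is one more decorated method, and the platform side needs no change.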