Suppose that the Custom Threat Source responds with "upload_file":true.
When we create an artifact for "RFC822 Email Message File" or "X509 Certificate File", we associate a file as an attachment.
In these cases, only the file names were passed to the Custom Threat Source in my environment, rather than the binary data of the files.
The following are the examples observed in my resilient34 environment.
{"type":"cert.x509","value":"V34_9.68.70.87_cacert.cer"}
{"type":"email","value":"emailmessage-1.txt"}
So I wonder whether some Resilient configuration is necessary to send the binary data.
I think the binary data should be the entity to be evaluated for the Custom Threat Source.
------------------------------
Yohji Amano
------------------------------