diff --git a/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Severity.json b/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Severity.json
new file mode 100644
index 000000000000..7f8b66535ddc
--- /dev/null
+++ b/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Severity.json
@@ -0,0 +1,26 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "gtiseverity",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 2,
+ "hidden": false,
+ "id": "indicator_gti_severity",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GTI Severity",
+ "neverSetAsRequired": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": true,
+ "version": -1,
+ "fromVersion": "5.5.0"
+}
diff --git a/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Threat_Score.json b/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Threat_Score.json
new file mode 100644
index 000000000000..8a2a318a9bb6
--- /dev/null
+++ b/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Threat_Score.json
@@ -0,0 +1,26 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "gtithreatscore",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 2,
+ "hidden": false,
+ "id": "indicator_gti_threat_score",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GTI Threat Score",
+ "neverSetAsRequired": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "number",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": true,
+ "version": -1,
+ "fromVersion": "5.5.0"
+}
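Review bot: All three new indicator fields set `"unsearchable": true`, which means analysts cannot filter or search indicators by GTI severity, threat score or verdict; the GTI_Threat_Score section here and the GTI_Verdict section that follows carry the same setting. Fields marked `"useAsKpi": true` are usually the ones teams pivot on, so unless searchability was deliberately disabled (for example to limit index growth), `"unsearchable": false,` on all three seems the more useful default. If it is deliberate, a one-line note in the pack's release notes explaining the choice would save the next maintainer from reverting it.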
diff --git a/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Verdict.json b/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Verdict.json
new file mode 100644
index 000000000000..1968befdf279
--- /dev/null
+++ b/Packs/GoogleThreatIntelligence/IndicatorFields/indicatorfield-GTI_Verdict.json
@@ -0,0 +1,26 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "gtiverdict",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 2,
+ "hidden": false,
+ "id": "indicator_gti_verdict",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GTI Verdict",
+ "neverSetAsRequired": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": true,
+ "version": -1,
+ "fromVersion": "5.5.0"
+}
diff --git a/Packs/GoogleThreatIntelligence/Integrations/FeedLivehunt/FeedLivehunt.py b/Packs/GoogleThreatIntelligence/Integrations/FeedLivehunt/FeedLivehunt.py
index 3572925671e5..52c87b8a1fa4 100644
--- a/Packs/GoogleThreatIntelligence/Integrations/FeedLivehunt/FeedLivehunt.py
+++ b/Packs/GoogleThreatIntelligence/Integrations/FeedLivehunt/FeedLivehunt.py
@@ -137,6 +137,7 @@ def fetch_indicators_command(client: Client,
 raw_data = {
 'value': value_,
 'type': type_,
+ 'attributes': attributes,
 }
 detection_ratio = DetectionRatio(attributes.get('last_analysis_stats'))
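Review bot: The added `'attributes': attributes` line has no comment, yet it changes what every indicator persists: `raw_data` is later stored as `rawJSON` (visible in the next hunk), so each indicator now carries the feed's complete attributes object instead of just value and type. A why-comment on the added line would help, e.g. `# persist the full GTI attributes in rawJSON so mapper/layout logic can read fields not promoted to indicator fields  # NOTE(review): confirm intent`. Because rawJSON content is produced by the feed, this is also the place where indicator object size grows with whatever GTI returns; if a ceiling on indicator size matters in your deployment, it is worth noting here. `attributes` is bound outside the hunk, and `fetch_indicators_command` starts and ends outside it.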
@@ -179,6 +180,11 @@ def fetch_indicators_command(client: Client,
 'displayname': attributes.get('meaningful_name'),
 'name': attributes.get('meaningful_name'),
 'size': attributes.get('size'),
+ 'malwarefamily': malware_families or None,
+ 'actor': threat_actors or None,
+ 'gtithreatscore': gti_assessment.get('threat_score', {}).get('value'),
+ 'gtiseverity': gti_assessment.get('severity', {}).get('value'),
+ 'gtiverdict': gti_assessment.get('verdict', {}).get('value'),
 },
 # A dictionary of the raw data returned from the feed source about the indicator.
 'rawJSON': raw_data,
@@ -187,11 +193,6 @@ def fetch_indicators_command(client: Client,
 'fileType': attributes.get('type_description'),
 'rulesetName': context_attributes.get('ruleset_name'),
 'ruleName': context_attributes.get('rule_name'),
- 'gti_threat_score': gti_assessment.get('threat_score', {}).get('value'),
- 'gti_severity': gti_assessment.get('severity', {}).get('value'),
- 'gti_verdict': gti_assessment.get('verdict', {}).get('value'),
- 'malware_families': malware_families or None,
- 'threat_actors': threat_actors or None,
 }
 if feed_tags:
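Review bot: The `gti_assessment.get('threat_score', {}).get('value')` pattern on the three `gti*` lines added to `fields` only tolerates a missing key; if the feed returns `"threat_score": null` the `{}` default is not used and `.get('value')` raises AttributeError on None, which aborts the whole fetch rather than just leaving one field empty. A null-tolerant form is `(gti_assessment.get('threat_score') or {}).get('value')`, and likewise for `severity` and `verdict`. The lines removed in the following hunk had the same shape, so this is pre-existing rather than introduced here, but moving the values into `fields` (where they now populate the new `gtithreatscore`/`gtiseverity`/`gtiverdict` indicator fields) is the natural moment to harden it. `gti_assessment`, `malware_families` and `threat_actors` are bound outside the hunk, and `fetch_indicators_command` starts and ends outside it.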