As-Is: OTXLookupResult only checks the result for a non-zero count of pulses. But some of the results have a validation field, where information about whitelisting of the IP/domain can be found (not malicious, even if found in pulses). This causes a false positive result to be returned into Graylog.
To-Be: OTXLookupResult should check for the occurrence of the validation key first and, if it is false, then continue with checking the non-zero count of pulses.
Example of the result from OTX API, indicator IPv4, IP=8.8.8.8
```json
...
"validation": [
    {
        "message": "suspiciously short IP (len: 7)",
        "name": "Suspicious IP format / Possible version number",
        "source": "suspicious"
    },
    {
        "message": "contained in 8.8.8.8",
        "name": "Whitelisted IP",
        "source": "whitelist"
    }
],
...
```
Example: for inspiration, here is the code from the Python OTX-Python-SDK example, function `def ip()`.
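The To-Be logic above, as an added example that is not the plugin's own code: the OTX general-endpoint response is parsed, the `validation` list is consulted first, and only an indicator that is not whitelisted and has a non-zero pulse count is reported as a threat. The `pulse_info.count` path and the `source`/`name`/`message` keys are assumed from the OTX API layout; the sample responses are constructed from the excerpt in this issue.

```python
"""Added example: evaluate an OTX indicator lookup, honouring whitelisting."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class OTXLookupResult:
    pulse_count: int
    whitelisted: bool
    validation_names: List[str] = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        # A whitelisted indicator is never a hit, whatever the pulse count.
        return not self.whitelisted and self.pulse_count > 0

    def to_graylog_fields(self) -> Dict[str, object]:
        # Extra fields so whitelisting is searchable in Graylog.
        return {
            "otx_threat_indicated": self.malicious,
            "otx_threat_pulse_count": self.pulse_count,
            "otx_whitelisted": self.whitelisted,
        }


def evaluate_otx_response(resp: dict) -> OTXLookupResult:
    """Parse a /indicators/IPv4/<ip>/general response (assumed layout)."""
    pulse_count = int((resp.get("pulse_info") or {}).get("count", 0))
    entries = [v for v in (resp.get("validation") or []) if isinstance(v, dict)]
    # Check validation before counting pulses, as the issue proposes.
    whitelisted = any(v.get("source") == "whitelist" for v in entries)
    names = [str(v.get("name", "")) for v in entries]
    return OTXLookupResult(pulse_count, whitelisted, names)


# Constructed samples: the first mirrors the 8.8.8.8 excerpt in the issue.
SAMPLE_WHITELISTED = {
    "indicator": "8.8.8.8",
    "pulse_info": {"count": 3},
    "validation": [
        {"message": "suspiciously short IP (len: 7)",
         "name": "Suspicious IP format / Possible version number",
         "source": "suspicious"},
        {"message": "contained in 8.8.8.8", "name": "Whitelisted IP",
         "source": "whitelist"},
    ],
}
SAMPLE_FLAGGED = {"indicator": "198.51.100.7", "pulse_info": {"count": 2}}
```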
This would be great, as I see a lot of false positives due to this lack of validation.
For now, we are manually whitelisting these in the pipeline, but it can be quite time-consuming.
It would be nice to have some configuration options to somewhat filter the results. So, for example, it would be possible to check fields such as the whitelisting option without modifying the code.
Or at the very least return more otx fields, something like "otx_whitelisted" and/or "otx_falsepositive" so that they can be applied in searches.