Multiple updates to proofpoint example

- Added additional required keys to keys.py.example
- Added error check for unset keys
- Used built-in HTTP Basic Auth for requests instead of manually-created header
- Removed setting of orgc as that's pulled from the MISP key being used
-
pull/749/head
Nick 2021-02-17 14:57:59 -05:00 committed by Raphaël Vinot
parent ffd4677c99
commit 1ea59931e0
2 changed files with 20 additions and 15 deletions


@ -1,8 +1,11 @@
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
misp_url = 'https://<your MISP URL>/' misp_url = 'https:// your MISP URL /'
misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
misp_verifycert = True misp_verifycert = True
misp_client_cert = '' misp_client_cert = ''
proofpoint_key = 'Your Proofpoint TAP auth key' misp_orgID = '2' # Org ID to use for ingesting events
misp_orgUUID = '11111111-2222-3333-4444-555555555555' # Org UUID to use for ingesting events
proofpoint_sp = '' # Service Principal from TAP (https://threatinsight.proofpoint.com/<custID>/settings/connected-applications)
proofpoint_secret = ''
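Review bot: The new `misp_orgID = '2'` placeholder is a plausible real value, so unlike the UUID placeholder it cannot be detected as unset by the consuming script; a comment such as `# Placeholder, replace with the ID of the org that will own the ingested events` would make that explicit, and `proofpoint_secret = ''` deserves the same kind of comment its `proofpoint_sp` neighbour has, e.g. `# Secret issued with the Service Principal above`. The rendered new side of `misp_url` reads `'https:// your MISP URL /'`, i.e. the angle brackets around the placeholder seem to have been dropped; this may only be a rendering artifact, but it is worth confirming the committed file still marks the placeholder clearly. The example ships both TAP credentials as empty strings, which the script can check for cheaply, so keeping them empty rather than inventing dummy values is the right choice.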


@ -1,7 +1,17 @@
import requests import requests
from requests.auth import HTTPBasicAuth
import json import json
from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
from keys import misp_url, misp_key, misp_verifycert, proofpoint_key from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret, misp_orgID, misp_orgUUID
################# Edit these #################
orgID = misp_orgID
orgUUID = misp_orgUUID
##############################################
if orgUUID == '11111111-2222-3333-4444-555555555555':
print('Please edit the orgID and orgUUID variables in keys.py')
quit()
# initialize PyMISP and set url for Panorama # initialize PyMISP and set url for Panorama
misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert) misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
@ -16,27 +26,19 @@ queryString = {
"format": "json" "format": "json"
} }
# auth to api needs to be set as a header, not as part of the query string
headers = {
'Authorization': "Basic " + proofpoint_key
}
responseSiem = requests.request("GET", urlSiem, headers=headers, params=queryString)
responseSiem = requests.request("GET", urlSiem, params=queryString, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
if 'Credentials authentication failed' in responseSiem.text: if 'Credentials authentication failed' in responseSiem.text:
print("Credentials invalid, please edit keys.py and try again") print('Credentials invalid, please edit keys.py and try again')
quit() quit()
jsonDataSiem = json.loads(responseSiem.text) jsonDataSiem = json.loads(responseSiem.text)
for alert in alertType: for alert in alertType:
for messages in jsonDataSiem[alert]: for messages in jsonDataSiem[alert]:
orgc = MISPOrganisation()
orgc.name = 'Proofpoint'
orgc.id = '#{ORGC.ID}' # organisation id
orgc.uuid = '#{ORGC.UUID}' # organisation uuid
# initialize and set MISPEvent() # initialize and set MISPEvent()
event = MISPEvent() event = MISPEvent()
event.Orgc = orgc
if alert == "messagesDelivered" or alert == "messagesBlocked": if alert == "messagesDelivered" or alert == "messagesBlocked":
if alert == "messagesDelivered": if alert == "messagesDelivered":
event.info = alert event.info = alert
@ -115,7 +117,7 @@ for alert in alertType:
# get campaignID from each TAP alert and query campaign API # get campaignID from each TAP alert and query campaign API
if threatInfo["campaignID"] is not None and threatInfo["campaignID"] != "": if threatInfo["campaignID"] is not None and threatInfo["campaignID"] != "":
urlCampaign = "https://tap-api-v2.proofpoint.com/v2/campaign/" + threatInfo["campaignID"] urlCampaign = "https://tap-api-v2.proofpoint.com/v2/campaign/" + threatInfo["campaignID"]
responseCampaign = requests.request("GET", urlCampaign, headers=headers) responseCampaign = requests.request("GET", urlCampaign, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
jsonDataCampaign = json.loads(responseCampaign.text) jsonDataCampaign = json.loads(responseCampaign.text)
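Review bot: The unset-key check added at the top of the file (the `if orgUUID == '11111111-2222-3333-4444-555555555555':` block in the first hunk) covers only the org UUID placeholder, while `proofpoint_sp` and `proofpoint_secret` ship as empty strings in the example keys file and go straight into the new `HTTPBasicAuth(...)` calls; the check should also reject empty credentials, e.g. `if not proofpoint_sp or not proofpoint_secret: print('Please set proofpoint_sp and proofpoint_secret in keys.py'); quit()`. The same credential pair is constructed twice, in the SIEM request of the second hunk and again in the campaign request of the last hunk; building `tap_auth = HTTPBasicAuth(proofpoint_sp, proofpoint_secret)` once next to the imports and passing `auth=tap_auth` in both places keeps them in step and avoids re-reading the secret. Authentication failure is still detected by a substring match on `responseSiem.text`, so a 401 whose body is worded differently falls through to `json.loads`; checking `responseSiem.status_code` (or calling `responseSiem.raise_for_status()`) before parsing is more reliable, and neither `requests.request` call passes a `timeout=`, so a stalled TAP endpoint hangs the script. With `orgc` no longer set on the event, `orgID` and `orgUUID` appear to be used only in the placeholder check, though the rest of the file is outside this view, so confirm they are still needed before keeping the "Edit these" block.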