mirror of https://github.com/MISP/PyMISP
fixed TODO, added quarantineFolder/quarantineRule from messagesBlocked, added some error handling to prevent empty attributes from being added
parent
7dfb2003ab
commit
6000364d56
|
@ -3,10 +3,6 @@ import json
|
|||
from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
|
||||
from keys import misp_url, misp_key, misp_verifycert, proofpoint_key
|
||||
|
||||
# TODO:
|
||||
# messages:
|
||||
# if messagesBlocked; quarantineFolder & quarantineRule
|
||||
|
||||
# initialize PyMISP and set url for Panorama
|
||||
misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
|
||||
|
||||
|
@ -56,9 +52,8 @@ for alert in alertType:
|
|||
sender = event.add_attribute('email-src', messages["sender"])
|
||||
sender.comment = 'sender address'
|
||||
|
||||
if messages["fromAddress"] is not None and messages["fromAddress"] != "" :
|
||||
fromAddress = event.add_attribute('email-src-display-name', messages["fromAddress"])
|
||||
# for reasons unbeknownst to me, uncommenting the following line breaks this attribute from posting
|
||||
# fromAddress.comment = 'from address'
|
||||
|
||||
headerFrom = event.add_attribute('email-header', messages["headerFrom"])
|
||||
headerFrom.comment = 'email header from'
|
||||
|
@ -69,6 +64,14 @@ for alert in alertType:
|
|||
subject = event.add_attribute('email-subject', messages["subject"])
|
||||
subject.comment = 'email subject'
|
||||
|
||||
if messages["quarantineFolder"] is not None and messages["quarantineFolder"] != "":
|
||||
quarantineFolder = event.add_attribute('comment', messages["quarantineFolder"])
|
||||
quarantineFolder.comment = 'quarantine folder'
|
||||
|
||||
if messages["quarantineRule"] is not None and messages["quarantineRule"] != "":
|
||||
quarantineRule = event.add_attribute('comment', messages["quarantineRule"])
|
||||
quarantineRule.comment = 'quarantine rule'
|
||||
|
||||
messageSize = event.add_attribute('size-in-bytes', messages["messageSize"])
|
||||
messageSize.comment = 'size of email in bytes'
|
||||
|
||||
|
@ -131,14 +134,17 @@ for alert in alertType:
|
|||
disposition.comment = 'email body or attachment'
|
||||
|
||||
# sha256 hash of threat
|
||||
if parts["sha256"] is not None and parts["sha256"] != "":
|
||||
sha256 = event.add_attribute('sha256', parts["sha256"])
|
||||
sha256.comment = 'sha256 hash'
|
||||
|
||||
# md5 hash of threat
|
||||
if parts["md5"] is not None and parts["md5"] != "":
|
||||
md5 = event.add_attribute('md5', parts["md5"])
|
||||
md5.comment = 'md5 hash'
|
||||
|
||||
# filename of threat
|
||||
if parts["filename"] is not None and parts["filename"] != "":
|
||||
filename = event.add_attribute('filename', parts["filename"])
|
||||
filename.comment = 'filename'
|
||||
|
||||
|
|
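Review bot: The guards added in the quarantineFolder/quarantineRule hunk (and likewise in the sha256/md5/filename hunk) index the dict directly, so a field that is absent from the Proofpoint payload still raises KeyError rather than being skipped, which is what the commit message says the handling is for; presumably the quarantine fields only appear for blocked messages, as the removed TODO line suggests. Reading with `.get()` and testing truthiness covers both the missing and the empty case and replaces the repeated `is not None and != ""` test, e.g. `quarantine_folder = messages.get("quarantineFolder")` followed by `if quarantine_folder:`. Both quarantine values are stored as generic `comment` attributes distinguished only by their comment text; a short note such as `# stored as 'comment' attributes: no quarantine-specific MISP type is used here` would record that choice for the next maintainer. The enclosing `for alert in alertType:` loop starts outside every hunk shown.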