Merge pull request #701 from crowface28/main

Fixed Proofpoint TAP Example
2021-02-18 22:41:00 +01:00 · 2021-02-18 22:41:00 +01:00 · 6aab2717e2
parent d0a050263e 9edd1e7529
commit 6aab2717e2
2 changed files with 17 additions and 14 deletions
--- a/examples/keys.py.sample
+++ b/examples/keys.py.sample
@ -5,4 +5,5 @@ misp_url = 'https://<your MISP URL>/'
 misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
 misp_verifycert = True
 misp_client_cert = ''
-proofpoint_key = 'Your Proofpoint TAP auth key'
+proofpoint_sp = '<proofpoint service principal>'  # Service Principal from TAP (https://threatinsight.proofpoint.com/<custID>/settings/connected-applications)
+proofpoint_secret = '<proofpoint secret>'
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@ -1,7 +1,14 @@
 import requests
+from requests.auth import HTTPBasicAuth
 import json
-from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
-from keys import misp_url, misp_key, misp_verifycert, proofpoint_key
+from pymisp import ExpandedPyMISP, MISPEvent
+from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+if proofpoint_secret == '<proofpoint secret>':
+    print('Set the proofpoint_secret in keys.py before running.  Exiting...')
+    quit()

 # initialize PyMISP and set url for Panorama
 misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
@ -16,24 +23,19 @@ queryString = {
    "format": "json"
 }

-# auth to api needs to be set as a header, not as part of the query string
-headers = {
-    'Authorization': "Basic " + proofpoint_key
-}

-responseSiem = requests.request("GET", urlSiem, headers=headers, params=queryString)
+
+responseSiem = requests.request("GET", urlSiem,  params=queryString, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
+if 'Credentials authentication failed' in responseSiem.text:
+    print('Credentials invalid, please edit keys.py and try again')
+    quit()

 jsonDataSiem = json.loads(responseSiem.text)

 for alert in alertType:
    for messages in jsonDataSiem[alert]:
-        orgc = MISPOrganisation()
-        orgc.name = 'Proofpoint'
-        orgc.id = '#{ORGC.ID}'  # organisation id 
-        orgc.uuid = '#{ORGC.UUID}'  # organisation uuid
        # initialize and set MISPEvent()
        event = MISPEvent()
-        event.Orgc = orgc
        if alert == "messagesDelivered" or alert == "messagesBlocked":
            if alert == "messagesDelivered":
                event.info = alert
@ -112,7 +114,7 @@ for alert in alertType:
                # get campaignID from each TAP alert and query campaign API
                if threatInfo["campaignID"] is not None and threatInfo["campaignID"] != "":
                    urlCampaign = "https://tap-api-v2.proofpoint.com/v2/campaign/" + threatInfo["campaignID"]
-                    responseCampaign = requests.request("GET", urlCampaign, headers=headers)
+                    responseCampaign = requests.request("GET", urlCampaign, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))

                    jsonDataCampaign = json.loads(responseCampaign.text)