From 694c4b72eecd7d3cbf923bd1e274edd1b9a95119 Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 12:07:11 -0500
Subject: [PATCH 1/8] Added check for invalid creds

Without the added check, the script will error out on line 29 since the key doesn't exist in the dict. This at least gives a reason.
---
 examples/proofpoint_tap.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index 561191e..b5a0fce 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@@ -22,6 +22,9 @@ headers = {
 }
 responseSiem = requests.request("GET", urlSiem, headers=headers, params=queryString)
+if 'Credentials authentication failed' in str(responseSiem.text):
+    print("Credentials invalid, please edit keys.py and try again")
+    quit()
 jsonDataSiem = json.loads(responseSiem.text)

From f5a9d5924db85b63e51406bfff11ee4ee77068d7 Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 12:09:01 -0500
Subject: [PATCH 2/8] removed cast of str to str

---
 examples/proofpoint_tap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index b5a0fce..532a761 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@@ -22,7 +22,7 @@ headers = {
 }
 responseSiem = requests.request("GET", urlSiem, headers=headers, params=queryString)
-if 'Credentials authentication failed' in str(responseSiem.text):
+if 'Credentials authentication failed' in responseSiem.text:
     print("Credentials invalid, please edit keys.py and try again")
     quit()

From a6dde5e4e1d03894013b5f1ef3e6d4f020242bfa Mon Sep 17 00:00:00 2001
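Review bot: Detecting an authentication failure by searching the response body for `'Credentials authentication failed'` in the added `if` is brittle — the check never fires if Proofpoint rewords the message, and a 401/403 with any other body still falls through to `json.loads` and fails with the same cryptic error the commit is trying to avoid. Key the check on the HTTP status instead, e.g. `if responseSiem.status_code in (401, 403):` ahead of the existing message, or call `responseSiem.raise_for_status()` before parsing. The script also exits with `quit()`, which returns status 0, so anything scheduling this script cannot tell the credential failure from a clean run; `sys.exit(1)` would make the failure visible. Presumably the literal was copied from a real TAP error body; if so it is fine to keep as a secondary hint, but not as the only gate.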
From: Nick
Date: Wed, 17 Feb 2021 14:57:59 -0500
Subject: [PATCH 3/8] Multiple updates to proofpoint example

- Added additionally necessary keys to keys.py.example
- Added error check for unset keys
- Used built-in HTTP Basic Auth for requests instead of manually-created header
- Removed setting of orgc as that's pulled from the MISP key being used -
---
 examples/keys.py.sample    |  7 +++++--
 examples/proofpoint_tap.py | 28 +++++++++++++++------------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/examples/keys.py.sample b/examples/keys.py.sample
index f1166c8..9a81d75 100644
--- a/examples/keys.py.sample
+++ b/examples/keys.py.sample
@@ -1,8 +1,11 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-misp_url = 'https:///'
+misp_url = 'https:// your MISP URL /'
 misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
 misp_verifycert = True
 misp_client_cert = ''
-proofpoint_key = 'Your Proofpoint TAP auth key'
+misp_orgID = '2' # Org ID to use for ingesting events
+misp_orgUUID = '11111111-2222-3333-4444-555555555555' # Org UUID to use for ingesting events
+proofpoint_sp = '' # Service Principal from TAP (https://threatinsight.proofpoint.com//settings/connected-applications)
+proofpoint_secret = ''
\ No newline at end of file
diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index 532a761..b50824b 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
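Review bot: The new `proofpoint_secret = ''` line in keys.py.sample carries no comment, unlike `proofpoint_sp` just above it, so a reader has to guess where the value comes from and that the file becomes a credential store once filled in. A one-line note would help: `proofpoint_secret = ''  # Secret issued with the Service Principal above; once set, keys.py holds live credentials - keep it out of version control`. The link in the `proofpoint_sp` comment also has a doubled slash (`proofpoint.com//settings`), which looks like a typo rather than an intended path.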
@@ -1,7 +1,17 @@
 import requests
+from requests.auth import HTTPBasicAuth
 import json
 from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
-from keys import misp_url, misp_key, misp_verifycert, proofpoint_key
+from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret, misp_orgID, misp_orgUUID
+
+################# Edit these #################
+orgID = misp_orgID
+orgUUID = misp_orgUUID
+##############################################
+
+if orgUUID == '11111111-2222-3333-4444-555555555555':
+    print('Please edit the orgID and orgUUID variables in keys.py')
+    quit()
 # initialize PyMISP and set url for Panorama
 misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
@@ -16,27 +26,19 @@ queryString = {
     "format": "json"
 }
-# auth to api needs to be set as a header, not as part of the query string
-headers = {
-    'Authorization': "Basic " + proofpoint_key
-}
-responseSiem = requests.request("GET", urlSiem, headers=headers, params=queryString)
+
+responseSiem = requests.request("GET", urlSiem, params=queryString, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
 if 'Credentials authentication failed' in responseSiem.text:
-    print("Credentials invalid, please edit keys.py and try again")
+    print('Credentials invalid, please edit keys.py and try again')
     quit()
 jsonDataSiem = json.loads(responseSiem.text)
 for alert in alertType:
     for messages in jsonDataSiem[alert]:
-        orgc = MISPOrganisation()
-        orgc.name = 'Proofpoint'
-        orgc.id = '#{ORGC.ID}' # organisation id
-        orgc.uuid = '#{ORGC.UUID}' # organisation uuid
         # initialize and set MISPEvent()
         event = MISPEvent()
-        event.Orgc = orgc
         if alert == "messagesDelivered" or alert == "messagesBlocked":
             if alert == "messagesDelivered":
                 event.info = alert
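Review bot: The rewritten `responseSiem = requests.request("GET", urlSiem, params=queryString, auth=HTTPBasicAuth(...))` passes no `timeout`, and `requests` waits indefinitely by default, so a stalled TAP endpoint hangs this script forever rather than failing — a problem for anything run from cron. Add a bound, e.g. `timeout=30`, and since the same credential pair is rebuilt again for the campaign lookup later in the file, bind it once as `tap_auth = HTTPBasicAuth(proofpoint_sp, proofpoint_secret)` and pass `auth=tap_auth` to both calls. The `for alert in alertType:` loop that this hunk cuts into continues past the hunk, so the event-building code after `event.info = alert` is not visible here.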
@@ -115,7 +117,7 @@ for alert in alertType:
             # get campaignID from each TAP alert and query campaign API
             if threatInfo["campaignID"] is not None and threatInfo["campaignID"] != "":
                 urlCampaign = "https://tap-api-v2.proofpoint.com/v2/campaign/" + threatInfo["campaignID"]
-                responseCampaign = requests.request("GET", urlCampaign, headers=headers)
+                responseCampaign = requests.request("GET", urlCampaign, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
                 jsonDataCampaign = json.loads(responseCampaign.text)

From 1b55d265b87599de6072d3d7bc2d7407b999f8ad Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 14:58:54 -0500
Subject: [PATCH 4/8] re-added brackets

---
 examples/keys.py.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/keys.py.sample b/examples/keys.py.sample
index 9a81d75..36fa465 100644
--- a/examples/keys.py.sample
+++ b/examples/keys.py.sample
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-misp_url = 'https:// your MISP URL /'
+misp_url = 'https:///'
 misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
 misp_verifycert = True
 misp_client_cert = ''

From 5ee18d433fe136ec0d029957ed4acd872b8d6536 Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 15:01:13 -0500
Subject: [PATCH 5/8] deleted all references to org as it's unneeded

---
 examples/keys.py.sample    |  2 --
 examples/proofpoint_tap.py | 11 +----------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/examples/keys.py.sample b/examples/keys.py.sample
index 36fa465..7043aaa 100644
--- a/examples/keys.py.sample
+++ b/examples/keys.py.sample
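Review bot: The new `responseCampaign = requests.request("GET", urlCampaign, auth=HTTPBasicAuth(...))` line is followed directly by `json.loads(responseCampaign.text)` with no status check, so a campaign that returns 404, a 429 rate-limit or an HTML error page surfaces as a JSON decode error from deep inside the per-message loop, and as with the SIEM call there is no `timeout`. Add `timeout=30` and `responseCampaign.raise_for_status()` (or a status test that skips the campaign enrichment) before parsing. The context line above builds the URL by concatenating `threatInfo["campaignID"]`, a value taken from the API response rather than from this script; it is presumably an opaque identifier, but `urllib.parse.quote(threatInfo["campaignID"], safe='')` would keep an unexpected character from changing the request path. The enclosing loop body starts and ends outside this hunk.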
@@ -5,7 +5,5 @@ misp_url = 'https:///'
 misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
 misp_verifycert = True
 misp_client_cert = ''
-misp_orgID = '2' # Org ID to use for ingesting events
-misp_orgUUID = '11111111-2222-3333-4444-555555555555' # Org UUID to use for ingesting events
 proofpoint_sp = '' # Service Principal from TAP (https://threatinsight.proofpoint.com//settings/connected-applications)
 proofpoint_secret = ''
\ No newline at end of file
diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index b50824b..1cc3bb6 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@@ -2,16 +2,7 @@ import requests
 from requests.auth import HTTPBasicAuth
 import json
 from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
-from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret, misp_orgID, misp_orgUUID
-
-################# Edit these #################
-orgID = misp_orgID
-orgUUID = misp_orgUUID
-##############################################
-
-if orgUUID == '11111111-2222-3333-4444-555555555555':
-    print('Please edit the orgID and orgUUID variables in keys.py')
-    quit()
+from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret
 # initialize PyMISP and set url for Panorama
 misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)

From 60ba85852763ea1de965438f18fbd9743c0910c3 Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 15:06:25 -0500
Subject: [PATCH 6/8] re-added error checking for defaults

---
 examples/keys.py.sample    | 4 ++--
 examples/proofpoint_tap.py | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/examples/keys.py.sample b/examples/keys.py.sample
index 7043aaa..3c59bfe 100644
--- a/examples/keys.py.sample
+++ b/examples/keys.py.sample
@@ -5,5 +5,5 @@ misp_url = 'https:///'
 misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
 misp_verifycert = True
 misp_client_cert = ''
-proofpoint_sp = '' # Service Principal from TAP (https://threatinsight.proofpoint.com//settings/connected-applications)
-proofpoint_secret = ''
\ No newline at end of file
+proofpoint_sp = '' # Service Principal from TAP (https://threatinsight.proofpoint.com//settings/connected-applications)
+proofpoint_secret = ''
\ No newline at end of file
diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index 1cc3bb6..06e826e 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@@ -4,6 +4,10 @@ import json
 from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
 from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret
+if proofpoint_secret == '':
+    print('Set the proofpoint_secret in keys.py before running. Exiting...')
+    quit()
+
 # initialize PyMISP and set url for Panorama
 misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)

From 05d4da46a5dc8cd6257682f24e48466c8f369dd4 Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 15:10:21 -0500
Subject: [PATCH 7/8] supress ssl warnings

---
 examples/proofpoint_tap.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index 06e826e..18e1452 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@@ -3,6 +3,8 @@ from requests.auth import HTTPBasicAuth
 import json
 from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
 from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 if proofpoint_secret == '':
     print('Set the proofpoint_secret in keys.py before running. Exiting...')

From 9edd1e75294f17914d22cc463cc4e74ae870b6ac Mon Sep 17 00:00:00 2001
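Review bot: The added guard `if proofpoint_secret == '':` covers only one of the two TAP credentials; `proofpoint_sp` ships empty in the same keys.py.sample and is imported on the line above, yet an empty service principal passes this check and only fails later as an authentication error against the API. Widen it to `if not proofpoint_sp or not proofpoint_secret:` with a message naming both settings, and end with `sys.exit(1)` rather than `quit()` so the misconfiguration is reported as a non-zero exit to whatever runs the script (`quit()` exits 0 and is a `site`-module convenience rather than a language builtin). The `misp_key` placeholder from the sample is presumably rejected by MISP itself, so it is less urgent to pre-check, but the same pattern would apply.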
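Review bot: `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` is executed unconditionally at import time, so the only signal that certificate verification has been switched off is silenced even for deployments that keep `misp_verifycert = True`, and for every `requests` call made by this process. Gate it on the setting the user actually chose: `if not misp_verifycert:` followed by the `disable_warnings` call, so the warning disappears only where the operator has knowingly accepted unverified TLS to MISP. The Proofpoint calls in this file pass no `verify=` argument and so still verify by default; presumably the warning being suppressed comes from the PyMISP connection, which is worth stating in a comment on the line so the next reader does not take it as a license to disable verification elsewhere.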
From: Nick
Date: Thu, 18 Feb 2021 11:33:34 -0500
Subject: [PATCH 8/8] Removed unused import

---
 examples/proofpoint_tap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index 18e1452..d76aa3f 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
@@ -1,7 +1,7 @@
 import requests
 from requests.auth import HTTPBasicAuth
 import json
-from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
+from pymisp import ExpandedPyMISP, MISPEvent
 from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret
 import urllib3
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)