From a6dde5e4e1d03894013b5f1ef3e6d4f020242bfa Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 17 Feb 2021 14:57:59 -0500
Subject: [PATCH] Multiple updates to proofpoint example
- Added additionally necessary keys to keys.py.example
- Added error check for unset keys
- Used built-in HTTP Basic Auth for requests instead of manually-created header
- Removed setting of orgc as that's pulled from the MISP key being used
-
---
 examples/keys.py.sample | 7 +++++--
 examples/proofpoint_tap.py | 28 +++++++++++++++------------
 2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/examples/keys.py.sample b/examples/keys.py.sample
index f1166c8..9a81d75 100644
--- a/examples/keys.py.sample
+++ b/examples/keys.py.sample
@@ -1,8 +1,11 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-misp_url = 'https:///'
+misp_url = 'https:// your MISP URL /'
 misp_key = 'Your MISP auth key' # The MISP auth key can be found on the MISP web interface under the automation section
 misp_verifycert = True
 misp_client_cert = ''
-proofpoint_key = 'Your Proofpoint TAP auth key'
+misp_orgID = '2' # Org ID to use for ingesting events
+misp_orgUUID = '11111111-2222-3333-4444-555555555555' # Org UUID to use for ingesting events
+proofpoint_sp = '' # Service Principal from TAP (https://threatinsight.proofpoint.com//settings/connected-applications)
+proofpoint_secret = ''
\ No newline at end of file
diff --git a/examples/proofpoint_tap.py b/examples/proofpoint_tap.py
index 532a761..b50824b 100644
--- a/examples/proofpoint_tap.py
+++ b/examples/proofpoint_tap.py
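Review bot: `proofpoint_secret = ''` on the last added line of the keys.py.sample hunk is the one new key with no comment, and the file now ends without a newline, so a reader of the sample gets no hint of what the value is or where it comes from even though the sibling `proofpoint_sp` line shows the pattern. I would write `proofpoint_secret = '' # Secret for the Service Principal above; keep your edited keys.py out of version control` and restore the trailing newline. The `misp_orgUUID` placeholder also doubles as the sentinel that proofpoint_tap.py compares against before running, so it is worth saying so on that line, e.g. `# placeholder: proofpoint_tap.py refuses to run until this is changed`, because replacing it with any other dummy value silently disables that check.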
@@ -1,7 +1,17 @@
 import requests
+from requests.auth import HTTPBasicAuth
 import json
 from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
-from keys import misp_url, misp_key, misp_verifycert, proofpoint_key
+from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret, misp_orgID, misp_orgUUID
+
+################# Edit these #################
+orgID = misp_orgID
+orgUUID = misp_orgUUID
+##############################################
+
+if orgUUID == '11111111-2222-3333-4444-555555555555':
+print('Please edit the orgID and orgUUID variables in keys.py')
+quit()
 # initialize PyMISP and set url for Panorama
 misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
@@ -16,27 +26,19 @@ queryString = {
 "format": "json"
 }
-# auth to api needs to be set as a header, not as part of the query string
-headers = {
-'Authorization': "Basic " + proofpoint_key
-}
-responseSiem = requests.request("GET", urlSiem, headers=headers, params=queryString)
+
+responseSiem = requests.request("GET", urlSiem, params=queryString, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
 if 'Credentials authentication failed' in responseSiem.text:
-print("Credentials invalid, please edit keys.py and try again")
+print('Credentials invalid, please edit keys.py and try again')
 quit()
 jsonDataSiem = json.loads(responseSiem.text)
 for alert in alertType:
 for messages in jsonDataSiem[alert]:
-orgc = MISPOrganisation()
-orgc.name = 'Proofpoint'
-orgc.id = '#{ORGC.ID}' # organisation id
-orgc.uuid = '#{ORGC.UUID}' # organisation uuid
 # initialize and set MISPEvent()
 event = MISPEvent()
-event.Orgc = orgc
 if alert == "messagesDelivered" or alert == "messagesBlocked":
 if alert == "messagesDelivered":
 event.info = alert
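Review bot: The unset-key guard added just before `misp = ExpandedPyMISP(...)` only compares `orgUUID` with the sample placeholder, while `proofpoint_sp` and `proofpoint_secret` ship as empty strings in keys.py.sample and `misp_orgID` is left at its sample value unchecked, so an unedited Proofpoint credential is sent to the TAP API as an empty basic-auth pair and is only caught later by substring-matching the error body. I would extend the guard with `if not proofpoint_sp or not proofpoint_secret:` / `print('Please set proofpoint_sp and proofpoint_secret in keys.py')` / `quit()` directly after the existing check. `MISPOrganisation` stays imported although the only visible use of it is removed in the next hunk; if nothing below the shown lines uses it, the import can go too. `quit()` is the site-module helper and exits with status 0, so a scheduled run would not notice the misconfiguration; `sys.exit(1)` (with `import sys`) would surface it.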
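Review bot: The rewritten `responseSiem = requests.request(...)` line still passes no `timeout=`, and the only error handling after it is the `'Credentials authentication failed' in responseSiem.text` substring check, so a stalled connection hangs the script indefinitely and any other non-2xx answer (rate limiting, a rejected query interval) falls through to `json.loads(responseSiem.text)` and fails with a JSON decode error instead of a clear message. I would pass `timeout=30` (choose a value suited to the deployment) and call `responseSiem.raise_for_status()` before parsing, keeping the credential check as the friendlier message for the authentication case. The `HTTPBasicAuth(proofpoint_sp, proofpoint_secret)` expression is built inline here and again for the campaign request in the following hunk; binding it once, `tap_auth = HTTPBasicAuth(proofpoint_sp, proofpoint_secret)`, and passing `auth=tap_auth` in both places keeps the credential handling in one spot. The enclosing `for alert in alertType:` loop continues past the end of this hunk.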
@@ -115,7 +117,7 @@ for alert in alertType:
 # get campaignID from each TAP alert and query campaign API
 if threatInfo["campaignID"] is not None and threatInfo["campaignID"] != "":
 urlCampaign = "https://tap-api-v2.proofpoint.com/v2/campaign/" + threatInfo["campaignID"]
-responseCampaign = requests.request("GET", urlCampaign, headers=headers)
+responseCampaign = requests.request("GET", urlCampaign, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
 jsonDataCampaign = json.loads(responseCampaign.text)