Merge pull request #522 from goodlandsecurity/proofpoint-vap-integration

Proofpoint VAP integration
2020-01-18 09:42:22 +01:00 · 2020-01-18 09:42:22 +01:00 · adf97dfeff
parent e2054cb8b8 d41e0d9b30
commit adf97dfeff
1 changed files with 65 additions and 0 deletions
--- a/examples/proofpoint_vap.py
+++ b/examples/proofpoint_vap.py
@ -0,0 +1,65 @@
+import requests
+import json
+from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
+from keys import misp_url, misp_key, misp_verifycert, proofpoint_key
+
+# initialize PyMISP and set url for Panorama
+misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
+
+urlVap = "https://tap-api-v2.proofpoint.com/v2/people/vap?window=30"  # Window can be 14, 30, and 90 Days
+
+headers = {
+    'Authorization': "Basic " + proofpoint_key
+}
+
+responseVap = requests.request("GET", urlVap, headers=headers)
+
+jsonDataVap = json.loads(responseVap.text)
+
+for alert in jsonDataVap["users"]:
+    orgc = MISPOrganisation()
+    orgc.name = 'Proofpoint'
+    orgc.id = '#{ORGC.ID}'  # organisation id
+    orgc.uuid = '#{ORGC.UUID}'  # organisation uuid
+    # initialize and set MISPEvent()
+    event = MISPEvent()
+    event.Orgc = orgc
+    event.info = 'Very Attacked Person ' + jsonDataVap["interval"]
+    event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
+    event.threat_level_id = 2  # setting this to 0 breaks the integration
+    event.analysis = 0  # Optional, defaults to 0 (initial analysis)
+
+    totalVapUsers = event.add_attribute('counter', jsonDataVap["totalVapUsers"], comment="Total VAP Users")
+
+    averageAttackIndex = event.add_attribute('counter', jsonDataVap["averageAttackIndex"], comment="Average Attack Count")
+
+    vapAttackIndexThreshold = event.add_attribute('counter', jsonDataVap["vapAttackIndexThreshold"], comment="Attack Threshold")
+
+    emails = event.add_attribute('email-dst', alert["identity"]["emails"], comment="Email Destination")
+
+    attack = event.add_attribute('counter', alert["threatStatistics"]["attackIndex"], comment="Attack Count")
+
+    vip = event.add_attribute('other', str(alert["identity"]["vip"]), comment="VIP")
+
+    guid = event.add_attribute('other', alert["identity"]["guid"], comment="GUID")
+
+    if alert["identity"]["customerUserId"] is not None:
+        customerUserId = event.add_attribute('other', alert["identity"]["customerUserId"], comment="Customer User Id")
+
+    if alert["identity"]["department"] is not None:
+        department = event.add_attribute(alert['other', "identity"]["department"], comment="Department")
+
+    if alert["identity"]["location"] is not None:
+        location = event.add_attribute('other', alert["identity"]["location"], comment="Location")
+
+    if alert["identity"]["name"] is not None:
+
+        name = event.add_attribute('target-user', alert["identity"]["name"], comment="Name")
+
+    if alert["identity"]["title"] is not None:
+
+        title = event.add_attribute('other', alert["identity"]["title"], comment="Title")
+
+    event.add_tag("VAP")
+
+    misp.add_event(event.to_json())