From edffb3ac4d33aa02a5b4e70d370afd5949754601 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Thu, 30 Sep 2021 14:55:39 +0900
Subject: [PATCH] new: [tag] Added an id tag the event if multiple m2m instances are used

---
 mail2misp/mail2misp.py | 1 +
 mail_to_misp_config.py-example | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/mail2misp/mail2misp.py b/mail2misp/mail2misp.py
index c5958b0..03d2479 100644
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@@ -76,6 +76,7 @@ class Mail2MISP():
  self.misp_event.distribution = self.config.default_distribution
  self.misp_event.threat_level_id = self.config.default_threat_level
  self.misp_event.analysis = self.config.default_analysis
+ self.misp_event.add_tag(self.config.id_tag)

  def sighting(self, value, source):
  if self.offline:
diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example
index 2409bf1..823adc5 100644
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
@@ -6,8 +6,9 @@ misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web int
 misp_verifycert = True
 spamtrap = False
 default_distribution = 0
-default_threat_level = 3
+default_threat_level = 4
 default_analysis = 1
+id_tag = 'host:m2m:tld'
 freetext = False
 body_config_prefix = 'm2m' # every line in the body starting with this value will be skipped from the IOCs
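Review bot: `self.config.id_tag` is read unconditionally on the added line, so a deployment whose config file predates this commit and has no `id_tag` entry would presumably raise an AttributeError while the event is being built. Mail would then stop being turned into MISP events until the config is edited. Making the tag optional keeps upgrades safe: `id_tag = getattr(self.config, 'id_tag', None)` followed by `if id_tag: self.misp_event.add_tag(id_tag)`. The enclosing method starts above the hunk, so whether the other config values are guarded is not visible here.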
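Review bot: The new `id_tag` entry ships with the placeholder value `'host:m2m:tld'` and no comment, so an operator who copies the example unchanged will tag every event with that literal string rather than an instance-specific one. A trailing comment would make the intent clear, for example `id_tag = 'host:m2m:tld'  # tag added to every event to identify this mail_to_misp instance; replace with your own`. The same hunk also changes `default_threat_level` from 3 to 4 (Low to Undefined on MISP's scale), which the commit subject does not mention. If that change is intentional it deserves a line in the commit message, because it alters how events created from a copied example config are rated.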