From f84c9eadee32f07c438a61f6aa0932e928e7a301 Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Thu, 18 Jul 2019 11:02:42 +0200
Subject: [PATCH] added new functionality to update an event

---
 mail2misp/mail2misp.py | 12 ++++++++++++
 mail_to_misp.py | 7 ++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/mail2misp/mail2misp.py b/mail2misp/mail2misp.py
index 28210bd..9df2987 100644
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@@ -367,3 +367,15 @@ class Mail2MISP():
 for value, source in self.sightings_to_add:
 self.sighting(value, source)
 return event
+
+ def update_event(self, event_id=None):
+ '''Update event on the remote MISP instance.'''
+
+ if self.offline:
+ return self.misp_event.to_json()
+ event = self.misp.update_event(self.misp_event, event_id=event_id)
+ if self.config.sighting:
+ for value, source in self.sightings_to_add:
+ self.sighting(value, source)
+ return event
+
diff --git a/mail_to_misp.py b/mail_to_misp.py
index 8b70161..7784e16 100755
--- a/mail_to_misp.py
+++ b/mail_to_misp.py
@@ -15,6 +15,7 @@ if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='Push a Mail into a MISP instance')
 parser.add_argument("-r", "--read", help="Read from tempfile.")
 parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
+ parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
 parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
 args = parser.parse_args()
 
@@ -66,5 +67,9 @@ if __name__ == '__main__':
 mail2misp.process_body_iocs()
- mail2misp.add_event()
+ if args.event:
+ misp_event = args.event
+ mail2misp.update_event(event_id=misp_event)
+ else:
+ mail2misp.add_event()
 syslog.syslog("Job finished.")
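Review bot: `update_event` repeats the sighting loop that the context lines above show at the end of `add_event` (`if self.config.sighting: for value, source in self.sightings_to_add: self.sighting(value, source)`), so any later change to how sightings are pushed has to be made twice; a private helper such as `def _push_sightings(self):` called from both methods would keep them in step. The docstring should also say what `event_id=None` means: as written the call falls through to `self.misp.update_event(self.misp_event, event_id=None)`, and since `self.misp_event` is built locally from the mail rather than fetched, it is unclear from this hunk which remote event is targeted in that case — I would either document that callers must pass an id or reject `None` explicitly, e.g. `'''Update the MISP event identified by event_id (int or UUID) with the parsed indicators; returns the server response, or the event JSON when offline.'''`. The `add_event` method starts outside the hunk, and the patch leaves a trailing blank line at end of file.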
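Review bot: The new `--event` option takes any string and passes it straight to `update_event`, so a mistyped id is only discovered server-side, and because the return value of `mail2misp.update_event(...)` is discarded a rejected update (PyMISP commonly reports failures as an `errors` entry in the response rather than raising, if I recall correctly) is still followed by `syslog.syslog("Job finished.")`, which makes a silently lost batch of indicators hard to spot in the logs. I would validate at parse time and check the outcome: `parser.add_argument("-e", "--event", type=int, default=None, help="Add indicators to this existing MISP event (numeric id).")` (or a small `int`-or-UUID validator if UUIDs must stay accepted), then `result = mail2misp.update_event(event_id=args.event)` followed by a check that logs via syslog when `result` carries an `errors` key. The intermediate `misp_event = args.event` adds nothing and `mail2misp.update_event(event_id=args.event)` reads more directly; `default=False` for a value-taking option is better spelled `default=None`. The enclosing `if __name__ == '__main__':` block starts outside the hunk.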