#!/usr/bin/env python3 # -*- coding: utf-8 -*- misp_url = 'YOUR_MISP_URL' misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section misp_verifycert = True spamtrap = False default_distribution = 0 default_threat_level = 4 default_analysis = 1 id_tag = 'host:m2m:tld' freetext = False # O365MISPClient config o365_freetext = False # must be enabled in addition to the above freetext to use this on o365 email messages o365_client_id = 'YOUR_O365_CLIENT_ID' o365_client_secret = 'YOUR_O365_CLIENT_SECRET' o365_tenant_id = 'YOUR_O365_TENANT_ID' o365_resource = 'YOUR_O365_INBOX' # misp@yourdomain.com or whatever inbox you are reading mail from o365_scopes = [ 'offline_access', # Highly recommended to add this. If not you will have to re-authenticate every hour. 'https://graph.microsoft.com/Mail.Read', # To read my mailbox # 'https://graph.microsoft.com/Mail.Read.Shared' # To read another user/shared mailbox ] body_config_prefix = 'm2m' # every line in the body starting with this value will be skipped from the IOCs m2m_key = 'YOUSETYOURKEYHERE' m2m_benign_attachment_keyword = 'benign' enable_dns = True debug = False nameservers = ['149.13.33.69'] email_subject_prefix = 'M2M' attach_original_mail = False ignore_carrier_mail = False ignore_nullsize_attachments = False excludelist = ('google.com', 'microsoft.com') externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net', 'urlscan.io', 'abuse.ch', 'tria.ge', 'bleepingcomputer.com', 'any.run', 'urlvoid.com', 'intezer.com') internallist = ('internal.system.local') noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com' ) # Stop parsing when this term is found stopword = 'Whois & IP Information' # Ignore lines in body of message containing: ignorelist = ("From:", "Sender:", "Received:", "Sender IP:", "Reply-To:", "Registrar WHOIS Server:", "Registrar:", "Domain Status:", "Registrant Email:", "IP Location:", "X-Get-Message-Sender-Via:", "X-Authenticated-Sender:") # Ignore (don't add) attributes that are on server side warning list enforcewarninglist = True # Add a sighting for each value sighting = True sighting_source = "YOUR_MAIL_TO_MISP_IDENTIFIER" # Remove "Re:", "Fwd:" and {Spam?} from subject # add: "[\(\[].*?[\)\]]" to remove everything between [] and (): i.e. [tag] removelist = (r"Re:", r"Fwd:", r"\{Spam\?\} ", r"RE:", r"FW:") # TLP tag setup # Tuples contain different variations of spelling tlptags = {'tlp:amber': ['tlp:amber', 'tlp: amber', 'tlp amber', 'tlp :amber'], 'tlp:amber+strict': ['tlp:amber+strict', 'tlp: amber+strict', 'tlp amber+strict', 'tlp :amber+strict'], 'tlp:green': ['tlp:green', 'tlp: green', 'tlp green', 'tlp :green'], 'tlp:white': ['tlp:white', 'tlp: white', 'tlp white', 'tlp :white'], 'tlp:clear': ['tlp:clear', 'tlp: clear', 'tlp clear', 'tlp :clear'], 'tlp:red': ['tlp:red', 'tlp: red', 'tlp red', 'tlp :red'] } tlptag_default = sorted(tlptags.keys())[0] malwaretags = {'locky': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"'], 'jaff': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"'], 'dridex': ['misp-galaxy:tool="dridex"'], 'netwire': ['Netwire RAT'], 'Pony': ['misp-galaxy:tool="Hancitor"'], 'ursnif': ['misp-galaxy:tool="Snifula"'], 'NanoCore': ['misp-galaxy:tool="NanoCoreRAT"'], 'trickbot': ['misp-galaxy:tool="Trick Bot"'], 'agenttesla': ['misp-galaxy:mitre-malware="Agent Tesla - S0331"'], 'formbook': ['misp-galaxy:malpedia="Formbook"'], 'remcos': ['misp-galaxy:mitre-tool="Remcos - S0332"'], 'snake keylogger': ['misp-galaxy:malpedia="404 Keylogger"'], 'icedid': ['misp-galaxy:malpedia="IcedID"'], 'zloader': ['misp-galaxy:malpedia="Zloader"'], 'lokibot': ['misp-galaxy:mitre-malware="Lokibot - S0447"'], 'valyria': ['misp-galaxy:malpedia="POWERSTATS"'], 'guloader': ['misp-galaxy:mitre-malware="GuLoader - S0561"'], 'avemaria': ['misp-galaxy:mitre-malware="WarzoneRAT - S0670"'], 'warzone': ['misp-galaxy:mitre-malware="WarzoneRAT - S0670"'], 'hancitor': ['misp-galaxy:malpedia="Hancitor"'], 'async': ['misp-galaxy:malpedia="AsyncRAT"'], 'emotet': ['misp-galaxy:mitre-malware="Emotet - S0367"'] } # Tags to be set depending on the presence of other tags dependingtags = {'tlp:white': ['circl:osint-feed'], 'tlp:clear': ['circl:osint-feed'] } # Known identifiers for forwarded messages forward_identifiers = {'-------- Forwarded Message --------', 'Begin forwarded message:'} # Tags to add when hashes are found (e.g. to do automatic expansion) hash_only_tags = {'TODO:VT-ENRICHMENT'} # If an attribute is on any MISP server side `warning list`, skip the creation of the attribute skip_item_on_warninglist = True vt_key = None