TheHive is a great incident response platform that has had the wind in its sails for a while. More and more organizations are already using it or are seriously considering deploying it in the near future. TheHive is tightly integrated with MISP to push/pull IOCs. Such a tool must be fed with useful information for security analysts to process. TheHive relies on other tools from the same team: Hippocampe parses text-based feeds and stores their content, and Cortex enriches observables by querying multiple services in parallel. Another source of information is, for example, a Splunk instance: there is a Splunk app to generate alerts directly in TheHive. And what about emails?
TheHive has a nice REST API that allows performing all kinds of actions, and its perfect companion is the Python module TheHive4py. So it is easy to poll a mailbox at regular intervals to populate a TheHive instance with collected emails. I wrote a tool called imap2thehive.py to achieve this:
# ./imap2thehive.py -h
usage: imap2thehive.py [-h] [-v] [-c CONFIG]

Process an IMAP folder to create TheHive alerts/cases.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbose output
  -c CONFIG, --config CONFIG
                        configuration file (default: /etc/imap2thehive.conf)
The configuration file is easy to understand. How does it work? The IMAP mailbox is polled for new ("unread") messages. If the email subject contains "[ALERT]", an alert is created; otherwise, a case with a set of predefined tasks is created. A Dockerfile is provided to build a container that runs a crontab to poll the mailbox automatically every 5 minutes.
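The poll-classify-create loop described above, as an added example written for this page (it is not the code of imap2thehive.py): it reads an [imap] section in the same key layout the script's users post in the comments, decides for each message whether it becomes an alert ("[ALERT]" in the subject), a case with predefined tasks, or is skipped as spam, and builds the JSON payload a TheHive client would post. Assumed, not taken from the post: the task names in DEFAULT_TASKS, reading the spam option as a literal "Header: value" line to match, and the TheHive field names (title, description, type, source, sourceRef, severity, tlp, tags, tasks, as in the v3 REST alert/case model; check them against your version). The config and the three mails are constructed samples.

```python
"""Added example, not imap2thehive.py: config parsing, mail classification and
TheHive payload building. DEFAULT_TASKS, the spam-line semantics and the
TheHive field names are assumptions; samples below are constructed."""
import configparser
import email
import email.policy
import hashlib
import imaplib

SAMPLE_CONFIG = """\
[imap]
host: imap.example.org
port: 993
user: soc@example.org
password: secret
folder: inbox
expunge: false
spam: (X-Spam-Flag: YES)
"""
SAMPLE_ALERT = b"""From: ids@example.org
Subject: [ALERT] Phishing wave
Message-ID: <a1@example.org>

Suspicious mails seen from sender@evil.example
"""
SAMPLE_MAIL = b"""From: user@example.org
Subject: Strange attachment received
Message-ID: <m1@example.org>

Please have a look.
"""
SAMPLE_SPAM = b"""From: spammer@example.net
Subject: [ALERT] buy now
X-Spam-Flag: YES

cheap stuff
"""
# Tasks attached to every case created from a plain mail (assumed list)
DEFAULT_TASKS = ["Triage", "Identify observables", "Containment", "Lessons learned"]


def load_config(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    s = cp["imap"]
    return {"host": s["host"], "port": s.getint("port", 993),
            "user": s["user"], "password": s["password"],
            "folder": s.get("folder", "INBOX"),
            "expunge": s.getboolean("expunge", False),
            # the config wraps the header line in parentheses; drop them
            "spam": s.get("spam", "").strip("()")}


def is_spam(msg, spam_line):
    """True when the header named in spam_line carries the given value."""
    if ":" not in spam_line:
        return False
    name, _, value = spam_line.partition(":")
    found = msg.get(name.strip())
    return found is not None and found.strip().lower() == value.strip().lower()


def build_payload(raw, spam_line=""):
    """Classify one RFC822 message: ('spam', None), ('alert', d) or ('case', d)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if is_spam(msg, spam_line):
        return "spam", None
    subject = str(msg.get("Subject", "(no subject)"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # sourceRef must be unique per alert: derive it from the Message-ID
    ref = hashlib.sha256(str(msg.get("Message-ID") or subject).encode()).hexdigest()[:16]
    common = {"description": "From: %s\n\n%s" % (msg.get("From", "?"), text),
              "severity": 2, "tlp": 2, "tags": ["email"]}
    if "[ALERT]" in subject:
        return "alert", dict(common, title=subject.replace("[ALERT]", "").strip(),
                             type="email", source="imap", sourceRef=ref)
    return "case", dict(common, title=subject,
                        tasks=[{"title": t} for t in DEFAULT_TASKS])


def poll_mailbox(cfg, handler):
    """Network side of the loop (not run offline): fetch UNSEEN mails over IMAPS,
    hand each classified payload to handler(kind, payload), optionally expunge."""
    box = imaplib.IMAP4_SSL(cfg["host"], cfg["port"])
    box.login(cfg["user"], cfg["password"])
    box.select(cfg["folder"])
    _, data = box.search(None, "UNSEEN")  # FETCH marks them \Seen for the next run
    for num in data[0].split():
        _, parts = box.fetch(num, "(RFC822)")
        kind, payload = build_payload(parts[0][1], cfg["spam"])
        if kind != "spam":
            handler(kind, payload)
        if cfg["expunge"]:
            box.store(num, "+FLAGS", "\\Deleted")
    if cfg["expunge"]:
        box.expunge()
    box.logout()
```

In a real deployment, handler would be a thin wrapper around TheHive4py's create_alert / create_case; keeping classification in a pure function as above lets you unit test the routing (and the spam filter) without a mailbox or a TheHive instance.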
The script is available here.
Getting the below error. Please help
[ERROR]: Cannot create case: 404 ({"type":"NotFoundError","message":"/case"})
Hello, I'm getting the following error:
Cannot create case: 404 ({"type":"NotFoundError","message":"CustomField from not found"})
I already created a CustomField in TheHive. Do you know what I am doing wrong?
This error has nothing to do with the script… Connection to Gmail via IMAPS (TCP/993) is not available. Firewall issue?
Ahh ok thank you for answer.
Do you know why I always get the following error message:
My config file looks like this:
=== gmail ===
[imap]
host: imap.gmail.com
port: 993
user: xxxxxxxxxxxxxxx
password: xxxxxxxxxxxxxx
folder: incoming
expunge: true
spam: (X-Spam-Flag: YES)
= Authentication error
=== gmail ===
[imap]
host: gmail.com
port: 993
user: xxxxxxxxxxxxxxx
password: xxxxxxxxxxxxxx
folder: incoming
expunge: true
spam: (X-Spam-Flag: YES)
= Cannot connect to IMAP server gmail.com: [Errno 101] Network is unreachable
The same happens with yahoo.
What am I doing wrong here?
You don't need to interact with Cortex. The script will poll the mailbox and use the TheHive API to create alerts.
I am trying to create the JSON file that will be read by Cortex. The maximum I got was:
{
  "name": "Imap2thehive",
  "version": "1.0",
  "author": "Xavier Mertens",
  "url": "https://github.com/xme/dockers/tree/master/imap2thehive",
  "license": "MIT",
  "description": "The script polls an IMAP4 mailbox for new emails and imports fetched messages into an instance of TheHive. By default, a new case is created per email read. If the subject of the mail contains [ALERT], an alert is created.",
  "dataTypeList": ["thehive:alert"],
  "command": "imap2thehive/imap2thehive.py",
  "baseConfig": "Imap2thehive",
  "configurationItems": [
    {
      "name": "E-Mail Address",
      "description": "Fetch email and send to the hive",
      "type": "string",
      "multi": false,
      "required": true
    }
  ]
}
Can you give more details? What are you trying to achieve?
Hello, thank you for the sharing.
I don't know if you can help me, maybe my question is very stupid. But I tried to import it into Cortex, and the Cortex GUI was never updated; do you know what I have done wrong?
My instances of TheHive and Cortex run in different Azure VMs. The connection between Cortex and TheHive is OK, as in the previous test, but now I have no success using your responder.
By the way you must be a genius for writing such a thing, I would consume probably my whole live to even start writing it.
Is there a way to generate debug logs? I'm having an issue with the IMAP connection to the Gmail account and I'm not able to figure out the issue.
I have enabled IMAP in the Gmail account settings and also allowed less secure apps in Gmail, but the issue is the same. I can log in to the Gmail account with the same username and password, but when I try to connect through this script it does not connect.
This is the error I'm getting:
[WARNING]: Both case template and tasks are defined. Template (thehivetmp) will be used.
[INFO]: Processing XXXXXXXXXXXXXXXX@gmail.com@imap.gmail.com:993/inbox
[ERROR]: Cannot open inbox for XXXXXXXXXXXXXXXX@gmail.com@imap.gmail.com: b'[AUTHENTICATIONFAILED] Invalid credentials (Failure)'
imap2thehive.conf
[imap]
host: imap.gmail.com
port: 993
user: XXXXXXXXXXXXXXXX@gmail.com
password: PPPPPPPP
folder: inbox
expunge: false
spam: (X-Spam-Flag: YES)
Is it you who posted the same kind of query on github?
Hi!
I would like to create a temporary file name in the /tmp directory without renaming it, for example /tmp/randomdir/attachment.doc; can you help me? I thought of "fd, path = tempfile.mkdtemp" at line 247 but it does not work, I'm not a Python dev.
Thanks!!!
I'm not sure I understand what you're looking for. My script polls an IMAP mailbox and creates cases/alerts based on the mail content.
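One way to do what the question above asks, as an added example written for this page (it is not imap2thehive.py's own code and does not describe how the script stores attachments): each message gets a fresh directory created with tempfile.mkdtemp() (private to the user, mode 0700) under /tmp, and every attachment is written there under its own file name. The name is reduced to a safe base name first, because the sender controls it and a value such as "../../etc/report.doc" or an absolute path would otherwise write outside the directory. The sample message is constructed.

```python
"""Added example (not part of imap2thehive.py): store mail attachments in a
private per-message temp directory with sender-controlled names sanitised."""
import email
import email.message
import email.policy
import os
import re
import tempfile

UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name, default="attachment.bin"):
    """Keep only the last path component, then whitelist characters.
    '../../etc/passwd' -> 'passwd', '' or '..' -> default."""
    name = os.path.basename((name or "").replace("\\", "/"))
    name = UNSAFE.sub("_", name).lstrip(".")
    return name or default


def save_attachments(raw, base_dir=None):
    """Write each attachment of one RFC822 message into a new mkdtemp() dir
    (0700) below base_dir (system temp dir when None); return the paths."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    target = tempfile.mkdtemp(prefix="mail-", dir=base_dir)
    saved = []
    for part in msg.iter_attachments():
        path = os.path.join(target, safe_filename(part.get_filename()))
        stem, n = path, 1
        while os.path.exists(path):          # two attachments, same name
            path, n = "%s.%d" % (stem, n), n + 1
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        saved.append(path)
    return saved


def inside(path, directory):
    """Defensive check a caller can run before handing the file on."""
    real, base = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([real, base]) == base


def sample_message():
    """Constructed mail whose attachment name tries to climb out of /tmp."""
    m = email.message.EmailMessage()
    m["From"] = "someone@example.org"
    m["Subject"] = "invoice"
    m.set_content("see attachment")
    m.add_attachment(b"not really a document", maintype="application",
                     subtype="octet-stream", filename="../../etc/report.doc")
    return m.as_bytes()


if __name__ == "__main__":
    for p in save_attachments(sample_message()):
        print(p, "inside temp dir:", inside(p, tempfile.gettempdir()))
```

mkdtemp() already avoids the race of guessing a predictable name under a world-writable /tmp; the basename step is what keeps the attachment's original name without letting it pick the directory.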
Looking for a facility to email case notes directly to the case number. This would include attachments. It looks to me like the .py script only polls a targeted mailbox. Does something like that exist?