
Feeding TheHive with Emails

TheHive is a great incident response platform that has had the wind in its sails for a while. More and more organizations are already using it or are strongly considering deploying it in the near future. TheHive is tightly integrated with MISP to push/pull IOCs. Such a tool must be fed with useful information to be processed by security analysts. TheHive relies on other tools from the same team: Hippocampe parses and stores text-based feeds, and Cortex enriches observables by querying multiple services in parallel. Another source of information is, for example, a Splunk instance: there is a Splunk app to generate alerts directly in TheHive. And what about emails?


TheHive has a nice REST API that allows performing all kinds of actions, and the perfect companion is the Python module TheHive4py. So it is easy to poll a mailbox at regular intervals to populate a TheHive instance with collected emails. I wrote a tool called imap2thehive.py to achieve this:

# ./imap2thehive.py -h
usage: imap2thehive.py [-h] [-v] [-c CONFIG]

Process an IMAP folder to create TheHive alerts/cased.

optional arguments:
-h, --help show this help message and exit
-v, --verbose verbose output
-c CONFIG, --config CONFIG
configuration file (default: /etc/imap2thehive.conf)

The configuration file is easy to understand! How does it work? The IMAP mailbox is polled for new ("unread") messages. If the email subject contains "[ALERT]", an alert is created; otherwise, a case is created with a set of predefined tasks. There is a Dockerfile to build a container that runs a crontab to poll the mailbox automatically every 5 minutes.
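The decision logic described above (skip messages carrying the configured spam marker, turn "[ALERT]" subjects into alerts and everything else into a case with predefined tasks) is small enough to show in full. The following is an added example written for this page, not the imap2thehive.py code itself: it works on raw RFC 5322 messages so it runs offline, the payload layout and the task names are assumptions, and the sample messages are constructed. Pushing the resulting dictionaries into TheHive4py is left out on purpose.

```python
"""Classify raw e-mail messages the way the post describes imap2thehive doing it.

Added example, not the project's code. The returned dict layout ("kind", "title",
"description", ...) and DEFAULT_TASKS are assumptions made for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Mirrors the `spam: (X-Spam-Flag: YES)` setting shown in the post's config.
SPAM_HEADER = ("X-Spam-Flag", "YES")
# Predefined tasks attached to every case; names constructed for the example.
DEFAULT_TASKS = ["Triage", "Containment", "Remediation"]


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw bytes with the modern policy so headers come back as str."""
    return email.message_from_bytes(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    """Return the preferred text body, or an empty string if none exists."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content().strip() if part is not None else ""


def is_spam(msg: EmailMessage) -> bool:
    """True when the spam marker header from the config is present and set."""
    name, value = SPAM_HEADER
    return str(msg.get(name, "")).strip().upper() == value


def classify(raw: bytes, tasks=DEFAULT_TASKS) -> Optional[dict]:
    """Map one message to an alert payload, a case payload, or None (skipped)."""
    msg = parse_message(raw)
    if is_spam(msg):
        return None
    subject = str(msg.get("Subject", ""))
    base = {
        "title": subject,
        "description": body_text(msg),
        "source": str(msg.get("From", "")),
    }
    if "[ALERT]" in subject:
        # Message-ID is a convenient, stable reference for deduplication.
        return {"kind": "alert", **base, "sourceRef": str(msg.get("Message-ID", ""))}
    return {"kind": "case", **base, "tasks": list(tasks)}


def process_batch(messages) -> dict:
    """Classify a batch (one poll of the folder) and count the outcomes."""
    counts = {"alert": 0, "case": 0, "skipped": 0}
    for raw in messages:
        item = classify(raw)
        counts["skipped" if item is None else item["kind"]] += 1
    return counts


# Constructed sample messages (not real traffic).
ALERT_MAIL = b"""From: ids@example.test
To: soc@example.test
Subject: [ALERT] Suspicious login from 203.0.113.7
Message-ID: <a1@example.test>
Content-Type: text/plain; charset=utf-8

Multiple failed logins followed by a success.
"""

CASE_MAIL = b"""From: helpdesk@example.test
To: soc@example.test
Subject: User reports phishing e-mail
Message-ID: <c1@example.test>
Content-Type: text/plain; charset=utf-8

Please investigate the attached report.
"""

SPAM_MAIL = b"""From: promo@example.test
To: soc@example.test
Subject: [ALERT] You won
X-Spam-Flag: YES
Content-Type: text/plain; charset=utf-8

Click here.
"""

if __name__ == "__main__":
    print(process_batch([ALERT_MAIL, CASE_MAIL, SPAM_MAIL]))
```

Checking the spam header before looking at the subject matters: a spam message can carry "[ALERT]" in its subject too, and it must never be promoted to an alert.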

The script is available here.


11 comments

  1. Is there a way to generate debug logs? I'm having issues with the IMAP connection to the Gmail account and I'm not able to figure out the issue.

    I have enabled IMAP settings in the Gmail account and also allowed less secure apps in Gmail, but the issue is the same. I can log in to the Gmail account with the same username and password, but when I try to connect through this script it is not connecting.

    This is the error I'm getting:

    [WARNING]: Both case template and tasks are defined. Template (thehivetmp) will be used.
    [INFO]: Processing XXXXXXXXXXXXXXXX@gmail.com@imap.gmail.com:993/inbox
    [ERROR]: Cannot open inbox for XXXXXXXXXXXXXXXX@gmail.com@imap.gmail.com: b'[AUTHENTICATIONFAILED] Invalid credentials (Failure)'

    imap2thehive.conf

    [imap]
    host: imap.gmail.com
    port: 993
    user: XXXXXXXXXXXXXXXX@gmail.com
    password: PPPPPPPP
    folder: inbox
    expunge: false
    spam: (X-Spam-Flag: YES)

  2. Hi!
    I would like to create a temporary filename in the /tmp directory without renaming, for example /tmp/randomdir/attachment.doc. Can you help me? I thought of "fd, path = tempfile.mkdtemp" in line 247, but it does not work; I'm not a Python dev.

    Thanks!!!
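The pattern the comment is asking about, saving an attachment under its own name inside a fresh random directory rather than through a renamed temporary file, is shown below. This is an added example for this page, not code from the author or from imap2thehive.py, and the line-247 reference in the comment is not addressed. It uses tempfile.mkdtemp() (which creates a new directory with mode 0700) and, because the attachment filename is attacker-controlled, reduces it to a safe base name before joining it to the directory. The sample message is constructed.

```python
"""Write e-mail attachments into a fresh mkdtemp() directory under a safe name.

Added example, not the project's code. safe_filename() and extract_attachments()
are names chosen for this example.
"""
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path


def safe_filename(name: str) -> str:
    """Reduce an untrusted Content-Disposition filename to a plain base name.

    Drops any directory components (../ or ..\\), keeps only [A-Za-z0-9._-],
    and never returns a hidden or empty name.
    """
    base = os.path.basename(name.replace("\\", "/"))
    cleaned = "".join(ch for ch in base if ch.isalnum() or ch in "._-")
    cleaned = cleaned.lstrip(".")
    return cleaned or "attachment"


def extract_attachments(raw: bytes, root=None) -> list:
    """Parse a raw message and write each attachment into a new random directory.

    Returns the list of written paths, e.g. /tmp/imap2thehive-ab12cd/report.doc.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    # One new 0700 directory per message; no rename step needed afterwards.
    workdir = tempfile.mkdtemp(prefix="imap2thehive-", dir=root)
    written = []
    for part in msg.iter_attachments():
        name = safe_filename(part.get_filename() or "attachment")
        target = Path(workdir, name)
        # Two parts may carry the same filename; keep both without clobbering.
        counter = 1
        while target.exists():
            target = Path(workdir, f"{counter}_{name}")
            counter += 1
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode("utf-8")
        target.write_bytes(payload)
        written.append(str(target))
    return written


def build_sample() -> bytes:
    """Constructed message with one attachment whose filename tries to traverse."""
    m = EmailMessage()
    m["From"] = "helpdesk@example.test"
    m["To"] = "soc@example.test"
    m["Subject"] = "User reports phishing e-mail"
    m.set_content("Please investigate the attached report.")
    m.add_attachment(
        b"constructed attachment body",
        maintype="application",
        subtype="octet-stream",
        filename="../../etc/passwd",
    )
    return m.as_bytes()


if __name__ == "__main__":
    for path in extract_attachments(build_sample()):
        print(path)
```

Without the base-name step, a filename such as ../../etc/passwd joined to the temporary directory would point outside it; with it, the file lands as passwd inside the fresh directory and nowhere else.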

  3. I'm not sure I understand what you're looking for. My script polls an IMAP mailbox and creates cases/alerts based on the mail content.

  4. Looking for a facility to email case notes directly to the case#. This would include attachments. It looks to me like the .py script only polls a targeted mailbox. Does something like that exist?
