I just published a new update of my imap2thehive tool. A quick reminder: this tool is aimed to poll an IMAP mailbox and feed an instance of TheHive with processed emails. This new version is now able to extract interesting IOCs from the email body and attached HTML files. The following indicators are supported:
- IP addresses
- Email addresses
- Hashes (MD5, SHA1, SHA256)
To use it, add the following directive in the configuration file:
Newly created cases will contain the IOCs found. They will be tagged with the same TLP level as the case.
The script is available here.