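def connectEws():
    """Mirror every unread mail of the configured EWS folder into TheHive.

    Each unread message is matched to an existing case through its
    conversation id (the id is embedded in the case description and
    looked up there).  When no case exists, one is created, assigned to
    the first Outlook category of the mail (or to ``synapse``) and given a
    "Communication" task.  The mail body is added as a task log on that
    task, the file attachments become file observables, and the message is
    finally marked as read.

    Returns:
        dict with one key, ``success``: ``True`` when every unread message
        was processed; ``False`` when any step raised.  The exception is
        logged with its traceback; the failing message and the ones after
        it stay unread and are picked up again on the next run.
    """
    logger = logging.getLogger(__name__)
    logger.info('%s.connectEws starts', __name__)
    report = {'success': False}
    try:
        cfg = getConf()
        ewsConnector = EwsConnector(cfg)
        folder_name = cfg.get('EWS', 'folder_name')
        unread = ewsConnector.scan(folder_name)
        theHiveConnector = TheHiveConnector(cfg)
        # Processed in reverse scan order, presumably so that the oldest
        # mail of a conversation creates the case before its replies are
        # attached to it -- TODO confirm the order EwsConnector.scan returns.
        for msg in reversed(unread):
            conversationId = msg.conversation_id.id
            # The conversation id is the key that ties follow-up mails of
            # the same thread to the already created case.
            esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
            if esCaseId is None:
                # First mail of this conversation: create and assign a case.
                # Subject and body are sender-controlled text; they are
                # only stored/rendered in TheHive, never interpreted here.
                caseTitle = str(msg.subject)
                caseDescription = ('```\n'
                                   + 'Case created by Synapse\n'
                                   + 'conversation_id: "'
                                   + str(msg.conversation_id.id) + '"\n'
                                   + '```')
                assignee = msg.categories[0] if msg.categories else 'synapse'
                case = theHiveConnector.craftCase(caseTitle, caseDescription)
                createdCase = theHiveConnector.createCase(case)
                caseUpdated = theHiveConnector.assignCase(createdCase, assignee)
                commTask = theHiveConnector.craftCommTask()
                esCaseId = caseUpdated.id
                commTaskId = theHiveConnector.createTask(esCaseId, commTask)
            else:
                # Follow-up mail: reuse the Communication task, recreating
                # it when it no longer exists on the case.
                commTaskId = theHiveConnector.getTaskIdByTitle(esCaseId, 'Communication')
                if commTaskId is None:
                    commTask = theHiveConnector.craftCommTask()
                    commTaskId = theHiveConnector.createTask(esCaseId, commTask)
            fullBody = getEmailBody(msg)
            taskLog = theHiveConnector.craftTaskLog(fullBody)
            theHiveConnector.addTaskLog(commTaskId, taskLog)
            for attached in getFileAttachments(msg):
                theHiveConnector.addFileObservable(esCaseId, attached['data'], attached['message'])
            # Marked read only once the whole mail is mirrored, so a failure
            # in any step above leaves it unread for the next run.
            ewsConnector.markAsRead(msg)
        report['success'] = True
        return report
    except Exception:
        # A single failing message aborts the whole batch; messages handled
        # before it are already marked read, the rest are not.
        logger.error('Failed to create case from email', exc_info=True)
        report['success'] = False
        return report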
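def connectEws():
    """Mirror every unread mail of the configured EWS folder into TheHive.

    Each unread message is matched to an existing case through its
    conversation id (embedded in the case description and looked up
    there).  When no case exists, one is created, assigned to the first
    Outlook category of the mail (or to ``synapse``) and given a
    "Communication" task.  The mail body is added as a task log, every
    IP address matched by ``IP_EX`` in the body is added as an IP
    observable and scanned, the message is marked as read, and the
    non-inline attachments (plus the attachments of attached emails, one
    level deep) are uploaded as file observables.

    Returns:
        dict with one key, ``success``: ``True`` when every unread message
        was processed; ``False`` when any step raised.  The exception is
        logged with its traceback and the remaining messages are left for
        the next run.
    """
    logger = logging.getLogger(__name__)
    logger.info('%s.connectEws starts', __name__)
    report = {'success': False}
    try:
        cfg = getConf()
        ewsConnector = EwsConnector(cfg)
        folder_name = cfg.get('EWS', 'folder_name')
        unread = ewsConnector.scan(folder_name)
        logger.info('Found %s unreads mails', len(unread))
        theHiveConnector = TheHiveConnector(cfg)
        for msg in unread:
            conversationId = msg.conversation_id.id
            # The conversation id is the key that ties follow-up mails of
            # the same thread to the already created case.
            esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
            if esCaseId is None:
                # First mail of this conversation: create and assign a case.
                # Subject and body are sender-controlled text; they are
                # only stored/rendered in TheHive, never interpreted here.
                caseTitle = str(msg.subject)
                caseDescription = ('```\n'
                                   + 'Case created by Synapse\n'
                                   + 'conversation_id: "'
                                   + str(msg.conversation_id.id) + '"\n'
                                   + '```')
                assignee = msg.categories[0] if msg.categories else 'synapse'
                case = theHiveConnector.craftCase(caseTitle, caseDescription)
                createdCase = theHiveConnector.createCase(case)
                caseUpdated = theHiveConnector.assignCase(createdCase, assignee)
                commTask = theHiveConnector.craftCommTask()
                esCaseId = caseUpdated.id
                commTaskId = theHiveConnector.createTask(esCaseId, commTask)
            else:
                # Follow-up mail: reuse the Communication task, recreating
                # it when it no longer exists on the case.
                commTaskId = theHiveConnector.getTaskIdByTitle(esCaseId, 'Communication')
                if commTaskId is None:
                    commTask = theHiveConnector.craftCommTask()
                    commTaskId = theHiveConnector.createTask(esCaseId, commTask)
            fullBody = getEmailBody(msg)
            taskLog = theHiveConnector.craftTaskLog(fullBody)
            theHiveConnector.addTaskLog(commTaskId, taskLog)
            # Every IP-looking string of the sender-controlled body becomes
            # an observable and is handed to the analyzers.  Deduplicated
            # (order kept) so an address repeated in the mail is not added
            # and scanned once per occurrence.
            for ip in dict.fromkeys(re.findall(IP_EX, fullBody)):
                logger.info('IP address found in email: %s', ip)
                try:
                    r_id = theHiveConnector.addIPObservable(esCaseId, ip, '')
                    theHiveConnector.scanIP(r_id)
                except ValueError as ex:
                    # A rejected address (presumably e.g. an already present
                    # observable -- confirm in TheHiveConnector) must not
                    # stop the processing of the rest of the mail.
                    logger.info('IP observable %s not added/scanned: %s', ip, ex)
            # Marked read before the attachments are uploaded: a failure
            # below aborts the batch but this mail is not re-processed on
            # the next run (presumably deliberate, to avoid duplicates).
            ewsConnector.markAsRead(msg)
            for attachmentLvl1 in msg.attachments:
                # Uploaded as a file observable; for a .msg attachment the
                # eml version of the file is what gets uploaded.
                tempAttachment = TempAttachment(attachmentLvl1)
                if tempAttachment.isInline:
                    # Inline attachments are the pictures of the mail body.
                    continue
                tmpFilepath = tempAttachment.writeFile()
                # Recipient list keeps the original "addr addr " layout.
                to = ''.join(recipient.email_address + ' ' for recipient in msg.to_recipients)
                # str() on the subject: a mail without subject has None
                # there and would otherwise fail the concatenation.
                comment = ('Attachment from email sent by '
                           + str(msg.author.email_address).lower()
                           + ' and received by '
                           + to.lower()
                           + ' with subject: <'
                           + str(msg.subject)
                           + '>')
                theHiveConnector.addFileObservable(esCaseId, tmpFilepath, comment)
                if tempAttachment.isEmailAttachment:
                    # The attachments of an attached email are uploaded as
                    # well (one level deep only).
                    for attachmentLvl2 in tempAttachment.attachments:
                        tempAttachmentLvl2 = TempAttachment(attachmentLvl2)
                        tmpFilepath = tempAttachmentLvl2.writeFile()
                        comment = 'Attachment from the email attached'
                        theHiveConnector.addFileObservable(esCaseId, tmpFilepath, comment)
        report['success'] = True
        return report
    except Exception:
        # A single failing message aborts the whole batch; messages handled
        # before it are already marked read.
        logger.error('Failed to create case from email', exc_info=True)
        report['success'] = False
        return report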
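def connectEws():
    """Mirror every unread mail of the configured EWS folder into TheHive.

    Each unread message is matched to an existing case through its
    conversation id (embedded in the case description and looked up
    there).  When no case exists, one is created, assigned to the first
    Outlook category of the mail (or to ``synapse``) and given a
    "Communication" task.  The mail body is added as a task log, the
    message is marked as read, the non-inline attachments (plus the
    attachments of attached emails, one level deep) are uploaded as file
    observables, and the observables ``searchObservables`` extracted from
    the body are created on the case unless whitelisted.

    Returns:
        dict with one key, ``success``: ``True`` when every unread message
        was processed; ``False`` when any step raised.  The exception is
        logged with its traceback and the remaining messages are left for
        the next run.
    """
    logger = logging.getLogger(__name__)
    logger.info('%s.connectEws starts', __name__)
    report = {'success': False}
    try:
        cfg = getConf()
        ewsConnector = EwsConnector(cfg)
        folder_name = cfg.get('EWS', 'folder_name')
        unread = ewsConnector.scan(folder_name)
        theHiveConnector = TheHiveConnector(cfg)
        # NOTE(review): the direct API client uses a hard-coded local URL
        # while TheHiveConnector takes its settings from cfg; the two can
        # drift apart -- consider sourcing this URL from the same config.
        api = TheHiveApi('http://127.0.0.1:9000', API_KEY)
        for msg in unread:
            conversationId = msg.conversation_id.id
            # The conversation id is the key that ties follow-up mails of
            # the same thread to the already created case.
            esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
            if esCaseId is None:
                # First mail of this conversation: create and assign a case.
                # Subject and body are sender-controlled text; they are
                # only stored/rendered in TheHive, never interpreted here.
                caseTitle = str(msg.subject)
                caseDescription = ('```\n'
                                   + 'Case created by Synapse\n'
                                   + 'conversation_id: "'
                                   + str(msg.conversation_id.id) + '"\n'
                                   + '```')
                assignee = msg.categories[0] if msg.categories else 'synapse'
                case = theHiveConnector.craftCase(caseTitle, caseDescription)
                createdCase = theHiveConnector.createCase(case)
                caseUpdated = theHiveConnector.assignCase(createdCase, assignee)
                commTask = theHiveConnector.craftCommTask()
                esCaseId = caseUpdated.id
                commTaskId = theHiveConnector.createTask(esCaseId, commTask)
            else:
                # Follow-up mail: reuse the Communication task, recreating
                # it when it no longer exists on the case.
                commTaskId = theHiveConnector.getTaskIdByTitle(esCaseId, 'Communication')
                if commTaskId is None:
                    commTask = theHiveConnector.craftCommTask()
                    commTaskId = theHiveConnector.createTask(esCaseId, commTask)
            fullBody = getEmailBody(msg)
            # Observables found in the (sender-controlled) body; each is a
            # dict with at least 'type' and 'value' keys.
            observables = searchObservables(fullBody)
            taskLog = theHiveConnector.craftTaskLog(fullBody)
            theHiveConnector.addTaskLog(commTaskId, taskLog)
            # Marked read before attachments/observables are uploaded: a
            # failure below aborts the batch but this mail is not
            # re-processed on the next run (presumably deliberate).
            ewsConnector.markAsRead(msg)
            for attachmentLvl1 in msg.attachments:
                # Uploaded as a file observable; for a .msg attachment the
                # eml version of the file is what gets uploaded.
                tempAttachment = TempAttachment(attachmentLvl1)
                if tempAttachment.isInline:
                    # Inline attachments are the pictures of the mail body.
                    continue
                tmpFilepath = tempAttachment.writeFile()
                # Recipient list keeps the original "addr addr " layout.
                to = ''.join(recipient.email_address + ' ' for recipient in msg.to_recipients)
                # str() on the subject: a mail without subject has None
                # there and would otherwise fail the concatenation.
                comment = ('Attachment from email sent by '
                           + str(msg.author.email_address).lower()
                           + ' and received by '
                           + to.lower()
                           + ' with subject: <'
                           + str(msg.subject)
                           + '>')
                theHiveConnector.addFileObservable(esCaseId, tmpFilepath, comment)
                if tempAttachment.isEmailAttachment:
                    # The attachments of an attached email are uploaded as
                    # well (one level deep only).
                    for attachmentLvl2 in tempAttachment.attachments:
                        tempAttachmentLvl2 = TempAttachment(attachmentLvl2)
                        tmpFilepath = tempAttachmentLvl2.writeFile()
                        comment = 'Attachment from the email attached'
                        theHiveConnector.addFileObservable(esCaseId, tmpFilepath, comment)
            for o in observables:
                # Whitelisted values (presumably the organisation's own
                # infrastructure) are never turned into observables.
                if isWhitelisted(o['value']):
                    logger.info('skipping %s', o['value'])
                    continue
                # TLP amber, not flagged as IOC: the value merely appeared
                # in a mail body, it has not been qualified by anyone yet.
                observable = CaseObservable(dataType=o['type'],
                                            data=o['value'],
                                            tlp=2,
                                            ioc=False,
                                            tags=['Synapse'],
                                            message='Found in the email body')
                # NOTE(review): the API response is not inspected, so an
                # observable rejected by TheHive is dropped silently.
                api.create_case_observable(esCaseId, observable)
                # Pause between creations -- presumably to go easy on the
                # TheHive API; confirm before tuning.
                time.sleep(1)
        report['success'] = True
        return report
    except Exception:
        # A single failing message aborts the whole batch; messages handled
        # before it are already marked read.
        logger.error('Failed to create case from email', exc_info=True)
        report['success'] = False
        return report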