def connectEws():
logger = logging.getLogger(__name__)
logger.info('%s.connectEws starts', __name__)
report = dict()
report['success'] = bool()
try:
cfg = getConf()
ewsConnector = EwsConnector(cfg)
folder_name = cfg.get('EWS', 'folder_name')
unread = ewsConnector.scan(folder_name)
theHiveConnector = TheHiveConnector(cfg)
for msg in reversed(unread):
#type(msg)
#<class 'exchangelib.folders.Message'>
conversationId = msg.conversation_id.id
#searching if case has already been created from the email
#conversation
esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
if esCaseId is None:
#no case previously created from the conversation
caseTitle = str(msg.subject)
caseDescription = ('```\n' + 'Case created by Synapse\n' +
'conversation_id: "' +
str(msg.conversation_id.id) + '"\n' + '```')
if msg.categories:
assignee = msg.categories[0]
else:
assignee = 'synapse'
case = theHiveConnector.craftCase(caseTitle, caseDescription)
createdCase = theHiveConnector.createCase(case)
caseUpdated = theHiveConnector.assignCase(
createdCase, assignee)
commTask = theHiveConnector.craftCommTask()
esCaseId = caseUpdated.id
commTaskId = theHiveConnector.createTask(esCaseId, commTask)
else:
#case previously created from the conversation
commTaskId = theHiveConnector.getTaskIdByTitle(
esCaseId, 'Communication')
if commTaskId != None:
pass
else:
#case already exists but no Communication task found
#creating comm task
commTask = theHiveConnector.craftCommTask()
commTaskId = theHiveConnector.createTask(
esCaseId, commTask)
fullBody = getEmailBody(msg)
taskLog = theHiveConnector.craftTaskLog(fullBody)
createdTaskLogId = theHiveConnector.addTaskLog(commTaskId, taskLog)
attachedFiles = getFileAttachments(msg)
for attached in attachedFiles:
theHiveConnector.addFileObservable(esCaseId, attached['data'],
attached['message'])
readMsg = ewsConnector.markAsRead(msg)
report['success'] = True
return report
except Exception as e:
logger.error('Failed to create case from email', exc_info=True)
report['success'] = False
return report
def connectEws():
logger = logging.getLogger(__name__)
logger.info('%s.connectEws starts', __name__)
report = dict()
report['success'] = bool()
try:
cfg = getConf()
ewsConnector = EwsConnector(cfg)
folder_name = cfg.get('EWS', 'folder_name')
unread = ewsConnector.scan(folder_name)
logger.info("Found " + str(len(unread)) + " unreads mails")
theHiveConnector = TheHiveConnector(cfg)
for msg in unread:
#type(msg)
#<class 'exchangelib.folders.Message'>
conversationId = msg.conversation_id.id
#searching if case has already been created from the email
#conversation
esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
if esCaseId is None:
#no case previously created from the conversation
caseTitle = str(msg.subject)
caseDescription = ('```\n' + 'Case created by Synapse\n' +
'conversation_id: "' +
str(msg.conversation_id.id) + '"\n' + '```')
if msg.categories:
assignee = msg.categories[0]
else:
assignee = 'synapse'
case = theHiveConnector.craftCase(caseTitle, caseDescription)
createdCase = theHiveConnector.createCase(case)
caseUpdated = theHiveConnector.assignCase(
createdCase, assignee)
commTask = theHiveConnector.craftCommTask()
esCaseId = caseUpdated.id
commTaskId = theHiveConnector.createTask(esCaseId, commTask)
else:
#case previously created from the conversation
commTaskId = theHiveConnector.getTaskIdByTitle(
esCaseId, 'Communication')
if commTaskId != None:
pass
else:
#case already exists but no Communication task found
#creating comm task
commTask = theHiveConnector.craftCommTask()
commTaskId = theHiveConnector.createTask(
esCaseId, commTask)
fullBody = getEmailBody(msg)
taskLog = theHiveConnector.craftTaskLog(fullBody)
createdTaskLogId = theHiveConnector.addTaskLog(commTaskId, taskLog)
serverIPs = re.findall(IP_EX, fullBody)
for ip in serverIPs:
logger.info("IP address found in email: " + ip)
try:
r_id = theHiveConnector.addIPObservable(esCaseId, ip, '')
result = theHiveConnector.scanIP(r_id)
except ValueError as ex:
logger.info(ex)
readMsg = ewsConnector.markAsRead(msg)
for attachmentLvl1 in msg.attachments:
#uploading the attachment as file observable
#is the attachment is a .msg, the eml version
#of the file is uploaded
tempAttachment = TempAttachment(attachmentLvl1)
if not tempAttachment.isInline:
#adding the attachment only if it is not inline
#inline attachments are pictures in the email body
tmpFilepath = tempAttachment.writeFile()
to = str()
for recipient in msg.to_recipients:
to = to + recipient.email_address + ' '
comment = 'Attachment from email sent by '
comment += str(msg.author.email_address).lower()
comment += ' and received by '
comment += str(to).lower()
comment += ' with subject: <'
comment += msg.subject
comment += '>'
theHiveConnector.addFileObservable(esCaseId, tmpFilepath,
comment)
if tempAttachment.isEmailAttachment:
#if the attachment is an email
#attachments of this email are also
#uploaded to TheHive
for attachmentLvl2 in tempAttachment.attachments:
tempAttachmentLvl2 = TempAttachment(attachmentLvl2)
tmpFilepath = tempAttachmentLvl2.writeFile()
comment = 'Attachment from the email attached'
theHiveConnector.addFileObservable(
esCaseId, tmpFilepath, comment)
report['success'] = True
return report
except Exception as e:
logger.error('Failed to create case from email', exc_info=True)
report['success'] = False
return report
def connectEws():
logger = logging.getLogger(__name__)
logger.info('%s.connectEws starts', __name__)
report = dict()
report['success'] = bool()
try:
cfg = getConf()
ewsConnector = EwsConnector(cfg)
folder_name = cfg.get('EWS', 'folder_name')
unread = ewsConnector.scan(folder_name)
theHiveConnector = TheHiveConnector(cfg)
api = TheHiveApi('http://127.0.0.1:9000', API_KEY)
for msg in unread:
#type(msg)
#<class 'exchangelib.folders.Message'>
conversationId = msg.conversation_id.id
#searching if case has already been created from the email
#conversation
esCaseId = theHiveConnector.searchCaseByDescription(conversationId)
if esCaseId is None:
#no case previously created from the conversation
caseTitle = str(msg.subject)
caseDescription = ('```\n' + 'Case created by Synapse\n' +
'conversation_id: "' +
str(msg.conversation_id.id) + '"\n' + '```')
if msg.categories:
assignee = msg.categories[0]
else:
assignee = 'synapse'
case = theHiveConnector.craftCase(caseTitle, caseDescription)
createdCase = theHiveConnector.createCase(case)
caseUpdated = theHiveConnector.assignCase(
createdCase, assignee)
commTask = theHiveConnector.craftCommTask()
esCaseId = caseUpdated.id
commTaskId = theHiveConnector.createTask(esCaseId, commTask)
else:
#case previously created from the conversation
commTaskId = theHiveConnector.getTaskIdByTitle(
esCaseId, 'Communication')
if commTaskId != None:
pass
else:
#case already exists but no Communication task found
#creating comm task
commTask = theHiveConnector.craftCommTask()
commTaskId = theHiveConnector.createTask(
esCaseId, commTask)
fullBody = getEmailBody(msg)
#Scan body message for observables, returns list of observables
observables = searchObservables(fullBody)
taskLog = theHiveConnector.craftTaskLog(fullBody)
createdTaskLogId = theHiveConnector.addTaskLog(commTaskId, taskLog)
readMsg = ewsConnector.markAsRead(msg)
for attachmentLvl1 in msg.attachments:
#uploading the attachment as file observable
#is the attachment is a .msg, the eml version
#of the file is uploaded
tempAttachment = TempAttachment(attachmentLvl1)
if not tempAttachment.isInline:
#adding the attachment only if it is not inline
#inline attachments are pictures in the email body
tmpFilepath = tempAttachment.writeFile()
to = str()
for recipient in msg.to_recipients:
to = to + recipient.email_address + ' '
comment = 'Attachment from email sent by '
comment += str(msg.author.email_address).lower()
comment += ' and received by '
comment += str(to).lower()
comment += ' with subject: <'
comment += msg.subject
comment += '>'
theHiveConnector.addFileObservable(esCaseId, tmpFilepath,
comment)
if tempAttachment.isEmailAttachment:
#if the attachment is an email
#attachments of this email are also
#uploaded to TheHive
for attachmentLvl2 in tempAttachment.attachments:
tempAttachmentLvl2 = TempAttachment(attachmentLvl2)
tmpFilepath = tempAttachmentLvl2.writeFile()
comment = 'Attachment from the email attached'
theHiveConnector.addFileObservable(
esCaseId, tmpFilepath, comment)
#Parse obserables
for o in observables:
if isWhitelisted(o['value']):
print("skipping %s" % o['value'])
else:
observable = CaseObservable(
dataType=o['type'],
data=o['value'],
tlp=2,
ioc=False,
tags=['Synapse'],
message='Found in the email body')
#send observables to case
response = api.create_case_observable(esCaseId, observable)
time.sleep(1)
report['success'] = True
return report
except Exception as e:
logger.error('Failed to create case from email', exc_info=True)
report['success'] = False
return report