feat(integration): Emailrep check reputation (#98)

.env.example

@@ -44,3 +44,4 @@ DD_API_KEY=your-datadog-api-key
 DD_APP_KEY=your-datadog-app-key
 VT_API_KEY=your-virustotal-api-key
 URLSCAN_API_KEY=your-urlscan-api-key
+EMAILREP_API_KEY=your-emailrep-api-key

tests/data/log_samples/emailrep/email.json

@@ -0,0 +1,33 @@
+{
+  "email": "john@google.com",
+  "reputation": "high",
+  "suspicious": false,
+  "references": 83,
+  "details": {
+    "blacklisted": false,
+    "malicious_activity": false,
+    "malicious_activity_recent": false,
+    "credentials_leaked": true,
+    "credentials_leaked_recent": false,
+    "data_breach": true,
+    "first_seen": "07/01/2008",
+    "last_seen": "01/16/2024",
+    "domain_exists": true,
+    "domain_reputation": "high",
+    "new_domain": false,
+    "days_since_domain_creation": 9719,
+    "suspicious_tld": false,
+    "spam": false,
+    "free_provider": false,
+    "disposable": false,
+    "deliverable": true,
+    "accept_all": false,
+    "valid_mx": true,
+    "primary_mx": "smtp.google.com",
+    "spoofable": true,
+    "spf_strict": false,
+    "dmarc_enforced": false,
+    "profiles": ["linkedin"]
+  },
+  "summary": "Not suspicious. This email address has been seen in 83 reputable sources on the internet, including Linkedin. It has been seen in data breaches or credential leaks dating back to 07/01/2008, but not since 01/16/2024. The sender domain is highly reputable. We've observed no malicious or suspicious activity from this address. "
+}

tests/integrations/test_emailrep.py

@@ -0,0 +1,33 @@
+import os
+
+import pytest
+from httpx import Response
+
+from tracecat.integrations.emailrep import check_email_reputation
+
+
+@pytest.fixture
+def emailrep_secret(create_mock_secret) -> dict[str, str | bytes]:
+    mock_secret = create_mock_secret(
+        "emailrep", {"EMAILREP_API_KEY": os.environ["EMAILREP_API_KEY"]}
+    )
+    mock_secret_obj = mock_secret.model_dump_json()
+    return mock_secret_obj
+
+
+@pytest.mark.respx(assert_all_mocked=False)
+def test_check_email_reputation(emailrep_secret, respx_mock):
+    test_email = "john@google.com"
+
+    # Mock secrets manager
+    respx_mock.base_url = os.environ["TRACECAT__API_URL"]
+    route = respx_mock.get("/secrets/emailrep").mock(
+        return_value=Response(status_code=200, content=emailrep_secret)
+    )
+
+    result = check_email_reputation(email=test_email, app_name="test")
+    assert route.called
+    assert result["email"] == test_email
+    assert "reputation" in result
+    assert "suspicious" in result
+    assert "summary" in result

tracecat/integrations/emailrep.py

@@ -0,0 +1,31 @@
+"""Integrations with Emailrep API.
+
+Required credentials: `emailrep` secret with `EMAILREP_API_KEY` key.
+
+API reference: https://docs.sublimesecurity.com/reference/get_-email
+"""
+
+import os
+
+import httpx
+
+from tracecat.integrations._registry import registry
+
+EMAILREP_BASE_URL = "https://emailrep.io"
+
+
+def create_emailrep_client(app_name: str):
+    emailrep_api_key = os.environ["EMAILREP_API_KEY"]
+    headers = {"User-Agent": f"tracecat/{app_name}", "Key": emailrep_api_key}
+    return httpx.Client(base_url=EMAILREP_BASE_URL, headers=headers)
+
+
+@registry.register(
+    description="Check email reputation",
+    secrets=["emailrep"],
+)
+def check_email_reputation(email: str, app_name: str) -> dict[str, str] | str:
+    client = create_emailrep_client(app_name)
+    response = client.get(f"/{email}")
+    response.raise_for_status()
+    return response.json()