Repository contents (master, latest commit 3cd8841, Feb 4, 2019):

- Dockerfile (published Feb 5, 2018; updated May 23, 2018)
- imap2thehive.conf (spam handling added and auth info replaced; authentication method fixed, Feb 4, 2019)
- imap2thehive.whitelists (observables whitelist added May 23, 2018)
- requirements.txt (published Feb 5, 2018)

The script polls an IMAP4 mailbox for new emails and imports the fetched messages into an instance of TheHive. By default, one new case is created per email read. If the subject of the mail contains "[ALERT]", an alert is created instead of a case.
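The poll-and-classify loop, as an added Python example rather than imap2thehive's own code. It keeps imaplib's call shapes (select, search, fetch, store and their (status, data) return values) but runs them against a constructed in-memory mailbox so it works offline; FakeIMAP, SAMPLE_MAILBOX, classify() and poll_folder() are names chosen here and are not part of the project. Replacing FakeIMAP with imaplib.IMAP4_SSL(host) after login is the only change needed for a real mailbox.

```python
# Added example, not imap2thehive's own code. FakeIMAP, SAMPLE_MAILBOX,
# classify() and poll_folder() are names chosen for this illustration.
import email
from email import policy
from typing import Dict, List

ALERT_MARKER = "[ALERT]"   # subject marker the README describes

# Constructed sample mailbox: message number -> raw RFC 822 bytes (what FETCH RFC822 returns)
SAMPLE_MAILBOX = {
    b"1": (b"From: helpdesk@example.org\r\n"
           b"Subject: Phishing report from a user\r\n"
           b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
           b"User clicked http://evil.example/login\r\n"),
    b"2": (b"From: ids@example.org\r\n"
           b"Subject: [ALERT] Suspicious login from new country\r\n"
           b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
           b"3 failed logins then success for jdoe\r\n"),
}


class FakeIMAP:
    """Stand-in for imaplib.IMAP4_SSL exposing only the calls the poller uses,
    with imaplib's (status, data) return shapes. Constructed for this example."""

    def __init__(self, mailbox: Dict[bytes, bytes]) -> None:
        self.mailbox = dict(mailbox)
        self.flagged: List[bytes] = []

    def select(self, folder: str = "INBOX"):
        return "OK", [str(len(self.mailbox)).encode()]

    def search(self, charset, *criteria):
        return "OK", [b" ".join(sorted(self.mailbox))]

    def fetch(self, num: bytes, parts: str):
        raw = self.mailbox[num]
        return "OK", [(num + b" (RFC822 {%d}" % len(raw), raw), b")"]

    def store(self, num: bytes, command: str, flags: str):
        self.flagged.append(num)
        return "OK", [None]


def classify(raw: bytes) -> Dict[str, str]:
    """Parse one message and decide case vs alert from the subject marker."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "kind": "alert" if ALERT_MARKER in subject else "case",
        "title": subject.replace(ALERT_MARKER, "").strip(),
        "description": body.strip(),
        "source": str(msg.get("From", "") or ""),
    }


def poll_folder(client, folder: str = "INBOX") -> List[Dict[str, str]]:
    """Fetch every UNSEEN message, classify it and flag it so the next run skips it."""
    status, _ = client.select(folder)
    if status != "OK":
        raise RuntimeError(f"cannot select folder {folder!r}")
    status, data = client.search(None, "UNSEEN")
    if status != "OK" or not data or not data[0]:
        return []
    imported: List[Dict[str, str]] = []
    for num in data[0].split():
        status, fetched = client.fetch(num, "(RFC822)")
        # imaplib returns [(b'1 (RFC822 {n}', raw_bytes), b')'] on success
        if status != "OK" or not fetched or not isinstance(fetched[0], tuple):
            continue
        imported.append(classify(fetched[0][1]))
        # a real server already sets \Seen on an RFC822 fetch; flag explicitly anyway
        client.store(num, "+FLAGS", "\\Seen")
    return imported


if __name__ == "__main__":
    for item in poll_folder(FakeIMAP(SAMPLE_MAILBOX)):
        print(item["kind"], "|", item["title"])
```

Flagging each message after import is what makes a cron-driven run idempotent: a crash between fetch and store leaves the message unseen and it is simply imported on the next run, which is the safer failure mode for a SOC intake mailbox.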


The script is fully configurable via a simple INI-style configuration file (sections of key = value pairs, as read by Python's configparser). See the imap2thehive.conf sample for more details; note that it holds the IMAP and TheHive credentials, so protect it accordingly.


The script can be run manually to import a mailbox once, or it can be scheduled to run at a fixed interval with a cron job. The syntax is simple:

# ./ -h
usage: [-h] [-v] [-c CONFIG]

Process an IMAP folder to create TheHive alerts/cases.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbose output
  -c CONFIG, --config CONFIG
                        configuration file (default: /etc/imap2thehive.conf)

Docker Container

I created a Dockerfile to build a container. The configuration file (with its credentials) is not baked into the image; it is mounted read-only from the host at run time:

# git clone
# cd imap2thehive
# docker build -t imap2thehive:latest .
# docker run -v $PWD/imap2thehive.conf:/etc/imap2thehive.conf:ro imap2thehive

Observables Whitelisting

The script is able to extract observables (email addresses, URLs, attached files, hashes) from the imported messages. To avoid too many false positives (your own domain and mail addresses show up in every report), it is possible to create whitelists based on regular expressions: an observable matching a whitelist pattern is not added. See the file imap2thehive.whitelists.
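Observable extraction with regex whitelisting, as an added Python example that is not imap2thehive's own code. The extraction patterns, the one-regex-per-line whitelist format and the names OBSERVABLE_PATTERNS, load_whitelist() and extract_observables() are assumptions made for this illustration; the dataType keys (mail, url, hash) are the TheHive observable type names. The sample body and whitelist are constructed.

```python
# Added example, not imap2thehive's own code. Patterns, whitelist format and
# function names are illustrative assumptions, not the project's.
import re
from typing import Dict, List

# Keys are TheHive observable dataTypes; patterns are deliberately simple.
OBSERVABLE_PATTERNS = {
    "mail": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "url": re.compile(r"https?://[^\s<>\"']+"),
    # sha256 first so a long hash is not truncated into a 32-char "md5"
    "hash": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),
}

# Constructed whitelist: one regex per line, '#' comments, matches are dropped.
WHITELIST_TEXT = r"""
# our own mail domain and intranet appear in every report
^.*@example\.org$
^https?://(?:[a-z0-9-]+\.)*example\.org(?:/.*)?$
"""

# Constructed sample message body
SAMPLE_BODY = """Reported by helpdesk@example.org.
User received mail from billing@evil.example pointing to http://evil.example/login?id=42.
Attachment invoice.pdf sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
See also https://intranet.example.org/kb/phishing for the playbook.
"""


def load_whitelist(text: str) -> List["re.Pattern"]:
    """Compile the non-empty, non-comment lines of a whitelist file."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def extract_observables(text: str, whitelist: List["re.Pattern"]) -> Dict[str, List[str]]:
    """Return {dataType: [unique values]} for everything found and not whitelisted."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in OBSERVABLE_PATTERNS.items():
        values: List[str] = []
        for value in pattern.findall(text):
            value = value.rstrip(".,;)")            # trailing sentence punctuation
            if any(w.search(value) for w in whitelist):
                continue                            # whitelisted: skip it
            if value not in values:
                values.append(value)
        if values:
            found[kind] = values
    return found


if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_BODY, load_whitelist(WHITELIST_TEXT)).items():
        print(kind, values)
```

Whitelist patterns are anchored on purpose: an unanchored `example\.org` would also suppress `example.org.evil.example`, which is exactly the kind of lookalike an analyst wants to keep.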
