Latest commit 3cd8841 Feb 4, 2019
Dockerfile Published Feb 5, 2018
README.md Updated May 23, 2018
entrypoint.sh
imap2thehive.conf Added spam & replaced auth info Feb 4, 2019
imap2thehive.py Fixed authentication method Feb 4, 2019
imap2thehive.whitelists Added observables whitelist May 23, 2018
requirements.txt Published Feb 5, 2018

README.md

Purpose

The script imap2thehive.py polls an IMAP4 mailbox for new emails and imports fetched messages into an instance of TheHive. By default, a new case is created per email read. If the subject of the mail contains "[ALERT]", an alert is created.

Configuration

The script is fully configurable via a Python-friendly configuration file. See the sample imap2thehive.conf for more details.

Usage

The script can be run manually to import a mailbox, or it can be scheduled to run at a fixed interval with a cron job. The syntax is simple:

# ./imap2thehive.py -h
usage: imap2thehive.py [-h] [-v] [-c CONFIG]

Process an IMAP folder to create TheHive alerts/cased.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbose output
  -c CONFIG, --config CONFIG
                        configuration file (default: /etc/imap2thehive.conf)

Docker Container

I created a Dockerfile to build a container:

# git clone https://github.com/xme/dockers
# cd imap2thehive
# docker build -t imap2thehive:latest .
# docker run -v $PWD/imap2thehive.conf:/etc/imap2thehive.conf:ro imap2thehive

Observables Whitelisting

The script is able to extract observables (emails, URLs, files, hashes). To avoid too many false positives, it is possible to create whitelists (based on regular expressions). See the file imap2thehive.whitelists.
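As an added illustration (not the project's own code), the following Python sketches the two rules this README describes: the "[ALERT]" subject check that decides between an alert and a case, and regex-based whitelisting applied to extracted observables. The whitelist format (one regular expression per line), the extraction patterns and the sample message are assumptions made for the example.

```python
import re

# Assumed whitelist format: one regular expression per line, '#' comments allowed.
# Constructed sample, not the project's own imap2thehive.whitelists file.
WHITELIST_TEXT = r"""
# our own domain: never report it as an observable
^[A-Za-z0-9._%+-]+@example\.org$
^https?://(www\.)?example\.org(/.*)?$
"""

# Simple extraction patterns for the observable types the README lists.
OBSERVABLE_PATTERNS = {
    "mail": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url":  re.compile(r"https?://[^\s<>\"']+"),
    # SHA-256, SHA-1 or MD5 hex digests; longest alternative first
    "hash": re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b"),
}

def load_whitelist(text):
    """Compile every non-empty, non-comment line into a regex object."""
    return [re.compile(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def is_whitelisted(value, whitelist):
    return any(rx.search(value) for rx in whitelist)

def extract_observables(body, whitelist):
    """Return {type: sorted values} found in body, minus whitelisted ones."""
    found = {}
    for kind, rx in OBSERVABLE_PATTERNS.items():
        values = {m.group(0) for m in rx.finditer(body)}
        kept = sorted(v for v in values if not is_whitelisted(v, whitelist))
        if kept:
            found[kind] = kept
    return found

def classify_subject(subject):
    """README rule: '[ALERT]' in the subject creates an alert, otherwise a case."""
    return "alert" if "[ALERT]" in subject else "case"

# Constructed phishing report used as sample input (not a real message).
SAMPLE_BODY = """Reported by soc@example.org
Sender: attacker@badmail.test
Payload URL: http://malware.example.net/dropper.bin
Reference: https://www.example.org/ticket/42
SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    print(classify_subject("[ALERT] phishing campaign"))
    print(extract_observables(SAMPLE_BODY, load_whitelist(WHITELIST_TEXT)))
```

Running it reports only the external sender, the payload URL and the hash; the analyst's own address and ticket URL are dropped by the whitelist.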
