Steps
Version 32.2 of the Resilient platform ships with an out-of-the-box Python script called “Sample script: process incoming email (v32.2)”. If you upgrade to v32.2, every existing organization, and every organization created afterward, receives this new script.
The script performs email analysis on email message objects. It does the following:
- Checks whether an incident already exists whose title reflects the received email.
- If so, associates the email with the existing incident.
- If not:
  - Creates a new incident with a suitable title.
  - Associates the email message with the new incident.
  - Adds the subject of the email message as an artifact to the new incident.
  - Sets the Reporter field of the incident to the email address that sent the message.
Running the script
Settings
The owner of the incident
New incidents need an owner, either an individual identified by their email address or a group name. In the provided script, this value is left blank. You must edit the script to add a Resilient user as the owner. For example, to change the owner to [email protected], find line 8 of the script:
Edit line:
Allow lists
An allow list (whitelist) is a list of trusted data elements that should not become suspicious artifacts; for example, the IP address of your own email server. The script uses two categories of allow list: IP address and URL domain. These allow lists are configured by modifying the data in the script.
Initially, these allow lists consist of commented-out entries that serve as examples of data you might want to exclude from consideration. An allow list has no effect until you uncomment entries and make a syntactically correct list, or add your own entries.
IP address allow lists
The IP allow lists are divided into separate IPv4 and IPv6 lists. They are applied to IP addresses retrieved by pattern matching in the body of the email message. If an IP address appears on an allow list, it is not added as an artifact to the incident.
There are two kinds of IP allow list entry: CIDR (Classless Inter-Domain Routing) and IP range. For example, in IPv4, IBM owns the 9 Class A network. You may also want to allow list an IP range, such as 12.0.0.1 – 12.5.5.5. To add these criteria to the allow list, add the following to the ipv4allowlist:
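The following is an added example, not the sample script shipped with the platform, that models both parts of the behaviour described above: the routing of an incoming email to an existing or new incident, and the IPv4/IPv6 allow lists in CIDR and range form that filter the IP addresses pattern-matched out of the message body. It deliberately uses an in-memory incident store instead of the Resilient scripting API, so every name in it (`IncidentStore`, `process_email`, `extract_ip_artifacts`, the artifact type labels) is an assumption for illustration only. Two further assumptions are noted in comments: reply/forward prefixes are ignored when matching titles, and non-allow-listed IPs are added as artifacts to existing as well as new incidents. The allow list entries and the email are constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Allow lists in the two entry forms the sample script accepts: a CIDR
# network or an inclusive "start-end" range. Values are constructed samples.
IPV4_ALLOWLIST = ["9.0.0.0/8", "12.0.0.1-12.5.5.5"]
IPV6_ALLOWLIST = ["2001:db8::/32"]


def parse_allow_entry(entry):
    """Turn one allow-list entry into (ip_version, low_int, high_int)."""
    entry = entry.strip().replace("\u2013", "-")  # tolerate an en dash in ranges
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or int(start) > int(end):
            raise ValueError(f"malformed range entry: {entry!r}")
        return start.version, int(start), int(end)
    net = ipaddress.ip_network(entry, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


def is_allowlisted(addr, allowlist):
    """True if addr falls inside any entry of the same IP version."""
    addr = ipaddress.ip_address(addr)
    return any(
        ver == addr.version and lo <= int(addr) <= hi
        for ver, lo, hi in map(parse_allow_entry, allowlist)
    )


def extract_ip_artifacts(body, ipv4_allowlist=IPV4_ALLOWLIST, ipv6_allowlist=IPV6_ALLOWLIST):
    """Distinct IPv4/IPv6 addresses found in body, minus allow-listed ones."""
    seen, kept = set(), []
    # Candidate tokens are validated by ipaddress, so stray hex words are dropped.
    for token in re.findall(r"[0-9A-Fa-f:.]+", body):
        try:
            addr = ipaddress.ip_address(token.rstrip("."))
        except ValueError:
            continue
        allow = ipv4_allowlist if addr.version == 4 else ipv6_allowlist
        if str(addr) in seen or is_allowlisted(addr, allow):
            continue
        seen.add(str(addr))
        kept.append(str(addr))
    return kept


@dataclass
class Incident:
    inc_id: int
    name: str
    owner: str
    reporter: str = ""
    artifacts: list = field(default_factory=list)  # (type, value) pairs
    emails: list = field(default_factory=list)     # (sender, subject) pairs


def normalize_title(subject):
    """Key used to decide whether an incident title 'reflects' an email.
    Assumption: reply/forward prefixes are ignored and case is folded."""
    title = subject.strip()
    while True:
        stripped = re.sub(r"^(re|fw|fwd)\s*:\s*", "", title, flags=re.IGNORECASE)
        if stripped == title:
            return title.casefold()
        title = stripped


class IncidentStore:
    """Stand-in for the platform's incident records (assumption, in-memory)."""

    def __init__(self):
        self.incidents = []

    def find_by_title(self, subject):
        key = normalize_title(subject)
        return next((i for i in self.incidents if normalize_title(i.name) == key), None)

    def create(self, title, owner):
        inc = Incident(inc_id=len(self.incidents) + 1, name=title, owner=owner)
        self.incidents.append(inc)
        return inc


def process_email(store, sender, subject, body, owner):
    """Route one email as the page describes: associate with a matching incident,
    otherwise create one, record the subject artifact and the reporter."""
    if not owner:
        # The shipped script leaves the owner blank; it must be set before use.
        raise ValueError("new incidents need an owner (user email or group name)")
    incident = store.find_by_title(subject)
    if incident is None:
        incident = store.create(subject, owner)
        incident.reporter = sender
        incident.artifacts.append(("Email Subject", subject))
    incident.emails.append((sender, subject))
    # Assumption: body IPs that survive the allow lists become artifacts on
    # both new and existing incidents, without duplicates.
    for ip in extract_ip_artifacts(body):
        if ("IP Address", ip) not in incident.artifacts:
            incident.artifacts.append(("IP Address", ip))
    return incident
```

The range check works on integer address values, so an entry such as `12.0.0.1-12.5.5.5` is inclusive at both ends, and an IPv6 entry can never match an IPv4 address because the version is compared first. Malformed entries raise at lookup time rather than silently matching nothing, which is the failure mode to watch for when uncommenting the example entries in the shipped script.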