#710 extract interesting artifacts from email source

TheHive-Project · Apr 22, 2020 · 99337a4 · 99337a4
1 parent 38e5cbd
commit 99337a4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/analyzers/EmlParser/parse.py b/analyzers/EmlParser/parse.py
@@ -8,6 +8,7 @@
 import hashlib
 import base64
 from pprint import pprint
+import iocextract
 
 class EmlParserAnalyzer(Analyzer):
 
@@ -43,6 +44,26 @@ def summary(self, raw):
 
         return {"taxonomies": taxonomies}
 
+    def artifacts(self, raw):
+        artifacts = []
+        urls = list(iocextract.extract_urls(str(raw)))
+        ipv4s = list(iocextract.extract_ipv4s(str(raw)))
+        mail_addresses = list(iocextract.extract_emails(str(raw)))
+        hashes = list(iocextract.extract_hashes(str(raw)))
+
+        if urls:
+            for u in urls:
+                artifacts.append(self.build_artifact('url',str(u)))
+        if ipv4s:
+            for i in ipv4s:
+                artifacts.append(self.build_artifact('ip',str(i)))
+        if mail_addresses:
+            for e in mail_addresses:
+                artifacts.append(self.build_artifact('mail',str(e)))
+        if hashes:
+            for h in hashes:
+                artifacts.append(self.build_artifact('hash',str(h)))
+        return artifacts
 
 def parseEml(filepath):
 

diff --git a/analyzers/EmlParser/requirements.txt b/analyzers/EmlParser/requirements.txt
@@ -1,3 +1,4 @@
 cortexutils;python_version>='3.5'
 eml_parser
 python-magic
+iocextract