Disclaimer: This is my first real Python program that I've written so I'm sure there are a lot of items that I could/should have handled differently. I'm always open for suggestions on how to make it better. This is also only revision one of this code. There are quite a few scenarios (i.e. how VirusTotal sends back information) that I may have not seen yet in my testing. So there are probably going to be various issues that may come up that I'll have to account for.
This script will monitor an inbox and pull out all relevant information for a SecOps team to review.
- Script runs via a cronjob that monitors an inbox for unread messages every minute.
- If there are multiple messages, it will only pull one at a time to help spread out the VirusToal API calls as well as to simplify the amount of variables that are being pulled in.
- It will pull in emails with .msg files attached to it or basic forwarded messages.
- Depending on the content of the email message, it will SHA256 the attachment and look it up via VirusTotal as well as lookup the URL if there is one.
- Once it gets all of the relevant information, it will then create a ServiceNow ticket.
- Note: This is for our internal process only. You will need to substitute your own ticketing API call here.
- The ticket contents will show the basic email information at the top and then any VT information below.
- The format of the results are
- URL or SHA256 Scanned
- Date Scanned
- Amount of positive hits
- Link to the scan results.
- If there there are no results, it will either show up as empty, null, or say there are no results. This slightly varies depending on if it's a file or URL.
- The free VT API only allows 4 API calls per minute. So if there is an email with more than 4 calls, it will only lookup the first 4.
- Better error handling around the initial VT query on if the service is down or we've met our threshold.
- Better error handling around VT results. Since there are quite a few items that can come back, I haven't seen them all yet.
- Fix some formatting issues on the subject if the message is forwarded to the inbox.
- Make the SN description field "prettier".
- Add other reputation lookups so additional information is in the initial ticket.
- If positives is greater than X, automatically block via security tools.
I created this code using Pythong 3.6.3. When I moved it to another server using 3.4, I received various message errors due to a change from 3.4 to 3.6. So to ensure it works correctly, please use 3.6.