The script email2thehive.py reads an email file(.msg/.eml) and creates a new case into an instance of TheHive. If the subject of the mail contains "[ALERT]", an alert is created.
The script is fully configurable via a Python-friendly configuration file. See email2thehive.conf sample for more details.
The script can be run manually to import an email file. The syntax is simple:
# ./email2thehive.py -h
usage: email2thehive.py [-h] [-v] [-c CONFIG] [-f FILEPATH]
Process an email file to create TheHive alerts/cased.
optional arguments:
-h, --help show this help message and exit
-v, --verbose verbose output
-c CONFIG, --config CONFIG
configuration file (default: /etc/email2thehive.conf)
-f FILEPATH, --file FILEPATH
email file path
The script is able to extract observables (emails, URLs, files, hashes). To avoid too many false positives, it is possible to create whitelists (based on regular expressions). See the file email2thehive.whitelists.
Original project imap2thehive which polls an IMAP4 mailbox for new emails and imports fetched messages into an instance of TheHive.